Today, most C-Suite and boardroom discussions on cybersecurity are based on gut feelings and incomplete data. We are wasting a lot of money because we don’t know how to deal with cybersecurity effectively.
If you have a mature cybersecurity program, your chief information security officer (CISO) probably provides periodic updates with qualitative (or quasi-quantitative) estimates of cyber-risk organized around categories such as risk to intellectual property, risk of operational disruption from a cyberattack, risk of customer data disclosure, etc. The presenting executive might review status of key cybersecurity projects, and perhaps ask for additional budget to pursue “necessary” initiatives to keep up with the evolving threat landscape. Sometimes these sessions become deeply technical and hard to follow. Come next year (or next quarter), a similar meeting occurs. With the steady stream of cyber breaches in the news, you hope your company is doing the right things to stay out of trouble.
This may or may not shock you, but many CIOs and CISOs are quite uncomfortable about these meetings. Most are mindful that they only have a vague idea about the enterprise’s overall cybersecurity picture and are forced to pretend they know what’s going on. Some even lie and make things up when they have no real data to support their pronouncements.
This works, until it doesn’t. If a major cybersecurity incident happens, some senior executive becomes the scapegoat. You agree to increase cybersecurity spending and tighten things up. Then the cycle continues, but nothing really changes.
We can all do better!
The Cybersecurity Checklist
When you interviewed your CISO, you were probably impressed by the details of the security program they said they would operate. An experienced security executive will organize the enterprise cybersecurity practice around a checklist of known good techniques — specific tools and controls, security policies, compliance items and a 24/7 security operations center (SOC). Some will map their checklists against standard frameworks with confidence-inspiring acronyms such as NIST 800-53, SOC 2, CIS 100 and ISO 27001.
Unfortunately, while checklists have proved to be very effective in safely flying Boeing 747s around the globe, landing a man on the moon and operating nuclear power plants, they don’t quite work in cybersecurity.
Exponential Risk And Dirty Secrets
The attack surface of a modern enterprise is gargantuan. A typical enterprise has a bewildering variety of assets: infrastructure, applications, managed and unmanaged endpoints (fixed and mobile), IoTs and cloud services. Each internet-facing element can be attacked in hundreds of ways. Users can be phished. Weak passwords, software vulnerabilities, misconfigurations and numerous other vectors can be leveraged to compromise some enterprise asset and gain an initial foothold inside your network. Once in, the adversary may be able to rapidly move across the enterprise to locate and compromise some important asset — and you have a major breach.
To properly measure risk, we need to predict the likelihood of the adversary being able to breach some internet-facing asset and then jump to some valuable enterprise asset. We must also understand the business impact of the asset being compromised. This calculation needs to be performed for all permutations and combinations of assets and breach methods. We must continuously observe relevant security attributes of all enterprise assets, factoring in information about active threats, asset criticality and compensating controls. The math involves correlation analysis in a hyper-dimensional space combined with Markov Chain Monte Carlo simulations.
Even for small firms, there are tens of millions of factors in this calculation. For the big ones (for example, JP Morgan), hundreds of billions of time-varying factors have to be continuously analyzed to accurately predict where and how breaches might happen. Simply analyzing logs with tools like Splunk and QRadar doesn’t work, as past events don’t correctly predict future breach scenarios. Checklists don’t work in cybersecurity because of the scale of the underlying math, our constantly changing software and the dynamic adversary.
Most organizations do not even have an accurate real-time inventory of their assets. Furthermore, many important security attributes of assets — such as reused passwords — are omitted from the checklist because they are deemed too difficult to measure. More generally, individual security practitioners routinely make arbitrary decisions to accept critical risk factors on their checklists, often because IT has not figured out how to mitigate these factors and still keep the environment operational. This leads to a systematic buildup of risk that the CIO or CISO is not aware of. Cybersecurity checklists lull you into a false sense of security.
What Should We Do?
I am not going to give you a checklist of three or four bulleted initiatives. Instead, here is a playbook of questions you can ask in cybersecurity meetings.
1. Do we have a real-time inventory of our assets, including mobile devices, unmanaged assets, cloud services and IOTs?
2. Are we able to continuously observe all relevant security attributes for our assets?
3. Assuming some internet-facing asset is compromised, how quickly will the attack propagate before being detected?
4. What is the likelihood and impact of a major breach?
5. Can we quantify our cyber-resilience (i.e., ability to limit the impact of attacks in time and space)?
6. What proactive steps have we taken to improve cyber-resilience?
7. Can we estimate proforma ROI of our security initiatives, quantifying the expected decrease in breach risk?
Consider setting up a separate audit function, perhaps reporting directly to the CFO or CIO, to produce an alternate measurement of risk and resilience. This will go a long way in keeping cybersecurity conversations honest and impactful.
If you are unhappy with the answers to your questions above, your organization should spend more time measuring and auditing the network to better understand risk. This will create clarity around actions that need to be taken to in order to reduce breach risk.
