Why Is Security Reporting Still Failing?

Uploaded on 2024-04-05 in NEWS-Cybersecurity News, FREE TO VIEW

Accountability is now a major force in cybersecurity. We’ve seen the Securities and Exchange Commission (SEC) hold the SolarWinds CISO. Timothy Brown, to account, accusing him of overstating cybersecurity practices and failing to disclose known risks while Uber’s former CISO, Joe Sullivan, narrowly escaped going to jail for failing to disclose a breach. Stateside, the SEC introduced new incident reporting requirements with respect to timely disclosure last year and closer to home NIS2 will also introduce accountability requirements for corporate management in October which could see them fined and banned or discharged from executing a managerial function.

What this means is that the pressure to effectively communicate risk to the board has increased enormously yet it’s still an area that many struggle with.

From the CISO’s perspective, there’s a difficulty in communicating abstract concepts to a technically challenged board. According to the Voice of the CISO Report 2023, 62% believe cybersecurity expertise should be a board-level requirement to prevent this issue, revealing that technical knowledge is lacking in the board room. 

On the other side of the divide, a PWC Pulse Survey found only 32% of corporate directors say they are completely satisfied with the information they are given on cybersecurity, suggesting that the way information is imparted is impairing decision making.  Another recent survey found only 69% said they see eye-to-eye with their CISO and the Voice of the CISO report found only 51% of CISOs feel they have their board’s backing compared to 71% the year before.
 
Resolving this disconnect will not be easy. Nearly a quarter (24%) of all UK businesses do not feel confident communicating cyber risk to directors, trustees and senior managers according to the UK government’s Cyber security skills in the UK labour market 2023 report. Moreover, 35% said management don’t understand the staffing needs nor the cyber risks facing the organisation. And 40% do not think their senior leaders understand when cyber security breaches need to be reported externally or the steps needed to manage a breach. 

Failing to adequately communicate risk can negate any security gains and seriously undermine security initiatives and jeopardise budget.

But it also sees an over emphasis on statistical outcomes and how effective the business is at stopping attacks rather than the acceptance of risk and a focus on resilience. After all, attacks are inevitable and it’s how these are dealt with and their potential impact that matter. So, the problem for the CISO becomes one of educating the board and interpreting technical jargon all before they can get on to the nitty gritty of how risk is being assessed.

It's here that CISOs are making their biggest mistake and during which they will often lose their audience. The board will switch off when confronted by such intangibles as risk scores and matrices and vectors, even if those numbers are presented well. For them, it’s all about sustaining business as usual and preventing disruption. So, the most effective way to communicate cyber threats and mitigation is to focus on the risk to those business processes and the associated business impacts. Understanding the impact radius of a breach or attack can provide the context needed to then justify the need to refine processes and controls.

For example, instead of using a “Red/Amber/Green” (RAG) status or numbers to indicate a perceived risk, reporting should focus on the actual outcomes of a risk occurring and what this would mean to the business in practical terms – in essence the potential costs. This might be in the form of a loss of business, reputational damage, financial loss or non-compliance and punitive measures i.e. penalties. Such impacts are easier to relate to and if the risk is more easily quantified and understood then it is much more likely to secure the resources needed to control it, which is ultimately the CISO’s goal.

Measurements do of course have a place but being able to draw upon comparisons helps demonstrate progress made. An example here might be assessing the cyber maturity of the business which is typically evaluated against a risk framework such as the NIST CSF. It features six easily understood categories (identify, protect, detect, respond and recover alongside the overall theme of governance) and the framework itself aims to “provide a common language for communicating inside and outside the organisation about cybersecurity risks, capabilities, needs and expectations”. In the case of a maturity assessment, those six categories are rated on a sliding scale with recommendations for improvement to move the business forward in its journey towards cyber maturity.

Conducted on a regular basis, this type of easily intelligible information can then help evaluate current provisioning and guide future spend and investment.

The maturity assessment is just a single – albeit important – facet when it comes to reporting to the board. In addition, CISO’s usually routinely provide updates on changes to the risk landscape and how these are being prioritised, security incidents and projects and initiatives, provided on a quarterly, six monthly or annual basis. The RSAC Executive Security Action Forum (ESAF) delves into these other areas in more depth in its report, “What top CISOs include in updates to the board” and provides some interesting insights into ways in which information can be conveyed more meaningfully from using hypothetical scenarios to qualitative observations. 

Interestingly, how the CISOs in the report present their information is usually determined by their accountability to the board. So those that believe they should show progress over time were more likely to resort to metrics, those focused on delivering results resorted to a roadmap and those looking to manage and prioritise risk tended to use a risk framework. Of course, the emphasis towards greater accountability is likely to see them need to deliver on all three fronts.

If we go back to the Uber case, however, Sullivan says there are some clear lessons to be learnt. He has since gone on record as saying the company did as advised, observing the terms of its Directors and Officers (D&O) Insurance policy which is supposed to indemnify senior management against prosecution in such scenarios. As specified in the data breach policy, the legal and communications teams were called, and the CEO kept informed. Their mistake, he says, was that the company didn’t call in a third-party investigator to review how the breach was handled, ensuring true transparency.

It's a situation that no CISO wants to be in but when it does happen, those communication skills and being aligned with the board can make all the difference. It gets both on the same page, is more likely to lead to effective decision making and to help make the call when the time comes to bring in the specialists.

Phil Robinson is Principal Consultant at Prism Infosec

Image: Ideogram

You Might Also Read: 

Cyber Security Governance Is A Leadership Responsibility:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Helping CISOs Embrace Artificial Intelligence
Amazon Invests $2.75bn In AI Startup »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Data Security Council of India (DSCI)

Data Security Council of India (DSCI)

DSCI is a premier industry body on cyber security and data protection in India, committed to making the cyberspace safe, secure and trusted.

PrivateVPN

PrivateVPN

PrivateVPN is a Virtual Private Network services provider offering secure encrypted access to the internet.

Cyber Security Audit Corp (C3SA)

Cyber Security Audit Corp (C3SA)

C3SA specializes in architecting, operating, managing and improving defensible and resilient IT infrastructures for Canada's public and private sectors.

Grupo CFI

Grupo CFI

Grupo CFI is the largest Spanish network of data protection and cybersecurity professionals.

Cyber Threat Defense (CT Defense)

Cyber Threat Defense (CT Defense)

CT Defense specialize in penetration testing and security assessments.

Com Laude

Com Laude

Com Laude is a domain name management company that provides strategic consulting to help companies strengthen digital brand, safeguard customers & protect brand IP.

K2 Cyber Security

K2 Cyber Security

K2 Cyber Security delivers the Next Generation Application Workload Protection Platform to secure web applications and container workloads against sophisticated attacks.

Ultra Electronics

Ultra Electronics

Ultra specialises in providing application-engineered bespoke solutions. We focus on mission critical and intelligent systems in the defence, security, critical detection & control markets.

SIXGEN

SIXGEN

SIXGEN provides incident response, operational and penetration testing, red teaming, tool development, cyber training development and continuous monitoring.

Dectar

Dectar

Dectar (formerly 4Securitas) is a cybersecurity company that provides solutions that predict, detect, defend and react against cybersecurity threats.

Flotek

Flotek

Flotek is an IT & Comms service provider delivering SMEs with trusted, innovative and cost effective cloud technology, with confidence, clarity and clout.

Security Compliance Associates (SCA)

Security Compliance Associates (SCA)

The sole focus of SCA is safeguarding critical information and complying with information security regulations.

Lineaje

Lineaje

Lineaje solves critical Software Supply Chain security problems faced by every organization that builds, uses or sells software.

ARC Risk and Compliance

ARC Risk and Compliance

ARC Risk and Compliance is a consulting company comprised of a team of AML Specialists completely focused on anti-money laundering compliance and the technologies used to support compliance programs.

Tanzania Industrial Research and Development Organization (TIRDO)

Tanzania Industrial Research and Development Organization (TIRDO)

TIRDO is a multi-disciplinary research and development organization.

Cyber Dagger

Cyber Dagger

Cyber Dagger is a cybersecurity company driven by a mission to protect digital infrastructures and close the cybersecurity skills gap.