Why Is Security Reporting Still Failing?

Accountability is now a major force in cybersecurity. We’ve seen the Securities and Exchange Commission (SEC) hold the SolarWinds CISO, Timothy Brown, to account, accusing him of overstating cybersecurity practices and failing to disclose known risks, while Uber’s former CISO, Joe Sullivan, narrowly escaped going to jail for failing to disclose a breach. Stateside, the SEC introduced new incident reporting requirements with respect to timely disclosure last year and, closer to home, NIS2 will also introduce accountability requirements for corporate management in October, which could see them fined and banned or discharged from executing a managerial function.

What this means is that the pressure to communicate risk effectively to the board has increased enormously, yet it’s still an area that many struggle with.

From the CISO’s perspective, there’s a difficulty in communicating abstract concepts to a technically challenged board. According to the Voice of the CISO Report 2023, 62% believe cybersecurity expertise should be a board-level requirement to prevent this issue, which reveals that technical knowledge is lacking in the boardroom.

On the other side of the divide, a PwC Pulse Survey found only 32% of corporate directors say they are completely satisfied with the information they are given on cybersecurity, suggesting that the way information is imparted is impairing decision making. Another recent survey found only 69% said they see eye-to-eye with their CISO, and the Voice of the CISO report found only 51% of CISOs feel they have their board’s backing, compared to 71% the year before.
 
Resolving this disconnect will not be easy. Nearly a quarter (24%) of all UK businesses do not feel confident communicating cyber risk to directors, trustees and senior managers, according to the UK government’s Cyber security skills in the UK labour market 2023 report. Moreover, 35% said management understand neither the staffing needs nor the cyber risks facing the organisation. And 40% do not think their senior leaders understand when cyber security breaches need to be reported externally or the steps needed to manage a breach.

Failing to adequately communicate risk can negate any security gains and seriously undermine security initiatives and jeopardise budget.

Poor reporting also tends to over-emphasise statistical outcomes and how effective the business is at stopping attacks, rather than the acceptance of risk and a focus on resilience. After all, attacks are inevitable, and it’s how these are dealt with and their potential impact that matter. So, the problem for the CISO becomes one of educating the board and interpreting technical jargon, all before they can get on to the nitty gritty of how risk is being assessed.

It’s here that CISOs are making their biggest mistake, and it is during this stage that they will often lose their audience. The board will switch off when confronted by such intangibles as risk scores, matrices and vectors, even if those numbers are presented well. For them, it’s all about sustaining business as usual and preventing disruption. So, the most effective way to communicate cyber threats and mitigation is to focus on the risk to those business processes and the associated business impacts. Understanding the impact radius of a breach or attack provides the context needed to justify refining processes and controls.

For example, instead of using a “Red/Amber/Green” (RAG) status or numbers to indicate a perceived risk, reporting should focus on the actual outcomes of a risk occurring and what this would mean to the business in practical terms – in essence, the potential costs. This might be in the form of a loss of business, reputational damage, financial loss, or non-compliance and punitive measures, i.e. penalties. Such impacts are easier to relate to, and if the risk is more easily quantified and understood then it is much more likely to secure the resources needed to control it, which is ultimately the CISO’s goal.

Measurements do, of course, have a place, and being able to draw upon comparisons over time helps demonstrate the progress made. An example here might be assessing the cyber maturity of the business, which is typically evaluated against a risk framework such as the NIST CSF. It features six easily understood categories (identify, protect, detect, respond and recover, alongside the overall theme of governance), and the framework itself aims to “provide a common language for communicating inside and outside the organisation about cybersecurity risks, capabilities, needs and expectations”. In a maturity assessment, those six categories are rated on a sliding scale, with recommendations for improvement to move the business forward in its journey towards cyber maturity.

Conducted on a regular basis, this type of easily intelligible information can then help evaluate current provisioning and guide future spend and investment.

The maturity assessment is just a single – albeit important – facet when it comes to reporting to the board. In addition, CISOs usually provide routine updates on changes to the risk landscape and how these are being prioritised, on security incidents, and on projects and initiatives, delivered on a quarterly, six-monthly or annual basis. The RSAC Executive Security Action Forum (ESAF) delves into these other areas in more depth in its report, “What top CISOs include in updates to the board”, and provides some interesting insights into ways in which information can be conveyed more meaningfully, from using hypothetical scenarios to qualitative observations.

Interestingly, how the CISOs in the report present their information is usually determined by their accountability to the board. Those who believe they should show progress over time were more likely to rely on metrics, those focused on delivering results used a roadmap, and those looking to manage and prioritise risk tended to use a risk framework. Of course, the shift towards greater accountability is likely to see them need to deliver on all three fronts.

If we go back to the Uber case, however, Sullivan says there are some clear lessons to be learnt. He has since gone on record as saying the company did as advised, observing the terms of its Directors and Officers (D&O) Insurance policy which is supposed to indemnify senior management against prosecution in such scenarios. As specified in the data breach policy, the legal and communications teams were called, and the CEO kept informed. Their mistake, he says, was that the company didn’t call in a third-party investigator to review how the breach was handled, ensuring true transparency.

It's a situation that no CISO wants to be in but when it does happen, those communication skills and being aligned with the board can make all the difference. It gets both on the same page, is more likely to lead to effective decision making and to help make the call when the time comes to bring in the specialists.

Phil Robinson is Principal Consultant at Prism Infosec
