How Do We Know We're Secure?
“How do we know we’re secure?”
It’s a question I’ve been asked by senior leadership at every organization I’ve been. I typically reply “how do you guarantee you won’t get into an accident this year?” The answer is you don’t.
We assess risk everyday using our mental models of the world, then gauge items that deviate. When assessing information security, there is nothing different. One of the first things senior leadership should ask their information security leadership is “how” you measure risk, not “if” it exists.
There is no right answer, as responses will vary based on the leaders’ experience, industry vertical, and a variety of other factors such as geographic location. The point of the exercise is to ensure that a thoughtful approach is used. Some security experts may choose to assess risk solely leveraging their own experience. This is a mistake. As humans, we aren’t as objective as we may con ourselves into believing and gaps aren’t always where we think it is. This is where frameworks come into the picture.
You don’t want to be working on what the business cared about yesterday.
The purpose of a security framework is to help make cyber risk decisions, which pulls together a collective body of knowledge that is communally structured. Using a security framework will not only provide an unassailable approach to assessing organizational risk, but may also prove to be valuable in legal proceedings, ensuring that the organization has a defendable stance in managing cyber risk.
A well implemented cybersecurity framework should:
1. Provide the ability to describe risk at different levels, from the board room to the data center
2. Give common definitions and common point references to show progress over time
3. Be tailored for the organization at hand, tying back to organizational goals, as each organizational values confidentially, availability and integrity differently
Where do you start? Do you use ISO 27001 to cater to the international audiences, or perhaps begin with regulatory requirements such as PCI or HIPAA. Start out by finding out what matters to key stakeholders first, conducting research - then get started. Joining local security communities such as (ISC)2 and ISACA, which typically have decent chapters across the country, can be a great way to understand what your peers are doing.
One of the most common pitfalls is not involving enough feedback from stakeholders across business units. As even top CEOs don’t know every activity within their organizations, infosec partitioners can’t possibly know of every single organizational risk. Organizations will vary as to who has the final say, but the point is to ensure that a variety of viewpoints are assessed as part of the process.
Striking that right balance is no easy task; it’s comparable to getting tens of thousands of people to agree to a pizza topping. It’s a balancing act of not being too prescriptive, but not too loose and vague either. This is one of the reasons the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) is a framework that has been gaining traction in recent years due to its “goldilocks” balance. In addition to its wide implementation from U.S. Federal agencies, its ability to adapt to organizational priorities is making it one of the more popularity implemented frameworks, noted for its relative ease of implementation as well its ability to deliver actionable data. Despite being the one of the newer frameworks, the NIST CSF has had several areas where it is already beginning to show its age, particularly falling short around authentication for newer technologies such as with Application Programming Interfaces (APIs). This is an area where one may choose to bolster existing controls. That’s the beauty of frameworks.
Quantitative risk frameworks such FAIR (Factor analysis of information risk) are gaining in popularity due to their ability to tie back a dollar value to specific controls, e.g. not implementing anti-virus has a 15 percent chance to cost the organization $1.2 million dollars annually. However, due to the significant resourcing needed to support such assessments, initially and on an on-going basis, such risk frameworks are typically only feasible for larger organizations. As the quality of industry data becomes better aggregated, and the security industry continues to mature, this will likely be an area that will experience much improvement in the coming years.
Once a framework is established, ensuring it is continuously reviewed is key in ensuring that industry and organizational changes are reflected in the risk assessment. After all, you don’t want to be working on what the business cared about yesterday. When presenting results, know your audience. Some senior leaders respond better to stories, others to raw data. Understanding how leadership responds best will be critical in ensuring results are well communicated, which will lead to increased support for risk reducing initiatives.
Many may refute the use of framework as they maybe an imperfect solution. As the saying goes “risk frameworks are the worst way to manage organizational risk…except for every other way.”