It Takes a Village to Manage Cyber Risk

Posted on by Ryan Stolte

When it comes to defending against today’s most sophisticated criminals, it truly takes a village. And I don’t mean solely ensuring employees use strong passwords and avoid clicking on suspicious links. Security teams, line-of-business application owners and boards of directors all must proactively make security their business. Each stakeholder plays a role in ensuring the most severe threats are mitigated and most critical vulnerabilities are remediated, both of which are based on the value of the systems and applications at risk. That’s the only way to strengthen the state of the organizational security union.

So how does each of those stakeholders accomplish that task?

Let’s start with the security team, which includes CISOs and the security practitioners they manage. CISOs are like the quarterback of a football team. They facilitate the risk management process and rely on their team members to follow through. CISOs must design their security programs so that they center around the company’s crown jewels. Those are the assets that, if compromised, could cause the most damage to the company. It may sound rudimentary, but surprisingly many security teams are so focused on layering various siloed technologies to protect every application and network within their environment, they overlook the valued assets that need the most protection.

How can security teams protect their most valued assets if they do not know where those assets live? Security teams must first identify where their valued assets live and then the line-of-business application owners who govern them. Line-of-business application owners are not part of the security team, yet they’re in charge of the company’s crown jewels. Those individuals have the best understanding of the valuable assets under their governance, which includes who has permission to access those assets, how and when they access them, and other contextual information needed to effectively manage risk.

Incident responders in Security Operations Centers (SOCs) are inundated with countless threat alerts daily. They try to pull out the important ones that security tools label as high severity, yet because the alerts lack contextual information, responders don’t really know which ones are the most critical. They chase down threats that oftentimes turn out to be low in severity while the true high-severity ones slip under the radar. To remediate this problem, some alerts, particularly those generated from user behavioral analytics that represent anomalous activity surrounding valued assets, should automatically be sent to the line-of-business application owner in charge of the valued asset at risk. Application owners are more familiar with who typically accesses assets under their governance, so they would know whether the user activity is indeed suspicious. Only if the application owner confirms the user should not be accessing the asset would the alert go to the SOC marked as high severity.

Line-of-business application owners must also proactively play a role in the vulnerability lifecycle management process. After a scan, security teams receive an endless list of vulnerabilities within their infrastructure. Instead of just going through each one in no particular order, they should prioritize the list by matching the vulnerabilities to the value of the asset at risk. The vulnerabilities that could lead to a compromise of the company’s crown jewels should be automatically sent to the line-of-business application owner who governs that asset. That individual should then be held accountable for making sure the vulnerability is patched immediately.
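The alert-routing and vulnerability-prioritization workflow described in the two paragraphs above, as an added illustration that is not code from this post or from Bay Dynamics. The asset inventory, value tiers (1 to 5, with 4 and up treated as crown jewels), alert records and scanner findings are all constructed sample data.

```python
"""Risk-based triage keyed to asset value and application-owner review.
Added illustration; inventory, alerts and findings below are constructed."""
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    value: int                          # business-value tier, 1 (low) .. 5 (crown jewel)
    owner: str                          # line-of-business application owner
    usual_users: set = field(default_factory=set)

CROWN_JEWEL_TIER = 4                    # assumed threshold for "valued asset"

# Constructed inventory: the "where do the crown jewels live" step.
INVENTORY = {
    "payroll-db": Asset("payroll-db", 5, "hr-app-owner", {"alice", "bob"}),
    "wiki": Asset("wiki", 1, "it-owner", {"alice", "bob", "carol"}),
}

def route_alert(alert, inventory=INVENTORY):
    """A behavioral-analytics alert on a valued asset goes to its owner first,
    with a hint about whether the user is outside the asset's usual population."""
    asset = inventory[alert["asset"]]
    if alert["type"] == "anomalous_access" and asset.value >= CROWN_JEWEL_TIER:
        return {"to": asset.owner, "action": "confirm_access",
                "user_unusual": alert["user"] not in asset.usual_users}
    return {"to": "soc", "severity": "low"}   # everything else stays in the normal queue

def owner_decision(alert, confirmed_unauthorized):
    """Only an owner's 'this user should not be here' reaches the SOC as high severity."""
    if confirmed_unauthorized:
        return {"to": "soc", "severity": "high", "asset": alert["asset"]}
    return {"to": None, "severity": "closed"}

def prioritize_vulns(vulns, inventory=INVENTORY):
    """Rank findings by asset value first and scanner score second, and tag the
    owner accountable for patching anything that exposes a crown jewel."""
    ranked = sorted(vulns,
                    key=lambda v: (inventory[v["asset"]].value, v["score"]),
                    reverse=True)
    for v in ranked:
        asset = inventory[v["asset"]]
        v["owner"] = asset.owner if asset.value >= CROWN_JEWEL_TIER else None
    return ranked
```

Note that a 9.8-scored finding on the low-value wiki ranks below a 6.5 on the payroll database, which is the point of matching vulnerabilities to asset value rather than scanner score alone.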

Where do boards of directors play a part in all of this? 

If CISOs and their teams implement the risk-based approach I outlined above, the board will receive the cyber-risk data they need to make informed investment decisions. As a recent Osterman Research survey notes, 89 percent of board members say they are very involved in making cyber-risk decisions and 74 percent say cyber-risk information is reported to them weekly. Boards speak the language of risk. They want to know about the threats and vulnerabilities to companies’ most valued assets, how they were mitigated and what needs to be done to minimize risk to those assets. They want to see how their decisions have reduced risk over time by looking at metrics that are traceable and truthful. They can then make investment decisions accordingly.

Boards of directors also must hold CISOs accountable for successfully facilitating the risk-management process. If CISOs cannot take a risk-based approach to security that focuses on the company’s most valued assets, and if they cannot report their progress in a language that the board can understand, then they must face consequences. After all, a healthy cyber risk appetite begins at the top. 

Ryan Stolte

Co-founder and Chief Technology Officer , Bay Dynamics

Business Perspectives

security operations

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

