Boardrooms are finally buzzing with serious discussion around cyber security. Massive loss as a result of countless high-profile breaches have executives asking more questions than ever. I call these people security obligated executives (SOE). They are being pulled into the fray of cyber security out of obligation, not by choice. They are forced to take ownership of the issue with little training and even fewer tools to help them. As a result, the SOE tries helplessly to make sense of the escalating litany of security threats.
Successful executives have always valued business information. They seek to obtain it, oversee it and execute plans based on it. However, those same executives hold an unclear view of their role as an SOE. What security information should they pay attention to? Should they receive briefings, reviews or dashboards to remain informed? Is a daily, monthly or quarterly security posture briefing appropriate? Is today's headline-grabbing attack something that should concern them? Are they properly spending to safeguard the organization? Should they know about all of the latest cyber attacks against their company? Should they even care? The answer is a definitive…maybe.
In the face of such potentially dire consequences, why such a vague answer? The answer is largely internal, not external. Executives must first understand their internal landscape, then apply an external backdrop to it.
For example, consider how you would traditionally monitor a stock portfolio. Even though all monetary news is somewhat linked, you would initially pay particular interest to those news events that have an impact on your key holdings while relying on macro indicators to understand overall market health. In other words, risk directly associated with your holdings captures your attention while risk associated with the market-at-large can be monitored via indices or other broader trending information. Likewise, understanding generic threats and vulnerabilities is important, but understanding which of these threats and vulnerabilities are aligned to key areas of the business is what should matter most to an SOE.
| “Successful executives have always valued business information.” – Michael Fey, SVP of advanced technology and field engineering at McAfee |
What should be protected determines what should concern the SOE. For example, key corporate resources – such as manufacturing floors, corporate research, trade secrets, merger and acquisition information, customer data, and employee records – may all be supported by different systems, carry different risk profiles and receive widely varying protection schemes. To start with, the SOE must get an inventory of those items that need protection. Unfortunately, most companies naively expect the security team to have clairvoyant insight into all of the key resources that the company holds dear. Rather, this is best determined by line-of-business (LOB) experts, not the security teams. It's likely that the LOB experts will not understand the backend systems which drive their business, nor will they know how to protect those systems. However, they will have a clear view on what resources are valuable in their business and can guide the SOE to those resources.
A successful security initiative must begin with the LOB experts. This is a surprisingly simple process and the approach I employ is called “Riches, Ruins and Regulations,” where the LOB experts are asked three simple questions:
- What company information or systems access could you leverage to get rich from?
- What company information or systems access could you leverage to ruin the company?
- What regulations must the company adhere to?
Essentially, by playing “Riches, Ruins, and Regulations,” we are asking the LOB experts to play hacker without needing to understand how to hack. By doing this you have aligned an understanding of the business that executives can comprehend and appreciate within a construct the security team can use to manage and mitigate risk.
Using this information, the security team can overlay supporting systems, their associated vulnerabilities, possible attack vectors and available countermeasures to provide a viable business-focused view that executives can digest. This allows the executive team to be able to judge the impact of a potential breach using this same common understanding. Executives are ill-equipped (and rightly so) to receive broad, technically-focused reporting around the potential attack landscape. Instead, they should have a window into the key areas of concern and the state of those areas. This approach allows executives to (finally) appropriately understand cyber security risk while allowing security teams to (finally) focus limited resources on the areas that matter most.
For too long, executives have been able to pass-off the acceptable risk profile of their company to their security team. Instead the security team should be provided key areas of risk and then focus their resources on protecting those assets fervently. However, in return, the security team must present the evolving risk landscape in terms of business impact that can be understood by the leaders of the business, not just the CISSP of the group. Companies that do this well will have the best security posture while remaining appropriate for the needs of the business, balancing cost, business impact and risk harmoniously.
