FireEye Technical Briefing 19th March 2015 part 2

Ensuring Security is a boardroom imperative

This is a topic I’ve mentioned before, for security to be successful in a business it must be discussed, understood and supported at a boardroom level.  The below notes from this talk highlight some thoughts that very much align with my own around how we need to engage with the board to gain their buy in for security and security initiatives;

 

Security must be discussed with the board in business terms that they understand.

– need to consider your audience

– where do they get their knowledge from – e.g. non expert media and audit partners

– Consider things like Financial Integrity, Human Capital, Cash Flow Stability, Operations, Growth opportunities etc.

 

Educate that Compliance is not Security!

Note;

This is an absolutely key point for me, not just in relation to the board, there is often a perception at all levels of the business that meeting a compliance requirement equals security.  While there is definitely a place for regulations and compliance, I have had so many conversations where there is a push back on doing security right as a half way ouse to meet compliance requirements has already been planned or implemented.

My take is – Do security right and you’ll largely achieve complaint as well.  Do compliance and you will not be secure.

 

Do we understand their risk appetite?

– Do they actually know their own cyber risk appetite?

– Do they know how much cumulative risk they are carrying?

– These conversations need to happen..

 

Its about appropriate level of security.  Detection and incident response are key – you may / will be breached so this focus is critical.

We can’t deal in absolutes, it is about risk reduction and breaches being inevitable.

– Executives need to be brought on board with this mind-set.

 

Today’s Security paradigm;

– Breaches are inevitable

– Cyber security is mission critical, yet non core for the vast majority of organisations

– Your processes and response procedures must stand up to external scrutiny

– Security is a business risk issue, not a technology problem

– You need partners, not just products

 

Notes about current attacks;

– They are targeted

– Across EMEA, frequent attacks consistently seen in UK, Germany and Saudi Arabia – 5 countries account for about 60% of all attacks seen in these regions

– 4/5 of the largest EU countries by GDP are attacked across many verticals

– Government and Financial Services are targeted – 50%+ of all attacks across just 3 verticals

 

Spend is not a proxy for security.

 – Must do things right and have good processes as well as ther correct tool set

 

Security is like chess – complex but with a finite set of ‘moves’ – and remember the best people can still beat computers at chess!

 

Even if you do things right you may still be breached.

Need to raise Cyber Consciousness – guide your execs to quality reading and reporting, base on knowledge, not fear.

We must manage expectations, and define the win – base decisions on sound business rationale – such as the TFL DR plans for if Oyster compromised during peak times like Olympics or key football matches; These involved just opening the gates in the event of an issue and taking the potential hit for that day rather than interrupting key events

Successful Organisations…

– Don’t have changing stories – if breached be honest and consistent

– Can demonstrably prove diligence in responding to an attack

– Can articulate why we failed

– Are typically not afraid to talk about what happened in a more transparent way that builds confidence

– But need to be mindful of legal framework and ramifications

– Don’t take 200+ days to find an attack!

– Don’t wait for others to tell them about the attack – use good threat intel etc.

– Don’t let others control the disclosure

– Are able to withstand 3rd party inspection

 

Be bold, engage with your executives in terms they understand, do Security not Compliance, have great processes as well as tools, using intelligence and have great monitoring and incident response!

K

ISF congress post 6: Secure change by changing security

Secure change by changing security; how to express security value to boards so they make it part of their change strategies

Presentation by Jamie Rees from Government of New Brunswick Canada

The process they followed is outlines below, along with some thoughts for what you can do to make use of this process;

Define;

  • The Challenge – For them this was around multiple boards and ensuring the CISO has access to all of these
  • The executive office – CISO – Managed to get the CISO onto all the boards (health authorities, transport, education etc.)
  • For you – define your challenges in your business – not ensure board representation? Politics? Lack of budget?

Prepare;

  • What do we want to tell the the board?
  • How do we get ready to tell them?
  • They created roadshows, had one on one discussions, practiced a lot – eve practicing in the actual rooms they would present in, made point to appear very professional.
    • Also created hand outs, collaboration sites, follow on messaging, got involved in local security events to raise profile, research online and magazines – be prepared for surprise questions.  They even published an actual book of their architecture.
    • Everything they do is now vetted through the execs, no surprises on either side.  Security now has a dedicated security architecture slide on the government strategy and EA roadmap.
    • Utilised SOMIA – Strategy, Objective, Measure, Initiative, Action plans

Engage;

  • What do they want to hear?
  • Aligning what we want to say with what they want to hear!
  • They formalised the relationship between the risk and the outcome – link key operational items to the outcomes the board expect, this included results of threat and risk assessments, public body (ISF) health check results, number of outstanding security exceptions
  • The primary message is “risk exists and it threatens your expected outcomes in this way”
  • Bring Solutions!
    • The second message needs to be “if you are uncomfortable with the potential impacts on your outcomes, we have some solutions for reducing them”

Review;

  • What have we learned?
  • Welcome the regular 5-10 minutes on the board agenda over the 1 hour irregular meetings – this helps you become one of them, and keeps your issues at the top of their minds.
  • If they start talking amongst themselves – don’t interrupt, let them generate their understanding organically.  It is their meeting, not yours, don’t try to ‘get them back on track’

 

This all aligns with the ISF framework for board engagement;

Screen Shot 2013-11-04 at 11.28.25

 

In addition, the below is very worthwhile extra reading on this topic

Screen Shot 2013-11-04 at 11.34.22

 

https://www.isflive.org/docs/DOC-6311

You may need an ISF account to access this document.

This is valid information, and in line with other discussions on this topic.  The main message is that we need to understand the key issues and concerns of our board.  We then must translate security issues into language they understand and then relate these back to how they will impact the key concerns of the board.

K