DEMYSTIFYING CYBERSECURITY STRATEGY AND REPORTING: HOW BOARDS CAN TEST ASSUMPTIONS

the tools to harvest valuable intellectual property. It's funded by organized crime and actors within nation-states that not only operate beyond any jurisdiction but also have access to billions of dollars of capital to invest in these criminal operations.

The robust cyber black market offers stolen goods—from credit cards to personal identities—in large quantities at reasonable cost. Sellers also offer money-back guarantees on the quality of their goods. Buyers can obtain tutorials for hacking or for using stolen data, and they can even hire subcontractors to do the dirty work.

It's not always about the money. From attacks based on sectarian hate between nation-states to sabotage by a bitter, laid-off employee, the motivations for hacking run deep and wide. Anger about environmental policies and resentment against the excesses of Wall Street are among other examples. Whatever their reasons, hackers are focused on stealing, disrupting, or destroying data every moment of every day. There are thousands of cyber criminals around the globe. They work around the clock, for free or for hire, on speculation or with a known purpose, trying to invent new ways to steal from or harm a company. They have the funding and technology to be not only persistent but also highly adaptable, and the barrier to replicating their cyber weapons is low compared with the physical world. They have the luxury of always being anonymous, always on offense, and seldom prosecuted.

Companies, on the other hand, are highly visible, and by virtue of being connected to the Internet must operate in an environment where being attacked by hackers is the norm. Companies must prevent, detect, defend against, and take on the threat without the luxury of knowing when they'll be attacked, by whom, or on what front.

A mature cybersecurity strategy prepares for and responds to this challenging environment. Breaking that strategy down into its core elements provides boards with a useful framework for discussing risk assumptions with the chief information security officer.

1. Determine what needs protecting and who holds the keys.

Companies begin their journey to resiliency by identifying and prioritizing the assets they must protect. What do cyber criminals want that they can get from us, and why? Do employees handle intellectual property that could make or break us competitively? Do we collect personally identifiable information that cyber criminals could sell to identity thieves? Do we store customer account information? How would someone take command and control of our infrastructure or systems?

It is equally important to know where those coveted assets are located. Many boards are surprised to learn that the information security team is fending off hackers across the entire enterprise, and even outside it: for example, in a supplier's network, on a home computer, or on an employee's iPad, where he or she just reviewed a proprietary schematic. Hackers are capable of scanning for vulnerabilities wherever someone connects to the Internet, and business leaders must operate under the assumption that even they are a target.

As with sensitive financial information, only those who need access to the assets should have it, and policies should be in place to ensure stringent controls. Administrator passwords are gold to cybercriminals, and increasing the number of people with access to them effectively multiplies the ways that hackers can attack.

2. Prevention is not an endgame.

It's tempting to think that we can eliminate breaches if we just put more effort into prevention at the front end, but information security professionals know that eliminating the possibility of a breach is an unrealistic goal in today's environment. Preventative tools such as firewalls play an essential role because they provide the first layer of defense: they "recognize" and stop the threats we already know about. As we already established, however, hackers are highly adaptive. No one piece of technology can provide a complete defense. A good security program assumes that at some point prevention will fail and the business will have to deal with threats in its network.

Detection then becomes the focus. Companies need the right technology, processes, programs, and staff to help them detect what has happened so that they can find the threat and respond more quickly to contain and eradicate it. The question is not if the hackers will get in but when. Board members may test this assumption by asking their security team, "Do we know if hackers are inside our defenses right now? How do we know when they get in?"

3. You can't defend with your eyes closed.

No one wants to be blindsided. If a company's security team can't "see" what is happening on the network and across all of the endpoints, such as workstations, point-of-sale terminals, and mobile devices, then the company will have little chance to detect or respond quickly to an attack when prevention fails. Visibility across the enterprise is an essential attribute of the cybersecurity strategy because it helps companies respond to unusual activity more quickly, reducing downtime and related costs.

Business leaders should know that having visibility means collecting large amounts of data from all of those places. Unfortunately, that data is useless if the security team doesn't have the bandwidth to analyze and act on it. The information security industry has responded to this problem, and services are available to manage the data, do the heavy lifting, and sort out what is actionable. The actionable data can then be fed back to the information security team to more efficiently zero in on the threats that need their immediate attention. Boards may ask whether their security team is managing all the data itself and, if so, whether it still has the bandwidth to focus on the actual threats.

4. Stay a step ahead: The future won't look like the past.

To stay one step ahead of the threat, an information security program should also be able to predict what the adversary will do next. To make financial predictions, business leaders apply internal and environmental intelligence to test assumptions. In the case of cybersecurity, security teams should apply "threat intelligence," which tells them the intent and capabilities of current, real-world hackers who may want to harm them. Gathered from a company's own environment and often supplemented with much broader environmental intelligence from a third party, threat intelligence can be applied to cybersecurity technologies and human procedures. As a result, the enterprise is able to anticipate the nature of forthcoming attacks and more effectively allocate limited resources to stop them.

Companies with the ability to predict can also defend earlier with less effort and recover faster when a breach occurs. When boards and management discuss metrics like breach frequency, response time, and potential impact, it's helpful to know whether the security team is applying threat intelligence to help them make their assumptions.

5. Educate and train vigilant employees.

One of the most important defenses against cyberattack is an informed, vigilant employee population. Employees and executives are often targeted with carefully crafted emails designed to be relevant to the employee's personal or work life. In reality, these phishing emails are often loaded with malicious code. One click by a less careful individual can deploy a cyber weapon into the company's network and execute various actions that shut down critical business functions or steal information and accounts. Similar tactics may be used over the phone to get employees to divulge confidential information such as client lists, which can then be paired with other stolen data to complete a set of stolen identities.

The bottom line is that human behavior is equally important as security technologies in defending against the threat. Boards should know whether employee awareness and training programs are in place and how effective they are. The best programs will simulate how hackers may trick an employee and provide on-the-spot training if the employee falls victim. An open dialog in these cases helps employees and the organization as a whole learn from mistakes. It also builds a culture of security awareness.

6. Organize information security teams for success.

Defending and responding effectively against cyber adversaries also depends on manpower and expertise. Technologies cannot be used to full advantage without highly skilled people to correlate, analyze, prioritize, and turn the data into actionable intelligence that can be used to increase resilience. A properly organized and staffed security team needs people with many different types of expertise and skills. It requires people to deploy the technologies, understand what the threats are, determine what hackers are doing, fix system and software vulnerabilities, and counter active threats. Although these professional capabilities are interdependent, they are not all interchangeable, and they require different training and certifications. Information security leaders also need the management skills to put the right governance processes and procedures in place, advocate for security requirements, and communicate risk to senior management.

Boards are encouraged to ask whether the security team has the bandwidth and manpower to respond to and remediate a crisis, as well as to handle day-to-day operations. Security teams should be organized to focus on what matters most—immediate threats—and other resources should be considered where there are gaps.

7. Measure effectiveness, not compliance.

It is impossible for a company to know how effective its security program is against real-world attackers unless it conducts real-world exercises to test its defenses. Compliance frameworks can improve rigor in many areas of cybersecurity, but it is folly to assume that following a compliance mandate (or even passing a compliance inspection) is commensurate with resilience. No matter how well architected a security program is against recommended standards, no two companies' environments are alike.

That's why it is so important to battle-test one's own environment. Network security testing emulates actual hackers using real-life tactics such as phishing to validate how well defenses work against simulated attacks. By learning how hackers penetrate security defenses, companies can determine actual risk and resource cybersecurity operations accordingly. Testing also helps companies meet compliance mandates. Compliance should be a by-product of an effective security program, not the other way around.

8. Emphasize process as much as technology.

Technology is only half the solution to making a company resilient. Breaches can occur as the result of human and process errors throughout the enterprise. Take the example of recent high-profile cases in which weaknesses in a supply chain or a business partner's security allowed hackers to access the parent company's network and do significant damage. Leading practice today is for companies to insist, by contract, that their business partners meet the same security requirements.

However, what if a business line leader fails to insist on contract requirements in the interest of going to market quickly? What happens when business enablement trumps security in the far reaches of the business, where people think, "No harm done"? Adequate checks and balances should be in place to ensure that IT security and business procedures are being executed, and policies should hold relevant business leaders and employees accountable for implementation. How do you know when procedure isn't followed? Real-world testing confirms not only the effectiveness of your defenses but also the process, policies, and procedures that keep those defenses in place, operational, and optimized for resilience.

element of cybersecurity, but it is a by-product of a good program, not the measure of effectiveness. Nor is it a guarantee of security, as illustrated by many recent high-profile breaches in which companies had already met the requirements for one compliance mandate or another.

Difficult decisions about funding can be made more easily by discussing how existing resources are allocated. Many business leaders fear that "we'll never spend enough," but experience shows that a pragmatic approach to funding the security program is to focus on effectiveness and prioritization:

Determine actual vulnerabilities by regularly testing defenses.
Detect the perpetrators more quickly by increasing visibility.
Predict and mitigate risks more quickly and efficiently by applying threat intelligence.
Apply time, attention, and funding accordingly.

Companies may also want to consider third-party providers to monitor, correlate, and analyze the massive quantity of data that a mature security program generates. This allows valuable, and sometimes scarce, human resources to focus on the actual threats. A reputable third party can also provide the testing that determines effectiveness and be a helpful validator of the program.

Armed with an understanding of what a mature security program looks like and how it plays out across the entire enterprise, boards will be better equipped to discuss the company's current strategy and inquire about the assumptions behind the metrics.