Addressing Cyber Security Strategically
By David L Stevens, CIO, Maricopa County
As the problem is becoming more and more prevalent, companies are trying to determine what they can and should do to reduce the likelihood or else they will be the next victim. The biggest problem is the lack of visibility associated with the root cause of the incidents, namely that most companies lack a cybersecurity strategy to execute against. In the Global State of Information Security Survey: Key Findings and Trends, published by Price water house Coopers, LLP (PwC), only 42 percent of respondents reported ever having an overall cyber security Strategy that the Board of Directors was aware of. Moreover, only 40 percent of Boards have endorsed a cybersecurity budget, to address this growing concern. It can be inferred from these statistics that most companies have no visible strategy nor do they support cybersecurity initiatives at a strategic level. The result is that the problem and associated solutions are not well understood, which will likely result in more and more issues over the coming years.
A Strategy addresses most problems by outlining an approach to meet long-term goals and objectives. Without a strategy and appropriate performance metrics to measure the results, there is no meaningful direction for an organization to achieve success. Using the statistics outlined in PwC’s report, 58 percent of Boards of Directors around the globe do not understand how they will address the cybersecurity risk. This may imply they are unaware that their organizations are vulnerable. A strategy that is visible to organizational leadership will ensure an understanding of the scope of the problem, as well as the action plan, that if executed will address the risk.
A good Cyber Security strategy starts by appointing someone to lead the function of Cyber Security for the organization
These leaders also need to understand the complexities associated with cyber security, which include the fact that all risks cannot be remediated. This is due to the fact that new vulnerabilities are being discovered daily, factored with human error and the need to have a public presence. Cyber security is then having the ability to reduce the likelihood of something happening, by implementing controls and mitigating known vulnerabilities.
A good Cyber Security strategy starts by appointing someone to lead the function of Cyber Security for an organization. The Cyber Security leader must be cognizant of how the risks and issues are communicated to the Board of Directors so as to not create unnecessary panic. This is accomplished by defining what Cyber Security is, through a vision statement that is easily understood. A vision statement might be that “the organization will identify, manage, and mitigate the risk of Cyber threats.” The next question is of course, how, which is derived through the statement itself. An organization must be able to identify cybersecurity threats and vulnerabilities, determine what to do about them, and take action to remediate the possibility of breach or reduce the impact of one. This logic will result in the establishment of a Cyber Security Monitoring capability to address the identification gap, creation of a Risk Management program to quantify the root cause of incidents realized and a Security Architecture capacity to implement processes and technologies to mitigate the root causes identified.
Addressing cybersecurity from this perspective ensures that Board members and senior organizational leadership understand that there is a need to identify, quantify, and remediate threats. With this understanding, there is buy-in and support to establishing programs to support these efforts. With the programs established, board members and senior executives will understand the need to support the resources and needs of them, in order to realize their benefits. These programs, however, need to include measurements, so that senior leaders can quantify success and failure. This is where cyber security leaders have to be willing to institute processes, which may put them in a compromising state. For example, if you report on the number of threats that have compromised the network, senior leadership will expect that their risks have been fully remediated. However, in cyber security, once the threat has been identified, the incident has likely already occurred. As a result cyber security leaders need to convey an understanding of what really needs to be done to address the root cause of an incident, namely through investment in technology, processes, and education that support the strategy.
Furthermore, demonstrating that there is a problem through measurements will result in investments into the portfolio of programs. These investments need to be measured and should always demonstrate support for the goals and objectives defined in the strategic plan. This ensures accountability for the cyber security organization as well as demonstrating the current state of risk posture that an organization maintains. The goal, in the end, is to reduce the likelihood that something will occur through the execution of strategic initiatives. Therefore, cyber security is really a risk management issue, whereby problems and issues are addressed by reducing the risk of their occurrence. With Senior Management recognizing that cyber security is a managed risk vs. one that cannot be completely eliminated, and the cyber security leader understanding that they must be accountable for what is to be accomplished, then the return on investments in the portfolio will be realized through a reduced risk profile.
Founded in 1871 in Phoenix, Arizona, Maricopa County offers employment, justice, health and wellness, and public safety services.
The Tao of Cyber Security in today's reality
Marc DeNarie, CIO, NaturEner USA & Canada
New Defensive Measures against HACKERS Efficiencies
Dawn Roth Lindell, CIO, Western Area Power Administration
Preventing Cyber-Attacks in Universities with Operational Collaboration
Michael Corn, Deputy CIO & CISO, Brandeis University
Ever-Changing Cyber Security of Business Community
Jim Sills, CIO/Cabinet Secretary, State of Delaware