How to develop a datadriven, risk-based cybersecurity program

Why read this white paper?

It’s an anecdote retold in a thousand and one security-conference keynote addresses and cited in a million and one articles about cybersecurity: The chief information security officer (CISO) shows up to brief the leadership and Board of Directors about the state of the company’s or agency’s cybersecurity. He or she breaks out a big black binder brimming with baffling metrics. Eyes glaze over as pie chart after pie chart of key risk indicators (KRIs) is reviewed, and people start checking their smartphones as page after page of scatter-plot charts is presented.

By the time the CISO gets to the appendix full of colorful histograms, the story goes, they’ve lost the audience—and quite possibly lost the confidence of leadership as well.

Being able to tell a meaningful, actionable, data-driven story about your organization’s cybersecurity posture is one of the most important skills a CISO can develop. But this white paper isn’t exactly about that. Instead, this paper aims to help securityprogram stakeholders and influencers—board members, C-suite executives, government officials and senior businessline managers—become more discerning and demanding consumers of security data so that they can more effectively contribute to their organization’s response to cyber risk.

As more organizations adopt a risk-based approach to cybersecurity, it’s critical that stakeholders and influencers ask for and get the data they need for strategic decision-making.

We need to talk.

Digital transformation has forced an entire generation of non-IT business and government leaders to become conversational, if not fluent, in the language of information technology. The relentless pace of digital transformation over the last 20 years— the advent of e-commerce, the sudden ubiquity of mobile apps and the routine integration of artificial intelligence into business processes—has permanently torn down the walls between “the business line” and IT departments. Product development, manufacturing processes, sales and service delivery, and customer retention—every last element of an organization is now deeply intertwined with and reliant on IT and the interpretation of data. Close collaboration between non-IT leaders and their IT peers has become commonplace as they work to drive the organization toward achieving its goals.

But collaboration between non-IT leaders and their organizations’ cybersecurity teams (long derided in some circles as “the Department of Saying No”) remains a pain point for many organizations. The EY Global Information Security Survey 2020 reported that 59% of surveyed organizations stated, “The relationship between cybersecurity and the lines of business is at best neutral, to mistrustful or nonexistent.” Furthermore, “cybersecurity is involved right from the planning stage of a new business initiative” in only 36% of surveyed organizations.

These survey results are troubling and are not dissimilar to the findings of many other surveys and industry reports that examined this dynamic.

That being said, non-IT executives have become keenly aware that the confidentiality of sensitive information, the integrity of data and the systems where that data resides, and the uninterrupted availability of both internal and customer-facing applications are as important to them as their balance sheets and profit-and-loss statements. But if the security team isn’t getting involved at the start of an initiative, or if the department has a “neutral” (or worse) relationship with the security team, it’s unlikely that the organization as a whole will achieve its strategic objectives.

Security data, when presented to stakeholders in an actionable business context, is key to closing the communication/relationship gap between program stakeholders and the CISO’s team.

But what kind of data, exactly?

Data, data everywhere

There is no shortage of data to be found in the realm of cybersecurity. Each time an employee logs in to the network, connects to an external website or attempts to access a database or shared file, or even when a suspicious inbound email gets quarantined, those actions create data that tells part of a bigger security story. Even the smallest of organizations is swimming in security data, simply by being open for business from 9 to 5.

But not all data is created equally, at least not as far as securityprogram stakeholders and influencers are concerned.

Some security data, such as raw event logs collected from security tools like email filters, firewalls, antivirus systems and web proxy devices, is rich in tactical, operational value. A 24/7 team working in an organization’s security operations center (SOC) may oversee the analysis of tens of millions of security events every year, with the assistance of complex analytical tools such as security information and event management (SIEM) systems. This type of data helps security analysts hunt for hackers, identify system vulnerabilities and calibrate cyber defenses accordingly. But this data is of little immediate strategic value to stakeholders. It’s when the CISO and his or her team start analyzing individual data points that they begin to extract information that’s actionable and relevant to program stakeholders. Here’s a simple but illustrative example: Explosive growth in the number of security alerts after a recent acquisition, merger or major project was initiated, the CISO and team seek funding for additional headcount or ask the board for additional capital investments to scale their SOC/SIEM operations.

That’s the kind of synthesized, contextualized data that securityprogram stakeholders—especially those overseeing the budget— should ask for and expect, instead of a big black binder bulging with raw metrics.

Listen to the data.

Outside the boardroom or councils of government, businessline managers and government leaders should regularly ask for and receive contextualized security data that helps them better understand and mitigate the risks specific to their operations. While the SOC team, by design, must sift through massive amounts of threat intelligence data to make tactical decisions, just a small amount of synthesized data can have a big impact on business-line managers’ decision-making.

Verizon’s annual Data Breach Investigations Report (DBIR), for example, analyzes the techniques behind tens of thousands of real-world security incidents and thousands of confirmed data breaches, boiling all that information down into insights that are easy to digest, actionable and industry specific. For example, year after year, the annual DBIR shows that healthcare is the only industry where insider threats outweigh external attacks. Healthcare managers can use this DBIR data to modify business processes that lend themselves to countering insider threats, such as sending personal health data by unsecured fax machine “because that’s the way we’ve always done it.” Knowing that, according to the 2020 DBIR, a large majority of reportable HIPAA violations are caused by deliberate employee misuse of his or her access to private health data, a healthcare businessline manager can invest in additional training and awareness programs to amplify messaging about the consequences of access abuse. The CISO can use that same data to justify deploying scarce resources to coordinate more frequent privileged access reviews.

Trust the data, not your feelings.

Smart organizations know that when it comes to cybersecurity, you simply can’t do it all, nor should you try. Though the methods of cyberattack appear limitless— every day it seems that a creative new hack leads the news—the resources needed to defend an organization are anything but limitless. Precious security resources must be deployed in a manner that mitigates cyber risks to levels acceptable to stakeholders across the entire organization. That’s data-driven decision-making.

The value of data-driven decision-making may seem obvious—who wouldn’t want data to help them make a good decision? But in many organizations, cybersecurity decision-making is still influenced by a dogmatic adherence to industry best practices and even sometimes by fear. Remember:

• Rigidly following set security-industry best practices can result in a security program that tries to protect against anything that can possibly happen, rather than what the data shows is more likely to happen. While there’s a feeling of safety in being able to say, “But we followed the best practices” after a data breach, that feeling is misguided. One size security does not fit all

• Headline-grabbing data breaches can spur panicky C-suite executives or agency leadership (under pressure from the board or other high-maintenance customers or constituents) to make resource demands on the CISO based solely on what they heard on the news, and not on actual data that quantifies the likelihood of interruption to their own companies. Don’t be that leader

Here are some additional examples: The DBIR—called “the gold standard” by Forrester Research—shows that certain industries are more prone to distributed denial-of-service (DDoS) attacks than others. With this DBIR data at hand, a CISO in such an industry could advocate for more investment in DDoS protection, while his or her business-line management peers can use the data to justify more frequent business continuity/incident response exercises in the face of that persistent DDoS threat. When the DBIR shows that a certain industry is highly likely to have its web applications attacked, the business-line or department manager who relies on the app can join forces with the CISO to help ensure that robust people-process-technology safeguards are in place, during app development and after launch.

“Listening” to data allows the security program to focus on likely threats rather than on a wide range of possible threats. A solid governance program that mandates frequent interaction and information exchange between the business lines or operational teams, and the security team fosters the development of that listening skill. This matters even more now that law enforcement, insurance companies, regulators and oversight entities routinely assess the degree to which an organization showed informed diligence in applying reasonable security measures to avoid breaches.

To read full download the whitepaper:
How to develop a datadriven, risk-based cybersecurity program


Previous articleThe Enterprise Guide to Scaling on Demand
Next articleThe Complete Guide to AWS Reserved Instances