Security Technology Executive

SEP-OCT 2018


SECURING THE GRID

also address insider threats. Failure to identify and mitigate insider risk can have significant consequences on an organization's customers, employees, business operations, legal exposure, reputation and bottom line. Moreover, security programs in many organizations are often bifurcated between physical and information assets rather than threat. These stovepipes can obscure the detection of potentially important insider risk indicators. Likewise, insider threats by definition have some level of authorized access. Detecting the misuse of authorized access involves a more nuanced capability set than detecting bright-line cases of unauthorized access, and thus requires focused planning.

• Resiliency. Since there is no such thing as risk elimination, resiliency (the ability to withstand and recover from an attack) becomes critical. Therefore, it is imperative for management to have a firm view and understanding of the effectiveness of preparedness, as well as response and recovery capabilities, for two reasons. First, being prepared helps limit the extent of actual harm to the company – consider how ransomware can cause massive damage if not rapidly contained. Second, management's ability to effectively manage a crisis – cyber or otherwise – serves as a proxy for its broader management capabilities and thus can influence a brand's reputation.

Years ago, in its 2012 Reputation Review Report, Oxford Metrica analyzed long-term market value impacts of major corporate crises (cyber and non-cyber) and found that "[a]t times of crisis, substantially more information is forthcoming on a company and, in particular, on its management, than is usually available. This new information is used by investors and other stakeholders to re-assess their expectations of future behaviour and performance."
The report went on to conclude: "It is in the first few days following an event that the market makes its judgement on whether a company is going to emerge as a Winner or a Loser." [11]

In addition to the above factors, four other issues often trip up organizations:

3. Operational Overwhelm

As operational capabilities to defend the organization are implemented, these capabilities can quickly become overwhelmed by the sheer volume of data on potential threats and vulnerabilities. Effective use of these tools is heavily dependent on risk-based prioritization – e.g., based both on the inherent risk of the asset in question and severity of threat.

4. Technology Dependencies

Cutting-edge security tools are of limited use without increasing maturity in management of the underlying technology environment. Conversely, effective technology management can help meaningfully reduce operational alerting through (1) security-conscious development processes, (2) strong visibility into devices, code and accounts active inside the organization's technology environment, as well as (3) compliance with secure baseline standards.

5. Stakeholder Alignment

Business leaders play a key role in advancing a security program. IT organizations often depend on line-of-business leaders to provide necessary funding and address customer-related impacts associated with new security controls. It is thus critical that line-of-business leaders understand and prioritize security risks and resources into their business plans. Business leaders also need to be prepared for their crucial role when addressing customers and the general public during a crisis situation. Indeed, major 2017 cyber incidents not only caused operational disruption, but also led to customer flight.
Equifax's 2017 earnings report noted that: "Certain of our customers have determined to defer or cancel new contracts or projects and others could consider such actions unless and until we can provide assurances regarding our ability to prevent unauthorized access to our systems and the data we maintain." [12]

Thus, to be successful, a security program should – as a foundational matter – articulate how it protects the customer against adaptive threats. This articulation represents a key opportunity for senior management and the board to align business, security and technology executives on the vision for the enterprise-wide security program.

6. Monitoring for Effectiveness

Controls without meaningful evaluation can decay over time, all the while affording a false sense of security. Likewise, a program must ultimately be measurable in some form to be managed. And yet such metrics can be confusing to management (e.g., what are the latest vulnerability management statistics telling us about our residual risk?). In our experience, it can be helpful to view programs through several lenses, including basic levels of visibility, risk-based hardening and vulnerability management trends, effectiveness against defined threat tactics, techniques and procedures, and business-centric security maturity.
