The ransomware threat posed by organized crime groups is considerable, and its impact can be devastating and threaten the entire business. This makes it imperative for boards to ensure the company has taken necessary cybersecurity precautions to resist the threat. Additionally, executives have seen the value of efficient infosec firsthand over the last eighteen months. The efforts security teams have made to keep businesses safely functioning during a global pandemic have been impressive, if not heroic.

Regardless of why the C-level is focusing on IT infrastructure and strategy, this interest presents an opportunity for security teams. I know this is true because over the last few years F-Secure’s board has been refining how we cooperate to make better decisions about our security posture and risk appetite.

At the core of this process has been the creation of questions we use to make the best use of our time together. When approached holistically and answered honestly, these queries allow us to understand if we are focused on the right things, whether we are achieving our goals, and where our gaps are.

Since we would have benefited by having a list to start with, we’re sharing five of ours now to help other organizations.

Start with the easier ones

Here are the first three questions that I expect board members to ask me whenever they get a chance:

• What are the key threats against your top assets?
• How do you protect your assets from cybersecurity threats?
• Whose responsibility is it to implement protections?

Questions that help CISOs and boards have each other’s back

Chief Information Security Officer

Capitalizing on the urgency companies have to launch new digital businesses, cybersecurity vendors create partnerships to close product gaps quickly. An understanding of how the new alliances can deliver results must be part of every CISO’s purchasing decision process. But partnerships can be something of a slippery slope.

Today, CISOs face the conflicting problem of securing operations while supporting business growth. IT and cybersecurity teams are stretched thin attempting to scale endpoint security for virtual workforces, while securing their customer identities and transactions. CIOs and CISOs are turning to vendors they rely on for immediate help. In turn, cybersecurity vendors’ quick fix is to create as many partnerships as possible to close product gaps and close the upsell or new sale.

What’s driving market demand is the pressure CIOs and CISOs have to deliver results. Companies’ boards of directors are willing to double down on digital business plan investments and accelerate them. According to the 2021 Gartner Board of Directors’ survey, 60% of the boards rely on digital business initiatives to improve operations performance, and 50% want to see technology investments deliver improved cost optimization.

Company boards have a high level of enthusiasm for technology spending in general and cybersecurity especially. As a result, Gartner predicts the combined endpoint security and network access market will be a $111 billion opportunity. For such cybersecurity companies, partnerships are a quick path to lucrative deals and higher profits.

Partnerships alone will not solve the conflicting demands for IT resources to secure a business while driving new business growth. They are not a panacea for the biggest challenges facing IT today. Trusting the wrong partnerships can cost millions of dollars, lose months of productive time, and even cause a new digital venture to fail. Due diligence of nascent cybersecurity partnerships needs to go beyond comparing partners’ financial statements and into the specifics of how multiple technologies are performing in actual, live scenarios today. Ten ways stand out as means to guide decision making.

10 ways to truth-test cybersecurity partnerships

Previous CISO related articles

CISOs library

The modern CISO

The role of CISO first emerged as organizations embraced digital revolutions and began relying on new data streams to help inform business decisions. As technology continued to advance and became more complex, so too did threat actors who saw new opportunities to disrupt businesses, by stealing or holding that data hostage for ransom.

As the years have gone by and cyberattacks have become more sophisticated, the role of the CISO has had to advance. The CISO has evolved from being the steward of data to also being a guardian for availability with the emergence of more destructive and disruptive attacks. The CISO also must be highly adaptable and serve as the connective tissue between security, privacy and ultimately, consumer trust.

The changing threat landscape

Previous blogs on CISO & vCISO

Related latest CISO and vCISO titles

Here are five signs that a virtual CISO may be right for your organization.

1. You have a lot to protect

Companies produce more data than ever, and keeping track of it all is the first step to securing it. A virtual CISO can identify what data needs to be protected and determine the negative impact that compromised data can have, whether that impact is regulatory, financial or reputational.

2. Your organization is complex

Risk increases with employee count, but there are many additional factors that contribute to an organization’s complexity: the number of departments, offices and geographies; how data is used and shared; the distribution of architecture; and the life cycle of applications, data and the technology stack.

A virtual CISO offers an unbiased, objective view, and can sort out the complexity of a company’s IT architecture, applications and services. They can also determine how plans for the future add complexity, identify and account for the corresponding risk, and recommend security measures that will scale to support future demand.

3. Your attack surface is broad

For many organizations, potential vulnerabilities, especially those that share a great deal of data within the organization, may not be obvious at first glance. Virtual CISOs can identify both internal and external threats, determine their probability and quantify the impact they could have on your organization. And at a more granular level, they can determine if those same threats are applicable to competitors, which can help maintain competitiveness within your market.

4. Your industry is highly regulated

Organizations in regulated industries like healthcare, finance, energy/power and insurance will have data that is more valuable, which could make them a bigger target for bad actors. Exposure is even more of a concern due to potential noncompliance. Virtual CISOs bring a wealth of expertise on regulatory standards. They can implement processes to maintain compliance and offer recommendations based on updates to applicable rules and regulations.

5. Your risk tolerance is low

An organization without a great deal of sensitive data may have a much greater tolerance for risk than a healthcare provider or a bank, but an honest assessment is important in determining how much risk each organization should accept. A virtual CISO can coordinate efforts to examine perceived and actual risk, identify critical vulnerabilities and provide a better picture of risk exposure that can inform future decisions.

Cybersecurity is growing more complex, and organizations of all sizes, especially those in regulated industries, require a proven security specialist who can address the aforementioned challenges and ensure that technology and processes are in place to mitigate security risks.

As Jack Jones, co-founder of RiskLens, tells the story, he started down the road to creating the FAIR™ model for cyber risk quantification because of “two questions and two lame answers.” As CISO at Nationwide insurance, he presented his pitch for cybersecurity investment and was asked:

“How much risk do we have?”

“How much less risk will we have if we spend the millions of dollars you’re asking for?”

To which Jack could only answer “Lots” and “Less.”

“If he had asked me to talk more about the ‘vulnerabilities’ we had or the threats we faced, I could have talked all day,” he recalled in the FAIR book, Measuring and Managing Information Risk.

In that moment, Jack saw the need for a way that cybersecurity teams could communicate risk to senior executives and boards of directors in the language of business, dollars and cents.

Some CISOs are still in the position of Jack pre-quantification – talking all day and delivering lame answers, from the board’s point of view.  Here’s a short guide to what they’re not saying – and how RiskLens, the analytics platform built on FAIR, can provide the right answers.

1.  I don’t really know what our top risks are 

I can ask a group of subject matter experts in the company to vote on a top risks list based on their opinions, but that’s as close as I can get. 

Top Risks is the first report that many new RiskLens users run, and it only takes minutes, using the Rapid Risk Assessment capability of the RiskLens platform. The platform guides you through properly defining a set of risks (say, from your risk register) for quantitative analysis according to the FAIR standard. To speed the process, the platform draws on data from pre-populated loss tables. The resulting analysis quickly stack-ranks the risks for probable size of loss in dollar terms, across several parameters.

2.   I can’t give you an ROI on the money you give me to invest in cybersecurity 

You see, cybersecurity is different from other programs you’re asked to invest in – it’s constantly changing and never-ending. You never really hit a point of success; you just chip away at the problem.  

With Top Risks in hand, RiskLens clients can dig deeper on individual scenarios and run a Detailed Analysis to expose the drivers of risk to see, for instance,  what types of threat actors account for the highest frequency of attacks or what classes of assets account for the highest probable losses. Then they can run the Risk Treatment Analysis capability of the platform to evaluate controls for their ROI in risk reduction.

3.  I can’t really tell you if things are getting better on cyber risk.

 I can show you our progress with compliance checklists and maturity scales, and I hope you’ll assume that’s reducing risk. 

While compliance with NIST CSF, CIS Controls, etc. is good and useful, these frameworks don’t measure performance outcomes in reducing risk – that takes a quantitative approach.  The RiskLens platform can aggregate risk scenarios to generate risk assessment reports showing risk across the enterprise or by business unit, in dollar terms – and to show risk exposure over time. It’s easy to update and re-run risk assessments, thanks to the platform’s Data Helpers that store risk data for re-use. Update a Data Helper, and all the related risk scenarios update at the same time – and so do the aggregated risk assessments.

4.  I can’t help you set a risk appetite. 

I don’t really know how much risk we have and am pretty much operating on the principle that no risk is acceptable.  

Boards should have a strong sense of their appetite for risk in cyber as in all fields, but qualitative (high-medium-low) cyber risk analysis only supports vague appetite statements that are difficult to follow in practice. On the RiskLens platform, a CISO can input a dollar figure for “risk threshold” as a hypothetical, and run the analyses to rank how the various risk scenarios stack up against that limit, making a risk appetite a practical target.

5. I don’t know how to align cyber risk management with the other forms of risk management we do.

Enterprise risk, operational risk, market risk, financial risk—I’ve heard their board presentations in quantitative terms. But cyber is just different.   

Quantification is the answer – reporting on cyber risk in the same financial terms that the rest of enterprise risk management programs employ finally gives the board what it wants to hear on cyber risk management. ISACA, the National Association of Corporate Directors and the COSO ERM framework have all recommended FAIR for board reporting. As an ISACA white paper said,

The more a risk-management measurement resembles the financial statements and income projections that the board typically sees, the easier it is for board members to manage cybersecurity risk…FAIR can enable the economic representation of cybersecurity risk that is sorely missing in the boardroom, but can illuminate cybersecurity exposure.

CISO’s latest titles

6 free cybersecurity tools for 2021

1: Infection Monkey

Infection Monkey is an open source Breach and Attack Simulation tool that lets you test the resilience of private and public cloud environments to post-breach attacks and lateral movement, using a range of RCE exploiters.

Infection Monkey was created by Israeli cybersecurity firm Guardicore to test its own segmentation offering. Developer Mike Salvatore told told The Stack: “Infection Monkey was inspired by Netflix’s Chaos Monkey.

“Chaos Monkey randomly disables production instances to incentivize engineers to design services with reliability and resilience in mind. We felt that the same principles that guided Netflix to create a tool to improve fault tolerance could be applied to network security. Infection Monkey can be run continuously so that security-related shortcomings in a network’s architecture can be quickly identified and remediated.”

The company recently added a Zero Trust assessment, as well as reports based on the MITRE ATT&CK framework.

Source: 6 free cybersecurity tools CISOs need to know about

CISO role is not only limited to understanding infrastructure, technologies, threat landscape, and business applications but to sway people attitude and influence culture with relevant policies, procedures and compliance enforcement to protect an organization.

#CISO #vCISO
Explore more on CISO role:

By: Melissa Musser, CPA, CITP, CISA, Risk & Advisory Services Principal, and Darren Hulem, IT and Risk Analyst The COVID-19 crisis, with a new reliance on working from home and an overburdened healthcare system, has opened a new door for cybercriminals. New tactics include malicious emails claiming the recipient was exposed COVID-19, to attacks on…Read more ›

Source: Consider a Virtual CISO to Meet Your Current Cybersecurity Challenges | GRF CPAs & Advisors

Small- to medium-sized nonprofits and associations are particularly at risk, and many are now employing an outsourced Chief Information Security Officer (CISO), also known as a Virtual CISO (vCISO), as part of their cybersecurity best practices.

vCISO model not only offers flexibility over time as the organization changes, providers are also able to deliver a wide range of specialized expertise depending on the client’s needs.

The vCISO offers a number of advantages to small- and medium-sized organizations and should be part of every nonprofit’s or association’s risk management practices.

Virtual CISO and Security Advisory – Download a #vCISO template!

Three Keys to CISO Success

CISO/vCISO Recruitment

What are enterprises seeking in their next CISO – a technologist, a business leader or both? Joyce Brocaglia of Alta Associates shares insights on the key qualities

What kinds of CISOs are being replaced? Brocaglia says that an inability to scale and a tactical rather than strategic orientation toward their role are two reasons companies are looking to replace the leaders of their security teams—or place them underneath a more senior cybersecurity executive. They are looking for professionals with broad leadership skills rather than a “one-trick pony.”

Today’s organizations want the CISO to be intimately involved as a strategic partner in digital transformation initiatives being undertaken. This means that their technical expertise must be broader than just cybersecurity, and they must have an understanding of how technology impacts the business—for the better and for the worse. And candidates must be able to explain the company’s security posture to the board and C-suite in language they understand—and make recommendations that reflect an understanding of strategic risk management.

CISOs who came up through the cybersecurity ranks are sometimes at a disadvantage as the CISO role becomes more prominent—and critical to the business. Professionals in this position will do well to broaden their leadership skills and credentials, sooner rather than later.

Source: CISO Recruitment: What Are the Hot Skills?



Interview with Joyce Brocaglia, CEO, Alta Associates

infographic via Rafeeq Rehman

PERSPECTIVES ON A ROLE

Cybersecurity Through the CISO’s Eyes

Cybersecurity CISO Secrets with Accenture and ISACA

Cybersecurity Talk with Gary Hayslip: Aspiring Chief Information Security Officer? Here are the tips

So you want to be a CISO, an approach for success By Gary Hayslip

Read how a virtual chief information security officer (vCISO) can help you uplift a struggling information security program.

Source: CISO or vCISO? The Benefits of a Contractor C-level Security Role

Webinar: vCISO vs CISO – Which is the right path for you?


CISO as a Service or Virtual CISO


The Benefits of a vCISO

Subscribe to DISC InfoSec blog by Email

The Adventures of CISO Ed & Co.

7 Types of Experiences Every Security Pro Should Have

Ten Must-Have CISO Skills

What CISO does for a living

CISOs and the Quest for Cybersecurity Metrics Fit for Business

CISO’s Library

Subscribe to DISC InfoSec blog by Email

When It Come Down To It, Cybersecurity Is All About Understanding Risk

Risk Management Framework for Information Systems

How to choose the right cybersecurity framework

Improve Cybersecurity posture by using ISO/IEC 27032

Cybersecurity Summit 2018: David Petraeus and Lisa Monaco on America’s cybersecurity posture

CSET Cyber Security Evaluation Tool – ICS/OT

Subscribe to DISC InfoSec blog by Email

Source: Ten Must-Have CISO Skills – By Darren Death

CISO should have answers to these questions before meeting with the senior management.

• What are the top risks
• Do we have inventory of critical InfoSec assets
• What leading InfoSec standards and regulations apply to us
• Are we conducting InfoSec risk assessment
• Do we have risk treatment register
• Are we testing controls, including DR/BCP plans
• How do we measure compliance with security controls
• Do we have data breach response plan
• How often we conduct InfoSec awareness
• Do we need or have enough cyber insurance
• Is security budget appropriate to current threats
•  Do we have visibility to critical network/systems
• Are vendor risks part of our risk register

 Subscribe in a reader

What CISO does for a living by Louis Botha

It’s based on the CISO mindmap by Rafeeq Rehman, updated for 2018 and adding the less technical competencies

CISO does for living

Download of What CISO does for a living (pdf)

CISO MindMap 2018 – What Do InfoSec Professionals Really Do?

• • Recommended titles for CISO
  • CISO’s Library
  • CISOs and the Quest for Cybersecurity Metrics Fit for Business

CISO should have answers to these questions before meeting with the senior management.

• What are the top risks
• Do we have inventory of critical InfoSec assets
• What leading InfoSec standards and regulations apply to us
• Are we conducting InfoSec risk assessment
• Do we have risk treatment register
• Are we testing controls, including DR/BCP plans
• How do we measure compliance with security controls
• Do we have data breach response plan
• How often we conduct InfoSec awareness
• Do we need or have enough cyber insurance
• Is security budget appropriate to current threats
•  Do we have visibility to critical network/systems
• Are vendor risks part of our risk register

 Subscribe in a reader

By Kevin Townsend

Never-ending breaches, ever-increasing regulations, and the potential effect of brand damage on profits has made cybersecurity a mainstream board-level issue. It has never been more important for cybersecurity controls and processes to be in line with business
priorities.

A recent survey by security firm Varonis highlights that business and security are not fully aligned; and while security teams feel they are being heard, business leaders admit they aren’t listening.

The problem is well-known: security and business speak different languages. Since security is the poor relation of the two, the onus is absolutely on security to drive the conversation in business terms. When both sides are speaking the same language, aligning security controls with business priorities will be much easier.

Well-presented metrics are the common factor understood by both sides and could be used as the primary driver in this alignment. The reality, however, is this isn’t always happening

Using metrics to align Security and Business: Information security metrics

SecurityWeek spoke to several past and present CISOs to better understand the use of metrics to communicate with business leaders: why metrics are necessary; how they can be improved; what are the problems; and what is the prize?

Demolishing the Tower of Babel

“While some Board members may be aware of what firewalls are,” comments John Masserini: CISO at Millicom Telecommunications, “the vast majority have no understanding what IDS/IPS, SIEMs, Proxies, or any other solution you have actually do. They only care about the level of risk in the company.”

CISOs, on the other hand, understand risk but do not necessarily understand which parts of the business are at most risk at any time. Similarly, business leaders do not understand how changing cybersecurity threats impact specific business risks.

The initial onus is on the security lead to better understand the business side of the organization to be able to deliver meaningful risk management metrics that business leaders understand. This can be used to start the process for each side to learn more about the other. Business will begin to see how security reduces risk, and will begin to specify other areas that need more specific protection.

The key and most common difficulty is in finding and presenting the initial metrics to get the ball rolling. This is where the different ‘languages’ get in the way. “The IT department led by the CIO typically must maintain uptime for critical systems and support transformation initiatives that improve the technology used by the business to complete its mission,” explains Keyaan Williams, CEO at CLASS-LLC. “The Security department led by the CISO typically must maintain confidentiality, integrity, and availability of data and information stored, processed, or transmitted by the organization. These departments and these leaders tend to provide metrics that focus on their tactical duties rather than business drivers that concern the board/C-suite.”

Drew Koenig, consultant and host of the Security in Five podcast, sees the same basic problem. “In security there tends to be a focus on the technical metrics. Logins, blocked traffic, transaction counts, etc… but most do not map back to business objectives or are explained in a format business leaders can understand or care about. Good metrics need to be tied to dollars, business efficiency shown through time improvements, and able to show trending patterns of security effectiveness as it relates to the business. That’s the real challenge.”

Williams sees the problem emanating from a lack of basic business training in the academic curriculum that supports IT and security degrees. “The top management tool in 2017 was strategic planning,” he said. “Strategic planning is often listed as one of the top-five tools of business leaders. How many security leaders understand strategic planning and execution enough to ensure their metrics contribute to the strategic initiatives of the organization?”

It is not up to the business leaders to learn about security. “The downfall for many CISOs in the past is believing that business needs to understand security,” adds Candy Alexander, a virtual CISO and president-elect of ISSA. “That is a mistake, because security is our job. We need to better understand the business, so that we can articulate the impact of not applying appropriate safeguards. The key to this whole approach is for the CISO to understand the business, and to understand the mission and goals of the business.”

for more on this article: CISOs and the Quest for Cybersecurity Metrics Fit for Business

CISO’s personal library on managing risk for their organization.

English: Risk mitigation action points (Photo credit: Wikipedia)

By Tracy Shumaker

In order for CISOs to stay relevant in their field today, they must add communication and soft skills to their list of capabilities. Traditionally, their role has been to take charge of IT security. Now CISOs oversee cybersecurity and risk management systems. They must manage teams and get leadership approval in order to successfully implement a system that aligns with overall business goals.

Speak in a common business language

The CISO will need to appoint both technical and non-technical individuals to support a risk management system, which requires communication in a language that everyone can relate to. Additionally, senior executives’ approval is required and this will involve presenting proposals in non-technical terms.
Being able to communicate and having the soft skills to manage people is a challenge CISOs face. For CISOs to reach a larger audience, they need to clearly explain technical terms and acronyms that are second nature and translate the cybersecurity risks to the organization into simple business vocabulary.

Get the tools to gain the skills

IT Governance Publishing books are written in a business language that is easy to understand even for the non-technical person. Our books and guides can help you develop the softer skills needed to communicate in order to successfully execute any cybersecurity or risk management system.

Develop your soft skills with these books >>

Discover the best-practice cyber risk management system, ISO 27001

This international standard sets out a best-practice approach to cyber risk management that can be adopted by all organizations. Encompassing people, processes, and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they face in the most cost-effective and efficient way.

Find more information about ISO 27001 here >>

Top Rated CISO Books

Further, a recent Sophos survey found that the average post-attack remediation costs, including lost business, grew to nearly $2 million per incident in 2021, about 10 times the size of the ransom payment itself.

CISOs and hands-on security professionals are implementing several tactics to defend their organization, and these include proactive threat hunting and technical defenses like multi-factor authentication.

While these practices are helpful, they are focused on preventing attacks from happening in the first place while the harsh reality is that it’s no longer a question of if hackers are going to get in, but when. With so much at stake, why are data recovery and restoration often put on the back burner of the security conversation when it could be the most valuable tool in the security arsenal?

Shifting the mindset: Backup is a priority, not a project

Cloud Backup A Complete Guide

Penetration testing has been one of the industries that are relatively slow adopters of automation. As security firms started automating many parts of the cybersecurity process including scanning and threat intelligence updates, security testing for some time was still mostly about traditional methods.

“In the past few years, the use of automation in many spheres of cybersecurity has increased dramatically, but penetration testing has remained stubbornly immune to it,” as noted CISO Alex Haynes explains in an article exploring the potential of AI replacing humans in this field.

This is perfectly understandable, considering that penetration testing needs to be thorough and supervised by experts. Many of its parts are repetitive, but they require the scrutiny of human cybersecurity professionals to be carried out effectively. AI and machine learning technology has yet to reach a level advanced enough to competently handle the complexities of security testing.

However, the past years have produced excellent examples of solutions that take advantage of automation. These pen-testing platforms employ automation in specific areas that make excellent sense. These existing solutions provide convincing evidence of the benefits of automation in this field of cybersecurity.

Table of Contents

• More effective cyber threat intelligence gathering and assessments
• Automated attack simulations and continuous testing
• Improved threat response through automated evaluation, prioritization, real-time reports, and guided responses
• Better penetration testing in virtually all aspects