Many corporate IT security experts feel frustrated that their field of expertise is treated as a low-category activity by the C-suite. But it is incumbent upon the security teams to demonstrate the value of security to the board in terms which company directors understand: key performance indicators and key risk indicators.
Frédéric Donnat, security expert and CTO at SecludIT (now part of Outpost24), says that many C-Suites think that an annual penetration test is sufficient to meet their due diligence obligations. “But that just isn’t the case,” Frédéric explains. “In the fast moving world of network security, we’re adding an average of 18 new vulnerabilities to our scan list every day. Right now, we scan for over 60,000 vulnerabilities.”
“And hackers are working round the clock, seven days a week, to probe businesses for weak spots. So a six-monthly pentest is going to be out-of-date for about 182 days, until the next pentest comes around.”
So how can security teams keep on top of the security threat, and demonstrate the value of security to the C-suite? “Automated, background, daily checks,” replies Frédéric, “combined with board level reporting that enables directors who aren’t necessarily tech experts to understand the problems, create an action plan, and measure the results. That fits the C-suite mindset of plan, implement, monitor.”
Follow the Facebook model and bake security into everything you do.
A recent article by Facebook security engineer Alejandra Quevedo (link below) explained how security is a board level priority for the world’s premier social network.
With 1.7 billion active users, Facebook is the world’s third most visited website (Google and YouTube take, respectively, the first and second places). “Imagine if Facebook were to be hacked,” says Frédéric, “it would make the half billion accounts that were compromised at Yahoo look like small change.”
And with up to 75% of consumers saying they would not forgive a company that allowed their details to be compromised, this means that - in theory at least - a mega hack could cost Facebook over a billion users. In short, the company would be finished.
That’s why Quevedo says that security is so important for Facebook that security teams have an input at the outset of developing features and services. On the subject of how to express the value of security to developers, Quevedo offers the advice: “Explain that your (security) team can help them avoid costly fixes — not by saying no to desired features, but by providing additional alternatives for risk-based decisions.”
By treating security as an integral part of our product life cycle strategy, we’re able to identify and prevent potential security issues at speed and scale. The ongoing partnership between security and product at Facebook was not dictated top-down by company leaders. Instead, it was forged by individual engineers and managers who recognized the opportunity to collaborate across the organization for improved performance, lower costs, and faster development cycles.
Facebook Security Engineer.
The shift from reactive to proactive security.
The Center for Internet Security (CIS; SecludIT is a CIS sponsor) has a five-point proactive security approach which, CIS states, can reduce the risk of successful cyber attacks by 85%.
- CSC 1: Inventory of Authorized and Unauthorized Devices.
- CSC 2: Inventory of Authorized and Unauthorized Software.
- CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers.
- CSC 4: Continuous Vulnerability Assessment and Remediation.
- CSC 5: Controlled Use of Administrative Privileges.
SecludIT’s Frédéric Donnat says that the company’s new KRI scanning and reporting capability is the simplest way for companies to assess their vulnerabilities and fast-track the CIS methodology.
Cyber security KPI and KRI reporting for the C-suite.
“When company directors read about hacks like Bank of Bangladesh, Target, Sony and, most recently, Yahoo, it raises their awareness of the potential cost of a network intrusion,” says Frédéric, “but it doesn’t help them understand how at risk they are, or what to do about it.”
“That’s why we developed a KPI and KRI feature for our market-leading Elastic Detector vulnerability audit software. Our KRI application deep scans a network for over 60,000 vulnerabilities and has four key advantages for the C-Suite and CISO:
- Metrics. Our KRI assigns a value to risks for key IT areas.
- The risks are prioritized, and presented in a format for the C-suite.
- There is also a remediation report for the CISO team, to fast-track fixes.
- Progress can be monitored by subsequent KRI scans, to measure the decreasing risk.
SecludIT has carried out over one million network scans for businesses around the world, and over 98% of those security audits identified vulnerabilities. And yet the SecludIT package is easily installed, can be run in a morning for most networks, and has no effect on network performance for employees and web-based consumers.
Proactive security. Research reports.
Harvard Business Review / How Cybersecurity Teams Can Convince the C-Suite of Their Value.
CIS / Center for Internet Security