Secure? Says Who?

by | Feb 29, 2016

If you’re a board member concerned about cyber risk, you regularly ask “how secure are we from a cyber breach?” Is the answer delivered in technology metrics or a measurement of business risk?

“I’ve been in boardroom meetings where as soon as the CISO’s metrics presentation flashed on screen, eyes rolled heavenward and email was surreptitiously checked.”

Terri Curran

CGI Security expert, in TechTarget

Measuring and monitoring current practices vis-à-vis best practices and standards can ensure two things: (1) that cybersecurity efforts are focused on improving business practices, and (2) that technology deployment priorities are driven by business objectives. With this type of context, the board of directors is able to actively oversee the progress of the firm toward cyber maturity.

Directors pursuing their fiduciary duty of mitigating risk are increasingly frustrated. Despite an estimated $70 billion spent on cyber technology and services last year, the potential fallout from cyber breaches is increasing. In a recent NYSE survey of 276 public board members, 60% expect an increase in shareholder suits and 72% expect more regulation related to cyber risk governance.

Personal and corporate liability for breaches is a hot topic. The current buzzword in board discussions is “active engagement.” To protect the company in the event of shareholder suits after a breach, evidence must show that the company had been working diligently to mitigate cyber risk before the breach, and that the directors had been actively engaged in overseeing the process.

The realization that technology alone won’t solve the problem has led boards to seek third-party evaluations of their company’s cyber status. Most assessments are of two forms: (1) an evaluation based on an external examination of defenses, or (2) an internal audit by a large consulting firm.

The external evaluation is conducted by a technology firm that rates the company’s defenses by examining externally available data gained via its own testing combined with data from a variety of other sources. An internal audit is usually an expensive, disruptive process that deploys interviewers across the organization to answer hundreds of questions usually held in a proprietary spreadsheet. Each provides a point-in-time snapshot of the organization’s cyber readiness, based upon the judgment and expertise of the firm conducting the assessment.

Performing these evaluations resembles checking the safety of a house. The external assessment is like peeking in through the bathroom window to see what’s visible. The internal exam corresponds to taking a walk inside to check locks and how things are stored. While the first may point out current failings, the inside inspection gives a more comprehensive understanding.

In either case, the big question is “says who?” How can you know that what you’re being told is reliable? To what standard are the examinations being held?

Bodies of experts have developed and defined a number of cybersecurity frameworks. These highly regarded standards identify and describe measures that help an organization achieve greater cybersecurity through risk management. Although the standards bear different names (NIST, C2M2, ISO, HIPAA, PCI, etc.), they all share a common DNA. Each allows comparison of actual practice against best practices in order to highlight gaps that create unnecessary risk exposure.

The standards require the measurement and monitoring of what are known as “controls.” Simply put, a control is a policy, process, procedure, or technical safeguard that should be implemented to mitigate a specific risk. By monitoring hundreds of these controls, recording the state each one is actually in, and comparing those states against the requirements of the most rigorous standards, a company’s board and management can know how well the company is protecting itself against cyber risk. Some standards are general (e.g. NIST, C2M2, ISO), while others apply to specific industries.

Standard                                        | Governance                                                                              | Domain          | Purpose
NIST Cybersecurity Framework                    | National Institute of Standards and Technology                                          | All             | Gold standard for high-level reporting
C2M2 (Cybersecurity Capability Maturity Model)  | U.S. Department of Energy                                                               | All             | Integrates deeper reporting under the NIST Framework
ISO/IEC 27001:2013                              | International Organization for Standardization / International Electrotechnical Commission | All          | Certification of information security management systems
HIPAA                                           | Health Insurance Portability and Accountability Act (enforced by the HHS Office for Civil Rights) | Healthcare | Significant portion devoted to proper handling and protection of electronic records
FINRA cybersecurity guidance                    | Financial Industry Regulatory Authority (self-regulatory organization overseen by the SEC) | Financial     | Assess financial services firms’ approaches to managing cybersecurity threats
PCI DSS                                         | Payment Card Industry Security Standards Council                                        | Card Processing | Increase controls around cardholder data to reduce credit card fraud
FERPA                                           | Family Educational Rights and Privacy Act (enforced by the U.S. Department of Education) | Education      | Gives families control over the disclosure of information in their children’s education records

Assessments delivered without comparison to these standards are simply opinions. So the question of the day is this: if you’re being told that the right measures are being taken to improve the cybersecurity posture, ask yourself – says who?
