Whether you’re a brick and mortar retailer like Target, an e-commerce business like eBay, or independent software vendor like Adobe, nothing can damage a brand quite like a data breach. The fallout can include reputational damage, a decline in sales, diminished company valuation, and executive firings. Now for the good news. The current sensitivity in the C-Suite concerning data breaches is freeing up budget dollars for new information security initiatives and defense strategies. So let’s take a look at how reputation can be leveraged to convince the C-suite to invest more in security.
According to analyst reports, investment in IT security has remained low and was not one of the top ten IT budget initiatives in the last couple years. As a matter in fact, budget constraints led to degradation in core security capabilities for many organizations, putting them at an even greater disadvantage in the cyber war against hackers. In addition, Chief Information Security Officer’s standing in the C-Suite remains undervalued, as it is extremely rare to find a CISO who reports to the CEO. In return, CISOs often don’t have the necessary visibility and influence to lobby for changes in a company’s view of the risks associated with an underfunded security budget.
According to research by the Ponemon Institute, only six percent of security professionals surveyed indicated that they are able to communicate risk factors related to security effectively to senior management. To make things worse, 31 percent of respondents stated that the only time they engage with the C-suite is when a serious event has already occurred. Some organizations don’t even have a CISO in place.
The Target breach is a text-book example of how security shortcomings can affect a company’s reputation. Within days of reporting the details and scope of its data breach, and with every new piece of information revealed by the media, the retail giant’s reputation tanked, its stock price nose-dived, and eventually the company CEO Gregg Steinhafel was forced to resign. Target still hasn’t fully regained the trust of its customers and its value on Wall Street.
Since then, the company has taken a new approach to security. It appears many other companies are doing the same, to avoid becoming the next Target. This is good news for security professionals. There has never been a better time to lobby for more attention and better funding from the C-suite. However, before creating a wish list of new technology “wants”, it’s important to note that Target had invested in advanced security tools, which produced the necessary indicators that an attack was underway. It was Target’s inability to harvest the data in a timely fashion that led to the company’s demise.
Instead of focusing on a shopping list of new security tools, lead with a transformational approach to the organization’s security strategy.
Despite the fact that newer regulations (e.g., PCI DSS 2.0 and 3.0, NIST 800-137, FISMA, FedRAMP, SEC Cyber Guidance, OCC) are emphasizing a transition to a risk-based model, many companies are still using a compliance-based approach to security. The main drawback with compliance-oriented security is it does not take the business criticality of assets into consideration. Instead, compensating controls are applied generically and tested accordingly. Without a clear understanding of the business criticality that an asset represents to the organization, it is difficult to prioritize remediation efforts. A risk-driven approach addresses both security posture and business impact to increase operational efficiency, improve assessment accuracy, reduce attack surfaces, and improve investment decision-making.
There are three main components to implementing a risk-based approach to security:
Continuous compliance – includes the reconciliation of assets and automation of data classification, alignment of technical controls, automation of compliance testing, deployment of assessment surveys, and automation of data consolidation. With continuous compliance, organizations can reduce overlap by leveraging a common control framework to increase accuracy in data collection and data analysis, and reduce redundant as well as manual, labor-intensive efforts by up to 75 percent.
Continuous diagnostics – implies an increased frequency of data assessments and requires security data automation by aggregating and normalizing data from a variety of sources such as security information and event management (SIEM), asset management, threat feeds, and vulnerability scanners. In turn, organizations can reduce costs by unifying solutions, streamlining processes, creating situational awareness to expose exploits and threats in a timely manner, and gathering historic trend data, which can assist in predictive security.
Closed-loop, risk-based remediation – leverages subject matter experts within business units to define a risk catalog and risk tolerance. This process entails asset classification to define business criticality, continuous scoring to enable risk-based prioritization, and closed-loop tracking and measurement. By establishing a continuous review loop of existing assets, people, processes, potential risks and possible threats, organizations can dramatically increase operational efficiency, while improving collaboration among business, security, and IT operations. This enables security efforts to be measured and made tangible (e.g., time-to-resolution, investment in security operations personnel, purchases of additional security tools, etc.).
One of the leading factors for gaining acceptance and support from the C-suite is the ability to speak the same language as those that occupy the boardroom. To get executive buy-in, security professionals need to present data in terms business leaders understand. Metrics such as industry benchmarks or cost / losses to the business will resonate in the C-Suite. In this context, a risk-based approach to security is more aligned with corporate management agendas.
The current climate is ripe for implementing a transformational approach to security.