Connect with us

Hi, what are you looking for?


Management & Strategy

The New Driver of Security: Reputation

Whether you’re a brick and mortar retailer like Target, an e-commerce business like eBay, or independent software vendor like Adobe, nothing can damage a brand quite like a data breach. The fallout can include reputational damage, a decline in sales, diminished company valuation, and executive firings. Now for the good news.

Whether you’re a brick and mortar retailer like Target, an e-commerce business like eBay, or independent software vendor like Adobe, nothing can damage a brand quite like a data breach. The fallout can include reputational damage, a decline in sales, diminished company valuation, and executive firings. Now for the good news. The current sensitivity in the C-Suite concerning data breaches is freeing up budget dollars for new information security initiatives and defense strategies. So let’s take a look at how reputation can be leveraged to convince the C-suite to invest more in security.

According to analyst reports, investment in IT security has remained low and was not one of the top ten  IT budget initiatives in the last couple years. As a matter in fact, budget constraints led to degradation in core security capabilities for many organizations, putting them at an even greater disadvantage in the cyber war against hackers. In addition, Chief Information Security Officer’s standing in the C-Suite remains undervalued, as it is extremely rare to find a CISO who reports to the CEO. In return, CISOs often don’t have the necessary visibility and influence to lobby for changes in a company’s view of the risks associated with an underfunded security budget.

Managing IT RiskAccording to research by the Ponemon Institute, only six percent of security professionals surveyed indicated that they are able to communicate risk factors related to security effectively to senior management. To make things worse, 31 percent of respondents stated that the only time they engage with the C-suite is when a serious event has already occurred. Some organizations don’t even have a CISO in place.

The Target breach is a text-book example of how security shortcomings can affect a company’s reputation. Within days of reporting the details and scope of its data breach, and with every new piece of information revealed by the media, the retail giant’s reputation tanked, its stock price nose-dived, and eventually the company CEO Gregg Steinhafel was forced to resign. Target still hasn’t fully regained the trust of its customers and its value on Wall Street.

Since then, the company has taken a new approach to security. It appears many other companies are doing the same, to avoid becoming the next Target. This is good news for security professionals. There has never been a better time to lobby for more attention and better funding from the C-suite. However, before creating a wish list of new technology “wants”, it’s important to note that Target had invested in advanced security tools, which produced the necessary indicators that an attack was underway. It was Target’s inability to harvest the data in a timely fashion that led to the company’s demise.

Instead of focusing on a shopping list of new security tools, lead with a transformational approach to the organization’s security strategy.

Despite the fact that newer regulations (e.g., PCI DSS 2.0 and 3.0, NIST 800-137, FISMA, FedRAMP, SEC Cyber Guidance, OCC) are emphasizing a transition to a risk-based model, many companies are still using a compliance-based approach to security. The main drawback with compliance-oriented security is it does not take the business criticality of assets into consideration. Instead, compensating controls are applied generically and tested accordingly. Without a clear understanding of the business criticality that an asset represents to the organization, it is difficult to prioritize remediation efforts. A risk-driven approach addresses both security posture and business impact to increase operational efficiency, improve assessment accuracy, reduce attack surfaces, and improve investment decision-making.

There are three main components to implementing a risk-based approach to security:

Advertisement. Scroll to continue reading.

Continuous compliance –  includes the reconciliation of assets and automation of data classification, alignment of technical controls, automation of compliance testing, deployment of assessment surveys, and automation of data consolidation. With continuous compliance, organizations can reduce overlap by leveraging a common control framework to increase accuracy in data collection and data analysis, and reduce redundant as well as manual, labor-intensive efforts by up to 75 percent.

Continuous diagnostics – implies an increased frequency of data assessments and requires security data automation by aggregating and normalizing data from a variety of sources such as security information and event management (SIEM), asset management, threat feeds, and vulnerability scanners. In turn, organizations can reduce costs by unifying solutions, streamlining processes, creating situational awareness to expose exploits and threats in a timely manner, and gathering historic trend data, which can assist in predictive security.

Closed-loop, risk-based remediation – leverages subject matter experts within business units to define a risk catalog and risk tolerance. This process entails asset classification to define business criticality, continuous scoring to enable risk-based prioritization, and closed-loop tracking and measurement. By establishing a continuous review loop of existing assets, people, processes, potential risks and possible threats, organizations can dramatically increase operational efficiency, while improving collaboration among business, security, and IT operations. This enables security efforts to be measured and made tangible (e.g., time-to-resolution, investment in security operations personnel, purchases of additional security tools, etc.).

One of the leading factors for gaining acceptance and support from the C-suite is the ability to speak the same language as those that occupy the boardroom. To get executive buy-in, security professionals need to present data in terms business leaders understand. Metrics such as industry benchmarks or cost / losses to the business will resonate in the C-Suite. In this context, a risk-based approach to security is more aligned with corporate management agendas.

The current climate is ripe for implementing a transformational approach to security.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...