By Dave Venable
We all know that the traditional defenses your customers have deployed to prevent cyberattacks – including firewalls, antivirus software and intrusion-detection systems – are being outpaced. The proof is undeniable: Just in the past few months, we’ve seen dozens of organizations hit by catastrophic cyberattacks. In many cases, such as the U.S. Democratic National Committee and Yahoo, which lost personal data on a billion accounts, the affected organizations were for months unaware they had been compromised.
Why is it seemingly so easy for everyone from state-sponsored actors to lonely script-kiddies to waltz through costly defenses? Mainly because the tools used by cybercriminals today are measurably better and cheaper than what was available even a couple of years ago. Unconstrained by any central authority, legal regulations or budget limits, cybercriminals can double the effectiveness of their tools for half the money every few months — similar to the way Moore’s Law increases chip performance while driving down the cost to produce semiconductors.
That reality is driving many cyber-defense professionals to rethink the way they protect customers, and their own organizations. The tactics currently used by the majority of corporate IT teams just aren’t working. During my tenure at the National Security Agency and in my current role as VP of cybersecurity at Masergy, my view has been that every organization needs a well-defined security process that is standardized and repeatable.
Of course, standardization and repeatability have always been core to how solutions providers operate, and that familiarity can help convince customers that have been hesitant to outsource security. The fact is, the amount of time, money and effort needed by internal IT teams to maintain their current cyber defenses often precludes CISOs from stepping back and developing comprehensive corporate cybersecurity strategy — let alone brief the CEO and board of directors on security strategy and tactics.
It’s a vicious cycle that seems impossible to break: Cyber criminals know it’s hard for a CISO to make changes. But unless CISOs get motivated to take the steps needed to change, attackers can exploit weakness.
As an adviser with insight into the business, you’re in a position to help. Here are the four critical steps to align security strategies with business priorities, and in the process get much-needed support – and spending authority – from corporate board members.
1. Understand High-Priority Security Gaps
Help customer CISOs concentrate their efforts appropriately by identifying the biggest business risks to their particular companies. Consider common indicators of security threats that the organization may not be well-equipped to address. Can you help identify outdated security suppositions or poorly implemented capabilities that are due for an update? In a world where the assumption should be that every business is compromised, what is the critical data that must be protected?
2. Determine 3- to 5-Year Goals
Every business will evolve in that timeframe in terms of growth, globalization, workforce and likely everything else. Partners can help customers understand how technological and other changes will impact their risk profiles.
You don’t need to start from scratch. Leverage the NIST Cyber Security Framework, the ISO 27000 series, and the 20 different CIS Critical Security Controls in context. For a start, use CIS to help customers fulfill short-term security demands and defend against the highest-impact threats. Move up to meeting midterm goals by excerpting from ISO 27000 controls. You’ll have a head start, as about 44 percent of them map to the CIS model. For the long term, work to implement NIST controls.
3. Track Security Status
I’ve developed a security maturity model based on the industry-standard Capability Maturity Model (CMM), which measures five levels of progress across five spectrums of security: Policy, Technology, Human Factors, Risk and Vulnerability Management, and Support.
Level 1 identifies security as an individual effort. Level 2 represents repeatable efforts, and Level 3 indicates processes that are institutionalized across the organization. Level 4 represents managed functions, where you’re looking for areas to do continuous process improvements. Optimization is the focus at Level 5, where you’re looking to subtly tweak an already smooth-running environment.
To determine a customers’ status, grade the five CMM metrics (policy, technology, human factors, risk and vulnerability management and support). Score a measurement at zero points if they’re at Level 1, up to 20 points for Level 5 performance, for a total score of 0-100. Download a copy of the same worksheet I use to measure current CMM metrics with guidance on determining levels for each metric. View the video of a workshop I gave at Black Hat USA 2016 to learn more about this security model.
4. Share Security Progress with Business Leaders
Translate your security-infused language to something that makes sense to customer business leaders and boards. Give them the visuals about security status. Make sure your language conveys that your sole aim is to provide information to make decisions based on understanding the risks that security gaps present to business performance, funding and shareholder value.
Security integration shouldn’t be a DIY effort for partners, either. Leverage external expertise to help with gap analysis, risk assessment, consolidated views of a customer’s security posture and even managing your SOC. Outside specialists can be your best friend in this challenging effort.
David Venable is VP of cybersecurity for Masergy Communications, where he is responsible for protecting a global network infrastructure as well as advising multinational companies about protecting their vital digital assets. David is a former intelligence officer with the National Security Agency, with extensive experience in computer network exploitation, information operations, digital network intelligence, and cryptography.