Today’s CISOs And Other Security Leaders Must Translate Cybersecurity Threats Into The Language Of Business Risk

We live in the era of the digital business, which operates on a complex, dynamic, and highly fragmented matrix of on-premises, cloud, and hybrid infrastructure, applications, data, mobile, internet of things (IoT), and IT/OT converged systems. Every digital business must protect this sprawl of interconnected technologies that make up the modern attack surface. Yet for all the industry’s cybersecurity advances and investments, there is a massive disconnect in how businesses understand and manage cyber risk.

Digital transformation has woven the threads of intellectual property and technology together. The modern CISO can no longer focus on just one thread; they must advocate for the security of both the technology and the business, evolving from a technology expert to a business-aligned security leader.

1- Cybersecurity threats thrive amid a climate of uncertainty, making them a topic worthy of board-level visibility. Most executives (94%) say their firms have experienced a business-impacting cyberattack or compromise within the past 12 months, that is, one resulting in a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property. Roughly two-thirds (65%) say these attacks involved operational technology (OT) assets.

2- Business leaders want a clear picture of their organizations’ cybersecurity posture, but their security counterparts struggle to provide one. Just four out of 10 security leaders say they can answer the question, “How secure, or at risk, are we?” with a high level of confidence.

3- There is a disconnect in how businesses understand and manage cyber risk. Fewer than 50% of security leaders are framing the impact of cybersecurity threats within the context of a specific business risk.
Only half (51%) say their security organizations work with business stakeholders to align cost, performance, and risk reduction objectives with business needs. Four out of 10 (43%) report they regularly review the security organization’s performance metrics with business stakeholders.

4- Cybersecurity needs to evolve as a business strategy. This can’t happen until security leaders have better visibility into their attack surfaces. Just over half of security leaders report that their security organizations have a holistic understanding and assessment of their firms’ entire attack surfaces, and fewer than 50% state that their security organizations are using contextual threat metrics to measure their firms’ cyber risk. This means their ability to analyze cyber risks and to prioritize and execute remediation based on asset criticality and threat context is limited.

The Future Belongs To The Business-Aligned Security Leader

When security and business leaders are aligned on agreed-upon contextual data, they deliver significant, demonstrable results:

1- Business-aligned security leaders are eight times as likely as their more siloed peers to be highly confident in their ability to report on their organizations’ level of security or risk.

2- Most execs at business-aligned organizations (80%) report having a business information security officer (BISO) or similar title, compared with only 35% of their less-aligned counterparts.

3- Business-aligned security leaders are also more likely than their more reactive counterparts to have a defined benchmarking process: 86% have a process that clearly articulates expectations and demonstrates continuous process improvement relative to peer companies and/or internal groups, compared with just 32% of their non-aligned peers.

4- Business-aligned security leaders outpace their more reactive and siloed counterparts in automating key vulnerability assessment processes by margins of +49 to +66 percentage points.
5- 85% of business-aligned security leaders have metrics to track cybersecurity ROI and impact on business performance, versus just 25% of their more reactive and siloed peers.

To achieve alignment, CISOs and other security leaders need the right combination of technology, data, processes, and people.

Cybersecurity Threats Thrive Amid A Climate Of Uncertainty

We struggle to predict the future, now more than ever. Even the nature of work is shifting rapidly and without warning. But in this time of uncertainty, there is one thing enterprises can count on: cyberthreats will proliferate, exposing every organization to significant business risk. Nearly every security and business leader says their organization has experienced a business-impacting cyberattack or compromise within the past 12 months, i.e., one resulting in a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property. Nearly half weathered five or more attacks. Further, more than two-thirds of executives say business-impacting cyberattacks have increased over the past two years, a grim trend that roughly eight out of 10 executives expect will continue over the next 24 months.

Enterprises Battle Many Forms Of Business-Impacting Attacks

Enterprises are not only combating a greater number of cyberattacks; the types of attacks are also more varied, with the average organization experiencing five different methods of attack. According to the executives we surveyed, fraud, data breaches, ransomware, and software vulnerabilities were among the most common types of attacks executed on enterprises over the past 12 months. Despite being just months into 2020, a surprising 41% of execs say their organizations fell victim to pandemic-related malware or phishing, making it the No. 1 mode of compromise.
Loss Or Compromise Of Data Tops The List Of Business-Impacting Events

Organizations rarely emerge unscathed from a cyberattack, and respondents’ organizations are no exception: just 1% of business and security leaders say the attacks and compromises of the past year have had no impact. While loss of productivity, financial loss, and identity theft are among the top consequences of attacks, over one-third of surveyed executives reported a loss of employee or customer data, and 31% experienced compromise of other confidential data.

Business Leaders Want A Clear Picture Of Their Firms’ Cybersecurity Posture

Security leaders are called upon to keep business leaders and board members apprised of their organizations’ threat posture, but many struggle to arrive at an answer themselves, let alone communicate it accurately. Our study revealed that just four out of 10 security leaders can answer the question, “How secure, or at risk, are we?” with a high level of confidence. Further, a whopping 66% of business leaders are, at most, only somewhat confident in their security teams’ ability to quantify their organizations’ level of risk or security. In the current climate of uncertainty triggered by the global COVID-19 pandemic, digital business clearly requires a new way to measure and manage cybersecurity as a strategic business risk.

There Is A Disconnect In How Businesses Understand And Manage Cyber Risk

Reactive, siloed, and tactical security strategies hinder security leaders’ ability to get a clear picture of their organizations’ cybersecurity health and an understanding of which threats pose the greatest business risk. The study revealed a core issue: cybersecurity initiatives are seldom aligned with business objectives. Security leaders are challenged to prioritize where they focus, not just when it comes to vulnerabilities but across their entire cybersecurity strategy.
When this strategy is disconnected from business goals, the message of risk is often lost in translation.

Business And Cybersecurity Strategies Are Seldom On The Same Page

Six out of 10 business executives report their security leaders are, at best, only somewhat effective in communicating the risk cybersecurity threats pose to their organizations. So, what’s the disconnect? The study revealed:

• Just 54% of security leaders and 42% of business executives say their cybersecurity strategies are completely or closely aligned with business goals.
• Fewer than half of security leaders consult business executives all the time or very frequently when developing their cybersecurity strategies.
• On the flip side, four out of 10 business executives rarely, if ever, consult with security leaders when developing their organizations’ business strategies.
• Just 47% of security leaders say they always or very frequently consider business priorities when defining cybersecurity priorities.
• Fewer than half of security leaders are framing the impact of cybersecurity threats within the context of a specific business risk.

Security Leaders Need To Speak The Language Of Business Risk

• “For the business leaders, money’s the currency — literally and figuratively. That will [make risk] resonate for them. The technical needs to go out the window entirely. No one understands it; no one cares. They care about dollars to their bottom line.”
• “[Business leaders] have the capability but not the know-how. . . They don’t understand the value [of cybersecurity] unless it’s in their language. They don’t own the risk because they don’t understand it belongs to them.”
• “You need to message it to [business executives] so they receive it. At the same time, don’t sell them fear — fear shuts people off. They say, ‘You’re full of it, you’re paranoid, you’re crying wolf. No way.’ If you start saying, ‘We probed your system and we found these holes,’ that becomes real.”
• “If you’re going to sit in the C-suite and talk about what you’re doing, if you’ve lined it up with what the organization has committed to being its key objectives, then that conversation will be easier.”
• “If you address the high-priority business risks and align your security program with those, you’re going to get a lot more buy-in from the executive team.”

Security Leaders Have An Incomplete Picture Of Their Attack Surfaces And Criticality Of Assets

To be effective strategic partners to the business, security leaders must have a holistic understanding of their entire attack surfaces within the context of business risk. And while these leaders have been given the remit to manage risk across the entirety of their organizations’ critical assets, ecosystem complexity and limited visibility hinder their efforts.

CONVEYING THE LEVEL OF BUSINESS RISK IS DIFFICULT DUE TO THE COMPLEXITY OF THE MODERN ATTACK SURFACE ENTERPRISES MUST PROTECT

Security organizations must protect a dynamic and highly fragmented matrix of on-premises, cloud, and hybrid infrastructure, applications, data, mobile, IoT, IT, and OT systems, not to mention employees, contractors, and third-party partners. Not only did the pandemic force organizations to rethink how they do business, but it also made the job even more challenging for security teams: 64% of execs say their organizations currently include remote and/or work-from-home employees in their attack surfaces. In fact, 67% of leaders are very or extremely concerned that COVID-19-related workforce changes will further increase their organizations’ level of risk.
AN INCOMPLETE VIEW INTO ENTERPRISE ASSETS PREVENTS A HOLISTIC UNDERSTANDING OF RISK

Limited visibility into assets beyond the traditional perimeter makes it difficult for security teams to comprehensively assess risk: employees, partners, and contractors, as well as mobile and IoT technologies, expose enterprises to considerable risk. The study found:

• While roughly 70% or more of security leaders say they have high or complete visibility into their organizations’ applications, data, IT, and cloud platforms, just six out of 10 have a similar level of visibility into OT, IoT, and mobile devices.
• Six out of 10 report high or complete visibility into on-premises employees to assess risk, but only 52% can say the same when employees are remote or working from home.
• Security organizations have limited visibility to assess the risk posed by contractors and third-party partners and vendors, with just 51% and 55%, respectively, reporting high or complete visibility into these parties.

As a result, few security leaders have a holistic understanding of their organizations’ attack surfaces and most critical assets.

Security Leaders Lack Confidence That Current Tools Can Predict Business-Impacting Cybersecurity Threats

Security leaders must ensure their organizations are prepared to tackle oncoming threats, but many lack the technology, data, and processes to do so. Over half of security leaders lack confidence that they have the technology or processes to predict cybersecurity threats, and roughly two-fifths are unsure they have the necessary data. This could, in part, be due to a lack of vulnerability management (VM) process automation: no more than half of security leaders say they have significantly automated VM assessment processes. Of note, only 44% of security leaders apply business risk management objectives to vulnerability prioritization practices. Additionally, three out of 10 security decision makers say their firms still primarily use manual reviews of spreadsheets to track cybersecurity performance.

Cybersecurity Metrics Often Lack Business-Risk Context

Few security organizations use threat metrics that speak to business risk. At the heart of the issue is a lack of partnership between security and business leaders to ensure that cybersecurity metrics and objectives are aligned with business priorities. The study revealed:

• Only half of security leaders say their security organizations work with business stakeholders to align cost, performance, and risk reduction objectives with business needs.
• Four out of 10 report they regularly review the security organization’s performance metrics with their business counterparts.

A Limited Approach To Benchmarking Makes It Difficult To Communicate Business Risk

Many security leaders fall short when benchmarking their cybersecurity programs against external data, or even against internal peers. Benchmarking against industry frameworks can be useful, but it may be highly qualitative and limited by the scope of the database used; fewer than half of security leaders consider the industry benchmarking frameworks they use to be very effective in accurately reporting on business risk. Security organizations also lack consistent proficiency in benchmarking security practices. While over half of security leaders give themselves good marks for internal benchmarking practices, just 46% rate their capability to benchmark cybersecurity practices against external peers as good or excellent. Similarly, fewer than half say they are doing an adequate job benchmarking their security controls.

Cybersecurity Needs To Mature As A Business Strategy

Cybersecurity cannot be merely activity-based defense. Today’s digital business requires a new way to measure and manage cybersecurity as a strategic business risk.
This new approach needs to be focused on both understanding the current risk posture and predicting the greatest threats to the business. These insights empower more informed risk-based decisions and focus security on what matters to the business.

We asked security leaders to rate their security practices across various areas of oversight, technology, process, and people, areas based on a proactive, predictive approach to cyber risk that is aligned to the business. The study found that security leaders who excel in these areas are much better equipped to speak the language of business risk. These business-aligned security leaders are eight times as likely as their more siloed peers to be highly confident in their ability to answer the question, “How secure, or at risk, are we?”

Business-Aligned Security Leaders Manage Cybersecurity As A Strategic Business Risk

So what sets business-aligned security leaders apart from their more reactive and siloed peers? Our study revealed that:

• BUSINESS-ALIGNED SECURITY LEADERS ARE MORE LIKELY TO ALIGN CYBERSECURITY INITIATIVES WITH BUSINESS OBJECTIVES. Business-aligned security leaders ensure their strategies are in lockstep with business priorities. They collaborate with business leaders not only to develop strategies and metrics to support organizational goals but also to inform, set, and make decisions related to business strategies. To that end, eight out of 10 business-aligned security leaders say they have a business information security officer (BISO) or similar executive to ensure each line of business works to minimize risk, maximize protection, and increase the value of the organization’s business information assets.

• BUSINESS-ALIGNED SECURITY LEADERS HAVE A COMPREHENSIVE VIEW OF THEIR ORGANIZATIONS’ ATTACK SURFACES AND MOST BUSINESS-CRITICAL ASSETS. It’s difficult, if not impossible, to accurately determine the degree to which your organization is secure or at risk without a full understanding of your attack surface and asset criticality. Business-aligned security leaders not only are far more likely than their more siloed counterparts to have a holistic understanding of their organizations’ entire attack surfaces, but they also have better visibility into the security of their most critical assets. This knowledge informs their approach to remediation, where a combination of asset criticality and vulnerability criticality factors into prioritizing remediation efforts.

• BUSINESS-ALIGNED SECURITY LEADERS ARE MORE CONFIDENT THEY HAVE THE NECESSARY RESOURCES TO IDENTIFY AND PREDICT THREATS. Attempting to communicate business risk when you lack confidence in the tools at your disposal can be a futile effort. Yet few reactive and siloed security leaders are completely or very confident they have the technology, processes, and data to identify the risk level that cybersecurity threats pose to the business. Conversely, roughly eight in 10 business-aligned leaders are highly confident they are well equipped across all three of these areas. Similarly, while more than six out of 10 business-aligned security leaders are highly confident they have the technology, processes, and data to accurately predict the likelihood of a cybersecurity threat impacting the business, fewer than half of their more reactive peers can say the same.

• BUSINESS-ALIGNED SECURITY LEADERS TAKE A PROACTIVE APPROACH TO VULNERABILITY ASSESSMENT BY AUTOMATING KEY PROCESSES. Malicious actors are continuously finding new ways and opportunities to infiltrate businesses, as illustrated by the wave of COVID-19-related malware and phishing attacks. Security leaders cannot afford to sit back and react to the next attack; they must shift their approaches from reactive to proactive. Business-aligned security leaders outpace their more reactive and siloed counterparts in automating key vulnerability assessment processes by margins of +49 to +66 percentage points.

• BUSINESS-ALIGNED SECURITY LEADERS WORK WITH BUSINESS STAKEHOLDERS TO ENSURE CYBERSECURITY OBJECTIVES AND METRICS ALIGN WITH BUSINESS NEEDS. Cyber risk management has long been measured based on tactical efforts and technical cybersecurity metrics. But to proactively manage cybersecurity risk and drive better decisions, security leaders must standardize on metrics that speak to business risk. Business-aligned security leaders don’t define metrics in a vacuum: they are six times as likely as their more siloed counterparts to review performance metrics with business stakeholders. Eight out of 10 say they partner with the business to ensure close alignment on cost, performance, and risk reduction objectives, compared with just 16% of their peers.

• BUSINESS-ALIGNED SECURITY LEADERS BENCHMARK BOTH THEIR INTERNAL AND EXTERNAL CYBERSECURITY PERFORMANCE. It’s difficult to gauge the maturity of your cybersecurity program if you aren’t benchmarking it both internally and against external peers. Business-aligned security leaders are more likely than their more reactive counterparts to have a defined benchmarking process: 86% have a process that clearly articulates expectations and demonstrates continuous process improvement relative to peer companies and/or internal groups, compared with just 32% of their reactive and siloed peers. This results in stronger internal and external cybersecurity benchmarking capabilities: business-aligned security leaders outpace more reactive leaders by margins of +15 to +47 percentage points.

• BUSINESS-ALIGNED SECURITY LEADERS DEMONSTRATE THE VALUE OF THEIR CYBERSECURITY INVESTMENTS. In this unprecedented climate of economic uncertainty, security leaders must also be ready to demonstrate the impact of cybersecurity investments. Strategies and practices built around understanding business risk give business-aligned leaders confidence in their ability to do so. Most business-aligned security leaders are very or completely confident in their ability to demonstrate that their cybersecurity investments are positively impacting their business performance, compared with just over half of their more reactive and siloed counterparts. This confidence is, in part, rooted in their use of metrics to track cybersecurity ROI and impact on business performance.

Recommendations

1- Communicate clearly and with confidence. A whopping 66% of business leaders are, at most, only somewhat confident in their security teams’ ability to quantify their organizations’ level of risk or security. However, business-aligned security leaders are eight times as likely as their siloed counterparts to be highly confident in their ability to answer the question, “How secure, or at risk, are we?”

2- Align cybersecurity initiatives with business objectives. Enlist a BISO or equivalent executive to collaborate with the leaders of each line of business to develop strategies, goals, and metrics that maximize the protection of business information assets. Organizations that have tight alignment between business and security are 2.3 times as likely to have a BISO or similar executive.

3- Benchmark both internal and external relative cybersecurity performance. Articulate expectations about cybersecurity performance and demonstrate continuous process improvement relative to both peer companies and internal groups. A limited approach to benchmarking makes it difficult to gauge cybersecurity performance. Business-aligned security leaders are more likely than their more reactive counterparts to have a defined benchmarking process: 86% have a process that clearly articulates expectations and demonstrates continuous process improvement relative to peer companies and/or internal groups, compared with just 32% of their peers.

4- Prioritize vulnerability assessment by automating key processes. Prioritization based on business risk context will help focus your efforts. You can accomplish this by automating vulnerability assessment processes, including monitoring and incorporating threat intelligence and applying business risk management objectives to vulnerability prioritization practices using a predictive approach, and by conducting vulnerability assessments frequently using automated tools. Business-aligned security leaders are 3.3 times as likely to use a combination of asset criticality and vulnerability factors when prioritizing remediation efforts. Such leaders are also seven times as likely to automate the application of business risk management objectives to vulnerability prioritization practices.

5- Develop a comprehensive assessment of the organization’s most business-critical assets. A robust prioritization strategy for business impact mitigation requires a holistic understanding of the organization’s entire attack surface, including remote workers, OT, and cloud deployments, as well as insight into which assets pose the greatest business risk if compromised. Business-aligned security leaders are 3.3 times as likely as their more siloed counterparts to have a holistic understanding of their organizations’ entire attack surfaces.

6- Define metrics to demonstrate the value of cybersecurity investments. Few security organizations use threat metrics that speak to business risk. At the heart of the issue is a lack of partnership between security and business leaders to ensure that cybersecurity metrics and objectives are aligned with business priorities. Gain confidence to demonstrate the value of cybersecurity investments to business leaders by cultivating and consuming cybersecurity metrics for both ROI and the impact on business performance. Business-aligned security leaders don’t define metrics in a vacuum: they are six times as likely as their more siloed counterparts to review performance metrics with business stakeholders. Eight out of 10 say they partner with the business to ensure close alignment on cost, performance, and risk reduction objectives, compared with just 16% of their peers. And 85% of business-aligned security leaders have metrics to track cybersecurity ROI and impact on business performance, versus just 25% of their more reactive and siloed peers.
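Recommendations 4 and 5 above, and the earlier point that business-aligned leaders weigh asset criticality together with vulnerability criticality when prioritizing remediation, describe a scoring procedure without showing one. The Python below is an added example written for this page; it is not code from the study or its authors. It scores each scanner finding by CVSS severity, the business-assigned criticality of the affected asset, and threat context (known exploitation, public exploit code, internet exposure), ranks findings by that business-risk score, maps the score to a remediation window, and rolls the worst score up to the business process each asset supports so it can be compared against an agreed risk appetite. The asset inventory, findings, finding IDs, weights, SLA bands and appetite values are all constructed assumptions for illustration.

```python
"""Risk-based vulnerability prioritization: asset criticality x severity x threat
context, rolled up to the business process each asset supports.

Added illustration only. The weights, thresholds, inventory, findings and risk
appetites below are assumptions constructed for this example, not the study's
model or any vendor's scoring scheme.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_process: str    # capability that depends on the asset (business-owned label)
    criticality: int         # 1 (low) .. 5 (critical), assigned by the business owner
    internet_exposed: bool


@dataclass(frozen=True)
class Finding:
    finding_id: str          # scanner finding id (constructed placeholder, not a real CVE)
    asset: str
    cvss: float              # CVSS base score, 0.0 .. 10.0
    exploited_in_wild: bool  # from the threat-intelligence feed
    exploit_public: bool     # public exploit code exists


# Constructed inventory: a payment gateway, an HR portal, a build server and an OT HMI.
ASSETS = {a.name: a for a in (
    Asset("pay-gw-01", "Card payments", 5, True),
    Asset("hr-portal", "Payroll", 4, False),
    Asset("dev-build-07", "Engineering", 2, False),
    Asset("plant-hmi-03", "Plant operations (OT)", 5, False),
)}

# Constructed scanner output. F-1 has the highest CVSS but sits on a low-value,
# unexposed box with no known exploit; F-2 has a lower CVSS but is actively
# exploited on the internet-facing payment gateway.
FINDINGS = [
    Finding("F-1", "dev-build-07", 9.8, False, False),
    Finding("F-2", "pay-gw-01", 7.5, True, True),
    Finding("F-3", "hr-portal", 8.8, False, True),
    Finding("F-4", "plant-hmi-03", 6.5, True, True),
    Finding("F-5", "pay-gw-01", 5.3, False, False),
]

# Assumed risk appetite per business process: the score above which a finding
# breaches the objective agreed with the process owner.
RISK_APPETITE = {"Card payments": 20.0, "Plant operations (OT)": 30.0}
DEFAULT_APPETITE = 50.0


def threat_multiplier(f: Finding, a: Asset) -> float:
    """Threat context: weaponisation and reachability raise the score (assumed weights)."""
    m = 2.0 if f.exploited_in_wild else (1.5 if f.exploit_public else 1.0)
    if a.internet_exposed:
        m *= 1.5
    return m


def risk_score(f: Finding, a: Asset) -> float:
    """Severity x asset criticality x threat context, scaled to 0..100
    (the maximum raw product is 10.0 * 5 * 3.0 = 150, hence the division by 1.5)."""
    return round(f.cvss * a.criticality * threat_multiplier(f, a) / 1.5, 1)


def prioritize(findings=FINDINGS, assets=ASSETS):
    """Findings ranked by business risk, highest first, as (finding_id, score)."""
    scored = [(f.finding_id, risk_score(f, assets[f.asset])) for f in findings]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def rank_by_cvss(findings=FINDINGS):
    """The context-free ordering a raw scanner report gives, for comparison."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def remediation_sla_days(score: float) -> int:
    """Assumed remediation windows tied to score bands."""
    if score >= 70:
        return 7
    if score >= 40:
        return 30
    if score >= 20:
        return 90
    return 180


def risk_by_business_process(findings=FINDINGS, assets=ASSETS):
    """Worst-case (max) score per business process: the figure a BISO can put in
    front of the process owner instead of a list of vulnerability identifiers."""
    worst = {}
    for f in findings:
        a = assets[f.asset]
        worst[a.business_process] = max(worst.get(a.business_process, 0.0), risk_score(f, a))
    return worst


def processes_over_appetite(findings=FINDINGS, assets=ASSETS):
    """Business processes whose worst finding exceeds the agreed appetite, most exposed first."""
    worst = risk_by_business_process(findings, assets)
    over = [(p, s) for p, s in worst.items() if s > RISK_APPETITE.get(p, DEFAULT_APPETITE)]
    return [p for p, _ in sorted(over, key=lambda t: t[1], reverse=True)]


if __name__ == "__main__":
    print("CVSS-only order:     ", rank_by_cvss())
    print("Business-risk order: ", prioritize())
    for fid, s in prioritize():
        print(f"  {fid}: score {s:5.1f} -> remediate within {remediation_sla_days(s)} days")
    print("Worst score per process:", risk_by_business_process())
    print("Processes over appetite:", processes_over_appetite())
```

Run stand-alone, the CVSS-only order puts the unexploited finding on the build server first, while the business-risk order puts the actively exploited finding on the payment gateway first and the OT HMI second; the per-process view then answers "how at risk is card payments?" with one number and a breach of the agreed appetite, which is the form of the conversation the recommendations call for. In a real programme the criticality values come from the asset owners and the exploitation flags from a threat-intelligence feed; the weights here are starting points to be calibrated with the business, not fixed constants.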
Mohamed is an information security expert with over 12 years of experience in financial and IT corporations. He started his career as a red teamer and then moved into DFIR and threat hunting.