As companies become more connected, CISOs are being squeezed between increasing accountability and decreasing control. Here’s what you can do about it.
As companies make their way through their digital transformations, and weave technology into every aspect of doing business, CISOs have seen their executive exposure explode. Many CISOs now regularly report to the Board of Directors and cyber security has risen to a top strategic priority. According to Cybersecurity Ventures, security budgets have increased 35X over the past 13 years, and are estimated to grow 12-15 percent year-over-year through 2021.
As fast as the CISOs’ accountability is expanding, their visibility and control are shrinking. Networks have become dynamic, borderless, and ambiguous. Everyone from suppliers and vendors, to customers and contractors can have direct access to your systems and data. CISOs often do not have clear insight into the security practices of these groups, and would not have the authority to exercise control over them even if they did.
All of this places CISOs in a security catch-22. They assume all the risk and responsibility of a security breach, but don’t have the authority or tools to manage that risk. Although there is no perfect answer to this dilemma, here is some practical guidance.
Map Your “Elastic Attack Surface”
From BYOD, to cloud services, to emerging IoT devices, the composition of your network, vulnerabilities, and exposures are constantly changing. Dark Reading calls this an “Elastic Attack Surface,” and understanding it will help you manage your risk, your security, and your executives. They define six categories that can help you get started mapping your attack surface (see graphic below).
Beyond developing an inventory of assets, you need to consider factors that impact visibility and control over your attack surface. You can use the categories listed below to help identify the assets, systems, and data that impact your network. Be sure to include components that are owned and/or managed by your technology constituencies (e.g., suppliers, contractors, customers). For each element, ask yourself the questions to gauge your span of control and visibility.
Assess Your Risk
Once you have your arms around elements in your attack surface, you will need to get a clear idea of the risks they pose to your security. To do this, you will need to understand how each element of your attack surface relates to business operations, and which ones are most critical. Assess the impact if they are compromised, from a technical level, and a business operational level. For a more complete discussion about risk frameworks see our blog about protecting your corporate crown jewels.
Once you understand the impact of your attack surface elements, you will need to understand the likelihood of compromise. By conducting security tests, such as vulnerability scans, penetration testing, social engineering, and network assessments, you can get a good understanding of the exposure you have from the elements over which you have direct control. However, it will be more difficult to assess elements that are controlled by your technology constituencies. If you cannot easily obtain a clear understanding of the likelihood of a compromise, you should assume it is high.
Build a Span-of-Control Heat Map
You can combine the risks in your attack surface with what you know about your span of control to create a Span-of-Control Heat Map. The map combines your level of risk with your level of control, and tracks those across different constituencies (e.g., suppliers, vendors, contractors). It reveals not only which parts of your attack surface are most at risk, but also which constituencies represent the most vulnerable parts of your attack surface.
Below is an example of a summarized version of the map. These maps are useful for both planning and for clearly conveying your risk posture to senior executives and your Board of Directors.
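To make the assessment and heat-map steps concrete, here is an added example (not code from the original post or its author) that scores a small, constructed inventory of attack surface elements and rolls it up by constituency. The scoring scale (impact and likelihood 1 to 5, control 1 to 5), the band thresholds, and the sample elements are all assumptions chosen for illustration; the one rule taken directly from the text is that an element whose likelihood cannot be assessed is treated as high.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Unknown likelihood is treated as high, per the guidance above (assumed scale: 1..5).
ASSUMED_LIKELIHOOD = 5

RISK_BANDS = ("high", "medium", "low")
CONTROL_BANDS = ("none", "partial", "direct")


@dataclass(frozen=True)
class Element:
    """One entry in the attack surface inventory (field scales are assumptions)."""
    name: str
    constituency: str           # who owns/manages it: "internal", "supplier", ...
    impact: int                 # business impact if compromised: 1 (negligible) .. 5 (critical)
    control: int                # your span of control: 1 (none) .. 5 (full)
    likelihood: Optional[int] = None   # 1..5 from testing, or None when it cannot be assessed


def effective_likelihood(el: Element) -> int:
    # Elements you cannot test (typically those run by a constituency) default to high.
    return ASSUMED_LIKELIHOOD if el.likelihood is None else el.likelihood


def risk_score(el: Element) -> int:
    # Classic impact x likelihood, range 1..25.
    return el.impact * effective_likelihood(el)


def risk_band(score: int) -> str:
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def control_band(control: int) -> str:
    if control >= 4:
        return "direct"
    if control >= 2:
        return "partial"
    return "none"


def build_heat_map(elements: list[Element]) -> dict[str, Counter]:
    """Return {constituency: Counter{(risk_band, control_band): element count}}."""
    grid: dict[str, Counter] = {}
    for el in elements:
        cell = (risk_band(risk_score(el)), control_band(el.control))
        grid.setdefault(el.constituency, Counter())[cell] += 1
    return grid


def hot_spots(elements: list[Element]) -> list[Element]:
    """Elements ordered by highest risk first, then least control: your biggest exposure."""
    return sorted(elements, key=lambda el: (-risk_score(el), el.control, el.name))


def render(grid: dict[str, Counter]) -> str:
    """Plain-text summary suitable for a board slide: one row per constituency and risk band."""
    header = f"{'constituency':<12} {'risk':<7}" + "".join(f"{'ctl=' + c:>13}" for c in CONTROL_BANDS)
    lines = [header]
    for constituency in sorted(grid):
        for rb in RISK_BANDS:
            counts = [grid[constituency][(rb, cb)] for cb in CONTROL_BANDS]
            if any(counts):
                lines.append(f"{constituency:<12} {rb:<7}" + "".join(f"{n:>13}" for n in counts))
    return "\n".join(lines)


# Constructed sample inventory for illustration only; not real systems or real scores.
SAMPLE_ELEMENTS = [
    Element("ERP system", "internal", impact=5, control=5, likelihood=2),
    Element("Logistics API", "supplier", impact=4, control=1),            # likelihood unknown
    Element("Field laptops", "contractor", impact=3, control=2, likelihood=3),
    Element("Customer portal", "customer", impact=4, control=4, likelihood=2),
    Element("SFTP drop box", "supplier", impact=2, control=2, likelihood=4),
]

if __name__ == "__main__":
    print(render(build_heat_map(SAMPLE_ELEMENTS)))
    print("\nTop exposures:")
    for el in hot_spots(SAMPLE_ELEMENTS)[:3]:
        print(f"  {el.name:<16} {el.constituency:<11} risk={risk_score(el):>2} control={el.control}")
```

In the sample data the supplier-run API with no measurable likelihood and no span of control lands in the high-risk/no-control cell and tops the exposure list, which is exactly the kind of finding the map is meant to surface for leadership.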
Address Your People Problem
When it comes to span of control, you have a people problem. Although you can control your own security technology, you cannot dictate how your constituencies manage theirs. Many CISOs are not sure how to drive behavior across their constituencies, and are often uncomfortable dealing with them directly. However, reducing risk across your attack surface will involve driving the people to adopt security best practices.
Each constituency has different motivations, and will need to have a customized approach. However, here are some general guidelines you can use as you broaden your span of control:
- Develop the right dynamic – Foster collaboration, trust, importance, and a sense of urgency
- Define what’s in it for them – Define the motivations for each group and why they benefit from working with you
- Proactively manage expectations – Set clear expectations early and often about best practices, capabilities, limitations, roles, and responsibilities. Many communications challenges can be avoided by constantly and clearly defining expectations
- Use every contact point – Organizations communicate with their constituencies in a multitude of ways. From advertising, to emails, call centers, social media, and personal meetings, every contact point is an opportunity to reinforce messaging, drive engagement, and promote best security practices
- Go beyond awareness and training – Drive active engagement – simple awareness will not be enough
- Write better contracts – Pay close attention to how you write your contracts. Many organizations provide only vague guidelines for cyber security. Be clear, comprehensive and specific about your expectations
- Make the bad guy, the bad guy – Position yourself as a partner with your constituencies to combat cyber threats together
- Develop trusted communication channels – Create communications mechanisms that are specifically used for cyber security. Much like the fraud alerts people receive from their credit cards, these channels are only used to collaborate for cyber security (i.e., no sales or marketing). These will help develop a trusted relationship and drive best practices
As the world gets more connected, automated and dispersed, CISOs will increasingly be caught between the expectations of leadership and the realities of managing their attack surface. The only way out of this security rock and a hard place is to know how to identify, assess, and broaden your span of control.