"Begin at the beginning," the King said gravely, "and go on till you come to the end: then stop." (1)
Risk mitigation is not an easy task. It comes at a cost, sometimes a high cost. It is therefore necessary to find mechanisms to gain political favor in order to access the necessary resources to remedy the right vulnerabilities, in the right systems, for the right reasons.
Here are some ideas for achieving this goal. Let's begin.
The CISO's office has a few mandates. One of them is to do everything possible to prevent a security breach. To fulfill this mandate, it is necessary to manage risk, which involves, among other things, mitigating risk. Risk mitigation may take the form of protective controls: one protects that which is weak or vulnerable. Another way is to identify those weaknesses, those vulnerabilities, and eliminate or remediate them.
This mandate has to be executed following certain principles. Although they are not universally agreed upon, we can recognize some relevant principles of the practice, which apply to practitioners.
The first one is related to coverage. Comprehensivity: "Am I covering all of my bases?" Identify and account for all relevant systems, actors, and risks in the environment. (2)
The second is related to the relationship between the effort (cost) to protect and the value of the asset to be protected. Proportionality: "Is this worth it?" Tailor security strategies to the magnitude of the risks, accounting for the practical constraints imposed by the mission and the environment. (2)
The key seems to lie in knowing how to strike the right balance between these two principles, so that when asking the organization to act in the direction of mitigation (which has an associated cost) there are no obstacles, resistance or friction.
So there are certain things that have to happen before that, at the beginning. They are related to the first mandate and to the term "relevant".
To be honest, there are few organizations where the CISO is really sure about what all the business processes are, the infrastructure underlying each of them, and the contribution of each one to the organization's expected revenue. There is also another variable to consider, which is why I bring it up here: to put it in context and in plain terms.
Having discussed the principles of practice, we must now recall that the principles of the domain recognize three properties that must be preserved: Integrity, Availability and Confidentiality. Unfortunately, only two of them are reversible. Although their loss has an associated cost, it is also true that organizations are aware of them and, since they are a shared responsibility, there is much more at stake for each of the actors.
Confidentiality is a non-reversible property; it can be lost even without impacting the other two. The impact of its loss may not be properly understood and may not even materialize immediately. But unless your organization is a monopoly (i.e. your customers have no choice), the loss of trust will erode the value proposition and expected revenues. Not to mention the potential direct or indirect legal consequences of a cybersecurity data breach that demonstrates compromise and exposure of sensitive information in custody.
So, the CISO must not only know the business processes that have a significant contribution to the company's revenue, but must also be clear about which business processes (even those of marginal contribution) involve information that must be protected.
And that is the beginning.
At the end of the day, you will have a small number of systems, highly critical either because of their contribution to revenue or because they contain sensitive information, over which you will have to have a concrete oversight capability, whose vulnerabilities you will have to understand through continuous monitoring, and for which you will have to rigorously promote the management of those vulnerabilities. This means obtaining the necessary political and economic support under the premise that, once certain types of vulnerabilities have been identified, it is not acceptable to fail to do what is necessary to mitigate them.
Here another necessary line of work enters and becomes evident, one in which expertise is required, but also evidence and information. Let's keep in mind that estimating risk is not an exact science, as a lot of the relevant information is not available.
You can model risk and assume or guess, but you will not be able to deliver exact values. We said that you can determine the contribution of a business process to a company's profits, so it is possible to determine what an organization stops earning for every hour that process is unavailable. It is also possible to determine the cost of "turning on" contingent systems. But there is no way to know whether we will be targeted by a criminal organization, or how many criminal organizations have the ability to exploit the vulnerability we have identified. Here's the point.
The way to avoid the logical fallacy of "absence of evidence is evidence of absence", associated with availability bias, is to bring a compensatory cognitive exercise to the negotiating table.
It sounds difficult, but it is actually very simple. It is a tool that should be part of the CISO's toolbox, and it is called a Pre-Mortem exercise. It is like a forensic analysis, but in reverse.
Let's start from the assumption that a security breach has already occurred and that it was determined that the attack vector was the vulnerability that had been identified, but that the Board of Directors decided it was not a priority to remediate and therefore neither instructed the rest of the organization to act nor provided the means to perform such mitigations. The question is: who will assume responsibility in front of the shareholders/owners, acknowledging that even with sufficient information, they decided not to act? Who will communicate to customers that their sensitive information was exposed because the organization did not act in a timely manner?
It is necessary to "name" the problem in order to discuss it. It is necessary to make explicit who voted in favor and who voted against, beyond the fact that they act as a collegiate body.
Ultimately, the decision to act or not is not up to the CISO, who has to bring the relevant information to the risk committee (regular or extraordinary) for a decision to be made. If it is decided not to act and a breach occurs, the CISO is (at least) legally covered.
Therefore, it is not only necessary to know the business and its critical processes (critical due to their contribution or to the sensitivity of the information they process or store), but also to be clear about the vulnerabilities, the existence of exploits in the wild, the existence of criminal organizations that use them, and the steps to be taken to mitigate, correct or eliminate such vulnerabilities. This must be available in a timely manner so that informed decisions can be made, also in a timely manner, and finally, action can be taken.
Call to Action.
1) Identify which are the key processes to prioritize (either because they contribute significantly to revenue or because they contain information that should not be exposed).
Normally, no more than 40% of the processes meet one or both of these conditions, but it is important to distinguish between these systems and the others.
2) For systems that contribute to profits, seek clarification of how much they contribute and what contingency plans exist in case of an incident (you should consider the contingency plan or system as part of the main system to be monitored).
3) For systems that store or process sensitive data, understand whether there is sensitive data of customers or other third parties in custody, covered by regulation or whose compromise could harm those third parties (and consequently result in a legal claim).
4) Determine also whether your organization depends on customers staying or leaving because of possible security breaches. It is not the same for a system to be unavailable for a period of time as it is for the information in custody to be compromised.
5) Determine the roles and responsibilities of the BoD in the event of a compromise and include this in presentations to the risk management committee. Make sure that the people taking responsibility are the right people and that they have sufficient information to make decisions. This is the most important part: directors are often liable with their own assets, while managers and other executives at most put their jobs at risk.
Final thoughts.
Not all systems are equally important, so you have to understand which ones to focus on, which ones are NOT negotiable. Consequently, not all vulnerabilities are equally important (but here the criterion is contextual to the system in which they were identified).
The risk management process ends only when the mitigation is validated or when it is assumed based on adequate and sufficient information.
You may not like the final result, but if the process is correct, you will have the right to feel proud of your work. That is very important, because it is a process that must be repeated over and over again on a continuous basis, not only because it is part of the mandate, but more importantly because you know it is the right thing to do.
And that is the end.
(1) Lewis Carroll, "Alice's Adventures in Wonderland"
(2) Information Security Practice Principles, Center for Applied Cybersecurity Research, Indiana University, https://cacr.iu.edu/principles/index.html