Cybersecurity: Building a Plan for the Unknown

How can organizations design effective cybersecurity programs when faced with an ever-changing cyber threat landscape? Here are four considerations for business leaders as they prepare for current and coming threats.


“It’s not if, but when,” has become the cybersecurity mantra. But organizations continue to struggle to prepare for ever-changing threats. How are business and IT leaders designing effective cybersecurity programs today? “It’s really like a military or law enforcement organization,” says Steve Grobman, CTO of security software company McAfee. “Part of it is not having just a plan for the known scenarios but exercising the team to condition them to know how to handle all sorts of unexpected situations. Then, when they happen in real life, it’s nothing more than looking to the drills that we’ve executed all along.”

Grobman was joined by fellow panelists Andy Ozment, CISO, Goldman Sachs, and Judith Pinto, Managing Director, Promontory Financial Group, at Tuesday’s WSJ Pro Cybersecurity Executive Forum to discuss preventive and preparatory steps to take before a breach occurs.

On how cyber threats have changed over the years, Ozment warned forum attendees, “They get worse. They get scarier. They get more aggressive every day.”

One way in which threats are changing has to do with how businesses operate today. As organizations rapidly move to the cloud, new risks emerge. “It’s not only looking at how do we deal with a new set of sophisticated threats, but how do we defend new ways that we’re working?” explained Grobman.

Here are four considerations for business and IT leaders as they prepare for current and coming threats.

Strategically structure your security staff

According to Ozment, Goldman Sachs uses a “three lines of defense” model. “The first line of defense is my organization. I report to the CTO, we are embedded into the technology organization and, so, we lose a little bit of the independence, a little bit of the ability to think totally freely. That’s the bad side. The upside of it is we’re embedded in the processes; we’re part of the conversation from day one. And we’re doing operational IT.”

“Line two is an independent risk division. Part of that independent risk division is focused on information security or cybersecurity. Much smaller team but they provide that independent perspective, they report independently from the CIO, CTO.”

Finally, line three is internal audit who reports to the board.

Ozment realizes that not all organizations can afford this model. He suggests that an organization with a CISO give him or her at least two lines of defense: one line inside the IT construct and another, independent line outside of it.

Empower employees to report

Many companies focus heavily on phishing training and use simulated phishing emails to gauge how alert their users are. What these companies typically measure is how many of their users click on the fake phishing emails.

Instead of focusing on the click rate, companies should measure the percentage of users who report the fake phishing emails.

“What I really want is for my users to report phishing emails and then my team can handle them, can search for other examples of them, update our systems. And so, really, I want to track how many users report that email,” says Ozment.

“You can view your users as either bricks in a wall, and if one brick is missing, then the wall crumbles. I would argue that’s not a very good model, because there will always be bricks missing. Or you can view your users as sensors. All you need is one sensor to tell you about a problem and then you can fix it everywhere.”
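As an added illustration, not code from the forum or from any of the panelists, the following Python script works through the “users as sensors” model on a constructed set of mail-gateway events. It computes the click rate and the report rate for a simulated lure, measures how long the first report took to arrive and how many clicks happened after it (the clicks a fast purge could have prevented), and, given that one report, finds every other mailbox that received the same message so the team can pull the copies and follow up with anyone who already clicked. The message identifier (`msg_hash`), the user names and the timestamps are all made up, and the assumption that the mail gateway can tag each delivery with such an identifier is mine.

```python
"""Phishing-simulation metrics and the 'one sensor, fix everywhere' response.

Added example; not the forum's or any panelist's code. All events below are
constructed, and the msg_hash field assumes the mail gateway can label each
delivered message with a stable identifier for the lure (e.g. a template hash).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class MailEvent:
    ts: datetime
    user: str        # recipient mailbox
    msg_hash: str    # identifier of the lure (assumed to come from the gateway)
    action: str      # "delivered", "clicked" or "reported"


def _t(hhmm: str) -> datetime:
    """Helper for the constructed timeline: all events are on one day."""
    return datetime(2024, 1, 1, int(hhmm[:2]), int(hhmm[2:]))


# Constructed simulation data (not real telemetry): lure-a went to eight users,
# two clicked and one reported; lure-b is a second message sent to two users.
EVENTS = [
    *(MailEvent(_t("0900"), f"u{i}", "lure-a", "delivered") for i in range(1, 9)),
    MailEvent(_t("0904"), "u3", "lure-a", "clicked"),
    MailEvent(_t("0906"), "u2", "lure-a", "reported"),
    MailEvent(_t("0910"), "u5", "lure-a", "clicked"),   # clicked after the first report
    MailEvent(_t("0930"), "u1", "lure-b", "delivered"),
    MailEvent(_t("0930"), "u2", "lure-b", "delivered"),
    MailEvent(_t("0935"), "u1", "lure-b", "reported"),
]


def campaign_metrics(events, msg_hash):
    """Click rate, report rate and speed of the first report for one lure."""
    ev = [e for e in events if e.msg_hash == msg_hash]
    delivered = {e.user for e in ev if e.action == "delivered"}
    clicks = [e for e in ev if e.action == "clicked"]
    reports = [e for e in ev if e.action == "reported"]
    first_delivery = min(e.ts for e in ev if e.action == "delivered")
    first_report = min((e.ts for e in reports), default=None)
    return {
        "delivered": len(delivered),
        "click_rate": len({e.user for e in clicks}) / len(delivered),
        "report_rate": len({e.user for e in reports}) / len(delivered),
        # minutes from first delivery to first report; None if nobody reported
        "minutes_to_first_report": (
            None if first_report is None
            else (first_report - first_delivery) / timedelta(minutes=1)
        ),
        # clicks that landed after the team had already been told: preventable
        # with a fast enough purge of the remaining copies
        "clicks_after_first_report": (
            0 if first_report is None
            else sum(1 for e in clicks if e.ts > first_report)
        ),
    }


def respond_to_report(events, msg_hash):
    """Given one user's report, find the 'other examples' of the same message.

    Mailboxes that still hold an unreported copy go on the purge list; users who
    already clicked need incident follow-up. The reporter's own copy is already
    in the team's hands, so it is not listed.
    """
    ev = [e for e in events if e.msg_hash == msg_hash]
    recipients = {e.user for e in ev if e.action == "delivered"}
    clicked = {e.user for e in ev if e.action == "clicked"}
    reporters = {e.user for e in ev if e.action == "reported"}
    return {"purge": sorted(recipients - reporters), "follow_up": sorted(clicked)}


if __name__ == "__main__":
    for lure in ("lure-a", "lure-b"):
        print(lure, campaign_metrics(EVENTS, lure))
        print(lure, respond_to_report(EVENTS, lure))
```

On the constructed data the click rate for lure-a is 25% and the report rate 12.5%; the number worth driving up over successive campaigns is the second one, and the number worth driving down is the clicks that arrive after the first report, since those are the ones a quick purge would have stopped.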

Measure the right metrics

The percentage of users who click on or report fake phishing emails is one of several valuable metrics. An obvious example is the number of major incidents. Ozment says that Goldman Sachs uses three thresholds to determine the appropriate response.

“If you reach this level on this metric, you have to report it to internal management. If you go higher than that to this level, you have to report it to an internal risk committee. And if you go higher than that, you’ve reached the final level, then you have to report it directly to the board.”

Ozment says this system is incredibly useful because it takes away the human judgment element.

Another common metric is the number of vulnerabilities on internet-facing systems, such as web servers or email servers. A related metric is the number of significant vulnerabilities that have not been patched within a defined window of time. Yet another important metric is the percentage of hardware and software that is nearing end-of-life (EOL), the point at which the manufacturer stops shipping any updates, security fixes included. From then on, every newly discovered vulnerability in that product stays unpatched, so the share of EOL assets is a direct measure of exposure that cannot be remediated by patching.
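To make the metrics in this section concrete, here is an added Python example (not code from the forum, from Goldman Sachs or from any panelist) that computes them from a constructed asset inventory and scan results: open vulnerabilities on internet-facing systems, significant (critical or high) findings whose patch window has lapsed, the share of assets already past or approaching end of support, and the three-tier escalation of the overdue count to management, a risk committee or the board. The patch windows per severity, the escalation thresholds, the 180-day EOL horizon, the asset names and the dates are all assumptions of mine for illustration; the panel stated none of them.

```python
"""Vulnerability, patch-window and end-of-life metrics with tiered escalation.

Added example, not code from the forum or from Goldman Sachs. Patch windows,
escalation thresholds, the EOL horizon, asset names and dates are assumed or
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy: days allowed to patch, by severity; "significant" = critical/high.
PATCH_WINDOW_DAYS = {"critical": 7, "high": 30, "medium": 90}
SIGNIFICANT = {"critical", "high"}
# Assumed thresholds, lowest tier first: a value >= threshold reaches that tier.
ESCALATION_TIERS = [(1, "management"), (3, "risk committee"), (5, "board")]
AS_OF = date(2024, 6, 1)   # reporting date for the constructed data


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    support_end: Optional[date]   # None when no end-of-support date is known


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str
    discovered: date
    patched: Optional[date]       # None while still open


def is_open(f: Finding, as_of: date) -> bool:
    return f.patched is None or f.patched > as_of


def open_on_internet_facing(findings, assets, as_of):
    """Count of open findings on assets exposed to the internet."""
    exposed = {a.name for a in assets if a.internet_facing}
    return sum(1 for f in findings if f.asset in exposed and is_open(f, as_of))


def overdue_significant(findings, as_of):
    """Open critical/high findings whose patch window lapsed before `as_of`."""
    out = []
    for f in findings:
        if f.severity not in SIGNIFICANT or not is_open(f, as_of):
            continue
        deadline = f.discovered + timedelta(days=PATCH_WINDOW_DAYS[f.severity])
        if deadline < as_of:
            out.append(f)
    return out


def eol_share(assets, as_of, horizon_days=180):
    """Fraction of assets already unsupported or losing support within the horizon."""
    cutoff = as_of + timedelta(days=horizon_days)
    nearing = [a for a in assets if a.support_end is not None and a.support_end <= cutoff]
    return len(nearing) / len(assets)


def escalation(value, tiers=ESCALATION_TIERS):
    """Highest tier whose threshold the value meets; 'none' below the first tier."""
    level = "none"
    for threshold, who in tiers:
        if value >= threshold:
            level = who
    return level


def risk_report(findings, assets, as_of):
    overdue = overdue_significant(findings, as_of)
    return {
        "open_internet_facing": open_on_internet_facing(findings, assets, as_of),
        "overdue_significant": len(overdue),
        "eol_share": eol_share(assets, as_of),
        "escalate_to": escalation(len(overdue)),
    }


# Constructed inventory and scan results (not real data).
ASSETS = [
    Asset("web-1", True, date(2024, 8, 1)),    # support ends within the horizon
    Asset("web-2", True, date(2026, 1, 1)),
    Asset("mail-1", True, date(2024, 1, 1)),   # already past end of support
    Asset("vpn-1", True, None),
    Asset("db-1", False, date(2024, 7, 1)),    # internal, support ends soon
]
FINDINGS = [
    Finding("web-1", "critical", date(2024, 5, 20), None),           # overdue: window ended 27 May
    Finding("web-1", "high", date(2024, 5, 10), date(2024, 5, 30)),  # patched inside its window
    Finding("mail-1", "high", date(2024, 4, 1), None),               # overdue since 1 May
    Finding("mail-1", "medium", date(2024, 3, 1), None),             # open, but not "significant"
    Finding("web-2", "critical", date(2024, 5, 28), None),           # still inside its window
    Finding("vpn-1", "high", date(2024, 5, 15), None),               # still inside its window
    Finding("db-1", "high", date(2024, 4, 1), None),                 # overdue, on an internal host
]

if __name__ == "__main__":
    print(risk_report(FINDINGS, ASSETS, AS_OF))
```

With the constructed data the report shows five open findings on internet-facing hosts, three significant findings past their window (which, under the assumed thresholds, lands in the “risk committee” tier rather than being left to someone’s judgment) and 60% of assets at or near end of support. The internal database host counts toward the overdue figure but not toward the internet-facing one, which is why the two metrics are kept separate.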

Plan for the loss of everything

One of the things that organizations don’t plan for enough is a total loss of technology. “There’s always an assumption that a phone is going to work, you can send an email. Planning for the worst-case scenario doesn’t happen enough,” says Pinto. “How would you still communicate? How do you coordinate with your external counsel or your critical third parties that will help you respond?”

Fortunately, Pinto says, cybersecurity response is beginning to align more closely with business continuity. Business continuity planning, which, as Pinto points out, has always contemplated worst-case scenarios such as the loss of a building or the loss of technology, should be brought into cybersecurity planning and into response planning.

Unfortunately, business leaders have yet to crack the code on effectively measuring cybersecurity success. There are many methodologies for quantifying cyber risk in dollars, but they remain fairly laborious and rely on the judgment of experts.

“I don’t think anybody’s reached the point where they’re deeply comfortable with [the methodologies],” says Ozment. “Some companies have embraced them and, like any tool, if you embrace it, you really invest in it and use it consistently, you can get a lot of value out of it, but I wouldn’t say that anybody in the cybersecurity industry believes that we’ve really cracked the code on measuring success or even measuring cybersecurity.”