THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

Transcription

1 THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

2 Download the entire guide and follow the conversation at SecurityRoundtable.org

3 Collaboration and communication between technical and nontechnical staff, business lines and executives Wells Fargo & Company Rich Baich, CISO You can have brilliant ideas, but if you can t get them across, your ideas won t get you anywhere. Lee Iacocca Delivering results is a key metric of success for any leader. Exceeding revenue goals, meeting hiring and retention goals, or ensuring operational budget goals are well known and understood results. These goals are clear, easily measurable, and most importantly all individuals understand their role in achieving these results. These goals often are established with limited collaboration and a single communication to the appropriate leaders with minimal tolerance associated with not achieving the goals. The language used when establishing these goals and publishing the results transcends technical and nontechnical executives. This information must be understood and actionable; regardless of the executives background, having this information available allows them to make an informed decision. Leaders need the right information, at the right time to collaborate, communicate, and ultimately make the best decision. Information enables the executive to use a decision process or framework of reasoning to help rationalize the data and choose the best course of action. As the topic of cybersecurity rapidly moves to the top of every C-level executive s agenda, cyber leaders must embrace the importance of collaboration and communication while building bridges to ensure decisions are understood and actionable. Establish a cyber risk decision framework We live in a time of acute and persistent threats to our national security, our economy, and our global communities. The number of reported cyber incidents continues to grow. The threat of a cyber catastrophic event continues to lurk in the distance. New cyber vulnerabilities are reported each day and the frequency of zero-day threats is increasing. New victims make the headlines 1

4 CYBER RISK AND WORKFORCE DEVELOPMENT weekly. As a result, cyber leaders continue to be asked if their organizations are spending enough to address cyberthreats. To answer this question, cyber leadership must have the facts to establish a decision framework to guide them. Having a firewall, purchasing the latest technologies, growing the number of cyber professionals, and having information security policies do not adequately provide all the information needed to answer this question. Knowing what data to collect, demonstrating the ability to get the data in a timely fashion, operationalizing the data, and ensuring the data get to the right decision maker can provide an actionable framework. The following are a few examples of what information is needed to enable a framework: What risks will be mitigated if these additional funds are provided Specific cyberthreats are known, monitored, and integrated into the risk prioritization decision process. Vulnerabilities are identified, prioritized, remediated, and validated in a timely manner. Critical assets are well known, accountability is clear, and responsibility to ensure those assets meet defined protection criteria are met. The likelihood of a specific exploit, attack, or significant occurrence is understood and utilized in the cyber risk prioritization framework. Having trustworthy data is the foundation to all cybersecurity decision frameworks. It is important to have a framework to help support the fundamental changes required to enhance cyber practices and enable communication. Scenario: Cyber risk decision framework Today, the media announces a new zero-day exploit that has been identified. Business executives want to know: What do they need to do to respond to the exploit? How vulnerable are their products and solutions to this exploit? Is there any potential for business impact to customers or suppliers? Do they need to contact their third parties to see if they are secure? Will this affect their ability to service their own third-party relationships? Using the following framework formula to explain an approach could be helpful: Risk = Vulnerability Threat Asset Value Probability of Occurrence Having the trustworthy data readily available can allow cyber executives to quickly and confidently communicate throughout the organization and the third parties. For example, a quick query of the asset inventory indicates there are 50 instances of this exploit in the current infrastructure and five within the third-party ecosystem. Of those 50 internal instances, only three are external facing, and the remaining 47 are internal to the network. All the third-party instances are internal to the partner s network. The associated vendor to the zero-day exploit has provided a patch and recommended an immediate application of the patch. The internal cyberthreat team has reviewed the external intelligence, and there are already indications of potential miscreants scanning for the newly identified vulnerabilities. Additional intelligence and analysis suggest exploit code is already being crafted to take advantage of this new exploit. If successful, the exploit can be used to deliver malicious code throughout the organization providing kinetic and nonkinetic damage to an organization. Armed with this information, cyber leadership can quickly move to gain consensus, communicate recommendations, and influence the mitigation activities required to address the threat. Defining your stakeholders Trustworthy data are a key foundation to establishing cybersecurity creditability. 2

5 COLLABORATION AND COMMUNICATION BETWEEN TECHNICAL AND NONTECHNICAL STAFF, BUSINESS LINES AND EXECUTIVES Performance of executives, regardless if they work in a line of business, in corporate staff, or in technology, is often measured by results. Achieving results in cybersecurity requires others taking action. Effective leaders can motivate groups of like-minded people to come together and rally behind a cause to achieve a goal. Finding those individuals in the organization is critical to success. Identifying individuals who will become stakeholders in the cybersecurity journey provide the support needed to drive change. The following is a list of potential stakeholders to consider: chief executive officer (CEO) chief financial officer (CFO) chief auditor chief administration officer (CAO) chief communication officer (CCO) chief risk officer (CRO) member(s) of the board of directors chief information officer line of business leader audit committee chief technology officer (CTO) line of business leaders, CIO, CTO, risk leaders In addition to individual stakeholders, establishing a cybersecurity steering committee with cross-organizational representation can provide an additional platform for collaboration and communication. The purpose of the committee should be to promote cybersecurity awareness, provide a forum in which cybersecurity topics can be discussed, and to solicit cyber feedback to help evolve cyber practices and mature over time. In addition, the committee will seek to identify cybersecurity topics that may affect the broader applicable industry and the emerging trends that may affect the organization. The cybersecurity committee could: 1. review cybersecurity strategic direction and planned initiatives 2. discuss major milestones for cybersecurity initiatives that are in process of being deployed 3. assess business impact of material cybersecurity program changes 4. discuss lessons learned and situations in which program adjustment is prudent 5. identify potential areas of conflict and/or resource constraints between cybersecurity program and business priorities 6. discuss impacts from and/or to the larger applicable industry. Stakeholders want the facts and reassurance that the information being reporting is trustworthy and actionable. Risk management is everyone s responsibility, and individuals take great pride when helping reduce risk. Proactively removing risk before the risk evolves in negative consequence is a significant measurement for success. Providing a stakeholder with the data that clearly demonstrate a risk was remediated before it was significant will win the trust of most individuals. Scenario: Defi ning stakeholders You have been asked by a line of business leader to provide information regarding a third party before a contract is signed. Due diligence is done for third parties before any contracts are signed; that is a leading industry practice. However, what if you and your cybersecurity team were able to provide cyber intelligence that suggests the potential third-party partner is on a top-five easiestto-hack organization list being posted in credible underground forums? Having information without being able to make it actionable often results in a very heavy paper weight being created. In this scenario, having the cyber intelligence to provide the stakeholders helped provide transparency into cyber risks that can produce measured results. Maintaining a results-oriented mentality coupled with the right stakeholder group can help enable a cyber support culture. Delivering the message Effective communication, especially during a time of change, requires frequent touchpoints. Having a communicator or a communication 3

6 CYBER RISK AND WORKFORCE DEVELOPMENT team specifically aligned with the cybersecurity team can provide immense benefits. There is delicate balance associated with the frequency and content that is communicated to stakeholders. The fundamental goal is to tell the cybersecurity story throughout the organization through clear, concise, targeted communications through the most effective dissemination channels. Some will want more frequent communications, whereas others will desire less communication. Some will prefer pull communications and others will want the information pushed to them. Cultural appetite, tone from the top, and organizational commitment help drive the various required communication delivery techniques to ensure stakeholders are aware. Some examples include the following: publish monthly newsletters to various stakeholders create a robust intranet presence with tools and communications celebrate success stories of collaborative achievements provide platforms for cyber champion recognition track, measure, and report the effectiveness of the communications through a cyber communication dashboard Having a venue into the corporate communications team provides cybersecurity the opportunity to align, influence, and enable the influx of cybersecurity into normal business communications. It is critical that the corporate crisis communication team be part of the cybersecurity incident response team because of the potential reputational impact associated with a significant cyber incident. During a time of crisis, concise and timely communications to key stakeholders and customers can often be the difference between an incident being managed and an incident being exaggerated. Tactically positioning the cybersecurity story within the organization through effective education and awareness while addressing the latest trends in cybersecurity can help build collaboration by demonstrating how individuals can partner with cybersecurity to address customer needs. Regardless of the industry, customers want to know their information is safe and the organization that has their data has a clear plan to achieve that goal. Adding cybersecurity reminders in existing individual customer communications begins to demonstrate that commitment to the customer. It takes a long time to earn trust, but it only takes a second to lose it. This also holds true for internal stakeholders. Often the information and measurement of results reported by the cybersecurity team may not be perceived as positive news. For example, the cybersecurity team may implement new technology that provides an enhanced visibility into the health and hygiene of various technology assets. If these assets have never had this improved visibility, it is possible that the results may provide awareness of critical vulnerabilities or weakness associated with the platform. Consequently, when reporting these results, others may take offense to these perceived negative results. However, this is a great opportunity to educate leadership by explaining that it is far better to find these opportunities internally rather than be told about these vulnerability gaps from a law enforcement representative. Don t pass up the opportunity to build a champion; one champion can quickly lead to two, which, in turn, can often grow to thousands. Conclusion During times of conflict it is proven those countries that have aligned themselves with the right allies have prevailed and overcome grave challenges. These are challenging times; cyberthreats are real and present significant risks for most organizations. Communicating these risks to technical and nontechnical executives can often be a daunting task that requires additional background and context to successfully communicate the message. Executives are results driven and appreciate other executives who are proactive when dealing with risks. The ability to provide 4

7 COLLABORATION AND COMMUNICATION BETWEEN TECHNICAL AND NONTECHNICAL STAFF, BUSINESS LINES AND EXECUTIVES trustworthy data and a cyber decision support framework enables cyber executives to translate a new language to other executives. These actions can positively enhance cybersecurity s internal reputation by strengthening trust and credibility across the organization. Taking the time to include, educate, and collaborate with stakeholders can build alliances. Having the right information is powerful, and those stakeholders who get accurate, timely, and meaningful data will have the opportunity to lead change. SecurityRoundtable.org 5

8 CYBER RISK AND WORKFORCE DEVELOPMENT Wells Fargo & Company 420 Montgomery Street San Francisco, California Tel Web RICH BAICH Chief Information Security Officer Rich Baich is Wells Fargo s Chief Information Security Officer. Prior to joining Wells Fargo, he was a Principal at Deloitte & Touche, where he led the Global Cyber Threat and Vulnerability Management practice. Mr. Baich s security leadership roles include retired Naval Information Warfare Officer, Senior Director for Professional Services at Network Associates (now McAfee) and after 9/11, as Special Assistant to the Deputy Director for the National Infrastructure Protection Center (NIPC) at the Federal Bureau of Investigation (FBI). He recently retired after 20+ years of military service serving in various roles such as a Commander in the Information Operations Directorate at NORAD/Northern Command Headquarters; Commanding Officer Navy Information Operations Center (NIOC), Denver, Colorado; Special Assistant at the National Reconnaissance Office (NRO), Real Time Military Analysis Center, the Reserve Armed Forces Threat Center, the Center for Information Dominance, and the Information Operations Technology Center (IOTC) within the National Security Agency (NSA). Mr. Baich was also selected as an advisor for the 44th President s Commission on Cybersecurity. 6