8
Build a Program that Drives toward Digital Resilience

Digital resilience will not come from implementing a discrete set of technological or process changes. The levers described in this book are an interrelated, mutually reinforcing system. Putting them in place requires significant behavioral changes not only within the cybersecurity function, but across IT and all major business processes and functions. Change of that scale requires companies to address a set of daunting structural and organizational challenges, including deep-seated mind-set shifts about what cybersecurity aims to achieve and who is responsible for it.

Yet despite the scale of the challenge, even some of the biggest and most sophisticated organizations fail to acknowledge the extent of change required. They try to avoid the problems rather than address them head-on and their security programs remain focused on a series of technical implementations rather than on undertaking a fundamental change in the operating model. The result is often incomplete buy-in from the organization as a whole, which complicates decision making, slows implementation and reduces the chance that the required resources will be available for the program.

Indeed, such a blinkered approach does not just increase the risk of being hacked, it risks slowing down the company’s ability to innovate and grow, and will contribute to that $3 trillion shortfall in the value from technology.

Companies must understand what the journey to digital resilience means in practical terms; and they need to be clear on how to get there with a plan that is crystal clear on the priorities all the way from program design to implementation. Crucially, they must ensure that the entire shift remains rooted in long-term business imperatives not technological quick fixes.

WHAT IT TAKES TO GET TO DIGITAL RESILIENCE

Companies face three major challenges in achieving digital resilience. First, they need to get the business engagement and collaboration required to prioritize business risks, make intelligent trade-offs and implement business changes that could help protect information assets. Too often, they conduct mechanistic assessments that do not get to the real issues.

Second, they need to make resiliency a top priority in IT, which has become accustomed to short-term cost and speed objectives.

Finally, they need to improve the skills of the cybersecurity function to make it much more nimble, but most companies find this immensely challenging, especially in a tight labor market.

Drive Business Collaboration and Engagement

Many cybersecurity decisions have far-reaching market and strategic effects and therefore require input from senior business managers. Moreover, many of the ways that companies can better protect information assets require action from outside either cybersecurity or the IT organization more broadly. Success therefore hinges on support from senior business managers. But getting the right level of senior engagement is tough—the language is arcane, the skills required to interact with senior executives are often lacking, and few tools exist to quantify cybersecurity risk or its mitigation.

Companies Need to Accept Risks Given Business Imperatives

Cybersecurity is all-pervasive. It touches every business process and function; but just as business processes rely on valuable information, they also create vulnerabilities that attackers can exploit. For example, product development decisions often can increase the sensitive customer data collected and procurement decisions can lead to new vendors who may not treat sensitive intellectual property with the required care.

Companies need to make sophisticated trade-offs between these risks and competitive imperatives. As one investment banking CISO said, “If I did as thorough a security assessment as I would like before we nailed up a direct connection to a hedge fund, our prime brokerage business would cease to exist.”

The questions companies must ask themselves when implementing cybersecurity programs include:

  • Will more rigorous password controls for online portals slow customer acquisition?
  • Will in-line network controls increase latency and noticeably worsen the customer experience?
  • How tightly are we willing to limit access to proprietary intellectual property (IP) used in product development processes?
  • How intrusively will we monitor employee activity in order to reduce the risks associated with insider threats?
  • How will remediation of insecure applications be prioritized against new business functionality?
  • When can data be purged and when should it be retained because of its potential analytic value?
  • How much will increasing vendor security requirements reduce the pool of eligible bidders for key services, hurt negotiating power, and therefore increase procured costs?

Action Needed Far Outside the Cybersecurity Function

Most of the critical levers companies must pull to achieve digital resilience extend beyond the cybersecurity team. We have already seen how operations functions have to adopt new business processes; marketing and corporate communications teams need to be primed in the event of a breach; and application development groups have to adopt secure coding techniques and fix insecure applications. There are many more examples. All these actions require new ways of working and thinking in each business function and many of these changes will require substantial one-time project capacity.

Breaking through the noise to spur frontline managers to action can be difficult. Frontline managers often feel overwhelmed by an endless stream of corporate initiatives: Sarbanes-Oxley, Anti-Money Laundering, Six Sigma, organizational restructurings, cost programs—the list goes on. To cut through this, the most senior members of the management team, including the CEO, must be actively engaged in supporting the CISOs and the chief information officers (CIOs). It is only they who can make decisions about the overall level of appetite for cybersecurity-related risk; it is only they who can prioritize information assets and make the trade-offs between risk reduction and operational impact; and it is only they who can prioritize remediation activities over all the other business priorities that fall on the shoulders of frontline staff.

Getting the Right Level of Business Engagement Is Tough

The arcane nature of cybersecurity makes it hard to engage effectively with the senior executive team. Senior business executives already consider IT managers to be a priesthood that uses impenetrable jargon to describe mysterious issues such as software development life cycles, agile development, data architecture, and cloud computing. Cybersecurity is even more confusing. Even those senior executives who feel they have a solid grasp of concepts like applications, data centers, networks, and desktop devices may throw up their hands in frustration when the discussion turns to access controls, machine learning to combat insider threats, and intrusion detection.

The limitations in quantifying cybersecurity risks make it even harder to engage senior executives. They are frustrated by the lack of the type of meaningful metrics they use to assess productivity, quality, or risk in other areas. A banking chief risk officer (CRO) can tell the rest of the management team that the institution has a capital adequacy ratio of 7.5 percent while its peers are in the 7.7 to 7.8 percent range, and the regulator is pushing for 8 percent.[1] A mining CRO can tell her board that the company has averaged two accidents per 10,000 operational full-time equivalents, and that an investment of a few million dollars might reduce that to 1.8.

A CISO does not have these numbers at hand. There is no single metric like value at risk for cybersecurity, and this makes it much harder to communicate the overall level of risk to senior managers and engage them in decisions. Cybersecurity defies this type of precise quantification because it involves so many different types of risks. Some, like cyber-fraud, regulatory fines, legal exposure, and remediation costs, can be directly tied to an immediate financial impact. Others, like the reputational impact or the loss of IP, cannot. If a foreign competitor steals the plans for a new manufacturing process, how can the company quantify how much of a product’s value depends on the new process, let alone the extent to which the competitor could exploit the information? Companies simply cannot answer these questions confidently and precisely.

Quantifying the likelihood of the risks and the impact of remediation can be even more challenging given the paucity of historical data, especially for major breaches that will occur rarely at any one institution. CIOs and CISOs cannot credibly say, “Currently, there is a 22 percent likelihood of a major breach over the next two years and that could go down to 15 percent if we spent an additional $100 million next year.”

At one major financial institution, the CISO was asked to come up with three cybersecurity metrics to add to the CEO-level scorecard. Given the scorecard’s design criteria, all the options he considered were deemed either less than relevant (e.g., pace of attacks), too narrow (e.g., fraud losses), or too subjective (e.g., qualitative risk assessment). As the chief financial officer (CFO) at another institution told us, “It feels like we’re constantly spending more on security, but I have no idea whether that’s enough or even what it does.”

With all these challenges, it is no surprise that the levels of engagement between senior management and the cybersecurity function vary enormously. We heard about companies where the CISO meets the CEO every few weeks, and we heard about companies where the CISO reports to the CTO (who reports to the CIO, who reports to the CFO) and has never met with the CEO. Even where the C-suite acknowledges the gravity of the issue, CIOs and CISOs still hear the plea, “Just tell me that it can’t happen here.”

Use the Resiliency Program to Drive Business Engagement

Given the challenges of achieving tighter business collaboration and stronger engagement, companies have to explicitly design their resiliency programs to address this vital issue.

A typical program starts by assessing the state of play and from there developing a perspective on information assets and business risks. Immediately, this helps senior business leaders understand what is at risk and why it’s important. Defining an aspiration around business themes rather than technology will also improve the understanding of and commitment to the change required. Providing pragmatic options, with different risk and resource implications, will draw out senior management’s implicit risk appetite—and make sure the program as a whole is aligned with it. Building modules into the project plan to engage with each individual business line on differentiated protections will help ensure that business managers take responsibility for making decisions on cybersecurity risks. Finally, governance structures that enable senior managers to weigh in on the dozens of cybersecurity decisions will further emphasize that these issues are owned by the business, not the high priests of IT.

Focus the IT Organization

In many respects, enterprise IT management is a form of risk management. All day, every day, application development and infrastructure managers make risk management decisions. Should they agree to complete a development project in three months, or will it really take four months to do the job right? How many test scripts and test cycles should they plan for? Will they use a traditional piece of packaged software or a new public cloud offering? How quickly should they get a new software patch into production? Should they refresh this outdated infrastructure this year or wait until next? The questions are endless, the answers critical to determining the company’s risk exposure.

Enterprise IT organizations are rarely set up to address resiliency systematically. For years, senior managers have focused on budget reductions and the rapid delivery of tactical capabilities over creating sustainable and resilient architectures. In many cases, annual IT budget processes drive resources to short-term efforts that pay for themselves within the year. Partly because of this short-term focus (and partly because they often lack confidence in their own cybersecurity skills), many IT managers believe they can outsource worrying about security implications to the CISO and his team. As a result, companies wind up with application and infrastructure platforms that are not only inefficient and inflexible, but also intrinsically insecure.

A program for achieving digital resilience cannot fix everything in IT, but it can be a powerful force for encouraging changes in the broader IT organization. It can provide an honest account of how shortcomings in the application and infrastructure environments (e.g., outdated business applications, infrastructure software that is no longer supported by vendors, insufficient patching, inflexible network environments) create security vulnerabilities. It can be synchronized with other technology improvement programs to help make the case for change, to ensure that new architectures are built to be secure, and to encourage a priority list that addresses the most important risks fast. It can also put in place operating model changes that increase IT executives’ level of ownership and accountability in terms of addressing vulnerabilities in the platforms they manage.

Upgrade Cybersecurity Skills

Achieving digital resilience requires a dramatic improvement in the skills and capabilities of the people in the cybersecurity organization. Each of the seven resiliency levers will stretch the skill and talent models for a cybersecurity organization:

  1. Prioritize information assets based on business risks. This requires business analysts who can connect business strategies, value chains, and operational processes on the one hand and cybersecurity risks and defense mechanisms on the other.
  2. Provide differentiated protection for the most important assets. This requires security architects who can stay up to date with the highly fragmented and dynamic vendor landscape for technologies such as identity and access management (I&AM), data loss prevention (DLP), antimalware, and a dozen others.
  3. Integrate cybersecurity into enterprise-wide risk management and governance processes. This requires senior managers who can engage effectively with executives in a range of business functions.
  4. Enlist frontline personnel to protect the information assets they use. This requires a small number of communications specialists who can translate cybersecurity risks into compelling messages that will change the mind-sets and behaviors of targeted groups of users.
  5. Integrate cybersecurity into the technology environment. This requires application and infrastructure architects who have deep expertise in secure application development, cloud security, desktop virtualization, mobile security, and software-defined networking.
  6. Deploy active defenses to engage attackers. This requires security intelligence and data analysts who can gather insights and identify patterns based on external feeds and data from the company’s own IT environment.
  7. Test continuously to improve incident response across business functions. This requires targeted, specialized expertise in war-game development and incident response (IR) planning.

Almost no company’s cybersecurity team has all of these skills today, let alone in sufficient quantity to drive toward digital resilience. Moreover, the tight market for cybersecurity talent means companies cannot simply hire the resources they need externally. As a result, companies have to build this capability upgrade explicitly into their programs. Part of this will have to be targeted external hires, and many companies will also outsource some execution activities such as security monitoring in order to free up existing capacity for more value-added tasks. But simply getting the team’s hands dirty will be the most important way to improve. The best way to learn how to run a cybersecurity war game is to run a cybersecurity war game, perhaps starting with a simple game in a smaller business unit, but then rapidly increasing the scale and complexity of the exercise. Similarly, the best way to learn how to engage in active defense is to start gathering the data, perform the analysis, and start tracking attackers.

SIX STEPS TO LAUNCH A DIGITAL RESILIENCE PROGRAM

Senior business managers are engaged, the IT function understands what digital resilience means and the cybersecurity team is eager to get started. But the challenges inherent in moving from a basic cybersecurity mind-set to full organizational digital resilience mean that organizations need to take a measured approach.

To launch an effective program, institutions have to first set the agenda, which means understanding the full scope of the program, defining their goals, and deciding how the cybersecurity function should operate. Then they need to set out the plan for how to get there, considering the major risk/resource trade-offs and ensuring that the road map is aligned with both business imperatives and the technology needed to deliver. Finally, they can move to execution, ensuring they track progress and have sustained engagement across business functions on cybersecurity issues (Table 8.1).

TABLE 8.1 Six Steps to Design and Launch a Digital Resilience Program

Phase: Set the agenda

  Step 1. Surface the full set of issues
  Key outputs:
  • Prioritized information risks and business risks
  • Comprehensive baseline of existing capabilities
  • Comparison to relevant best practices
  • Identification of issues and gaps in addressing business risks

  Step 2. Define an aspirational but specific target state
  Key outputs:
  • Strategic themes for future cybersecurity capability
  • Specific actions required to achieve each strategic theme

  Step 3. Determine how to evolve the cybersecurity delivery system
  Key outputs:
  • Future cybersecurity organizational structure, operational processes, talent mix, performance management systems, and sourcing arrangements

Phase: Create the road map

  Step 4. Set out the risk/resource trade-offs for senior management
  Key outputs:
  • Major options that provide senior management with a range of risk versus resources trade-offs
  • Business criteria for selecting between options

  Step 5. Develop a plan aligned with both business and technology
  Key outputs:
  • Launch charters for all initiatives required
  • Detailed implementation plan for milestones, dependencies, resources, and critical success factors

Phase: Launch execution

  Step 6. Ensure sustained business engagement on cybersecurity issues
  Key outputs:
  • Mechanism to track progress, raise issues, make required decisions, and remove barriers
  • Messages and other reinforcing mechanisms from the executive team to ensure that managers across business functions play their part in protecting critical information assets

1. Surface the Full Set of Issues

You cannot figure out where to go if you do not know where you’re starting from. Get this first stage wrong and you end up with a cybersecurity program that is too narrow, not sufficiently aspirational, and lacks management support. To get the facts required to drive toward digital resilience, a company has to start with the information assets and business risks, understand the relationships between different types of controls, and look at capabilities in a comprehensive way.

Start with Information Assets

There is a natural inclination to want to benchmark cybersecurity. There is, after all, some psychological safety in numbers. However, even institutions in the same industry can have very different risk profiles based on the data they have, the countries they operate in, their public profiles, and the business and technology strategies they pursue.

It is impossible to have an intelligent perspective on how well a cybersecurity function performs without understanding what it needs to protect. A cybersecurity function that makes perfect sense for a mid-market consumer packaged goods company would, for example, be laughably inadequate for a large bank.

Failing to start with information assets and business risks leads to the wrong downstream choices. One financial institution started its program with an assessment of regulatory requirements. Two years later, it had spent a lot of money and made some technical progress but had devoted almost all its efforts to protecting consumers’ personal information to the exclusion of other types of important information assets.

Earlier in this book, we laid out a set of principles and an approach for identifying and prioritizing information assets that should be applied in the earliest days of any cybersecurity program. Depending on the size and complexity of the institution, it may be necessary to prioritize information assets and business risks in phases, starting with a comprehensive prioritization across all businesses and then drilling in to perform a detailed evaluation of each business in turn.

Assess Risks in an Integrated Way

An attacker does not have to defeat an institution’s I&AM or intrusion detection environment—she has to defeat a system of defenses that spans many different types of controls, and she will have a much harder time if those defenses interlock.

Unfortunately, many assessments are structured so that there is a separate score for each element: intrusion detection, I&AM, data protection, incident response, and the like, but no way to look at how these controls combine to protect important information assets. By contrast, looking at how well or badly the combination of password controls, encryption, user training, and DLP currently protects financial transaction data for high-net-worth customers (to take one example) naturally leads to decisions about how to put the right set of differentiated protections in place for such a critically important information asset.

Address the Full Set of Capabilities

We often hear CISOs say, “I want to do a security control assessment.” Immediately, that frames the assessment around a tactical set of issues: how good is the intrusion detection or antimalware environment? By excluding strategic alignment, risk management processes, security architecture, and the overall delivery system, the assessment can end up delivering changes only within cybersecurity, when what is needed are changes to business processes much more broadly.

Off-the-shelf accreditations and guidance such as ISO 27001 [2] and the U.S. National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cybersecurity” [3] can be extremely valuable in broadening how organizations think about assessing cybersecurity, but even they have their scope limitations. They underemphasize, for example, product security and many types of third-party risks. In fact, almost all such frameworks focus on technology-related risks at the expense of business process changes like purging sensitive information that is no longer required, creating a secure process for higher-risk transactions, or creating incentives for customers to engage with the company in a more secure way, all of which can have tremendous benefits.

An effective cybersecurity capability assessment must credibly answer the following questions:

  • Strategic. Is the overall direction of the cybersecurity function consistent with the principles of digital resilience? Are there mechanisms being put in place to prioritize information assets, drive cybersecurity considerations across business processes, enlist frontline users, respond to breaches across business functions, build security into broader IT architectures, and implement active defenses?
  • Governance. Does the institution have the facts and processes required to make intelligent risk management decisions about cybersecurity policies? Does it understand its assets, attackers, and vulnerabilities? Can it prioritize risks and evaluate potential defense mechanisms objectively?
  • Controls. What is the level of sophistication and capability across the full range of potential controls (e.g., I&AM, DLP, encryption, application security, network security, infrastructure security)?
  • Security architecture. To what extent is the technology platform that underpins cybersecurity controls comprehensive, coherent, integrated, and modular and able to incorporate rapidly evolving new tools and vendor offerings?
  • Delivery system. To what extent does the cybersecurity function have the right structure, processes, capabilities, performance management systems, and sourcing arrangements to operate in a sustainable and efficient way and to continue to improve capabilities?

Many companies have not answered these questions fully, even as they launch their cybersecurity programs. The result is that they do not understand the systemic changes they need to put in place.

2. Define an Aspirational but Specific Target State

There are a thousand directions a company’s cybersecurity program could go in: different assets it could focus on, different policies it could define, different technologies it could implement, and different skills it could foster. How, therefore, does a company determine a goal that is both bold and specific to the company’s business situation, that is coherent across a wide range of actions, that is sufficiently aspirational, and, crucially, that is simple enough to explain so that it can build organizational support?

The answer is to connect the seven digital resiliency levers to business risks, use business process changes as well as technical controls, and integrate changes into major themes that will communicate intent and galvanize support.

Connect Digital Resiliency Levers to Business Risks

This book has laid out a set of levers that are critical for companies driving toward resiliency. Asking how to use each lever to address high-priority business risks will highlight the capabilities that are needed in the target state.

Let us imagine that a bank’s assessment prioritizes the risk that staff—either its own or those from vendors—compromise the confidentiality of the customer information it uses to underwrite loans to corporate customers. Each digital resiliency lever has a role to play in managing this risk.

  • Prioritize information assets based on business risks. Business managers need to define the criteria that make a particular loan especially high risk, for example, whether the loan is related to high-profile merger and acquisition (M&A) activity or is for a controversial business project.
  • Provide differentiated protection for the most important assets. Use DLP controls to log (and in some cases block) e-mail and printing of documents that are related to highly sensitive transactions, and digital rights management (DRM) controls to prevent unauthorized users accessing them.
  • Integrate cybersecurity into enterprise-wide risk management and governance processes. Negotiate requirements about how vendor-provided staff handle documents related to sensitive transactions into the vendor contracts.
  • Enlist frontline personnel to protect the information assets they use. Provide targeted training for underwriting professionals on the value of the data they touch, the impact if it fell into the wrong hands, and the standard procedures for handling sensitive data—and encourage people to speak if they see those procedures being violated.
  • Integrate cybersecurity into the technology environment. Create a well-functioning document management capability, so underwriting professionals do not have to use e-mail to store and transmit sensitive loan documents.
  • Deploy active defenses to engage attackers. Build analytics to identify potential risks; for example, an employee who recently had a poor performance review, has been accessing large numbers of files not related to his current projects, and has generated multiple DLP alerts may represent an elevated risk for using sensitive documents inappropriately.
  • Test continuously to improve incident response across business functions. Develop protocols for communicating with customers and collaborating with law enforcement in the event of a breach.

By looking across each lever for each priority business risk, cybersecurity managers can ask themselves two important questions: (1) will the set of actions, in aggregate, sufficiently address the risk; and (2) are there any duplicate actions that can be removed, given the nature of the risk?

In particular, given many companies’ history of focusing on external attackers, CISOs need to make sure a resiliency program fully addresses insider threats.
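
The analytics sketched under the active-defense lever above can be made concrete. The following is an added example, not code from the book or from any product, showing how the three signals the text names (a poor performance review, file accesses outside the employee’s current projects, and repeated DLP alerts) can be joined into a single per-user risk score that an analyst reviews. The log format, field names, project assignments, weights, and review threshold are all constructed for illustration and would be replaced by the institution’s own systems and tuning.

```python
"""Insider-risk scoring over constructed sample events (illustrative only).

Every input below is invented: the project-assignment export, the
document-management access log, the DLP alert feed and the HR flag.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Which projects each user is assigned to (hypothetical PM-system export).
ASSIGNMENTS = {
    "alice": {"PROJ-ALPHA", "PROJ-BETA"},
    "bob": {"PROJ-GAMMA"},
    "carol": {"PROJ-ALPHA"},
}

# Constructed document-management access log: timestamp then key=value fields.
FILE_ACCESS_LOG = """\
2024-03-04T09:12:01 user=alice project=PROJ-ALPHA path=/deals/alpha/term_sheet.docx
2024-03-04T09:14:30 user=alice project=PROJ-ALPHA path=/deals/alpha/model.xlsx
2024-03-04T10:02:11 user=alice project=PROJ-BETA path=/deals/beta/memo.docx
2024-03-04T10:05:45 user=bob project=PROJ-GAMMA path=/ops/gamma/runbook.pdf
2024-03-04T10:40:17 user=bob project=PROJ-ALPHA path=/deals/alpha/term_sheet.docx
2024-03-04T10:41:02 user=bob project=PROJ-ALPHA path=/deals/alpha/model.xlsx
2024-03-04T10:43:55 user=bob project=PROJ-ALPHA path=/deals/alpha/board_pack.pdf
2024-03-04T11:20:09 user=bob project=PROJ-BETA path=/deals/beta/memo.docx
2024-03-04T11:31:40 user=carol project=PROJ-ALPHA path=/deals/alpha/model.xlsx
2024-03-04T11:32:15 user=carol project=PROJ-BETA path=/deals/beta/memo.docx
"""

# Constructed DLP alerts (user, channel) and HR risk flags (user -> note).
DLP_ALERTS = [("alice", "email"), ("bob", "email"), ("bob", "print")]
HR_FLAGS = {"bob": "below-expectations review, 2024-Q1"}

# Illustrative weights and caps; a real program tunes these against its own
# false-positive rate and the criticality of the asset class being watched.
W_OFF_PROJECT, CAP_OFF_PROJECT = 2, 10
W_DLP, CAP_DLP = 3, 5
W_HR = 5
REVIEW_THRESHOLD = 12


@dataclass
class UserRisk:
    user: str
    total_accesses: int = 0
    off_project_accesses: int = 0
    dlp_alerts: int = 0
    hr_flag: str | None = None
    reasons: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        """Capped, weighted sum so no single noisy feed dominates the score."""
        s = W_OFF_PROJECT * min(self.off_project_accesses, CAP_OFF_PROJECT)
        s += W_DLP * min(self.dlp_alerts, CAP_DLP)
        if self.hr_flag:
            s += W_HR
        return s


def parse_access_log(text: str) -> list[dict[str, str]]:
    """Parse 'ts k=v k=v ...' records into dicts (blank lines skipped)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(pair.split("=", 1) for pair in pairs)
        rec["ts"] = ts
        records.append(rec)
    return records


def score_users(log_text: str = FILE_ACCESS_LOG, assignments=ASSIGNMENTS,
                dlp_alerts=DLP_ALERTS, hr_flags=HR_FLAGS) -> dict[str, UserRisk]:
    """Join the three signals per user and record why each point was scored."""
    risks: dict[str, UserRisk] = {}
    for rec in parse_access_log(log_text):
        r = risks.setdefault(rec["user"], UserRisk(rec["user"]))
        r.total_accesses += 1
        # Access to a project the user is not assigned to is the "files not
        # related to current projects" signal from the text.
        if rec["project"] not in assignments.get(rec["user"], set()):
            r.off_project_accesses += 1
    for user, _channel in dlp_alerts:
        risks.setdefault(user, UserRisk(user)).dlp_alerts += 1
    for user, note in hr_flags.items():
        risks.setdefault(user, UserRisk(user)).hr_flag = note
    for r in risks.values():
        if r.off_project_accesses:
            r.reasons.append(f"{r.off_project_accesses}/{r.total_accesses} "
                             "accesses outside assigned projects")
        if r.dlp_alerts:
            r.reasons.append(f"{r.dlp_alerts} DLP alert(s)")
        if r.hr_flag:
            r.reasons.append(f"HR flag: {r.hr_flag}")
    return risks


def users_for_review(threshold: int = REVIEW_THRESHOLD, **kwargs) -> list[str]:
    """Users whose combined score reaches the threshold, highest score first."""
    risks = score_users(**kwargs)
    ranked = sorted(risks.values(), key=lambda r: -r.score)
    return [r.user for r in ranked if r.score >= threshold]


if __name__ == "__main__":
    for r in sorted(score_users().values(), key=lambda r: -r.score):
        print(f"{r.user:6} score={r.score:2}  " + "; ".join(r.reasons))
```

Run directly, the script prints each user’s score alongside the reasons that produced it. On the constructed data only bob crosses the threshold, because three weak-to-moderate signals coincide; alice’s single DLP alert and carol’s one off-project access stay well below it. The reasons list matters as much as the number: the score nominates someone for review by security and HR together, it is not evidence of wrongdoing, and the weights and threshold have to be tuned to the analyst team’s capacity and the institution’s tolerance for false positives.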

Use Business Process Changes As Well As Technical Controls

Once cybersecurity managers have applied the seven digital resilience levers to each of the most important business risks in order to identify a broad set of potential actions, they have to make sure they are considering the right mix of controls.

Mechanisms to protect information assets fall into three categories:

  1. Business process controls. These are changes to end-user behavior and business processes beyond IT. They include actions such as purging data and improving training, creating secure paths for sensitive assets, programs to change customer behavior, vendor policies, M&A/joint venture security processes, war gaming, and business product security architecture.
  2. Broader IT controls. These are changes to the broader IT architecture and operating model and include secure public and private cloud services, secure coding, secure application architecture, secure infrastructure operations, and secure mobility/end-user devices.
  3. Cybersecurity controls. These are the technology capabilities and processes focused on protecting information. They include encryption, I&AM, threat management, perimeter security, security analytics, and security operations.

Achieving digital resilience requires using all three types of controls in concert but, given traditional mind-sets, there is a strong tendency in many programs to lean heavily or exclusively on the cybersecurity controls alone. But this can make the cybersecurity program more expensive and intrusive than it needs to be. New cybersecurity controls carry with them the time and cost of implementing a new technology system; business process controls such as purging data or creating secure paths for sensitive data can be implemented more quickly and cheaply. New cybersecurity controls can add complexity to a company’s technology architecture, while broader IT controls such as private cloud services and software-defined networking can simultaneously improve security and agility.

Synthesize the Required Changes into Themes

Applying all the digital resilience levers to all the priority business risks will inevitably generate a list of potential actions, but the list will be too long, with too many overlaps, and be too complex for any organization to rally around. Companies find they more readily get organizational buy-in and make faster progress when they synthesize the broad set of improvements they need to make into a short list of major themes.

To develop the themes, cybersecurity managers need to consolidate similar or duplicate actions and then prioritize by scoring the remaining actions in terms of how many priority business risks they address and how much change they will require compared to the current state. Once managers strip out those actions where the reduction in risk is too low given the complexity of implementation, they can aggregate the remaining actions into broader themes.

One health care provider developed nine strategic themes (a typical number), each of which contained specific initiatives and actions. They included:

  • Protect personal health information across the entire business system from patient to doctor, through the hospital and, when relevant, to supporting vendors.
  • Scrutinize insider activities, both accidental and intentional, at the same level as external activity.
  • Minimize corporate “surface area,” by rationalizing applications and systems.
  • Detect and respond to cyber-events in order to minimize business harm and disruption to care delivery.

These themes enabled managers to describe the program to senior management, rally staff around a program of change, and ultimately track progress.

3. Determine How to Evolve the Cybersecurity Delivery System

Achieving digital resilience will necessarily stress the cybersecurity function. The operational processes, sourcing arrangements, people models, and organizational structures currently in place to operate security as a control function will become increasingly inadequate. There are three issues in particular that cybersecurity managers should pay attention to: streamlining operational processes, revising organizational structures, and upgrading skills.

Streamlining Operational Processes

Cybersecurity includes a set of operational processes, from updating access rights for accounts to assessing vendor security capabilities to reviewing application security architectures. Historically, business and IT managers have seen these processes as slow and cumbersome and as a brake on the rest of the organization’s ability to get things done quickly. Many aspects of digital resilience will place additional stress on these processes. For example, as a company starts to place different protections in place for its most important information assets, it will need to be able to implement much more granular policies on passwords and access rights. That could swamp existing processes, reducing business agility and frustrating business and IT managers even more.

Cybersecurity teams may find that applying lean IT mechanisms to drive waste out of security processes would be extremely profitable.4 An insurance company segmented requests by complexity, eliminated rework, and ran activities in core security processes in parallel, improving both productivity and response time by 30 percent.

Align on the Required Organizational Structure

Not long ago, IT security was just another technology domain in many organizations’ IT infrastructure function. Just as the head of IT infrastructure had a manager for the data center, the network, and for desktop domains, he also had an IT security manager responsible for technologies such as remote access, antivirus, and firewalls.

Much has changed since then. Most, but not all, companies have appointed a CISO and expanded the remit of their security organizations. However, the novelty of these changes means that there is still a lot of variation and often fragmentation in cybersecurity organizational models, which can minimize the effectiveness of a digital resilience program. As they put such programs in place, companies need to consolidate cybersecurity resources, determine the right reporting and role for the CISO, and create structures that facilitate interactions with business units on security strategy.

Cybersecurity is a technologically sophisticated domain that depends heavily on tools, and companies need to use both their expertise and the tools across businesses rather than fragment them. Yet some companies still have substantial cybersecurity activity in each business unit. One bank found that it had as many cybersecurity personnel embedded in the businesses as in its central security organization, with as much as 15 percent redundant through overlaps. Leading companies are starting to consolidate cybersecurity strategy, architecture, management of technologies, operations, and I&AM and vendor governance, while continuing to maintain a much smaller number of decentralized staff to perform business-specific activities such as project governance. This setup yields both capability and efficiency benefits.

Deciding to consolidate is relatively straightforward, but selecting the right role and reporting relationship for the CISO’s organization is much more complicated. There are four fairly common models:

  1. Traditional. The CISO has organizational ownership for all aspects of cybersecurity and reports to the head of infrastructure.
  2. Mainstream. The CISO has organizational ownership for all aspects of cybersecurity and reports directly to the CIO.
  3. IT risk. The head of IT risk has organizational ownership of all aspects of cybersecurity plus responsibility for other IT risk issues (e.g., disaster recovery, quality, IT compliance) and reports directly to the CIO, possibly with a dotted line to the CRO.
  4. Strategic. The CISO has organizational ownership for strategy, policy, and governance and reports to the CRO; operational aspects of cybersecurity are typically owned by the head of infrastructure.

Fewer and fewer companies that are serious about cybersecurity use the traditional model, in which the CISO reports into the head of infrastructure. The structure simply does not provide the seniority and visibility that the security team needs to drive resiliency. It underscores a company’s view of cybersecurity as a “technology” rather than a “business” issue, and makes it much harder to recruit high-quality cybersecurity talent.

Most companies use some variant of the mainstream model, with the CISO reporting to the CIO, sometimes with a dotted line to the CRO. This gives the CISO more visibility and seniority without the complexity of developing a common approach across different IT risk domains or teasing apart the cybersecurity team into its strategic and operational components. This option tends to work well for organizations that are further behind in terms of cybersecurity maturity and need to pick up speed.

Both the IT risk and strategic models require additional organizational sophistication. Getting full value from the IT risk model requires developing common approaches for managing risk across cybersecurity, vendor risk, disaster recovery, and compliance. Obviously, this can be enormously powerful and allows the CISO to look at issues across a variety of domains, but success requires some degree of maturity in each individual IT risk domain.

Likewise, the strategic model can be powerful in that it can ensure that short-term operational imperatives do not crowd out risk prioritization, strategy development, and governance. Having the CISO (or head of IT risk) report directly to the CRO also emphasizes that cybersecurity is a business risk just like any other risk. However, it also requires splitting out the operational aspects of cybersecurity from the strategy and keeping them firmly in IT—no CIO can afford to let staff from risk, or indeed from anywhere outside his organization, touch IT operations directly.

A major health care company decided that creating a strategic CISO would enhance its focus on protecting the confidentiality and integrity of patient data. It had already invested for several years to get to a basic level of cybersecurity maturity and felt comfortable breaking apart the cybersecurity organization, with the more technical and operational activities remaining in the infrastructure function. Naturally, the CISO and the senior IT team invested real time in mapping out the links between the new cybersecurity group and the IT organization in order to ensure that the strategies and policies the new group developed continued to be relevant.

Upgrade Skills and Resources

As noted earlier, achieving digital resilience will require new types of skills. The cybersecurity labor market is tight, so improving the function’s skills and resources may be both one of the most challenging and most important aspects of a digital resilience program. There are four techniques that leading organizations use to upgrade the capabilities of their cybersecurity teams.

First, they focus relentlessly on retention, given that every employee who leaves represents one more slot the CISO has to fill. Basic managerial hygiene matters a lot, especially when high performers have so many options. In addition, some companies place a sharp focus on exposure, career paths, and community participation. They deliberately give high performers the opportunity to interact with senior business leaders and sometimes the board. They create well-articulated career paths for security professionals, sometimes including the opportunity to rotate through application development, infrastructure, and business functions. They also provide the time and space for high performers to participate in industry and technology forums focused on cybersecurity.

Second, they draw from nontraditional talent pools. Not only do they recruit relatively young professionals from the military and intelligence communities to specialize in security intelligence and data analytics, but they also poach intrinsically strong problem solvers from elsewhere in the IT organization and sometimes from business functions as well. Realizing that they have to take a long-term view, they establish relationships with colleges and universities (and, in a few cases, high schools) to create a pipeline of technical talent in the areas they operate.

Third, they minimize the time devoted to lower-value activities by automating wherever possible. As we saw in the chapter on active defense, they are building arrangements with managed security service providers who can perform operational activities such as security monitoring or basic triage, thereby releasing internal staff for more value-added tasks.

Fourth, and most importantly, leading cybersecurity organizations build capabilities by doing. The best way to build capabilities in war gaming is to conduct a war game. The best way to understand how to prioritize information assets is to pick a line of business and work with its leadership team to assess those information assets and business risks. Cybersecurity organizations that are lagging behind let the absence of a capability stand in the way of developing that capability. Leading organizations aggressively push themselves to advance their capabilities in business engagement, security architecture, war gaming, active defense, and other areas.

4. Set Out the Risk/Resource Trade-offs for Senior Management

Everyone in cybersecurity agrees that risk appetite is important but different companies have different tolerances for risk based on their sector, culture, and overall business strategy. A digital resilience program must deliver an overall level of risk that is in line with this risk appetite.

The challenge, as we have already mentioned, is that there is no simple metric for quantifying cybersecurity risk. This means rather than trying to formulate some highly abstract (and therefore largely meaningless) statement of risk appetite, CIOs and CISOs should instead present managers with three or four pragmatic options that represent different levels of risk reduction and resource commitment and use this to gauge their risk appetite.

For example, the cybersecurity team at a North American bank laid out an ambitious goal that would be an enormous change from where it stood. They argued that some of the actions required were essential to reach a minimum standard of responsible practice. Many other actions were standard practice for their peers and also provided additional protection for their most important information assets. A final set of actions was more cutting edge and relevant to more sophisticated attackers.

Based on this, the team developed three options with progressive levels of protection and resource commitment: (1) the minimum standard, (2) protect priority assets, and (3) defend against sophisticated attackers. More importantly, the team also calculated a rough costing for each option and described which types of business risks each option would protect the institution against (Table 8.2).

TABLE 8.2 Options for Risk Reduction/Resource Commitment Trade-offs

Options (columns, in order of increasing protection and resource commitment): Meet Minimum Standard; Protect Important Information Assets; Defend against Sophisticated Attackers. Within each theme, initiatives are listed in that order, from the minimum-standard option through to the sophisticated-attacker option.

Themes and Related Initiatives

Enhance business engagement
  • Implement metrics to track progress, capabilities, and future design
  • Establish business-unit aligned cybersecurity points of contact
  • Create targeted training for key user groups
  • Integrate cybersecurity metrics in goals and objectives for senior business managers

Implement “fit for purpose” control model
  • Establish ownership for business information and assets
  • Classify information assets based on sensitivity
  • Implement tiered I&AM model, with multifactor authentication for priority systems
  • Align new vendor contracts with new security requirements
  • Expand use of encryption at rest
  • Review backlog of contracts to identify gaps to security requirements and address
  • Apply use of DLP to structured data
  • Move sensitive unstructured data to document management systems
  • Extend DLP to unstructured data

Enhance application and infrastructure security
  • Move engagement with security team earlier in the software development life cycle
  • Train every developer on secure coding practices
  • Implement one-time passwords for privileged access
  • Accelerate migration of private cloud and virtual desktops
  • Segment network to reduce lateral movement

Create enhanced SOC and improve incident response
  • Create SOC that links intelligence to operations
  • Codify IR plans and establish links to other crisis management plans
  • Expand and advance independent technical security assessments to verify security posture
  • Conduct ongoing regime of cybersecurity war games
  • Implement deep packet inspection and malware detection and detonation
  • Implement advanced server and endpoint analytics

Selected Risks Addressed by Scenario
  • Significant distributed denial of service attack could interfere with payment systems
  • Insider could accidentally release customer information
  • Insider could take underwriting practices when he left for competitor
  • Sophisticated attacker could corrupt financial transactions

Although the work that went into this was time consuming, the benefit of being able to present senior managers with such a digestible set of options was immeasurable. It allowed for a robust discussion about how much additional capital investment, operating expense, and management attention the company could afford to devote to the cybersecurity program and how much risk reduction that would buy.

Unsurprisingly, the bank’s senior management decided that it had a responsibility to go beyond the bare minimum of basic practice. However, because it did not have the public profile and global footprint of the largest banks, they also decided that the investment required to deliver cutting edge protection against the most sophisticated attackers did not make sense given their challenging financial constraints. Instead, the bank settled on the middle option of making sure it had differentiated protection for its most important information assets.

5. Develop a Plan Aligned with Both Business and Technology

Once companies have assessed existing cybersecurity capabilities, defined where they want to be given the risk appetite, and aligned on an organizational model, they need to develop a plan for making all the necessary changes. To develop and launch an effective plan, companies must not only apply traditional program management rigor but also sequence the plan based on business risks, integrate it with a broader set of IT change programs, and create top-down program oversight.

Apply Traditional Program Management Rigor

All the practices critical to the success of any major business-technology program are equally important for a cybersecurity program. A company must appoint a single responsible leader for the overall program, in this case typically the CISO. It must define work streams with specific actionable initiatives. Each initiative must have a manager who will be accountable and devote real effort to the initiative, a charter that lays out expected outcomes, and a work plan that articulates milestones, dependencies, and resource requirements. The initiatives must be synthesized into an overall road map that provides insight into resource requirements and the interdependencies across initiatives.

Sequence the Plan Based on Business Risks

Traditionally, cybersecurity plans have been based on the different types of controls that need to be implemented or upgraded. However, to truly integrate cybersecurity into business processes and strategies, a full digital resilience plan would include initiatives aligned by business as well as by technology controls. For example, an insurance firm originally designed its cybersecurity program around regulatory requirements and developed a plan to implement a series of technology controls. As a result, the program did not focus on the most important assets and did not drive change in individual business units—most senior executives barely knew what it did.

After the insurer invested the time to think through its most important information assets and business risks, it redesigned and resequenced its plan. In addition to putting in place new technology capabilities, it also laid out initiatives to roll through each business in its portfolio over 18 months to assess their information assets, identify business process changes that would protect critical information, and implement differentiated controls. It tackled these actions in order of risk impact. Phase 1 applied the highest impact controls to the businesses with the most important information assets. Phase 2 applied the second tier of controls to the first tranche of businesses and the first tier of controls to the second tranche of businesses. That way, the insurer could both ensure real change at the individual business level and accelerate risk reduction impact, even in the face of constraints that prevented the company from trying to do everything in parallel (Figure 8.1).
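The wave-style sequencing just described (the highest-impact controls reach the most important businesses first, and each tier of controls rolls on to the next tranche one phase later) generalizes to any number of control tiers and business tranches. The script below is an added example of that generalization, not the insurer's or the book's own planning tool; the tier names, tranche names and risk weights are constructed sample data, and the assumption that a tier/tranche pair is worth the product of its two weights is made only so the example can show how quickly weighted coverage accumulates.

```python
"""Generate a phased rollout plan that reaches the most critical
business/control combinations first.

Added worked example of the wave-style sequencing (tier 1 controls to
tranche 1 first, each tier moving on to the next tranche in the following
phase). Not the insurer's or the book's own tool; tier names, tranche
names and risk weights are constructed sample data.
"""
from itertools import product


def phased_rollout(control_tiers, business_tranches):
    """Return a list of phases. Phase p (0-based) holds every (tier, tranche)
    pair whose tier index plus tranche index equals p, so the highest-impact
    controls reach the most important businesses in the first phase and each
    tier rolls on to the next tranche one phase later."""
    n_phases = len(control_tiers) + len(business_tranches) - 1
    phases = [[] for _ in range(n_phases)]
    for (t, tier), (b, tranche) in product(enumerate(control_tiers),
                                           enumerate(business_tranches)):
        phases[t + b].append((tier, tranche))
    return phases


def cumulative_risk_reduction(phases, tier_weight, tranche_weight):
    """Fraction of total risk-weighted coverage achieved by the end of each
    phase. A pair's value is assumed to be the product of its tier weight
    and its tranche weight (an assumption made for this example)."""
    total = sum(tier_weight[t] * tranche_weight[b]
                for t in tier_weight for b in tranche_weight)
    done, out = 0.0, []
    for phase in phases:
        done += sum(tier_weight[t] * tranche_weight[b] for t, b in phase)
        out.append(round(done / total, 3))
    return out


# Constructed sample: tiers ordered by risk impact, tranches by importance
# of the information assets they hold.
CONTROL_TIERS = [
    "Tier 1: differentiated access and encryption for priority assets",
    "Tier 2: DLP and document management",
    "Tier 3: developer training and SDLC gates",
]
BUSINESS_TRANCHES = [
    "Tranche A: life and annuities",
    "Tranche B: commercial lines",
    "Tranche C: corporate functions",
]
TIER_WEIGHT = {CONTROL_TIERS[0]: 5, CONTROL_TIERS[1]: 3, CONTROL_TIERS[2]: 1}
TRANCHE_WEIGHT = {BUSINESS_TRANCHES[0]: 4, BUSINESS_TRANCHES[1]: 2, BUSINESS_TRANCHES[2]: 1}

if __name__ == "__main__":
    plan = phased_rollout(CONTROL_TIERS, BUSINESS_TRANCHES)
    coverage = cumulative_risk_reduction(plan, TIER_WEIGHT, TRANCHE_WEIGHT)
    for i, (phase, cum) in enumerate(zip(plan, coverage), 1):
        print(f"Phase {i} ({cum:.0%} of weighted coverage):")
        for tier, tranche in phase:
            print(f"  {tier} -> {tranche}")
```

With three tiers and three tranches the plan has five phases; phase 1 contains a single pair, phase 2 the two pairs the text describes, and the middle phase carries the most parallel work. The coverage figures show why the diagonal ordering is attractive under a concurrency constraint: roughly two-thirds of the weighted risk coverage is in place after two of the five phases.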

FIGURE 8.1 Phased Rollout Plan to Protect the Most Critical Areas First

Integrate Cybersecurity Program with a Broader Set of IT Programs

As noted in Chapter 5, many potential IT improvements, such as the private cloud, desktop virtualization, software-defined networking, and enhanced application development have contributed mightily to reducing vulnerabilities and improving companies’ overall security posture.

None of these initiatives will live on the cybersecurity road map, yet the program leadership must invest time with the leaders of these other technology programs to understand existing plans, influence them to maximize security impact, and ensure they are in line with the broader cybersecurity program. In some cases, there may be opportunities to shape these programs to accelerate risk reduction, for example, by prioritizing applications with sensitive information that run on out-of-date infrastructure for remediation so that they can be migrated to a private cloud environment.

Create Top-Down Program Oversight

Any cybersecurity program for a sizeable institution will involve hundreds of individual granular design and implementation decisions. These will include questions such as what types of data should DLP tools stop employees from sending to external recipients; what types of documents must be controlled in document management systems; and which users must migrate to virtual desktop environments?

Getting the answers right can mitigate vulnerabilities, protect important data, and improve a company’s risk position. However, they can also affect employees’ and customers’ experiences in using technology, which can mean a lot of additional energy is absorbed by requests for more analysis and more stakeholder consultation. Putting in place senior, cross-functional program oversight that can cut through disagreements between different organizations will accelerate decision making and enhance the cybersecurity program overall.

One health care company estimated that taking a consensus-driven approach to implementing cybersecurity changes could add several hundred million dollars to the overall program by slowing implementation and demanding the use of less than optimal solutions. To overcome this, the company put in place an executive steering committee comprising the CIO, CISO, CFO, and a couple of business unit executives and gave it a mandate to accelerate decision making. The committee created a fast-track process for decisions that would have a large business or security impact but where the required investment was less than $10 million. So while the decision whether to restrict sending health records via external e-mail and strengthening employee password controls was fast-tracked, the decision whether and how to implement network access control was not, as it had a significantly larger investment budget and therefore had to be addressed in a more traditional decision-making process (Table 8.3).

TABLE 8.3 Decision Process Aligned with Impact and Cost

Traditional Decision Making
  • Six- to eight-week decision-making cycle for all types of decisions
  • Significant preparations with detailed data collection, analysis, and business case presentation
  • Decisions require multiple executive touch-points
  • Consensus-driven approach involving key stakeholders and other nonkey entities
  • Standard process, does not vary based on decision impact or cost

Fast-Track Approach
  • Fast-paced decision cycle of two weeks specifically for decisions with cybersecurity program impact
  • Focused business case with lean yet sufficient data to make informed decisions
  • Decision imperatives/outcomes decided in a single meeting
  • Decisions driven by the responsible/accountable stakeholders

For each fast-track decision, the relevant managers took up to two weeks to put together a simple business case that laid out the situation, the proposed change, the rationale, and the high-level implications. This made it much easier for the steering committee to make a fact-based and final decision. In the preceding example, they agreed to establish a policy that no personal health information should be transmitted via external e-mail, that DLP should be used to block large numbers of personal health records from leaving the company via external e-mail, and to invest in collaboration tools that made it easier to share health records with outside parties such as specialist physician groups and diagnostic labs.

6. Ensure Sustained Business Engagement on Cybersecurity Issues

Cybersecurity is a high-stakes topic; therefore, it is a CEO-level topic. Given the way cybersecurity touches all functions and the challenging decisions it requires, progress toward digital resilience can be achieved only with active engagement from the CEO and other senior members of the management team.

Based on the survey we conducted, senior management time and attention was the single biggest driver of maturity in managing cybersecurity risks. It was more important than company size, company sector, and even more than the size of the budget. Yet senior management has often failed to give it sufficient attention; some CISOs do have frequent access to the senior management, but roughly two thirds in the companies we spoke to have no regular interaction with the CEO at all.

The launch (or relaunch) of a cybersecurity program is the perfect opportunity for the senior management team to set and clarify its expectations of how each member will help make sure that the business can protect its important information assets. Each has an important role to play (Table 8.4).

TABLE 8.4 Clarify Cybersecurity Roles and Responsibilities throughout the Organization

CEO
  • Set overall expectations on institutional risk appetite
  • Reinforce behavior changes in senior management team (e.g., how to handle sensitive business material)
  • Ensure appropriate funding

Business unit operating executives
  • Give input for prioritizing information assets and making trade-offs between data protection and operational impact
  • Incorporate cybersecurity considerations into product, customer, and location decisions
  • Communicate need for behavioral change at the frontline
  • Back up security team in enforcing important policies

Enabling function executives (e.g., Finance, HR)
  • Synchronize cybersecurity strategy with corporate policies (e.g., HR, procurement)
  • Integrate cybersecurity into quality/compliance programs
  • Incorporate cybersecurity into regulatory and public affairs agenda

CRO
  • Ensure enterprise risk methodology accommodates the idiosyncrasies of cybersecurity risks
  • Incorporate prioritized cybersecurity risks into enterprise risk report
  • In some cases, provide governance and oversight for cybersecurity function

CIO
  • Ensure cybersecurity program supports institution’s risk appetite and that business strategy is in place and on plan
  • Drive required changes across IT organization
  • Conduct effective dialog with the board

This is undoubtedly additional work for the executive team, and will require a set of mutually reinforcing actions. They will need to provide the senior management team with credible, specific information about the risks their business or function faces and with highly targeted information about the specific actions they need to take to help the company protect its important information assets. The CEO and chief operating officer need to signal with both their time and their attention the importance they attach to protecting the institution’s information assets, and the company should build high priority cybersecurity objectives (e.g., major program milestones) into the goals and objectives of management team members.

● ● ●

Achieving digital resilience—where a company has a cybersecurity operating model that protects a company’s information assets from ongoing attacks, while still enabling continued innovation—is hard. Cybersecurity touches every business process and function and depends on the quality of the application and infrastructure environments, so success hinges on taking actions far outside the security organization itself. Taken together, the resiliency levers described in this book represent a fundamental change in how business organizations interact with IT, how IT addresses security, and how the cybersecurity organization runs itself.

Many companies run cybersecurity programs that avoid the challenges rather than address them, which leads to a lack of buy-in from the organization as a whole, painful decision making, slower implementation, and, in many cases, insufficient resources. An effective program for getting to digital resilience has to be designed from the very start to integrate with the rest of the business, reorient the IT function toward resiliency and create a much more nimble and responsive cybersecurity organization.

Notes
