COMMENT
Security remediation, such as patching and configuration changes, is an important task. It is the difference between a threat actor penetrating a network and being stopped in their tracks. But it is not on the boardroom agenda. No CEO would say, “Profit and loss looks great, but I’m really losing sleep over how we’re approaching CVE-2021-44228.” For CEOs, a single issue like this is too specific.
But is it? Quite apart from that Apache Log4j CVE remaining unpatched in many organizations, with at least 77 exploits recorded in 2023, security remediation is now a board-level concern more broadly. Why? One chief information security officer (CISO) I spoke with had a mandate from his CEO to resolve all outstanding issues within a three-month deadline. If the goal was not achieved, it would impact their business with a major client worth millions of dollars per year.
This level of support is welcome: it unblocks processes that hinder performance and encourages teams to work together. At the same time, attention alone is not enough.
What hinders remediation performance?
This CISO is not alone. More and more security leaders are being asked to provide information on how they are managing risk from a business perspective, so the board can understand what is being done. This will lead to difficult questions, particularly about budgets and how they are used. And it will potentially lead to some difficult discussions about what “good” or “great” security actually means.
In this situation, you can use data about your IT security (number of open issues, patches deployed, critical issues resolved), but it is difficult to put it into context. Without relating it to other business risks and issues, it can be difficult to maintain focus and demonstrate that you are getting results.
To overcome these problems, we must use comparisons and contextual data to tell a story about risk. A raw count of patches deployed does not convey the enormous effort that went into fixing a critical issue that jeopardized a revenue-generating application, nor does it show how your team performs compared to others. Essentially, you want to show the board what good looks like and how you continue to deliver against it over time.
Along the way, you can use metrics to educate the board on some of the reasons why IT security isn’t as simple as it might seem. Take asset management: every CISO will want to say, “We’re secure.” But without an accurate list of all IT assets and their status, that statement cannot be substantiated. At the same time, obtaining an accurate asset list and keeping it accurate is an onerous task. Being 100% accurate across all IT assets at all times is near-impossible for enterprise IT deployments, given the vastness of networks, the variability of assets, and the increasing complexity and pace of change within modern applications.
Benchmarking Risk
The answer is to make sure the board understands that questions like this cannot be reduced to yes or no. Take asset management again: no CISO can claim complete, 100% accuracy in their inventory. One security leader I interviewed said his organization thought it had about 8,000 servers, but discovered it actually had 9,000 running. According to Gartner, 60% accuracy is the industry average. Likewise, how many departments have signed up for software-as-a-service applications or stood up systems in the cloud outside the purview of IT? But that doesn’t mean we shouldn’t try.
Visibility of 85% or 90% can be achieved quickly with the right sponsorship and internal support. The challenge is to keep that visibility accurate and then push it up to 95% or 96%; every further percentage point represents a huge effort. Make sure the board understands that the appropriate level of commitment depends on how your security posture compares with others in your industry.
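The inventory accuracy figures above only mean something if you can measure them. The usual way is to reconcile the inventory of record (a CMDB export) against what discovery actually finds on the network and in cloud accounts: assets seen but not recorded are your visibility gap, and records never seen are stale. The following is an added example, not code from the original article; both inventories are constructed sample data, and the hostname normalisation rules (lower-casing, stripping an assumed corporate domain) are assumptions for illustration.

```python
"""Measure asset inventory coverage by reconciling a CMDB export against discovery results.

Added example, not from the original article. CMDB and DISCOVERED are
constructed sample data; the domain suffix is an assumption.
"""
from dataclasses import dataclass

# Constructed CMDB export: hostnames as recorded by the service desk.
CMDB = [
    {"host": "WEB-01.corp.example.com", "owner": "platform"},
    {"host": "web-02.corp.example.com", "owner": "platform"},
    {"host": "db-01.corp.example.com", "owner": "data"},
    {"host": "legacy-app.corp.example.com", "owner": "finance"},  # decommissioned, never removed
]

# Constructed discovery results (e.g. an authenticated network scan plus a
# cloud account listing). Some hosts were never registered in the CMDB.
DISCOVERED = [
    "web-01",
    "web-02",
    "db-01",
    "ip-10-0-3-17.ec2.internal",  # shadow cloud instance
    "jenkins-build",              # team-owned build server nobody registered
]

DOMAIN_SUFFIXES = (".corp.example.com",)  # assumed corporate domain


def normalise(host: str) -> str:
    """Lower-case and strip the corporate domain so both sources compare on one key."""
    h = host.strip().lower()
    for suffix in DOMAIN_SUFFIXES:
        if h.endswith(suffix):
            h = h[: -len(suffix)]
    return h


@dataclass
class CoverageReport:
    discovered: int
    in_cmdb: int
    unknown: list  # seen by discovery, absent from the CMDB (the visibility gap)
    stale: list    # in the CMDB, not seen by discovery

    @property
    def coverage_pct(self) -> float:
        """Share of discovered assets that the CMDB knows about."""
        return 0.0 if self.discovered == 0 else 100.0 * self.in_cmdb / self.discovered


def reconcile(cmdb, discovered) -> CoverageReport:
    cmdb_keys = {normalise(r["host"]) for r in cmdb}
    seen_keys = {normalise(h) for h in discovered}
    matched = cmdb_keys & seen_keys
    return CoverageReport(
        discovered=len(seen_keys),
        in_cmdb=len(matched),
        unknown=sorted(seen_keys - cmdb_keys),
        stale=sorted(cmdb_keys - seen_keys),
    )


if __name__ == "__main__":
    r = reconcile(CMDB, DISCOVERED)
    print(f"coverage: {r.in_cmdb}/{r.discovered} = {r.coverage_pct:.0f}%")
    print("unknown assets:", r.unknown)
    print("stale CMDB records:", r.stale)
```

On the sample data coverage comes out at 60%, with two unregistered hosts and one stale record; the two lists, not the percentage, are what the remediation team acts on, and the percentage is what goes to the board. Note that coverage is measured against discovery, so it is only as good as the discovery sources you feed in.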
Beyond that, getting a unified view of risk across IT makes it easier to understand which issues must be addressed immediately, which are urgent, and which are lower priority. This can happen regardless of where such issues exist within IT, from the data center to cloud deployments, and be used alongside other business risk insights to provide a holistic view. By making clear to the board what risks exist, what steps you are taking to address them, and how you have a long-term vision for risk overall, you can withstand scrutiny.
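A unified view is only useful if the same rule sorts every finding into those three buckets, wherever the asset lives. The following added example (not code from the original article) shows one such rule: a CVSS base score weighted by whether the vulnerability is known to be exploited, whether the asset is internet-facing, and whether it backs a revenue-generating service. The findings, the multipliers and the tier thresholds are constructed assumptions for illustration; CVE-2021-44228 is the Log4j issue mentioned above, and the other two reference strings are placeholders, not real identifiers.

```python
"""Tier vulnerability findings into immediate / urgent / lower using business context.

Added example, not from the original article. Findings, weights and
thresholds are constructed assumptions; tune them to your own risk appetite.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    ref: str                 # vulnerability reference
    cvss: float              # base score, 0-10
    known_exploited: bool    # e.g. listed in a known-exploited-vulnerabilities catalogue
    internet_facing: bool
    business_critical: bool  # asset backs a revenue-generating service
    location: str            # "datacenter" or "cloud"; the rule ignores this on purpose


def risk_score(f: Finding) -> float:
    """Context-weighted score: severity scaled by exploitability and exposure.

    The multipliers are assumptions for this example.
    """
    score = f.cvss
    if f.known_exploited:
        score *= 2.0   # attackers already use it; the base score alone understates it
    if f.internet_facing:
        score *= 1.5
    if f.business_critical:
        score *= 1.5
    return round(score, 1)


def tier(f: Finding) -> str:
    """Assumed thresholds: 20+ or exploited-and-exposed is immediate, 9+ is urgent."""
    s = risk_score(f)
    if s >= 20 or (f.known_exploited and f.internet_facing):
        return "immediate"
    if s >= 9:
        return "urgent"
    return "lower"


# Constructed sample findings spanning the data center and the cloud.
FINDINGS = [
    Finding("payments-api", "CVE-2021-44228", 10.0, True, True, True, "cloud"),
    Finding("hr-intranet", "CVE-2021-44228", 10.0, True, False, False, "datacenter"),
    Finding("dev-sandbox", "PLACEHOLDER-1", 7.5, False, False, False, "cloud"),
    Finding("customer-db", "PLACEHOLDER-2", 6.5, False, False, True, "datacenter"),
]


def prioritised(findings):
    """Order by tier, then by descending score within a tier."""
    order = {"immediate": 0, "urgent": 1, "lower": 2}
    return sorted(findings, key=lambda f: (order[tier(f)], -risk_score(f)))


if __name__ == "__main__":
    for f in prioritised(FINDINGS):
        print(f"{tier(f):9} {risk_score(f):5} {f.ref} on {f.asset} ({f.location})")
```

The point of the example is the ordering it produces: the same Log4j CVE lands in the immediate tier on both hosts, but the exposed, revenue-backing one scores far higher and is fixed first, while a medium-severity issue on the customer database outranks a high-severity one on a sandbox. That is the story the raw patch count in the previous section cannot tell.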