Retain Your Relevance: Study Cybersecurity
As demonstrated in this year’s Security 500 Report, cybersecurity continues to be a clear area of concern for enterprise security executives, but as attention and demand for expertise in this field grow, so do the options for education and awareness, especially at the executive level.
Information security has been an integral part of organizations for decades. So if CSOs need to be more involved now, the question is: what changed?
“In many respects, the areas that were under the protection of physical security in the past now are highly reliant on good cybersecurity controls,” says Eddie Schwartz, CISA, CISM, CISSP, ISSEP, PMP, International Vice President of nonprofit information security professional advocacy group ISACA. In the past, a CSO used to focus on using security officers and surveillance cameras to protect the enterprise’s assets, but because so many assets are digital today, CSOs are now looking at how they can ensure cybersecurity controls are adequately protecting manufacturing control systems and other business-critical processes, he says.
According to Dr. Rae Hayward, Director of Education for cybersecurity education and certification organization (ISC)2, “There are a lot of reasons why protecting key information assets is of critical importance to the sustainability and competitiveness of any organization, especially as we continue to see technology advance, access to information increase, and more and more of us are going to digital assets.”
Schwartz adds: “It really is about the crown jewels. If you’re in a manufacturing organization, it’s the intellectual property protection, or the secrets of manufacturing or the products being created. Or maybe the way those services are delivered. It really is the ultimate value that is being created or delivered by the organization. That value is important to the enterprise’s shareholders, owners or citizens. Certainly the CEO is going to care about the protection of the assets, as well as anyone at the board level. They will want to know what those key assets are, how many of them are in the cyber realm, and what levels of protection can be afforded in terms of providing resources to the right people. Budget, training, cyber insurance – all of that needs to be considered by the CEO, CSO, CFO and others at the C-suite.”
After a number of high-profile data breaches and daily reports on new cybersecurity threats, enterprise stakeholders are also getting more involved in researching cybersecurity threats and demanding robust preparedness measures.
“For far too long, businesses have been forcing the IT staff to determine their company’s security posture and therefore its risk posture, even though the tech folks usually don’t have the strategic management tools to incorporate business considerations into their judgement,” says CrowdStrike, Inc. General Counsel and Chief Risk Officer Steven Chabinsky, who also writes Security magazine’s monthly Cyber Tactics column. “Cybersecurity enterprise risk management needs to become, and is becoming, a shared responsibility between IT security, legal, HR, Finance, and the list goes on. Those who get it will be tomorrow’s leaders. We’re already seeing those who don’t get it lose their jobs, all the way to the CEO.”
According to Hayward, CSOs and the C-suite need a fundamental perspective into cybersecurity, not necessarily a technical one. The C-Suite needs to understand:
- What critical assets the enterprise has
- Who might compromise that information
- What security risks can and will impact the value of the organization
“The CEO has a responsibility to the business’s shareholders,” says Dr. Tom Johnson, Associate Vice President, Chief of Strategic Initiatives and Interim Dean for Webster University in St. Louis, Missouri, which has newly established a graduate degree program in cybersecurity management. “It’s now apparent to U.S. corporations that they cannot afford to lose any more intellectual property to data breaches or under-supported cybersecurity initiatives.”
An enterprise’s adversaries are also changing as valuable assets shift from physical to logical. CISOs and CSOs must remain aware both of the threat of a hacker intruding onto the enterprise’s network and of what that malicious actor might do once inside. For example, Johnson says, if a hacker were to infiltrate a pharmaceutical company’s network, he or she could potentially alter a chemical formula or disrupt the stable conditions needed for storing or manufacturing medication, which could lead to massive ramifications for the enterprise.
“We see the rise of advanced threats, including sophisticated criminals that are attacking private enterprises and who are looking to steal money or personal identifiable information or trade secrets,” says Schwartz. “We see the emergence of cyber terrorism around the world and organizations looking to disrupt or destroy activities. We see hacktivists come into organizations around the world and, because of a social or political agenda, try to take them down. We no longer have people demonstrating in front of your building where you have to put guards out front; now you have demonstrators that are logical demonstrators that are trying to take down your network instead.
“A lot of things have moved to the cyber realm, and it really is about protecting against these advanced threats that have emerged, and moving away from compliance-based approaches and approaches that worry about checking boxes and moving toward approaches that can really deal with these advanced threats and advanced adversaries,” he adds.
CSOs and CISOs are finding themselves in merging and collaborative roles, especially in areas such as fraud. Many frauds are now strictly accomplished with ones and zeroes, and while a CSO might be responsible for investigations, there can be heavy crossover between physical and information security departments. Cybersecurity knowledge can lead to better, more robust collaborations, Schwartz says.
According to Hayward, “It really comes down to enterprise-wide risk management and awareness for the entire organization, accountability for everyone. If you have a risk-aware organization, it will be embedded into the organizational culture, and it will be beneficial in many ways, from strategic, financial and operational perspectives. Decision-making is improved; you’re going to mitigate your losses, and you will be able to respond to any issues like breaches because you’ll have contingency plans in place, and your reaction time will improve.”
For example, in a risk-aware enterprise, the decision to enact a Bring Your Own Device (BYOD) policy is not a blind nod. For each device added to the network, the enterprise has added another end point and another layer of risk, Hayward says. Ensuring that the C-suite understands this risk is important, so they can be involved in the decision to accept this risk and so they can allocate resources appropriately.
“The more people that you have on your team that understand the game that you’re playing, the better you’ll be able to execute your controls and program,” she says.
The first person who needs to understand the game, however, is you – the enterprise security leader.
There are a number of education opportunities that a security leader, or an aspiring security leader, can pursue. There are more than 180 NSA-credentialed cybersecurity programs at U.S. universities, from undergraduate programs to Master’s degrees, and organizations such as (ISC)2 and ISACA offer regular training sessions, classes, webinars and other programs. It all depends on how much knowledge you wish to attain, and how long you have to spend on it.
“If somebody only had an hour’s time to learn about cybersecurity risk considerations, I would point them to the NIST Cybersecurity Framework,” says Chabinsky. “Weighing in at 17 pages without the appendix, it’s a great primer.”
In any case, there are a few aspects to information security management that Schwartz recommends any CSO know:
- What constitutes a successful cybersecurity program? How does this compare to my enterprise’s program?
- How does information security rank relative to other parts of the enterprise?
- What is the cyber to physical security relationship within the enterprise – both in technology and personnel management?
- What does successful risk management look like for my enterprise?
- What do the internal and external threats look like?
- How is this organization vulnerable?
Any education that a CSO or security leader pursues should bring them closer to answers to these questions.
In addition, Hayward says, cybersecurity education and training “should not be a ‘one and done’ campaign. Ongoing education throughout the organization and the C-suite improves awareness and accountability.”
“Technology has become a key driver and a critical risk of business, which wasn’t always the case,” says Chabinsky. “When I started in this space, very few people even had email, much less chips embedded within their biomedical implants or their most sensitive information repeatedly requested, digitized, retained and accessed. As a result, securing the confidentiality of the world’s secrets and protecting the integrity and availability of our tech-dependent products and services has become a business issue. Today’s leaders, regardless of background, must understand and tackle cyber risk if they are going to remain relevant to their organizations.”