4 Questions the Board Must Ask Its CISODrilling Down on Cybersecurity Plans
As CISOs, the most common question we get asked by the board is, "Are we secure?" But there is a fundamental problem with this question.
See Also: Threat Horizons Report
In order to explain the problem, I encourage you to ask yourself a similar question - "Are you healthy?" - and see how you respond. Some of you probably started explaining how often you exercise, see a doctor, what you eat and so on.
"These four questions are designed to allow a board to actually understand if the organization is secure and also compare their cybersecurity posture with other companies."
Others of you would have tried to answer in terms of your family medical history, smoking/drinking habits or medicines/vitamins you take.
For others, the answer may have been "I guess I'm healthy." But no matter how you responded, I doubt the answer was a mere "yes" or "no."
The same problem exists with the "Are we secure?" question for the board. It may elicit information, such as the number of vulnerabilities, intrusion attempts, amount of spam received, devices encrypted, etc. Some of these numbers are in millions and sound impressive, but the answers do not help the board with their responsibility of "making an informed decision."
So, let's take a look at what the board must ask instead.
Question # 1: Is There an Information Security Framework in Place?
The purpose of this question is to ensure that an information security program is based on an industry recognized standard. Use of a framework ensures adequacy of controls, which is more valuable than trying to understand all technical controls, which is just not possible.
A framework helps the board with ensuring effectiveness of controls as well, through the process of internal/external audit. Thus, use of a framework ensures "due diligence" on part of the board while insulating the board from changes in CISOs (personalities), companies or technologies.
In my current role, I am using the NIST Cybersecurity Framework. HIPAA regulations refer to NIST for guidance, so we generally use NIST where applicable. Also, NIST CSF's core security functions - identify, protect, detect, respond and recover - make intuitive sense to non-technical audiences as well. Some other common security frameworks are COBIT and ISO 27K. They all map to one another, so you can use any one and still be able to map to other frameworks.
Question # 2: What is the Scope and Methodology of Risk Assessment?
All security frameworks require a risk assessment to be in place. However, common problems with risk assessments are that they either lack a holistic scope or do not follow a standard methodology. For example, the scope of risk assessment may not include vendors, suppliers or biomedical devices. Results from such a risk assessment cannot offer a 360-degree risk view and may constitute as "willful neglect" on part of the board.
So, the board has to make sure that the scope is holistic. Ensuring a standard risk assessment methodology allows the board to see how the risk is trending on an ongoing basis. And together with a well-defined scope, this will allow the board to properly execute their "advisory and risk oversight" responsibility.
For our purpose, we use the NIST 800-30 Risk Management Guide, which has a nine-step risk assessment methodology. Other security frameworks such as ISO 27K also have corresponding risk assessment methodologies, and I would recommend picking a risk assessment methodology tied to the same framework.
Question # 3: How Do You Measure the Maturity of Processes That Make Up the InfoSec Program?
A CISO is a subject matter expert and should be expected to understand cyber risk better than anyone else in the organization. This question allows a CISO flexibility to highlight key security processes, which may be more relevant to the business, from his or her perspective. It also encourages a CISO to explain an information security program in terms of business-aligned security processes, rather than technology, which can get complex and cause the board to shy away from discussing cybersecurity.
The question also gives CISOs an opportunity to leverage existing business process improvement methodologies, such as Six Sigma and Lean, for process maturity. And there is a good chance that the board is already familiar with such methodologies. CISOs should also be encouraged to include investments made or needed to improve process maturity. This permits the board to see return on security investment, in line with their "fiduciary responsibility."
I have carved my information security program into six high-level security processes: threat management, which includes security monitoring, incident response, vulnerability management and patch management; security operations; security architecture; risk management, which includes risk assessment; policy lifecycle; and security awareness. I also use COBIT 5 for process modelling and maturity assessments.
Question # 4: What Are We Doing to Respond to a Particular Threat That's Making Headlines?
This is an open-ended question that provides an opportunity for both the board and the CISO to discuss threats trending in the media or threats that were previously unknown. For example, this question can facilitate a discussion on advanced persistent threats, including some of the cyberattacks we've been seeing.
The focus on "response" in the question is also an acknowledgement from the board that anyone can be compromised by a determined adversary, and the CISO needs to focus on response and recovery, as much as detection and prevention.
I have used this question to facilitate a discussion on advanced persistent threats, and our company's ability to handle breaches such as those that hit Sony, Target, Anthem and others, or the ransomware attacks that are causing havoc in the healthcare industry.
Ultimately, these four questions are designed to allow a board to actually understand if the organization is secure and also compare their cybersecurity posture with other companies.