CISOs are routinely asked how secure their organization is against cyberattacks. Rather than try to answer that directly, Mars' CISO said he prefers to reframe the question, with a note of caution.
“It’s not, how secure are we, it’s how ready are we to respond?” said Andrew Stanley, who was one of three CISO participants in the MIT Sloan CIO Digital Learning Series panel discussion Wednesday on “Keeping our organizations cyber-secure in the COVID-19 environment. How secure are we?”
Even with strong defense in depth, issues are bound to come up "and undermine all the great work we've done," Stanley said. So it's a matter of how well a CISO can anticipate security events "and ultimately, your ability to respond and restore."
While that may drive debate with an organization’s board, he added, “I’ve found that that has … been ultimately successful for me.”
The panel also consisted of Katie Jenkins, CISO of Liberty Mutual, and Danny Allan, CTO of Veeam Software.
The panelists were asked by moderator Keri Pearlson, executive director of cybersecurity at MIT’s Sloan School of Management, what factors they include when evaluating how secure their organization is.
“I don’t think there’s one definitive view on how secure we are,” Jenkins responded, and said her approach is to do both a self-assessment and independent assessment. There has to be a holistic view that includes looking at a variety of elements, including how secure your partners are and the people you do business with, she said.
This is a question that typically comes from a board of directors or a CEO, Allan said. “The simple answer is, we’re never as secure as I’d like us to be because there is so much complexity and so many components to being secure.”
Allan said there are two questions he likes to use: Are we more secure than we were yesterday? “Ultimately, security is an iterative process so we’re always looking for the ‘yes’ on that.” He said he also tries to gauge whether his security team is being proactive or reactive. “You never want to be reactive,” he said.
The pandemic has changed the lens, but not the position of how secure Liberty Mutual is, Jenkins said. “It’s put us in a position of rapidly assessing new types of risk that could change our security posture,” for example, third-party risk and the security of collaboration platforms like Zoom, she said.
Her team changes its anti-phishing exercises every quarter, so the latest one was to send employees an email branded to look like it came from Zoom asking employees to update their credentials. If they did, they were notified that they failed the exercise, Jenkins said.
Anti-phishing exercises have been “super controversial on our team,” Stanley said. “Part of me wanted to leverage the crisis” and show employees that they’re more vulnerable now, he said. But “in the Mars culture, that’s deeply alienating,” and leadership felt it was unfair and exploitative, he said.
While the security team normally does these exercises every six weeks, Stanley said they waited for 10 weeks because of the pandemic, “and we saw an increase in vulnerabilities” as a result. But, he said, they also found a willingness to change behaviors as a result.
In response to a question about the metrics the security leaders use, Allan said his organization uses the NIST Cybersecurity Framework, whose core functions are Identify, Protect, Detect, Respond and Recover.
“There is no single metric that gives me comfort,” Jenkins said. “We look at the failure rate of phishing exercises, but they can be deceiving.” She said it’s important to “peel the details back” to see if, for example, within the total population, it turns out new hires are failing more frequently. “That tells me they need proper training to fix that. I look at the story behind the metric to understand what’s going on.”
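The kind of segmentation Jenkins describes, as an added example that is not from the panel or the article: a short Python script over constructed, hypothetical phishing-simulation results that computes the headline failure rate and then breaks it out by tenure and by department. The 90-day new-hire window, the exercise date, the departments and every user name are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SimResult:
    """One employee's outcome in a credential-phishing simulation."""
    user: str
    department: str
    hire_date: date
    submitted_credentials: bool  # True means the employee failed the exercise


# Assumed parameters for the illustration (not from the article).
EXERCISE_DATE = date(2020, 6, 1)
NEW_HIRE_DAYS = 90

# Constructed sample results: 12 hypothetical employees, 3 of them hired
# within the last 90 days.
RESULTS = [
    SimResult("alice",   "finance",     date(2015, 3, 1),   False),
    SimResult("bob",     "engineering", date(2017, 8, 15),  False),
    SimResult("carol",   "sales",       date(2012, 1, 10),  False),
    SimResult("dave",    "finance",     date(2018, 11, 20), True),
    SimResult("erin",    "engineering", date(2016, 5, 5),   False),
    SimResult("frank",   "sales",       date(2019, 2, 14),  False),
    SimResult("grace",   "engineering", date(2014, 9, 9),   False),
    SimResult("heidi",   "finance",     date(2013, 7, 7),   False),
    SimResult("ivan",    "sales",       date(2019, 10, 30), False),
    SimResult("judy",    "sales",       date(2020, 4, 20),  True),
    SimResult("mallory", "engineering", date(2020, 5, 11),  True),
    SimResult("niaj",    "finance",     date(2020, 3, 16),  False),
]


def failure_rate(results):
    """Fraction of participants who submitted credentials (0.0 for an empty group)."""
    if not results:
        return 0.0
    return sum(r.submitted_credentials for r in results) / len(results)


def tenure_cohort(r, exercise_date=EXERCISE_DATE, new_hire_days=NEW_HIRE_DAYS):
    """Label an employee 'new_hire' if hired within the window before the exercise."""
    days = (exercise_date - r.hire_date).days
    return "new_hire" if days <= new_hire_days else "tenured"


def failure_rate_by(results, key):
    """Group results by key(result) and compute the failure rate per group."""
    groups = {}
    for r in results:
        groups.setdefault(key(r), []).append(r)
    return {k: failure_rate(v) for k, v in sorted(groups.items())}


def exercise_report(results):
    """Headline rate plus the breakdowns a reviewer should look at before trusting it."""
    return {
        "overall": failure_rate(results),
        "by_tenure": failure_rate_by(results, tenure_cohort),
        "by_department": failure_rate_by(results, lambda r: r.department),
    }


def outlier_cohorts(report, factor=2.0):
    """Cohorts whose failure rate is at least `factor` times the headline rate."""
    threshold = factor * report["overall"]
    flagged = []
    for breakdown in ("by_tenure", "by_department"):
        for cohort, rate in report[breakdown].items():
            if rate >= threshold:
                flagged.append((breakdown, cohort, rate))
    return flagged


if __name__ == "__main__":
    rep = exercise_report(RESULTS)
    print(f"overall failure rate: {rep['overall']:.1%}")
    for name in ("by_tenure", "by_department"):
        for cohort, rate in rep[name].items():
            print(f"  {name:<14} {cohort:<12} {rate:.1%}")
    print("cohorts needing attention:", outlier_cohorts(rep))
```

On this data every department fails at the same 25% as the headline, so a department cut shows nothing, while the tenure cut shows new hires failing at 67% against 11% for everyone else. That is the "story behind the metric": the aggregate is flat, the cohort that needs targeted training only appears once the population is split the right way.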
Managing risk in an organization involves a discussion around how much money the organization wants to spend, said Stanley. That inevitably leads to trying to quantify how much the organization will get in return for its spend, he said. “We still argue and debate whether we should get to a quantification point and put a dollar figure on it. I’m resisting against it. If anyone pushes me to quantify it, it will be from an insurance carrier.”
Risk is almost impossible to quantify, Allan agreed. “Everyone wants the same outcome and for the organization to do well, so if you can agree on that framework and provide awareness and transparency then you can build on, ‘what do we do next?’” he said. “Everyone has some acceptance of risk.”
But if a security leader can provide transparency on what and where the risks are to the lines of business, that can help the organization determine what it’s willing to accept, he said. “Security shouldn’t be making that determination, but the lines of business.”