In recent years, boards of directors have become more interested in understanding their organizations' level of risk and whether their CISO and security teams are doing everything they can to defend against potential threats. In fact, according to the recent Gartner 2021 Board of Directors Survey, cybersecurity vulnerabilities were identified as the second-highest source of risk for an enterprise, surpassed only by regulatory compliance risk.
With increased cybersecurity interest at the board level, CISOs must be prepared to speak with their boards regularly to communicate the level of risk their organizations face and describe the types of preventive measures being taken to reduce that risk.
The need for cybersecurity testing
CISOs should communicate to their boards that, while the organization may have the right security tools in place, vulnerabilities often go undiscovered until organizations have the time, patience and resources to investigate and poke holes in their own systems. In addition, the software installed on these complex platforms and networks can be difficult to update without impacting day-to-day business. Organizations often run outdated software, which can leave holes open to bad actors. As a result, security testing is a fundamental pillar for organizations to strengthen their security posture, spot unknown threats, and defend against internal and external vulnerabilities.
Guide to communicating about cybersecurity testing
To help your board of directors understand your organization's cybersecurity risk as revealed by security testing, CISOs should be prepared to address the following five key areas:
- Describe the type of cybersecurity testing you have performed. Often, CISOs begin by immediately jumping into descriptions of the organization's risk level, but I recommend taking a step back and beginning by describing what type of cybersecurity testing you performed to identify the risk in the first place. Describe to the board whether the threat is something easily defined, such as a known vulnerability, or something more sophisticated, such as an advanced persistent threat. Discuss whether it was discovered through routine penetration testing or while the security team was investigating a specific application. Address whether the vulnerability has likely already been exploited. If it has not yet been exploited, discuss how likely your organization is to be targeted by cybercriminals.
Organizations dealing with highly regulated data or that own sought-after intellectual property are more likely to be targeted than others. This background provides important context to help the board better understand the severity of the risk facing the organization.
- Explain how often testing takes place. Another important topic to discuss with the board -- one that often comes up after a breach -- is how often testing takes place. The answer will often depend on whether you are conducting penetration testing for regulatory compliance purposes or for everyday security. In most cases, for a vulnerability assessment, security teams should ideally be examining the environment in near-real time, as long as it doesn't jeopardize the quality of the network or the validity of the data. This is because any little change in an environment, especially externally, creates new risk, and changes to IT systems, networks and cloud environments are happening more and more rapidly in businesses today.
Automated security options can be ideal for continuous testing and for staying on top of application patching cycles. CISOs should aim to strike a balance between automated and manual testing, however. While automated security products are great for finding known threats, having a well-trained set of human eyes with a diverse range of experiences to seek out unknown threats still has immense value.
For this reason, anytime major changes are made to the environment -- such as bringing a new network online -- it is useful to perform a thorough penetration test of all systems or hold a red or purple team exercise. Ultimately, striking the right balance between automated and manual, continuous or occasional testing will depend heavily upon the security budget. As they determine their testing schedule, CISOs should keep in mind that, due to rapidly changing environments, pen testing just once a year likely will not put them in an advantageous position in the event of a breach.
- Detail the potential impact of the threat. It is important not only to describe the risk, but also to explain to the board the potential impact to the business if that risk were exploited. An externally facing vulnerability is typically a more serious problem than an internal one. But CISOs should also educate the board on how a relatively minor internal vulnerability can be leveraged by cybercriminals to create a greater threat further down the line. For example, skilled cybercriminals chain vulnerabilities together, using low- or medium-value information to reach higher-value data by exploiting user access and authorization weaknesses to work their way up the chain. This is why it is important for cybersecurity teams to explore further up the security stack when conducting penetration tests: doing so reveals the actual impact of a vulnerability by showing which data and systems an attacker could reach from it.
- Identify internal processes that could mitigate the risk. When discussing cybersecurity risk with the board, one question CISOs often get asked is whether they should accept the risk rating assigned by a third-party partner or instead use a risk rating determined by the internal security team. I always recommend keeping the risk rating your third-party partner has provided. This rating is based on the cleanest and most independent analysis possible and provides a snapshot of the actual risk facing the organization before the security team has implemented any compensating controls.
CISOs should highlight to the board any steps that can be taken to mitigate the risk in their environment. It is also important to understand that, in many cases, though the risk may have been mitigated, the original conditions that created that vulnerability in the first place could still exist within the organization. Each time the organization undergoes change -- such as during a merger or acquisition or when adding a new third-party contractor -- the landscape shifts. The compensating controls you put in place to mitigate a risk today may not be effective tomorrow. CISOs should work with the board to help members understand other factors, such as organizational processes or employee behaviors, that impact risk.
- Provide practical remediation solutions that fit within the budget. Many times, third-party security providers not only help identify the vulnerabilities and cybersecurity threats facing an organization, but also advise on how to fix the issues and recommend which security products to purchase. CISOs must remember that they are the ultimate decision-makers, and it is their responsibility to know both their budget and what will be palatable to the C-suite and the board of directors as they look to control spending. CISOs should always perform due diligence and even consider hiring a third-party firm to conduct an independent evaluation of security products to determine what is necessary. Many times, organizations do not need to buy the most high-end enterprise security products, and they may not have adequate training or the level of expertise within their security teams to maintain such products. Some common cybersecurity risks can be fixed with a change to a registry key or an Active Directory setting. In other cases, an organization may get more value and better protection from a managed security service.
As they speak with their boards and outline the remediation measures they plan to undertake, CISOs should be prepared to address how those measures fit within the budget.
Ultimately, much of the discussion around cybersecurity risks, testing and remediation efforts will depend on the organization's risk tolerance. Those that operate in highly regulated industries will have a lower tolerance for risk and will be more willing to allocate budget toward continuous testing, monitoring and mitigation. All CISOs, no matter what industry they operate in, should be prepared to face increased scrutiny from their boards.
In its recent Board of Directors Survey, Gartner estimated 40% of boards will have a dedicated cybersecurity committee within the next four years -- a significant increase from the fewer than 10% that have them today. Being prepared to describe the type of cybersecurity testing in place, the potential business impact of the identified risks and how these efforts align with the budget will enable CISOs to guide their boards in the right direction and strengthen the overall cybersecurity posture of their organizations.
About the author
Mark Whitehead is the global vice president of SpiderLabs Consulting Services at Trustwave. His responsibilities include setting the strategy and directing delivery for Trustwave's portfolio of testing services for Canada, the U.S., and Latin and Central America. Whitehead has more than 16 years of experience in cybersecurity, with 10 years of leadership and management experience.