In the years before business leaders truly understood cyber risk, requested budgets for cybersecurity departments were often approved without thoughtful consideration or review. There was a time when a CISO could say to a CIO, “I can’t tell you how much safer this will make us, and I can’t say we absolutely won’t have a data breach, but I need 3.5 million dollars.” Most of those inflated numbers were driven by the desire to buy the latest security tools that vendors promised would solve all security problems. The funds were to be spent, generally, on products and the staff to support them.
CISOs can no longer expect to have large annual budgets approved without tangible, quantified data to back up the necessity. The days have passed when budgets were built on fear, uncertainty, and doubt (FUD), empire-building, or opportunities to buy the trending tools. Security funding needs to produce measurable results, or at a minimum, be supported by credible metrics that validate the business needs.
Two Components of a Successful Budget Request
1: Funds to Close Compliance Gaps
Businesses understand the language of compliance. Regulatory gaps and deficiencies can prevent companies from entering markets, and have a real impact on the organization’s ability to win and retain contracts. By tying budget line items to specific compliance gaps, CISOs can implement short- and long-term projects to remediate the deficiencies and show actual value through compliance achievements. If, in addition to compliance gains, those funds also help grow the maturity of the security organization as a whole, great. Use compliance requirements to make smart budgeting requests that both close gaps and advance the security mission.
2: Operational Metrics and Staff Utilization
You cannot request additional funds to hire more full-time security employees without data to substantiate the request. Imagine a CIO replying to your ambiguous request for staff with, “You already have 6 people, why should I give you money to hire 4 more?” Smart CISOs measure the workload of their employees through metrics and reporting to justify the need for more support. By tracking the number of incidents an analyst investigates daily, hours spent supporting business initiatives, or vulnerability tickets closed per month, a security organization can prove, empirically, that it is understaffed for the processes it needs to support. By measuring full-time employees against the tools and tasks they are assigned to daily, the conversation changes to, “We have requirements and tasks for a staff of 10, and I only have 6.”
The data that you are collecting this year will support your budget request in the upcoming fiscal year. Security budget requests demand a level of rigor and proof commensurate with other parts of the business. Security assessments and security program development help you obtain and understand your compliance gaps as well as your staffing utilization and operational needs. Take the time this year to independently assess your organization against industry standards and submit a security budget next year based on facts.
Don’t Know Where To Start?
CyberSheath’s Strategic Security Planning service offering can help you plan, build, and manage a strategic information security organization that enables your business. Our operational strategy and budgeting plans aggressively drive security organizations towards pursuing higher levels of performance. Our Strategic Security Planning service will enable you to successfully create a security budget that directly matches your business needs and goals.
Security assessments can be of transformational value for your organization, or they can be shelfware; the determining factor in what you end up with is a matter of leadership and strategy. Here is just one example of how an assessment can be transformational.
Several years ago I came into an organization with 5 separate security silos, all reporting independently of one another with almost no unifying set of objectives or control framework. One thing all 5 groups had in common was their belief that “the business just doesn’t get it”, it being security. When the 5 “families” got together the debate was fierce, discussions academic and action towards improvement nonexistent. If only we had more money, more tools, more people, more, more, more… then and only then could we be effective. I’m simplifying the story a bit to fit into a blog posting, but not by much.
Having the advantage of being new to the organization I recognized that part of the problem with the state of security was security. If you listened to the groups the sky was falling but they had no data to support their assertions. They had no way to demonstrate, with facts and figures, that the company was taking on more risk than was reasonable.
We needed a quantifiable way to give the business actionable data and let them come to the right conclusions around investments in the security arena. So with my enormous team of 1 which eventually grew to 3 (including me), we set out to educate the business as to the risks they were taking and make the company more secure. It’s not an exaggeration to say that the effort to transform security at a global Fortune 500 company began with 3 people and an assessment.
We knew that we needed a way to measure security and to do that we had to select a control framework that could withstand scrutiny and provide an actionable baseline against which we would measure improvement year over year. The two candidates were NIST and ISO and there were passionate arguments for and against each. In my opinion, this is an area that can be “overthought”, meaning you can always change your mind later but the most important thing is taking action now. In fact, we did exactly that by selecting ISO and then reverting to NIST.
Contrary to what many people might think, the next step was not to start the assessment. For the assessment to be effective the business would have to understand how and why it was important to their business, and making them ISO or NIST experts was not in the cards. We had to select the parts of ISO and NIST that were relevant to the business from a regulatory compliance perspective. The business understands compliance, be it with HR (employment law), workplace safety (OSHA), finance (SOX) and/or any other functions that support the business. Security, however, had never taken the time to map the work they were doing back to regulatory requirements in a language the business could understand.
So we set out to do that mapping, long before we started engaging vendors to do an assessment. In my next post, I’ll share some of the challenges with doing the mapping and how we ended up selecting a vendor.
Due diligence and fiduciary responsibility for corporate executives is now widely acknowledged to include exercising sound judgment and effective controls in the domain of cybersecurity. There’s no escaping the responsibility to protect corporate information and infrastructure, and eventually the law will catch up with this reality. Until it does, here’s what you should be doing right now to exercise due care in managing cybersecurity risk.
1 – Be pragmatic, there are more risks than you can possibly address. If you try to do everything you will end up doing nothing.
2 – Get a baseline of the controls you currently have in place, how effective they are and compare yourself with NIST 800-53 or the Consensus Audit Guidelines. (HINT: Remember step 1 and don’t overthink this, your assessment shouldn’t be a six month exercise.)
3 – Do something! Prioritize your risks and address ONLY the things that can show measurable improvement, i.e. reduced risk. If you’re stuck in analysis paralysis just start with Consensus Audit Guidelines and address the ones that you’ve found to be vulnerabilities in your baseline.
4 – Document and tell your story using words and numbers that matter. Telling the board that SQL injection vulnerabilities have been reduced because you implemented a Web Application Firewall is why security often doesn’t get “a seat at the table”. Talk in terms of compliance and risk; they get that.
5 – Stop buying tools and adding complexity until you’ve mastered the ones you already own and have laid in the process (documented) to use them effectively and in an integrated fashion.
As Einstein said, “Everything should be made as simple as possible, but not simpler.” Apply this approach in exercising due care with respect to cybersecurity.
I’ve spent the week here at RSA talking with current and future customers, and a great question I get from customers looking for a trusted security partner is “So what exactly is it you do?” It seems like a simple question, but what it usually implies is some level of “consultant fatigue”: CISOs have had enough assessments, reports and outsiders telling them what their problems are. They want solutions and partners who do real work. Here’s what CyberSheath does to add value… guaranteed.
What We Do
We integrate your compliance activities with security activities and measurably reduce your risk.
How We Do It
Set a security strategy, select standards, implement controls, measure effectiveness.
What Results Look Like
A recent engagement for a customer led us to design and deploy an incident response and management plan. This particular security control happens to be Critical Control 18: Incident Response and Management from the CSIS: 20 Critical Security Controls list. Implementing all 20 controls would have been ideal but we are realists not idealists. The customer had suffered a significant attack where the APT had been embedded for over two years and the lack of process to contain and expel attackers directly contributed to massive amounts of data loss.
What We Did
Documented written incident response procedures that included specific roles and responsibilities for both management and technical personnel during each phase of an incident.
Documented and implemented organization-wide service level objectives (SLOs) related to mitigation of an incident.
The customer now has a documented, repeatable and measurable incident response and management plan for cyber-attacks and mitigates attacks on average in less than 2 hours once discovered.
Our focus is on implementing real results that make you more secure; we guarantee it.
The keynote sessions here at RSA 2013 kicked off yesterday, and Art Coviello, RSA Executive Chairman, focused on the importance of big data and the opportunities it presents security teams from an intelligence perspective. He’s right: the opportunities are tremendous and customers are anxious to better leverage “big data”, but documented and repeatable process, along with baseline implementation of critical controls, are prerequisites for taking advantage of “big data”.
The actionable intelligence that can be gained from big data is only useful if it causes an organization to take the RIGHT actions in the correct sequence with measurable outcomes. Conceptually leveraging big data makes perfect sense but the implementation will yield more of the same firefighting that bogs down security organizations today if it’s not part of a documented strategy with measurable outcomes enabled by rigorous process and a thorough understanding of the controls you currently have in place.
The actionable intelligence that big data can provide could very well enable an organization to quickly and efficiently mitigate an attack by correlating unstructured data in a context that directs a SOC analyst to take appropriate action. Attack mitigated, the good guys win, right? Maybe not… are we really still just addressing the symptoms and not the root cause? The attack is a result of a vulnerability that was exploited, and resources are being expended on the incident response because resources were not expended on preventative maintenance. Perhaps if the control to prevent the attack in the first place had been documented, implemented and measured, the attack would never have happened.
I realize that implementing critical controls won’t stop every attack but there is such a great opportunity to do some fundamental and meaningful work around implementing critical controls to stop attacks that get overlooked.
It’s just good hygiene. Would you rather brush your teeth, floss and get regular dental examinations, or be really good at getting fillings?
Day 1 at RSA wrapped up yesterday evening when the vendor expo opened and conference attendees had an opportunity to visit vendors and check out the latest and greatest products. The vendors are primarily product vendors, which reminded me how important it is for a CISO to have a services partner to help cut through the FUD and deliver value.
CISOs are inundated with point solutions, some of them excellent, but many of them duplicative of existing investments. I’ve found that in selecting products the process/project often ends with “100% deployment”, leaving security organizations unable to measure the return on their investment. A simplified view of the process goes something like this:
- Identify a need
- Hold a “bake-off” and select a product
- Set deployment objectives (entire enterprise, all Windows desktops, etc…)
- Achieve deployment objectives
- Declare victory with reports showing deployment saturation metrics
It’s a missed opportunity for security to instead align with the business and demonstrate quantifiable value by defining the project in the context of the business problem that is being solved. Security organizations can get myopic in viewing risk and laser-focused on point solutions that address specific security requirements missing the opportunity to tell the story of the business issue they are addressing as a part of the bigger picture.
100% deployment isn’t the goal, that’s just your day job. Enabling the business to engage customers, capture sales and recognize revenue is the goal. When you are in the trenches every day it’s difficult, sometimes impossible, to address the bigger picture but in my experience, the organizations that do are the most effective.
All checked in @RSA 2013 here in San Francisco!
It’s interesting to me the difference in perspective in attending one of these industry conferences as the CEO of a security services company rather than a CISO. When you are a CISO for a Fortune 500 company EVERY vendor wants your time, and you can be sure you will meet for as long as you want with whomever you want. As the CEO of a services company you’re competing for time with all of the big vendors and had better have something important to say as you vie for the precious time of oversubscribed CISOs.
It’s a great reminder for me of how important the work we do is. C level executives are inundated with competing demands on their time and what they need most is someone to solve real-world problems for them. They need a vendor, individual, product or service that literally takes something off of their plate so that they can move on to other priorities. Adding value in the security space is about delivering real-world pragmatic solutions that improve security posture.
Do you need that kind of a partner for your company? Let’s talk; I’ll be here all week, firstname.lastname@example.org.
Siobhan Gorman of the Wall Street Journal wrote yesterday that “Fortune 500 companies in a range of industries back a system of voluntary cybersecurity standards”. The topic of cybersecurity standards being voluntary or mandatory often sparks lively debate, but unfortunately, it’s the wrong discussion.
As a knowledge-based economy, intellectual property is the lifeblood of many businesses in America today and ultimately protecting it, collectively, is a matter of national security. The government has an appropriate role, indeed a responsibility, to regulate how that is done and they have done a tremendous amount of good work in defining recommended controls with the National Institute of Standards and Technology Special Publication 800-53. So I write this as a believer that the government has an important role to play in defining and implementing cybersecurity standards given the national security implications.
Compliance to standards and regulations like PCI DSS, HIPAA and others, voluntary or not, should be outcomes of an effective security program and not separate objectives divorced from day to day operations. When viewed in a vacuum, compliance to standards can be bureaucratic, costly and not materially effective in reducing actual risk. Fortunately, there is an efficient and effective way to deal with compliance and that’s the discussion we should be having.
The work being done in security operations centers and IT delivery organizations to secure a company’s assets and information should be documented, measurable and process-driven. If your security program meets these criteria then the outcomes and effectiveness of your efforts can be easily measured against compliance to standards, often in an automated fashion. If your security program isn’t documented, can’t be consistently measured for effectiveness, and is not process-driven then compliance to standards is a paperwork exercise that adds little or no value. Security programs like this often struggle to demonstrate their relevance to the underlying business, as well, because the business isn’t sure what they should be getting for their security dollar.
If compliance to prescribed standards is a drain on your resources and you can’t see the value, that could be a red flag that your overall security program isn’t meeting its objectives. Seize the opportunity to develop a strategy for your security organization, set success criteria, define metrics and articulate your value to the business. If you’re doing that, compliance will be easy.
…that’s my advice for managers and CISOs who find themselves on the hamster wheel of incident response and day-to-day operations. It’s easy to get locked into a permanent schedule of daily meetings punctuated by operational crises and mistakenly believe that security is different from anything else in your business and can’t be managed. Of course it can, but like anything worth doing (dieting and exercise come to mind), it’s hard and results take time to materialize. To do it you have to lead so that you can manage.
CISOs have to set the strategic direction for the organization and define success criteria that can be measured and shared with the business. One way to change the pace of your organization from frantic to controlled chaos, with a goal of getting to the point where you manage security like a business unit, is to define and implement a process for collecting, analyzing and reporting metrics. Take incident response as an example:
How many incidents did you have this month?
Where were they (geography)?
What business units were impacted the most?
Did you lose any data?
On average how long did it take you to remediate an incident?
Is that better or worse than last month? Why?
By collecting and analyzing the data you force the organization to slow down and start analyzing what’s working and what’s not. Which tools are performing the best? Which business units need more focused attention because they are more often targeted? Is the peanut butter spread approach to security working or does it make sense to better focus your resources? If you are not taking the time to collect and analyze the data you will never know.
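The following is an added example, not code from CyberSheath or from the original posts, showing how the incident response questions above (count, geography, business unit, data loss, mean time to remediate, month-over-month change) and the staffing argument from the budgeting post (incident hours, vulnerability ticket hours and business initiative hours measured against the analysts on hand) can be answered from a small structured incident log. The incident records, the other-work hours, the 2-hour containment SLO and the 120 productive hours per analyst per month are all constructed or assumed values for the demonstration.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Containment service level objective in hours (assumed for this example; the
# post reports an average of under 2 hours for one customer, not a universal target).
SLO_HOURS = 2.0

# Constructed sample incident records covering two months. "hours" is analyst
# effort spent on the incident; "discovered"/"contained" are local timestamps.
INCIDENTS = [
    {"id": "INC-001", "region": "EMEA", "bu": "Finance", "data_lost": False,
     "discovered": "2013-01-03T09:00", "contained": "2013-01-03T10:30", "analyst": "alice", "hours": 3.0},
    {"id": "INC-002", "region": "AMER", "bu": "Sales", "data_lost": False,
     "discovered": "2013-01-07T14:00", "contained": "2013-01-07T15:00", "analyst": "bob", "hours": 2.0},
    {"id": "INC-003", "region": "AMER", "bu": "Sales", "data_lost": True,
     "discovered": "2013-01-10T08:00", "contained": "2013-01-10T12:30", "analyst": "alice", "hours": 8.0},
    {"id": "INC-004", "region": "APAC", "bu": "Engineering", "data_lost": False,
     "discovered": "2013-01-20T22:00", "contained": "2013-01-21T00:00", "analyst": "bob", "hours": 4.0},
    {"id": "INC-005", "region": "EMEA", "bu": "Finance", "data_lost": False,
     "discovered": "2013-02-02T10:00", "contained": "2013-02-02T11:00", "analyst": "alice", "hours": 2.0},
    {"id": "INC-006", "region": "AMER", "bu": "Sales", "data_lost": False,
     "discovered": "2013-02-05T09:00", "contained": "2013-02-05T09:45", "analyst": "carol", "hours": 1.5},
    {"id": "INC-007", "region": "AMER", "bu": "Sales", "data_lost": False,
     "discovered": "2013-02-12T16:00", "contained": "2013-02-12T17:30", "analyst": "bob", "hours": 3.0},
    {"id": "INC-008", "region": "AMER", "bu": "Engineering", "data_lost": True,
     "discovered": "2013-02-18T07:00", "contained": "2013-02-18T10:00", "analyst": "alice", "hours": 6.0},
    {"id": "INC-009", "region": "APAC", "bu": "Sales", "data_lost": False,
     "discovered": "2013-02-25T23:00", "contained": "2013-02-26T00:15", "analyst": "bob", "hours": 2.5},
]

# Constructed non-incident workload for February: the other measures the
# budgeting post names (vulnerability tickets, business initiative support).
FEB_OTHER_WORK_HOURS = {"vulnerability_tickets": 210.0, "business_initiatives": 150.0}


def _hours_between(start, end):
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600


def incidents_in_month(incidents, month):
    """Incidents discovered in the given month, e.g. "2013-02"."""
    return [i for i in incidents if i["discovered"].startswith(month)]


def monthly_report(incidents, month):
    """Answer the post's questions for one month: count, where, which business
    units, data loss, mean time to contain, and share of incidents within SLO."""
    rows = incidents_in_month(incidents, month)
    ttc = [_hours_between(r["discovered"], r["contained"]) for r in rows]
    return {
        "count": len(rows),
        "by_region": dict(Counter(r["region"] for r in rows)),
        "by_bu": dict(Counter(r["bu"] for r in rows)),
        "data_loss_incidents": sum(r["data_lost"] for r in rows),
        "mean_hours_to_contain": round(mean(ttc), 2) if ttc else None,
        "within_slo_pct": round(100 * sum(h <= SLO_HOURS for h in ttc) / len(ttc), 1) if ttc else None,
    }


def month_over_month(incidents, current, previous):
    """Is this month better or worse than last month? Negative containment delta is better."""
    cur, prev = monthly_report(incidents, current), monthly_report(incidents, previous)
    return {
        "count_delta": cur["count"] - prev["count"],
        "mean_hours_to_contain_delta": round(cur["mean_hours_to_contain"] - prev["mean_hours_to_contain"], 2),
    }


def staffing_view(incidents, month, other_work_hours, productive_hours_per_fte):
    """Compare measured workload with analysts on hand: the 'tasks for a staff
    of 10, I only have 6' conversation, derived from data rather than asserted."""
    rows = incidents_in_month(incidents, month)
    per_analyst = defaultdict(float)
    for r in rows:
        per_analyst[r["analyst"]] += r["hours"]
    total = sum(per_analyst.values()) + sum(other_work_hours.values())
    return {
        "incident_hours_by_analyst": dict(per_analyst),
        "total_hours": total,
        "staff_on_hand": len(per_analyst),
        "fte_required": math.ceil(total / productive_hours_per_fte),
    }


if __name__ == "__main__":
    print("January:", monthly_report(INCIDENTS, "2013-01"))
    print("February:", monthly_report(INCIDENTS, "2013-02"))
    print("Change:", month_over_month(INCIDENTS, "2013-02", "2013-01"))
    print("Staffing (Feb):", staffing_view(INCIDENTS, "2013-02", FEB_OTHER_WORK_HOURS, 120.0))
```

On the constructed data, February shows one more incident than January but a mean containment time that fell from 2.25 to 1.5 hours with 80% of incidents inside the 2-hour SLO, and the staffing view shows 375 hours of measured work against three analysts with 120 productive hours each, which is the kind of "requirements for four, staff of three" figure the budgeting post describes. The choice to key everything off the discovery timestamp keeps month boundaries consistent across the report and the trend comparison.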
If you don’t lead, you will never be able to manage.