Secure Digital Solutions, LLC
20 Mar 2017

Cyber Risk is a Key Focus for Corporate Boards

March 20th, 2017
By Adam Stone, Principal

For organizations across industry sectors, digital commerce is the dominant vehicle to transact business and improve efficiency. Groundbreaking innovations in computing accelerate the speed of change for business, and the risks that naturally follow. A key risk that is often highlighted is cyber risk, and it is a key focus for corporate boards. According to the Institute of Risk Management, cyber risk is defined as “any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.”

Board members of the digital economy need the knowledge to ask the right questions of corporate executives. Without a reasonable degree of technical fluency, board members lack important tools to ensure a professional standard of care for the organizations they serve. Board members face a business imperative: adapt, today, to the disruptive changes of digital commerce by adopting a new dialect based in cyber risk.

Recently, the National Association of Corporate Directors (NACD) published the 2017 Cyber Risk Oversight Handbook. The message of the Handbook is clear: to assert meaningful oversight in the digital economy, board members must treat cyber risk as an issue of strategic import and operational significance for the organization. Cyber risk ought not to be written off as an “IT issue,” since this sort of thinking creates a hazardous blind spot for professionals charged with corporate governance responsibilities. To prepare board members for discussions about cyber risk, NACD recommends the following:

  • Understand the legal ramifications for the company, as well as the board itself.
  • Ensure directors have sufficient agenda time and access to expert information in order to have well-informed discussions with management.
  • Integrate cyber risk discussions with those about the company’s overall tolerance for risk.

These recommendations emphasize the need for proactive (rather than reactive) identification and analysis of cyber risks, as well as clear direction on cyber-risk management strategies. Importantly, the board’s treatment of cyber-risk ought to reflect the firm’s culture and capacity for change.

In support of an effective cyber risk strategy for the board, the Handbook outlines five cyber risk oversight principles fundamental to an effective risk management program.

Information security leaders play a crucial role in cyber risk governance. Board members depend on current, meaningful data to support the effectiveness of the firm’s information security controls and processes. For over a decade, Secure Digital Solutions (SDS) has provided solutions to elevate the language of information security by focusing on process maturity mapped to risk categories. Our award-winning TrustMAPP® platform leverages the powerful MAPP™ (Maturity Assessment, Profile, and Plan) methodology to quickly identify, measure and understand the performance of the business processes that support a security program and inform risk decisions.

Using process maturity as the key performance indicator for program effectiveness, TrustMAPP provides security leaders with readily available tools to effectively communicate the business value of cybersecurity and cyber risk. Executives and board members reap the benefits of TrustMAPP analytics via improved clarity in the organization’s information security posture and its impact on cyber risk strategies.

Want to learn more? Visit TrustMAPP.com for information about TrustMAPP®, powered by the MAPP™ methodology.

21 Dec 2016

Five Popular Initiatives of Cyber Security Leaders in 2017

With the new year approaching, now is a great time to celebrate the successes (and failures) of information security leaders and reflect on the challenges these leaders face in 2017. With this in mind, we’ve condensed the list to five popular initiatives of cyber security leaders in 2017. After experiencing massive ransomware attacks, large-scale data breaches and other adverse cybersecurity events of 2016, we anticipate another demanding year.

Recently, we asked security executives how they plan to address cybersecurity in 2017. What lessons did they take from the past year? What do they anticipate are the issues needing the most attention in 2017? Additionally, we collaborated with Fortium Partners to gain the perspective of the CIO office.

What we learned from these conversations is a summary of similar initiatives highlighted in 2016 with the addition of a few new priorities.

  1. Third-party security risk grows as we continue to outsource critical functions and migrate systems to the cloud.
    • Assessing third-party risk became a top priority after high-profile data breaches in 2013-2014. Third-party risk management initiatives finally made the project list across many security teams and C-suite leaders in 2015 and 2016 and will continue to improve with additional automation, scope expansion and improved metrics in 2017. Third-party risk management will become a core function of security and compliance operations and move off of the special projects list in 2017.
  2. Influencing employee behavior and company culture around cyber security is challenging without top-level support and remains a top priority.
    • Security awareness training is still a critical component of maintaining policy compliance and information security best practices. Security leaders will continue to sharpen and hone the messages and content delivered to end users throughout 2017, because security is everyone’s role, not just the security team’s. This is a theme the security industry has been focused on for several years. Although the topic is not new, take this as a reminder that user security awareness training is still as important as ever. In our experience, many successful attacks involve human error. Training is one key mechanism to reduce these errors to an acceptable level of risk.
  3. Threat actors continue to adapt their tactics faster than we can build or adapt our defenses.
    • Hardening the perimeter is an old concept and nearly inapplicable in today’s connected landscape. Thus, security leadership is taking the position that all connected devices are untrusted until otherwise vetted. This approach is also driving improvements in third-party risk management, where connectivity is often involved between two organizations. There are some promising new solutions in the marketplace that can perform real-time detection and stop questionable network traffic at the door. As the industry continues to improve upon attack prevention, we will see the sophistication of attacks evolve. The industry will always be in an arms race to build a better mousetrap as attackers devise methods to subvert the traps over time. In a nutshell, the leadership to whom we speak and our own observations do not see this initiative slowing down, or moving off the top five list in the near term.
  4. Resources remain slim and do not line up with the demand for effective controls.
    • The demand for skilled talent in cyber security has never been greater. We’ve spoken to a couple of solution providers who have a unique take on this, developing training programs that within 1-2 years can turn individuals into effective cyber security analysts. Accelerated training programs, coupled with trusted third-party partnerships, provide the best near-term solution to meet the demands of today’s security needs. Companies are growing tired of bidding for talent and instead look to partners to augment specific functions of their security operations, governance and compliance efforts.
  5. Information security remains an afterthought which, in turn, feeds the perception that security is a barrier to innovation and speed to market.
    • Reducing release cycle times and speed to market will continue to be top of mind for many CIOs and their business partners. Pressure will continue to build to skip past anything that could slow that process. However, the consequences of failing to catch vulnerabilities are clear: regulatory fines, reputation damage, customer data theft, and the list goes on. Over the next few years there will be emphasis on building security into the software development life cycle (SDLC). The good news is that automated testing and source code analysis tools will continue to mature, enabling incorporation into an organization’s SDLC.

It’s clear that security executives have their work cut out for them. How will they accomplish their objectives? We believe that the answer is simple: better communication. Too often, we observe information security leaders speak a language foreign to executives, board members and peers. The result is predictable. Security leaders experience perception issues connected to a lack of credibility among those in the C-suite. Without the trust and confidence of company executives, information security leaders find themselves swimming upstream with a flimsy paddle.

Make 2017 the year that you build credibility for your program. Speaking the language of business and developing a business story around cyber security program priorities and successes is critically important to maintaining credibility. Collaborate closely with the CIO and internal audit/risk management functions to educate management and gain support for critical initiatives. Express your ideas, recommendations, and proposals in ways that engage and energize executives and board members. Use business-focused metrics to tell a compelling story. Focus on process over controls.

Secure Digital Solutions wishes our customers and all business leaders a successful and productive 2017. May you earn the credibility needed to advance your business objectives for the new year!

Contact our team to learn about methods to communicate with executives and boards of directors using our MAPP™ (Maturity Assessment, Profile and Plan) methodology enabled by the cloud-based TrustMAPP® platform.

09 Sep 2016

FFIEC Issues Updated Information Security Handbook

By Adam Stone, Principal Consultant
September 9th, 2016

The Federal Financial Institutions Examination Council (FFIEC) today announced a revision to its venerable Information Security booklet. As a part of the FFIEC Information Technology Examination Handbook, the updated Information Security booklet addresses “the factors necessary to assess the level of security risks to a financial institution’s information systems.”

For U.S. financial institutions and others responsible for complying with section 501(b) of the Gramm-Leach-Bliley Act of 1999, the updated booklet provides greater clarity on the role of risk management as an integral part of a robust information security program. It is likely that examiners will begin referencing the updated booklet immediately.

For more on how you can effectively integrate these new guidelines into your information security program, contact Secure Digital Solutions at 952-544-0234.

26 Apr 2016

Is Your Risk Leadership Asking the Right Questions?

By Christophe Veltsos, PhD
April 25th, 2016

A recent report by Deloitte entitled 10 Questions You Should Be Asking to Embrace Risk and Lead Confidently in a Volatile World contains key recommendations for business executives to ensure their organization’s survival in the face of uncertainty. The main themes of the report include the need for executives and directors to be aware of their own biases, to value differing opinions, to protect the organization’s reputation, to prepare for the next crisis, and to ensure lessons are drawn from every crisis. However, the last two questions stand out as they relate strongly to the cybersecurity field:

Question 9 – “Is my risk team giving me the confidence I need to make high-stakes decisions?”

The report cautions business leaders about the danger of looking at the risk function as a mere exercise in compliance. It also warns about the use of language and terminology that can feel foreign to these leaders. So, how should an organization report on its cybersecurity efforts to enable leaders to make confident decisions? How can the CISO elevate the conversation, to provide expertise and consultation to the business leaders on matters related to cyber risks?

Question 10 – “Am I engaging our board’s expertise to navigate uncertainty?”

Here Deloitte reminds executives to fully leverage the expertise the board can provide. However, to fully leverage the board’s help, the business has to ensure that information is presented in a way that is clear, consistent, and easy to understand by people with various levels of expertise in the particular domain presented. This is especially true for the cybersecurity domain. How can the business present cybersecurity-related information in a clear, consistent manner that is easy to understand by executives and directors?

To bridge the gap between the CISO, the executives, and the board, one can look at the MAPP approach: Maturity Assessment, Profile, and Plan. This approach works by first assessing the maturity of the organization’s security processes. This assessment can then be translated into diagrams and visuals in support of high-level presentations and discussions with executives and directors about the organization’s current cybersecurity profile, and how to best direct future investments to balance cyber risks while supporting the business’ ability to grow. The MAPP approach enables the information security and risk leaders to become a strategic partner of senior management.

“MAPP helps CISOs create and communicate an information security roadmap to guide the organization’s security activities.” — MAPP White Paper

23 Mar 2016

Unifying the Message of Information Security

By Tennelle Anderson, CISSP, CISA, CPA, Secure Digital Solutions

I started out my career as an auditor. Then I moved into compliance. Now I’m a security consultant. One thing I’ve observed during my journey is that while each of these groups values controls such as logical access and vulnerability management, each group evaluates these controls using a different lens. These different lenses cause each group to speak a different language, leading to the confusion and frustration of management (and each other). All teams should focus on unifying the message of information security.

Isn’t there a single language that all three groups can use to consistently communicate the state of control effectiveness, compliance position and risk? Is there a single language that can also accommodate an ever-changing technological and compliance landscape? Is there a unifying language that can also communicate “how good is good enough” AND address concerns regarding overinvestment in security and compliance?

Yes, there is.

A Single Language

You probably think I’m dreaming, but I assure you I am not. The security industry is increasingly moving toward process maturity as the standard by which security programs are measured and improved [1]. The five CMMI maturity levels (Ad hoc, Managed/Repeatable, Defined, Quantitatively Managed, Optimized) can be used to describe control implementation and effectiveness, compliance with a specific requirement, as well as the level of risk present for any given process or asset.


Harmonization of Controls and Processes to Reduce Compliance Fatigue

As you have no doubt observed, there is a great deal of overlap between the various security regulations and frameworks that exist today. Rather than trying to keep up with hundreds of different individual (and ever-changing) control objectives, organizations can harmonize those individual controls into a set of processes that can be measured based on their maturity level. For example, rather than measuring adherence to 20 different logical access-related controls, break those controls into a subset of processes (e.g. provisioning, de-provisioning, access reviews, etc.) and measure the maturity of those processes.

Unlike audits and risk assessments, which provide only a point-in-time view of the existence and/or effectiveness of controls, assigning maturity levels to existing processes gives a point-in-time snapshot of these processes AND helps determine a company’s ability to adapt to ever-changing compliance requirements and control expectations. In addition, it reduces the number of assessments that must be conducted (and the number of widgets assessed), helping to reduce your organization’s audit fatigue.

How Good is Good Enough?

Using the CMMI maturity levels is also a great way to help your organization define “how good is good enough”. For example, if your logical access provisioning processes are considered Level 1, or ad hoc, most auditors, compliance specialists and security analysts would agree that the associated controls are likely not operating effectively (if they exist), do not meet associated compliance requirements, and present a higher level of risk to your organization. Processes rated a Level 2 (repeatable, but reactive) or Level 3 (defined) may be considered to be operating effectively, meeting associated compliance requirements, and presenting less risk to your organization. Processes rated a Level 4 (quantitatively managed) or a Level 5 (optimized), while indicating effectively operating controls that meet compliance requirements and present little risk, may be getting into overinvestment territory for your particular organization. Having management define maturity goals for the organization can help everyone know how good is good enough from the outset, eliminating confusion and reducing the risk of under- or overinvestment.

Bringing it all Together

Once audit, compliance and security begin to speak in the same language, management will immediately benefit by receiving a consistent and understandable message. This will allow your organization to move to the prioritization and implementation stages more quickly without fear of overinvestment. It may even help your organization to recognize audit, compliance and security as valuable business partners contributing to business goals, rather than impeding them.

How SDS Can Help

SDS’s Accliviti tool, powered by their MAPP methodology, empowers organizations with a clear picture of security posture based on maturity levels, including trending analysis, planning and budgeting, and built-in support for multiple security frameworks and regulations. With Accliviti’s SaaS delivery model, scoring, tracking improvements and communicating performance of a security program happens in weeks, instead of months, using built-in analytics. Accliviti helps CISOs create and communicate, using a unifying message for information security, a roadmap to guide the organization’s security activities.

By leveraging the best-practice MAPP model of Maturity Assessment, Profile, and Plan, using an automated tool like Accliviti, CISOs can focus more of their time and interactions towards security strategy and advisor roles for the business.

[1] Veltsos, Christophe; “A MAPP to Clearer Information Security,” January 2016.


15 Nov 2015

Processes Are for Managers

A Holistic Approach to Information Security

By Chad Boeckmann, CISA, CISSP (CEO, Secure Digital Solutions)

In my previous blog, “Controls are for Auditors” I wrote about how we as security leaders need to move away from managing security controls in the weeds like an auditor. This article describes a better “processes are for managers” approach. It aims to align security management with the business in order to communicate and manage information security effectively.

CISOs are tasked to achieve challenging outcomes and also need to communicate the state of their progress, the state of the information security program, to other executives and the board of directors. We speak with CISOs from Fortune 500 companies and many mid-market companies. They are all challenged with the same dilemma: presenting effectively to an audience that does not necessarily understand the complexities of information security.

To address this challenge, consider looking at the information security program as a business process. Frameworks and legal or industry data protection requirements often overlap, and these requirements can be combined to establish a core process as a requirement of the security program. For example, ISO27002, the HIPAA Security Rule and GLBA all require Access Control. If we look at access control for a moment:


Let’s say we want to measure the process called Access Control. Access Control Management is a requirement of many data protection laws and is also highlighted in both ISO27001 and NIST Cyber Security Framework. Instead of managing control verbiage from a regulation or framework we can measure the effectiveness of Access Control Management generally from a process perspective but do so specifically using maturity attributes from COBIT. So for Access Control Management we want to understand the level of performance of this process across the six major attributes described in COBIT 4.1 using a standard maturity scale of 1 through 5.

  1. What is our level of maturity of Awareness for Access Control Management across our environment?
  2. What is our level of maturity for Policy & Procedures for Access Control Management across our environment?
  3. What is our level of maturity of Expertise for Access Control Management across our environment?
  4. What is our level of maturity of Accountability for Access Control Management across our environment?
  5. What is our level of maturity of Automation for Access Control Management across our environment?
  6. What is our level of maturity of Measurability for Access Control Management across our environment?

If the business is performing well in Awareness, Policy and Procedure and Accountability (relative to our process in question) then focus can be applied to improving the process towards Automation (tools) and Metrics for Access Control Management. This approach provides a much more holistic method to repeatedly understand attributes of a control process that applies to internal policies and external regulations.
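A worked gap analysis, added here as an example; it is not code from SDS, Accliviti or COBIT. It scores one process across the six COBIT 4.1 attributes listed above on the page’s 1-through-5 scale, compares each attribute to a management-defined target level (the “how good is good enough” idea from the earlier post), and lists the attributes below target as the ones to focus on next, while attributes above target are flagged as possible overinvestment. The sample scores for Access Control Management, the target of 3, and the rule that a process is only as mature as its weakest attribute are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import List, Mapping, Union

# The six COBIT 4.1 maturity attributes named on the page, in page order.
ATTRIBUTES = (
    "Awareness",
    "Policy & Procedure",
    "Expertise",
    "Accountability",
    "Automation",
    "Measurability",
)
MIN_LEVEL, MAX_LEVEL = 1, 5  # the page's 1-through-5 maturity scale


@dataclass(frozen=True)
class AttributeFinding:
    attribute: str
    level: int
    target: int
    delta: int   # level - target; negative means a gap
    status: str  # "gap", "on target" or "above target"


def validate_scores(scores: Mapping[str, int]) -> None:
    """Reject incomplete, unknown or out-of-range attribute scores up front."""
    missing = [a for a in ATTRIBUTES if a not in scores]
    if missing:
        raise ValueError(f"missing attribute scores: {missing}")
    unknown = [a for a in scores if a not in ATTRIBUTES]
    if unknown:
        raise ValueError(f"unknown attributes: {unknown}")
    for attr, level in scores.items():
        if not isinstance(level, int) or not MIN_LEVEL <= level <= MAX_LEVEL:
            raise ValueError(f"{attr}: level {level!r} not in {MIN_LEVEL}..{MAX_LEVEL}")


def _target_for(attr: str, target: Union[int, Mapping[str, int]]) -> int:
    """Target may be one level for every attribute or a per-attribute mapping."""
    t = target if isinstance(target, int) else target[attr]
    if not MIN_LEVEL <= t <= MAX_LEVEL:
        raise ValueError(f"{attr}: target {t!r} not in {MIN_LEVEL}..{MAX_LEVEL}")
    return t


def assess_process(scores: Mapping[str, int],
                   target: Union[int, Mapping[str, int]]) -> List[AttributeFinding]:
    """Compare every attribute to its target; the largest gaps come first."""
    validate_scores(scores)
    findings = []
    for attr in ATTRIBUTES:
        t = _target_for(attr, target)
        delta = scores[attr] - t
        status = "gap" if delta < 0 else ("on target" if delta == 0 else "above target")
        findings.append(AttributeFinding(attr, scores[attr], t, delta, status))
    # Sort by delta; ties keep the page's attribute order because sort is stable.
    findings.sort(key=lambda f: f.delta)
    return findings


def process_level(scores: Mapping[str, int]) -> int:
    """Assumption: a process is only as mature as its weakest attribute."""
    validate_scores(scores)
    return min(scores[a] for a in ATTRIBUTES)


def improvement_priorities(findings: List[AttributeFinding]) -> List[str]:
    """Attributes below target, worst first: where effort should go next."""
    return [f.attribute for f in findings if f.status == "gap"]


def overinvestment_candidates(findings: List[AttributeFinding]) -> List[str]:
    """Attributes above target: worth a conversation about whether to keep investing."""
    return [f.attribute for f in findings if f.status == "above target"]


def report(name: str, scores: Mapping[str, int],
           target: Union[int, Mapping[str, int]]) -> str:
    """Plain-text summary suitable for a management conversation."""
    findings = assess_process(scores, target)
    lines = [f"{name}: process level {process_level(scores)} (weakest attribute)"]
    for f in findings:
        lines.append(f"  {f.attribute:<20} level {f.level}  target {f.target}  {f.status}")
    lines.append("  focus next on: " + ", ".join(improvement_priorities(findings)))
    return "\n".join(lines)


# Constructed sample scores for Access Control Management (illustrative, not real data).
SAMPLE_SCORES = {
    "Awareness": 4,
    "Policy & Procedure": 4,
    "Expertise": 3,
    "Accountability": 4,
    "Automation": 2,
    "Measurability": 1,
}

if __name__ == "__main__":
    print(report("Access Control Management", SAMPLE_SCORES, target=3))
```

With the sample scores and a uniform target of 3, Measurability and Automation surface as the gaps, matching the page’s point that a process strong in Awareness, Policy & Procedure and Accountability should direct effort toward Automation and Metrics; passing a per-attribute mapping as `target` lets management set different expectations for, say, Automation than for Awareness.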

This is how to create alignment with the business while still meeting control objectives and focusing resources on the areas of greatest impact. Let your internal and external auditors measure the effectiveness of the control in place; you will know the answer before the audit starts by measuring and improving upon the attributes of each process. Therefore we can leave controls to auditors and adopt a “processes for managers” approach to manage security programs. To see this methodology in action, take a look at a 2-minute video demonstrating Accliviti, a platform we developed to holistically manage information security.

01 Nov 2015

Ten Years of Information Security

This November marks ten years since Secure Digital Solutions (SDS) began as a company delivering thought leadership to clients in a way that accomplishes business objectives. In those ten years there has been a lot of change.

In 2005, companies defined information security as policy, procedures, firewalls and vulnerability assessments. A lot has changed in ten years, and still a lot has not. Today in 2015 we are still focused on policy, procedures and vulnerability assessments, but also on securing mobile devices and personal devices in the workplace; health information is now online in a big way, credit cards are stolen at an enormous rate, and we are supposed to believe that technology is making our lives easier.

The average employee spends roughly 28% of their workweek reading and responding to email, according to a McKinsey study conducted in 2012. Taking a look at data for a moment: in 2005, 136 data breaches were made public, impacting 52,815,610 records. Contrast that with 2015, where 155 breaches were reported to the public, impacting a staggering 153,021,381 records. This information is reported by the Privacy Rights Clearinghouse chronology of data breaches. Comparing 2005 to 2015, there are only 19 more data breaches reported today versus ten years ago. However, it is clear the amount of information compromised is a much higher multiple, with over 100M more records compromised in 2015 compared to 2005. This clearly tells us that larger breaches are occurring, but also that in general businesses are storing more sensitive information online than ever before.

As a digital society we still have not solved information security. We continue to bring digital revolutions to consumers and deliver automation for our businesses with security being a bolt-on feature in many instances. Ten years later our firm is still writing new security policies, emphasizing the importance of procedures, and we frequently are called upon to help clients conduct vulnerability assessments and penetration tests. These activities are important and the intentions are sound; however, it also means we as a digital society still have not “solved” some of the fundamentals of information security. In 2015, CISOs are working out the approach and the information needed to report to the Board of Directors on the state of their information security programs and progress. This is a reaction to the Target and Home Depot data breaches. Whenever an executive is called upon to report to Congress on the state of security, ladies and gentlemen, we as an information security industry have arrived. And yet, I’m not impressed at the attention information security is receiving. Why had boards of directors not demanded reports from the CISO prior to 2014? The industry is still very reactive in nature, but I do see hope as we are learning from our mistakes.

Circling back to our ten-year anniversary for a moment: in 2014 our team embarked on a journey to automate the measurement, analysis and communication of information security programs. Our business rule for doing so was to ensure we were not going to create another audit tool or GRC tool. Indeed, we have accomplished this goal. We have solved what CISOs are struggling with in 2015 and beyond: reporting to the Board of Directors and executive stakeholders in a meaningful and consistent manner. We do this by measuring the processes that form your information security program based on maturity levels of six criteria from COBIT 4.1 (Awareness, Policy & Procedure, Accountability, Expertise, Automation and Measurability). Each of these criteria is measured based on its maturity level for each individual process, so you know which aspects of a process actually need improving and how well the other criteria of the process are actually performing.

For the month of November we are offering qualified clients an opportunity to try Accliviti for thirty days with no further obligation. To understand more about how we measure information security programs using Accliviti, refer to the blog titled “Processes are for Managers”. Accliviti is all about elevating the conversation around information security programs.

As CISOs and information security programs in general have dramatically shifted and matured over ten years, so has our practice at Secure Digital Solutions. We plan to continue to develop exciting new features in the Accliviti platform as it quickly becomes the go-to CISO platform, supporting the CISO in becoming successful with the business, for the business. Cheers to the next ten years!


25 Mar 2015

Are You Speaking Risk?

Clearing Up Garbled InfoSecurity Communication

By Corey Tower, GRC Consultant


“There is a Threat that can Exploit our Vulnerability – we should address this Risk.”

That sentence alone can be written interchangeably about nine times, causing confusion on what in the information security world we are actually talking about. In my tenure, I’ve seen these risk management terms misused more than not.

What I would like to accomplish in this blog is to address what risk management terms actually mean and how to use them correctly. Otherwise, we take the risk of creating confusion amongst our team which can exploit…oh, never mind, let’s get to it.

The following definitions are from Shon Harris’ All-in-1-CISSP:

Threat Agent: This is the entity that is responsible for creating a threat. This is your hacker.

Threat: Threat is a danger that can exploit a known or unknown vulnerability in your security.

Vulnerability: This is the lack of a countermeasure, or a weakness in an already existing countermeasure.

Risk: Risk is your likelihood and business impact if a threat were to indeed exploit a vulnerability.

Exposure: An instance of being exposed to losses.

So how do these risk management terms interlink? Shon gives another great example of how to show this in her infinite loop:

“Threat Agents, give rise to Threats, that exploit Vulnerabilities, which lead to Risk, that can damage Assets, and cause an Exposure, which can be countermeasured by a Control, which affect Threat Agents.”

Another translation issue can come about when discussing which classification a control falls under. When it comes to kicking in your home’s front door, did that lock serve as a Physical Preventative control or a Physical Detective control? The lock didn’t keep the intruder out, though your busted door frame told you loud and clear what happened. So which is it? Keep it simple: locks are meant to keep unwanted people out. That makes this a Physical Preventative Control. An example of a Physical Detective control would be a motion detector.

As you can see, it’s no surprise these terms are interchanged. Within your security team, make it a point to use correct terminology to help bolster a more mature InfoSec program.