Secure Digital Solutions, LLC
22 Aug 2017

Cybersecurity Maturity is Growing Up

originally featured on CSO Online

August 23rd, 2017
Ed Snodgrass, CISO

 

Maturity is an interesting word. We’ve heard it throughout our lives and it’s had different meanings in different contexts.  As a child, we heard it from our parents regarding “growing up” or “being more mature”.  We may not have entirely understood it then, but our parents knew that developing maturity would be important for friends, colleagues and peers to take us seriously.

As we grew older, we began to understand the concept of maturity and that it could be compared closely to wisdom.  We began using what we learned through experience and started applying that knowledge to our decision-making process.

Today we hear the word maturity frequently in the workplace.  We see it used in processes, methodologies, rating scales, etc., and from a technology and process standpoint, maturity can be applied to cybersecurity as well, although its applicability and benefit isn’t always readily apparent.

Case in point.  Recently, over lunch, I was attempting to explain the purpose and benefit of cybersecurity maturity to a business colleague.  Based on his skeptical expression, it was clear to me that I wasn’t succeeding.  He fully understood compliance and the implications of non-compliance, but wasn’t grasping the value of maturity and how it was relevant in the security space.

I thought about what was personally important for me to secure, and the answer was easy – my family.  I then thought about an area where compliance comes into play and how it is typically used to determine effectiveness – home fire safety.  Using that as an example, I asked him to rate his family’s level of home fire safety on a scale of 1-5.  “4-5,” was his response. “I have the best smoke alarms money can buy.  I have one on each floor and in each bedroom, as I’m required to by code.  In addition, I have a fire extinguisher in the house and one in the garage.”

From a compliance standpoint, we both agreed that his score of 4-5 was likely accurate, and one could say that he had gone above and beyond the minimum standard.  I then challenged him to look at it from a maturity perspective, using a series of ad-hoc questions as a baseline:

  • Do you test your smoke alarms?
  • Do you have a regular schedule for replacing the batteries or do you replace them only when the alarm tells you to?
  • Do you have a family communication and logistics plan that you can put into action if an alarm sounds in the middle of the night?
  • Do you practice the plan?
  • Does everyone in your family know where the fire extinguishers are?
  • Does everyone in your family know how to use the fire extinguishers?
  • Is there a pre-determined family assembly area outside?

As he considered each question, I then asked, now that he’d added a maturity measurement to compliance, what would he rate his family’s level of fire safety?  “Probably a 1-2,” was his concerned reply.

While this may be a simple example, it begs a question.  Traditional compliance and operational data is important, but does it provide adequate context to truly evaluate capability?  Using the fire safety example above, it doesn’t appear to.  My colleague had all the required detection mechanisms in place, including some additional preventative measures, but any significant capability for his family to respond effectively to a fire simply wasn’t there.

The same question can be asked of a cybersecurity organization, and a growing number of security leaders are adopting maturity as a metric to analyze and determine their team’s strategic capabilities because the hundreds of individual controls, while critical, only represent a point in time.

Cybersecurity maturity, used as a performance metric, offers additional insight into how the security organization is operating.  It can be used to analyze compliance and operational data at the process or function level.  Trends can be discovered, monitored and adjusted for.  An enterprise security training program may have all the right features in place, for instance, but the open rate of phishing emails by employees isn’t decreasing over time.  Do the components of the training program need to be adjusted or does the content?  Or, does the challenge lie within another function or process outside of the training program?   The use of maturity to analyze the capabilities of those processes can likely answer those questions.

In today’s evolving threat landscape, effective metrics are critical to security success.  Controls and operational data are required to run the organization today.  Strategic KPIs, such as maturity, are also required to measure, profile and plan the security organization’s capabilities for both today and tomorrow.  Performing a cybersecurity maturity assessment on the security organization will likely yield valuable insights.  There are excellent sources available that show where to begin and how to demonstrate the value of measuring cybersecurity capabilities and effectiveness.  (An example can be found here).

Ultimately, the best smoke alarms money can buy are powerful tools in the event of a fire, but only if everyone has the capability and maturity to respond effectively.

Interested in learning more about security program performance and leveraging the value of cybersecurity maturity? Download the white paper titled “Roadmap to Success

29 Jun 2017

Trends in Data Breach

June 29, 2017
Ed Snodgrass, CISO, Secure Digital Solutions

On Friday, June 23, Anthem Healthcare agreed to settle a series of lawsuits related to the company’s 2015 data breach, which impacted 78.8 million individuals. The settlement includes a payment of $115 million and three years of additional security protections. This represents the largest amount thus far in a steadily growing list of big-dollar, security incidents.

On the surface, this trend has the appearance of a growing regulator intolerance backed up by similarly increasing penalties. But, there’s more to this story than meets the eye.

Every major data breach has resulted in settling the case without a single admittance of liability. Settlements are negotiated between the respective legal teams and various payments between parties are agreed to.

The results of these cases, without admission of liability, leaves us wondering where the accountability lies and why such breaches, and the settlements that follow, continue to happen, even though security is now viewed as a critical component of doing business. The accountability aspect is complex and likely a topic for another day. This post will focus on some reasons breaches continue to occur.

Secure Digital Solutions has been privileged to be involved in some of the largest data breach cases over the last decade. This challenging and sensitive work gives us a unique perspective on the process, the causes and the results. While I’m not able to talk specifics, I can provide some of the following insights into the high-level, recurring patterns that we see in almost every case related to these breach incidents:

  • Lack of visibility – The identified critical, core systems are known and generally well- protected. Other systems that are known, but may not have been assessed and designated as critical, are not well-protected.
  • Lack of ownership – Taking direct responsibility for company-owned and managed systems isn’t enough. Identification and ownership of the connectivity to those systems, (vendors and suppliers, for example), is mandatory as well. Reliance on 3rd party attestation doesn’t cut it.
  • Having it but not doing it – It’s one thing to have policies and standards written and communicated. They’re nothing but ‘shelf-ware’ unless they’re monitored and enforced.
  • Lack of basic blocking and tackling – The technical requirements of a solid, secure enterprise are known as are the processes to support the requirements. Implementation of those requirements is hard, but it must be done.

The key takeaway is that nothing on the above list is new or unforeseen. No undiscovered symptom exists that leads to compromise. Nor is there a silver bullet that prevents compromise. Knowing your enterprise and getting back to security basics in terms of objectives, requirements, process and appropriate supporting technology – is the most effective means of preventing a significant incident. And when an incident does occur, having the above components addressed allows for rapid and effective detection, containment and response that should minimize the long and complex process that follows a breach.

13 May 2017

Hiring a Security Rockstar

May 13th, 2017

Secure Digital Solutions CISO, Ed Snodgrass,recently had the privilege of writing for Forbes Technology Council. The title of the piece is “Looking To Sign A Security Rock Star? Money Isn’t Everything“. A summary of the article is given here with the full article located on Forbes.

What follows is a high-level summary of original article posted on Forbes.com May 3rd, 2017:

There’s a cybersecurity talent war going on. Skilled resources are in high demand, and the competition for them is fierce. Big companies pay big money to attract and retain talent, potentially leaving small to mid-size organizations in a tough spot to compete on those grounds alone. In summary

Give them a path forward:. You brought them in for what you need today. Work with them to build a plan for what you’ll need tomorrow. Discuss career aspirations, help them build an individual roadmap based on goals and milestones, and support it. Your people will know they have a challenging and rewarding future ahead. It’s mutually beneficial.

Share the company’s mission and strategy: Knowing how security and their specific role supports the company’s overall mission provides context and creates ownership in the organization’s success. The role they’re currently in may not be glamorous, but it’s critical and they know that.

Support continuing education and networking: Give them time to get that new security certification. The knowledge they’re gaining will make them smarter, and your company will be better off for it. Security conferences are important, too. Security pros need to stay up to date with the latest threats and the latest countermeasures showcased at these events. Yes, they go to network, too, but that’s not necessarily a terrible thing. After all, if they’re happy working for your company and others see that, perhaps a respected and talented colleague will want to be happy working for your company as well.

Respect and acknowledge their expertise: Security professionals are paranoid — and that’s a good thing. When they come in with a discovery or a suggestion (read: “We absolutely have to do this”), make sure you listen. Discuss it.  Weigh pros and cons, and ultimately, if your decision isn’t the course of action recommended, they’ll know why. They’ll know their council was valid and they’ll respect it.

Be real: Engaging in candid discussions about professional development is critical. The pros will take your constructive feedback as a personal challenge to better themselves rather than petty criticism — but only if you’re open to their constructive feedback as well. At the end of the day, they know you call the plays and they respect that.

Recognize their achievements: Security can be a thankless job because “no news is good news.” Much of the demanding work it takes to protect a company goes on behind the scenes and in windowless rooms. Appreciate what they do, and they’ll appreciate it, too.

If they want to leave, help them leave: That doesn’t mean push them out the door; it means set them up for success in their next role. Know what their new opportunity is offering them and why. Talk about the things they’ve learned and their professional growth as a member of your organization and thank them for being a part of the team. Despite the substantial number of security practitioners out there, it’s a small community. With so many open positions available, security pros can pick and choose where they go, and security culture is just as important as compensation. Build a great culture, and you’ll be amazed by the results.

16 Feb 2017

Investors’ Top Five Cyber Security Questions

February 16th, 2017

In the wake of numerous high profile cyber attacks against global businesses, including Sony, Target, and eBay, investors and boards alike are realizing that data breaches are an ever-present threat. Investors expect that company boards will assume a leadership role in addressing risks and controlling damage from these cyber incidents. Information security leaders should also understand what boards and investors expect from them in translating the business value of security
An article from the Council of Institutional Investors called “Prioritizing Cybersecurity” explores investors top five cyber security questions they are asking company boards, and how the board can effectively respond.

 

 

  1. How are the company’s cyber risks communicated to the board, by whom, and with what frequency?

With this question, investors want to learn how well informed the directors are regarding the company’s cyber risk profile. Investors are best reassured when the board is updated frequently about information security risks.

  1. Has the board evaluated and approved the company’s cybersecurity strategy?

Investors expect the board to have a full understanding of the company’s strategy for minimizing the financial and material impact of a cyber incident. A good strategy includes protecting the most critical data and assets from operational, financial, reputational, and legal harm. It should include preventative, detective, and corrective measures. The board must also be familiar with management’s incident response procedures, including simulation drills and a strong communications plan.

  1. How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?

Cyber security often requires a multi-disciplinary approach across multiple management levels. Board members are responsible for reviewing the backgrounds and qualifications of everyone accountable for cybersecurity. Investors look for an organizational structure with clearly delineated responsibilities and sufficient management oversight.

  1. How does the board evaluate the effectiveness of the company’s cybersecurity efforts?

The board has the authority to establish standard performance metrics based on the company’s size, industry, and risk profile. An additional benchmark is to compare performance to that of similar companies. Investors want to know how the company’s security efforts perform according to the company’s own metrics, as well as how they compare to other companies.

  1. When did the board last discuss whether the company’s disclosure of cyber risk and cyber incidents is consistent with SEC guidance?

Investors want the board to fairly and accurately report on the company’s cyber risk profile and security performance. The SEC asks that companies disclose cyber incidents, but provides few guidelines regarding when such a disclosure is required. The board can proactively communicate the process used to assess damage from cyber incidents on the company’s data and assets. Transparency about this process reassures investors of the company’s cyber health.

Boards and investors can develop a more productive partnership through better communication. Board members should seek to understand the investors’ concerns, and the investors should make equal effort to understand the board’s decisions and actions.

Secure Digital Solutions offers TrustMAPP®, a platform that facilitates this type of communication and information sharing with boards by information security leaders. Contact our team to learn more about TrustMAPP® solution.

19 Oct 2016

Cyber Security Services Catalog Enables Strategy

October 19th, 2016
Mike Edlund, Solutions Manager

Cyber Security Service Catalog Enables Strategy

Creating a Security Services Catalog for a larger security team begins to drive value across the business. A security service catalog enables strategy by clearly articulating to the business customer the type of services the security team provides and the level of service and responsible parties for each area identified.

Customer Request

A customer requested Secure Digital Solutions (SDS) to develop security plans and procedures to consistently manage their information security program. SDS collaborated with the security team to document and improve the current and desired security activities and plans. Our security consulting client had two challenges:

  • Procedures and plans to deliver the security program activities were not formally documented, leading to poorly-defined program actions and responsibilities.
  • Roles and responsibilities defined in newly minted procedures and plans were not aligned with the team set up to do these activities.

The customer engaged SDS to conduct in a collaborative environment development of cyber security plans and procedures for the cyber security program and supporting team members. Along the way, SDS discovered a gap in roles and responsibilities that led to a further surprise benefit to assist the security program.

SDS Solution

Over a period of months, SDS partnered with customer security leadership to define desired security program procedures and plans. The documents included a number of areas such as threat and vulnerability management, training and awareness, risk management as well as policy and standards management.

servicescatalogSDS began creating a number of documents that laid out areas within the security program. Plans to define how these areas would be strategically delivered were designed and offered for further feedback, input and iteration from the security team and leadership to reach a final draft status. The SDS team developed the content leveraging both industry best practice and
actual approach by the customer’s security team.

Plans and procedures included sections to define roles and responsibilities as to who is responsible to deliver the security program processes and related service levels. SDS also noted that missing formal responsibilities for the security team were leading to more firefighting and less strategic, planned activities. This conversation and discovery identified the need to coalesce security team processes into a centralized service catalog.

Consulting with customer’s security team lead to the creation of a services catalog that defined the required activities and assigned team personnel requirements to these activities.  As a result not only did the security team have a clear understanding of priorities and responsibilities, the business customers also understood the scope of the internal security services team.  Business teams now understand how to engage and who to speak with regarding various projects and customer engagements.

Impact on the Client’s Business

Along the way, leadership of the security team changed. The security catalog took on a whole new meaning with a surprising additional benefit. With the catalog’s estimates for FTEs required for duties to properly cover the entire security program, the new security leadership leveraged the security service catalog as the means to forecast and request additional resources to executive stakeholders.

With the change in security program leadership, the plans and procedures also offered insights and a standard approach from which the new leadership could understand how the program is managed.

17 Aug 2016

How Measuring Process Maturity Exceeds a Binary Compliance Approach

August 17th, 2016
By Corey Tower, CISM, PMP

If you have ever been in charge of implementing an inaugural security program or have been asked to formally organize information security, you know that compliance requirements are at the forefront of the conversation. Yet if you’ve been building and managing a security program for years you already know a compliance-based approach is not robust to handle modern threats or comprehensive to manage risk across the entire business. As a measurement tool, compliance assessments are blunt instruments that focus primarily on the existence of controls. These assessments tend to yield binary results – either the organization is compliant, or not.  Let’s explore how measuring your process maturity exceeds a binary compliance approach.

Implementing security effectively from the results of a compliance assessment is challenging, since gaps in compliance suggest the need for security investments that may be disproportionate to the problem the organization is trying to solve.

How Maturity Prioritizes Investment

Focusing on your maturity will allow you to view your program in both dark and bright lights. If you are serious about the effectiveness of your security program, you must be honest about the current state. For example, if you have in-house software development and you complete the compliance section of securing source code, you have two choices:

  1. Compliance Approach: Check the box that says “We do it – done.”
  2. Maturity Approach: Deep dive into process-level maturity. (I.e. “How do we protect source code? How well defined are the standards to protect source code? What goal have we defined for source code protection? Is the security of our source code library adequate?”) Each scored on a maturity scale of 0 through 5 such as those defined by COBIT.

Once you’ve completed a maturity assessment of all processes that make up information security program, you can begin a more efficient plan for resource allocation and budget management. For example, perhaps 250 hours of project resource time can be shifted from your very mature patch management process to help your struggling security and event management effort. A maturity-based assessment helps to identify the performance level of key process areas and the output compliments and enhances a risk assessment.  Looking at processes through the lens of maturity provides greater dimension to team and security program performance and conveys how to allocate resources once maturity goals are achieved.

Automate Maturity Assessments
Secure Digital Solutions’ TrustMAPP™ platform, powered by the MAPP™ (Maturity Assessment, Profile, and Plan) methodology, offers security leaders the ability to:

  • Identify how much security is “enough” by establishing process-level performance goals
  • Measure the effectiveness of your security programs and the capacity to accomplish outcomes
  • Link information security metrics and measurement back to business value and strategy
  • Use analytics and estimated level of effort to tell a compelling story to business executives and the board

TrustMAPP reports security posture by maturity levels, including trending analysis, planning, budgeting, and built-in support for multiple security frameworks and regulations. As a cloud solution, TrustMAPP enables clients to begin assessing their information security program in weeks instead of months. TrustMAPP helps security leaders create and communicate a strategic roadmap, build budgets and resource plans to guide their organizations’ security activities.

09 Jun 2016

Breaking Down Barriers to Effective Information Security

June 9, 2016
Mike-Edlund-Large
By Mike Edlund, CISM

A recent survey* was conducted by PricewaterhouseCoopers (PwC) and asked 9600 C-level leaders about obstacles to effective cybersecurity. The barriers identified in PwC’s study include:

  • Insufficient funding for capital expenditures
  • Lack of or ineffective CEO leadership
  • Absence or shortage of in-house technical expertise
  • Insufficient funding for operating expenditures
  • Lack of an effective information security strategy
  • Lack of an actionable cybersecurity vision or understanding
  • Lack of or ineffective CIO leadership
  • Poorly integrated or overly complex information/IT systems
  • Lack of or ineffective Security Chief (CISO or others) leadership

PwC found that sometimes different C-levels have diverging views on how strong a barrier is. For example, one item, Absence or shortage of in-house technical expertise, was viewed more strongly as an obstacle by CEOs and CIOs, but the CFO did not view as strongly.

Let’s look at breaking down these barriers – we’ll group some to address collectively.

  • Lack of an effective information security strategy
  • Lack of an actionable cybersecurity vision or understanding

We’ve found that having a common language to discuss and create strategy and vision for cybersecurity or information security at the company’s executive levels breaks down these barriers. For all C-level and senior leadership, conduct strategy sessions that revolve around the information security processes and use the process lens just like the rest of the business looks at its operations. Looking at how well processes are running (as-is) and how they can be improved (to-be) will let all parties assist with and provide input on good strategy and goal setting, just like the rest of the business. Looking at information security processes from this perspective lets information security become and be understood as a business enabler, not the classic department of “No!” from the past.

  • Lack of or ineffective CEO leadership
  • Lack of or ineffective CIO leadership
  • Lack of or ineffective Security Chief (CISO or others) leadership

Using the above common language approach (viewing cybersecurity through the process lens) should provide all three leaders with language and understanding that can help them have an equal understanding. When each has common understanding about and a language through which to view information security and its strategy, leadership easily begins speaking the same language and addressing the most important decisions collectively.

  • Insufficient funding for capital expenditures
  • Insufficient funding for operating expenditures

Conducting a risk assessment, compliance assessment and capability assessment by competent internal or external parties helps to provide this supporting information for investments. Regardless of whether results and gaps are viewed through a risk, compliance or capability lens, gaps or findings with priorities for improvements should include funding for new technology, new staff efforts or ongoing efforts appropriately captured assists C-level leadership understand needs for information security investments. A strong review during an assessment, whether conducted internally or by a third-party, should include findings that include costs for addressing information security program gaps.

  • TrustMAPP-ExecutivePlanningAbsence or shortage of in-house technical expertise

A solid team capability assessment will review cybersecurity team member responsibilities and roles for any of the assessments mentioned previously (risk, compliance or process-based). Findings will lead to leadership understanding where there are gaps in addressing the cybersecurity program’s needs through its people. As mentioned above, solid assessment results should provide funding estimates for additional training or personnel to meet developing or ongoing requirements of the security program. As mentioned above, review of cybersecurity expertise, whether conducted internally or by a third-party, should include findings that include costs for addressing cybersecurity program personnel gaps.

  • Poorly integrated or overly complex information/IT systems

This one may require review from various perspectives to reduce complexity or improve integration. Integration may be improved through the above approach using process as a common language between cybersecurity and the C-level. Understanding what is needed between information security and the business should improve through this common language approach. Further review through risk, compliance or process-based assessment should tease out issues around this barrier. Risk may find that poorly integrate systems show frequent downtime or failures, increasing risks due to unavailability of systems. Compliance may find that poor sharing of compliance-specific information between systems or high costs related to complying with a regulation due to system complexity show where improvements will be needed.

To break down these barriers for your information security program, look at what SDS’ Maturity Assessment, Profile, and Plan (MAPP) approach can provide for you.

*Survey: http://www.pwc.com/us/en/view/issue-15/cybersecurity-business-priority.html