Cyber risk, information security, privacy and compliance services to business thought leaders.

Reaching for the Pinnacle of Information Security Maturity

February 19th, 2020
Adam Stone, VP, Consulting Services

Not all security leaders are alike. Though this statement is obvious to most, many folks in this industry have a difficult time articulating exactly what makes one security leader stand out from others. Does s/he exhibit technical acumen? Business savvy? Strong financial instincts? Skillful sales and marketing reflexes? Effective organizational skills? Could it be the case that security leaders maintain certain aspects of all these traits (and more)? According to a trio of researchers affiliated with the Building Security in Maturity Model (BSIMM), information security leaders tend to fall into four “tribes” with differing approaches to security management. In a whitepaper entitled, “Four CISO Tribes and Where to Find Them,” authors Gary McGraw, Sammy Migues and Brian Chess assert that security leaders exhibit character traits that skilled observers can both identify and measure. In descending order from strategic to tactical, each “tribe” of security leaders carries its own strengths and weaknesses. Ultimately, the authors suggest that the security leaders who can appreciate and learn from the differences between the tribes are those best situated to creatively lead organizations into the next iteration of information security management. Secure Digital Solutions (SDS) agrees with this conclusion. We observe that, in general, these tribes describe individuals with increasing levels of information security process maturity, where Tribe 4 is the least mature and Tribe 1 the most (see image below).

Using tribes as the organizational foundation of their study, the authors interviewed over two dozen Chief Information Security Officers (CISOs) working for large corporations. During the interviews, the researchers used a set of three security “domains” with eighteen “discriminators,” or approaches to addressing information security topics. For each discriminator, the researchers translated each CISO’s survey responses into statements that best approximate his/her management philosophy. Using this approach, CISOs can identify their tribe and use this information to determine what steps are necessary to elevate oneself to the next level (for instance, transitioning from Tribe Four to Tribe Three, and so on).

The researchers’ method to establish “tribal membership” among CISOs is similar to the method SDS developed for the TrustMAPP® Performance Management System. Instead of narrowly assessing the qualities and character traits of the security leader separately from the function, TrustMAPP enables organizations to use process maturity as the baseline metric describing the effectiveness of the entire information security function (which includes people, processes and technology). The goal of both methods is the same: use quantitative and qualitative data to identify current state, while leveraging this knowledge by taking steps to reach the next level. In place of “discriminators” however, the TrustMAPP System evaluates process maturity across six maturity “attributes,” as illustrated below.

Prior to conducting a TrustMAPP assessment, information security leaders set a maturity goal for their organization, typically on a scale of 1-5 (see maturity levels defined below). After completing a TrustMAPP assessment, an organization can quickly identify which business processes fall short of the maturity goal. Using this data, information security managers can communicate a meaningful message to executives and develop plans to improve. After nearly five years of capturing data from the TrustMAPP system, we observe that security leaders and their functional areas transition slowly and methodically from one level of process maturity to another, in a manner not unlike the different tribes defined by the authors of “Four CISO Tribes and Where to Find Them.” In other words, security leaders (like business processes) fall along a continuum of maturity, where each level learns from and builds on the previous one.

How can you leverage the power of understanding your tribal membership and information security program maturity relative to your maturity goals? The TrustMAPP Platform makes the process simple and efficient. Information security leaders can use the ideas advanced by McGraw and team in combination with one or more industry-accepted frameworks to build an assessment that captures both dimensions. We designed TrustMAPP to make the assessment process nearly painless. In four steps, you will benefit from TrustMAPP’s reporting metrics to plan for process improvements.

If you are interested in elevating your professional maturity and improving your organization’s information security program, contact Secure Digital Solutions today at 952-544-0234 from 9am-5pm Central Time, or email us at info@trustmapp.com.

17 May 2019

Managing Third-Party IoT Cybersecurity Risks

Adam Stone, CPO, VP Consulting Services
May 16th, 2019
Lessons-Learned from Shared Assessments/Ponemon Institute’s Survey Results

The Ponemon Institute recently published the results of its Third Annual Study on Third Party IoT Risks (sponsored by Shared Assessments), and the results will surprise few security leaders already grappling with the explosion of third-party Internet-connected devices on their networks. As the cost of deploying IoT (Internet-of-Things) drops and fresh ideas for monetizing these Internet-connected devices emerge in the marketplace, businesses of all sizes are reaching out to third-party specialists for solutions. Business executives are drawn to the promise of IoT as the answer to business problems ranging from manufacturing efficiencies and improved logistics, to attracting new audiences and providing more personalization for consumers.

Naturally, there are downsides to this apparent panacea. Most profoundly, cybersecurity experts are having a difficult time keeping up with the chaotic pace of change and the new risks IoT introduces to organizations. Exacerbating the challenge is a persistent culture – among IoT vendors – that prioritizes speed-to-market over reliability and sustainability. This is merely the latest iteration of a technology development attitude that treats security as too costly and a hindrance to innovation and convenience.

Customers of IoT (both businesses and individuals) also contribute to the insecurity of these internet-connected devices. Users expect these nascent technologies to have reliable cybersecurity built-in but are unwilling to pay the premium necessary to encourage semiconductor (and related) manufacturers to do so. Thus, with few market or regulatory incentives to adopt cybersecurity-by-design into IoT solutions, manufacturers appear to accept certain security risks associated with IoT. This in turn puts the onus on customers to mitigate the security risks of IoT devices in their networks.

The 2019 Ponemon study emphasizes the fact that organizations suffer from significant blind spots when addressing IoT-related risks. According to the survey data, firms struggle to understand:

  • the extent of IoT-related cyberattacks, data breaches and service disruptions;
  • whether their existing safeguards address IoT-specific threats and vulnerabilities;
  • who is accountable for IoT risks and security failures;
  • how to conduct an effective IoT-focused risk assessment;
  • how to improve third-party service provider risk management policies and processes;
  • how to train the workforce on IoT-related security risks; and
  • what sort of in-house expertise is required to mitigate IoT-related risks.

The results of this latest research validate what many security leaders already know: IoT is the latest challenge in the never-ending race to manage the pace of change in the business environment. There are no easy solutions to the cybersecurity risks that emerge from increased reliance on third-party vendors to develop and maintain IoT technologies on behalf of corporate clients. As with any major disruptive event, security leaders need to forcefully communicate the strategic importance of managing third-party risks to obtain executive support and budget for new security initiatives focused on controlling the runaway expansion of IoT in the business environment.


About the Author

Adam Stone is Vice President of Consulting Services and Chief Privacy Officer for Minneapolis-based Secure Digital Solutions, Inc. (SDS). SDS helps businesses of all sizes efficiently navigate the complexities of today’s security and privacy challenges. Our seasoned professionals provide the leadership, support and guidance necessary to develop sustainable cybersecurity programs aligned to your business mission and objectives. For information about how your organization can develop a winning strategy for managing third-party security risks, contact us at (952) 544-0234 or info@trustsds.com.

15 Jun 2018

Processes Are for Managers

A Holistic Approach to Information Security

(originally posted November 2015 – revised June 2018)
By Chad Boeckmann (CEO, Secure Digital Solutions)

In my previous blog, “Controls are for Auditors,” I wrote about how we as security leaders need to move away from managing security controls in the weeds like an auditor. This article describes a “processes are for managers” approach. It aims to align security management with the business in order to communicate and manage information security effectively.

CISOs are tasked to achieve challenging outcomes and also need to communicate the state of their progress, and the risks related to the information security program, to other executives and the board of directors. Our team partners with CISOs from Fortune 500 companies and many mid-market businesses. They are all challenged with the same dilemma: presenting effectively to an audience that does not necessarily understand the complexities of information security.

To address this challenge, consider looking at the information security program as a business process. Frameworks and legal or industry data protection requirements often overlap, and these overlapping requirements can be combined to establish a core process as a requirement of the security program. For example, ISO27002, the HIPAA Security Rule and GLBA all require Access Control. If we look at access control for a moment:

[Image: Processes-Are-For-Managers]

Let’s say we want to measure the process referenced above. Access Control is a requirement of many data protection laws and is also highlighted in both ISO27001 and the NIST Cybersecurity Framework. Instead of managing control verbiage from a regulation or framework, we can measure the effectiveness of Access Control Management generally from a process perspective, but do so specifically using maturity attributes. Looking at Access Control Management, we want to understand the level of performance (maturity) of this process across the six major attributes, using a standard maturity scale of 1 through 5.

  1. What is our level of maturity of Awareness for Access Control Management across our environment?
  2. What is our level of maturity for Policy & Procedures for Access Control Management across our environment?
  3. What is our level of maturity of Expertise for Access Control Management across our environment?
  4. What is our level of maturity of Accountability for Access Control Management across our environment?
  5. What is our level of maturity of Automation for Access Control Management across our environment?
  6. What is our level of maturity of Measurability for Access Control Management across our environment?

If the business is performing well in Awareness, Policy and Procedure and Accountability (relative to the process in question), then we understand clearly where our resources and investment should be applied. In this example, improvement can be applied to Automation (tools) and Measurability (metrics) for Access Control Management. This approach provides a much more holistic method to repeatedly understand the attributes of a control process that applies to both internal policies and external regulations. Then, taking a core business objective such as improving customer retention and associating a core process like “access management” with that objective, one can correlate how information security is supporting key business outcomes.

This approach has proven to establish alignment with business leadership, while still meeting control objectives and focusing resources on the areas of greatest impact. Let your internal and external auditors measure the effectiveness of the controls in place; you will know the answer before the audit starts by measuring and improving upon the attributes of each process. Therefore we can leave controls to auditors and adopt a “processes for managers” approach to manage security programs and related risks. To see this methodology in action, take a look at a 2-minute video demonstrating TrustMAPP, a platform we developed to holistically manage information security.

06 Apr 2018

Four Hats a Security Leader Must Wear

April 6th, 2018
Chad Boeckmann, Secure Digital Solutions

A security program, as it evolves and matures, will typically experience four types of leader personalities. These personalities may even occur within the same individual if that individual adapts to the maturation of the business and molds the security program simultaneously.

I believe these leaders can be categorized into four types:

  • Auditor
  • Technologist
  • Hero
  • Business Leader

Auditor
The first type of leader is the auditor. The role of the auditor is purposefully designed to be tactical. The security leader in the auditor role is primarily focused on control measurement and compliance. The resulting security program is typically built and managed based on complying with regulatory requirements. Budget and resource decisions are made with the purpose of meeting these regulatory requirements. This approach isn’t surprising considering the history of Information Security throughout its long tenure. Countermeasures were frequently driven by the need for controls to protect information. As such, many security programs begin with compliance as the initial driver for building and maturing information security, making them tactically effective but strategically immature due to the fact that some never move beyond this stage.

Technologist
The next type of security leader personality – the one that we most commonly see – is the technologist. The security leader in the technologist role has a keen focus on technical testing, monitoring and response, and a primary focus on tools to automate controls. Typically the security leader as a technologist takes pride in building out operational security capabilities and leveraging leading-edge products and services. Every modern security program must have a strong security technologist leader. However, caution is warranted about spending the majority of one’s time in this single discipline. Implementation of leading automation technology must also be accompanied by well-defined processes and plans. Oftentimes, these processes are defined after tools are selected. Instead, the reverse should be achieved: processes and plans that meet the business objectives and inform technology decisions to automate key processes must be defined before technology is selected and applied.

Hero
The next type of security leader personality is the hero. The hero is generally the type of leader who will focus on response and detection because the company has recently experienced a negative cyber security event. Oftentimes the hero approaches the role with the mindset “they hired me to build it,” which can have both positive and negative effects on the organization. The positive implication of this personality is pride and ownership for achieving outcomes. The flip side of this trait can be spending countless hours of staff time building tools that already exist in the marketplace.

Business Leader
The fourth security leader personality is the business leader. The business leader personality has only recently benefited from discussion in the community. A security leader fulfills this type of role when they focus on managing the security program like a business within the business. Being a modern-day security leader is challenging, as they need to understand technology and controls while simultaneously having the right team (staff and partnerships) in place to respond adequately in the event of a negative cyber event. The business-minded security leader understands that, to be successful, they must rely on others within the business and have strategic partnerships with firms outside of their business. Additionally, business-minded security leaders measure performance and do not rely on the less-effective approach of FUD (fear, uncertainty and doubt) to communicate the performance of their security initiatives to executives. Instead, they focus on aligning with and enabling the business objectives while raising caution when situations require it.

No matter what type of security leader you have (or you are), we can help you measure the things that matter most to the business and improve the alignment of security strategy. I encourage you to reach out for more information and further discussion.

27 Oct 2015

Controls Are for Auditors

An Information Management Approach

By: Chad Boeckmann, CISSP, CISA (CEO, Secure Digital Solutions)

Consider this approach to information security: Controls are for auditors; processes are for managers. As someone who has for nearly two decades provided guidance to help companies improve their information security, I’ve concluded the typical industry approach to information security (focusing on controls) is too narrow.

Often, tools are purchased as a reaction to the latest threat or, worse, a socially cool trend. To truly operationalize security, information security practitioners, particularly leaders (CISOs), must focus on how to manage the security program, both data security and cyber security, based on the performance of processes. Let’s take the following excerpt described by the IIA:

The Institute of Internal Auditors (IIA) defines control, the control environment, and control processes as follows:

A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control processes are the policies, procedures (both manual and automated) and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level an organization is willing to accept. Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance that the organization will achieve its objectives.

So how can you actually begin to measure your security program and operationalize performance based on process? First there are many controls that can be harmonized into processes. You might be thinking, “There are too many processes to manage effectively. Controls are easier.” I would challenge any security program, in most use cases, to identify more than 40 processes that need to be managed to align with regulatory and internal or external policy objectives for information security. Yes, this includes regulations such as GDPR, HIPAA, PCI DSS, FFIEC and frameworks like ISO27001/2 and NIST CSF.

Many of the regulatory controls and framework controls overlap considerably. To use a golf analogy, if we raise our eyes from the rough outlining the fairway, we can see the ball and pin clearly. Taking an industry recognized IT Management and Governance framework like COBIT and marrying it with a set of consolidated processes, your life as a CISO or information security practitioner becomes easier. Easier because you have the ability to align the organization’s objectives (the pin) with metrics related to the process (the fairway) to get the ball to the pin.
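As an added illustration of the idea running through this post and “Processes Are for Managers” above (example code written for this page, not SDS’s or TrustMAPP’s own implementation), the Python below first harmonizes overlapping controls from several frameworks into a short list of managed processes, then scores each process on the six maturity attributes from the earlier post against a goal on the 1-5 scale and ranks where the shortfall is largest. The control crosswalk, the scores and the use of a mean as the overall process figure are all assumptions constructed for the example; the crosswalk is not an authoritative mapping of any framework.

```python
"""Controls harmonized into processes, then scored on six maturity attributes.

Added example, not SDS or TrustMAPP code.  The crosswalk and the scores are
constructed for illustration only (the scores mirror the Access Control
example in "Processes Are for Managers": strong on Awareness, Policy &
Procedures and Accountability, weak on Automation and Measurability).
"""
from collections import defaultdict
from statistics import mean

# The six maturity attributes, in the order the earlier post lists them.
ATTRIBUTES = ("Awareness", "Policy & Procedures", "Expertise",
              "Accountability", "Automation", "Measurability")
MIN_LEVEL, MAX_LEVEL = 1, 5   # the post's standard 1-5 maturity scale

# Constructed crosswalk: (framework, control reference) -> managed process.
# Illustrative only; a real crosswalk must be built from the source texts.
CROSSWALK = {
    ("ISO 27002", "9.1.1 Access control policy"): "Access Control Management",
    ("HIPAA Security Rule", "164.312(a)(1) Access control"): "Access Control Management",
    ("GLBA Safeguards", "Access controls"): "Access Control Management",
    ("NIST CSF", "PR.AC-1"): "Access Control Management",
    ("PCI DSS", "Requirement 7"): "Access Control Management",
    ("ISO 27002", "12.4.1 Event logging"): "Security Monitoring",
    ("HIPAA Security Rule", "164.312(b) Audit controls"): "Security Monitoring",
    ("NIST CSF", "DE.CM-1"): "Security Monitoring",
    ("PCI DSS", "Requirement 10"): "Security Monitoring",
    ("ISO 27002", "16.1.1 Responsibilities and procedures"): "Incident Management",
    ("HIPAA Security Rule", "164.308(a)(6) Security incident procedures"): "Incident Management",
    ("NIST CSF", "RS.RP-1"): "Incident Management",
}

# Constructed scorecard: attribute level per process, goal applied separately.
SCORECARD = {
    "Access Control Management": {"Awareness": 4, "Policy & Procedures": 4, "Expertise": 3,
                                  "Accountability": 4, "Automation": 2, "Measurability": 2},
    "Security Monitoring":       {"Awareness": 3, "Policy & Procedures": 3, "Expertise": 4,
                                  "Accountability": 3, "Automation": 4, "Measurability": 3},
    "Incident Management":       {"Awareness": 4, "Policy & Procedures": 4, "Expertise": 4,
                                  "Accountability": 4, "Automation": 4, "Measurability": 3},
}


def harmonize(frameworks):
    """Collapse the controls of the in-scope frameworks into processes.

    Returns {process: [(framework, control), ...]}; many controls, few processes.
    """
    in_scope = set(frameworks)
    processes = defaultdict(list)
    for (framework, control), process in CROSSWALK.items():
        if framework in in_scope:
            processes[process].append((framework, control))
    return {p: sorted(c) for p, c in sorted(processes.items())}


def validate_scores(scores):
    """Reject a scorecard that misses an attribute or leaves the 1-5 scale."""
    missing = set(ATTRIBUTES) - set(scores)
    if missing:
        raise ValueError(f"missing attributes: {sorted(missing)}")
    for attr, level in scores.items():
        if attr not in ATTRIBUTES:
            raise ValueError(f"unknown attribute: {attr}")
        if not MIN_LEVEL <= level <= MAX_LEVEL:
            raise ValueError(f"{attr} level {level} outside {MIN_LEVEL}-{MAX_LEVEL}")


def maturity_gaps(scores, goal):
    """Attributes below the goal as (attribute, shortfall), largest shortfall first."""
    validate_scores(scores)
    if not MIN_LEVEL <= goal <= MAX_LEVEL:
        raise ValueError(f"goal {goal} outside {MIN_LEVEL}-{MAX_LEVEL}")
    gaps = [(a, goal - scores[a]) for a in ATTRIBUTES if scores[a] < goal]
    return sorted(gaps, key=lambda g: (-g[1], ATTRIBUTES.index(g[0])))


def process_maturity(scores):
    """Overall process level as the mean of the six attributes (an assumption;
    the post does not state an aggregation rule)."""
    validate_scores(scores)
    return round(mean(scores[a] for a in ATTRIBUTES), 2)


def investment_plan(scorecard, goal):
    """Rank processes by total shortfall so budget goes where the gap is widest."""
    plan = [(p, sum(g for _, g in maturity_gaps(s, goal)), maturity_gaps(s, goal))
            for p, s in scorecard.items()]
    return sorted(plan, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for process, controls in harmonize({f for f, _ in CROSSWALK}).items():
        print(f"{process}: {len(controls)} controls harmonized")
    for process, total, gaps in investment_plan(SCORECARD, goal=4):
        print(f"{process} (mean {process_maturity(SCORECARD[process])}): gap {total} {gaps}")
```

Running the script lists how the twelve constructed control references collapse into three processes, then prints the investment plan with Access Control Management first, since Automation and Measurability sit two levels below the goal of 4. The ordering rule, largest shortfall first, is what turns a scorecard into the plain statement to executives of where the next dollar goes.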

This is why we’ve automated this process with TrustMAPP. This is part 1 of a 2-part blog post. In the next entry I’ll discuss how to go about measuring process level performance to align with frameworks and regulations in a simplified but meaningful way.