Cyber risk, information security, privacy and compliance services to business thought leaders.
17 May 2019

Managing Third-Party IoT Cybersecurity Risks

Adam Stone, CPO, VP Consulting Services
May 16th, 2019

Lessons-Learned from Shared Assessments/Ponemon Institute’s Survey Results

The Ponemon Institute recently published the results of its Third Annual Study on Third Party IoT Risks (sponsored by Shared Assessments) and the results will surprise few security leaders already grappling with the explosion of third-party Internet-connected devices on their networks. As the cost of deploying IoT (Internet-of-Things) drops and fresh ideas for monetizing these Internet-connected devices emerge in the marketplace, businesses of all sizes are reaching out to third-party specialists for solutions. Business executives are drawn to the promise of IoT as the answer to business problems ranging from manufacturing efficiencies and improved logistics, to attracting new audiences and providing more personalization for consumers.

Naturally, there are downsides to this apparent panacea. Most profoundly, cybersecurity experts are having a difficult time keeping up with the chaotic pace of change and the new risks IoT introduces to organizations. Exacerbating the challenge is a persistent culture – among IoT vendors – that prioritizes speed-to-market over reliability and sustainability. This is merely the latest iteration of a technology development attitude that treats security as too costly and a hindrance to innovation and convenience.

Customers of IoT (both businesses and individuals) also contribute to the insecurity of these internet-connected devices. Users expect these nascent technologies to have reliable cybersecurity built in but are unwilling to pay the premium necessary to encourage semiconductor (and related) manufacturers to do so. Thus, with few market or regulatory incentives to adopt cybersecurity-by-design into IoT solutions, manufacturers appear to accept certain security risks associated with IoT. This in turn puts the onus on customers to mitigate the security risks of IoT devices in their networks.

The 2019 Ponemon study emphasizes the fact that organizations suffer from significant blind spots when addressing IoT-related risks. According to the survey data, firms struggle to understand:

  • the extent of IoT-related cyberattacks, data breaches and service disruptions;
  • whether their existing safeguards address IoT-specific threats and vulnerabilities;
  • who is accountable for IoT risks and security failures;
  • how to conduct an effective IoT-focused risk assessment;
  • how to improve third-party service provider risk management policies and processes;
  • how to train the workforce on IoT-related security risks; and
  • what sort of in-house expertise is required to mitigate IoT-related risks.

The results of this latest research validate what many security leaders already know: IoT is the latest challenge in the never-ending race to manage the pace of change in the business environment. There are no easy solutions to the cybersecurity risks that emerge from increased reliance on third-party vendors to develop and maintain IoT technologies on behalf of corporate clients. As with any major disruptive event, security leaders need to forcefully communicate the strategic importance of managing third-party risks to obtain executive support and budget for new security initiatives focused on controlling the runaway expansion of IoT in the business environment.


About the Author

Adam Stone is Vice President of Consulting Services and Chief Privacy Officer for Minneapolis-based Secure Digital Solutions, Inc. (SDS). Our firm helps firms of all sizes efficiently navigate the complexities of today’s security and privacy challenges. Our seasoned professionals provide the leadership, support and guidance necessary to develop sustainable cybersecurity programs aligned to your business mission and objectives. For information about how your organization can develop a winning strategy for managing third-party security risks, contact us at (952) 544-0234 or

15 Jun 2018

Processes Are for Managers

A Holistic Approach to Information Security

(originally posted November 2015 – revised June 2018)
By Chad Boeckmann (CEO, Secure Digital Solutions)

In my previous blog, “Controls are for Auditors,” I wrote about how we as security leaders need to move away from managing security controls in the weeds like an auditor. This article describes a “processes are for managers” approach. It aims to align security management with the business in order to communicate and manage information security effectively.

CISOs are tasked with achieving challenging outcomes and also need to communicate the state of their progress and the state of the information security program – related risks – to other executives and the board of directors. Our team partners with CISOs from Fortune 500 companies and many mid-market businesses. They are all challenged with the same dilemma: presenting effectively to an audience that does not necessarily understand the complexities of information security.

To address this challenge, consider looking at the information security program as a business process. Frameworks and legal or industry data protection requirements often overlap, and these requirements can be combined to establish a core process as a requirement of the security program. For example, ISO27002, HIPAA Security Rule and GLBA all require Access Control. If we look at access control for a moment:


Let’s say we want to measure the process referenced above. Access Control is a requirement of many data protection laws and is also highlighted in both ISO27001 and NIST Cyber Security Framework. Instead of managing control verbiage from a regulation or framework, we can measure the effectiveness of Access Control Management generally from a process perspective, but do so specifically using maturity attributes. Looking at Access Control Management, we want to understand the level of performance (maturity) of this process across the six major attributes using a standard maturity scale of 1 through 5.

  1. What is our level of maturity of Awareness for Access Control Management across our environment?
  2. What is our level of maturity for Policy & Procedures for Access Control Management across our environment?
  3. What is our level of maturity of Expertise for Access Control Management across our environment?
  4. What is our level of maturity of Accountability for Access Control Management across our environment?
  5. What is our level of maturity of Automation for Access Control Management across our environment?
  6. What is our level of maturity of Measurability for Access Control Management across our environment?

If the business is performing well in Awareness, Policy and Procedure and Accountability (relative to our process in question), then we understand clearly where our resources and investment should be applied. In this example, improvement can be applied to Automation (tools) and Metrics for Access Control Management. This approach provides a much more holistic method to repeatedly understand attributes of a control process that applies to internal policies and external regulations. Then, by taking core business objectives, such as improving customer retention, and associating a core process like “access management” with that objective, one can correlate how information security is supporting key business outcomes.

The approach described is proven to establish alignment with business leadership, while still meeting control objectives and focusing resources on the areas of greatest impact. Let your internal and external auditors measure the effectiveness of the controls in place; you will know the answer before the audit starts by measuring and improving upon attributes of each process. Therefore, we can leave controls to auditors and adopt a “process for managers” approach to manage security programs and related risks. To see this methodology in action, take a look at a 2-minute video demonstrating TrustMAPP, a platform we developed to holistically manage information security.

06 Apr 2018

Four Hats a Security Leader Must Wear

April 6th, 2018
Chad Boeckmann, Secure Digital Solutions

A security program, as it evolves and matures, will typically experience four types of leader personalities. These personalities may even occur within the same individual if that individual adapts to the maturation of the business and molds the security program simultaneously.

I believe these leaders can be categorized into four types:

  • Auditor
  • Technologist
  • Hero
  • Business Leader

The first type of leader is the auditor. The role of the auditor is purposefully designed to be tactical. The security leader in the auditor role is primarily focused on control measurement and compliance. The resulting security program is typically built and managed based on complying with regulatory requirements. Budget and resource decisions are made with the purpose of meeting these regulatory requirements. This approach isn’t surprising considering the history of Information Security throughout its long tenure. Countermeasures were frequently driven by the need for controls to protect information. As such, many security programs begin with compliance as the initial driver for building and maturing information security, making them tactically effective but strategically immature due to the fact that some never move beyond this stage.

The next type of security leader personality – the one that we most commonly see – is the technologist. The security leader in the technologist role has a keen focus on technical testing, monitoring and response, and a primary focus on tools to automate controls. Typically the security leader as a technologist takes pride in building out operational security capabilities and leveraging leading-edge products and services. Every modern security program must have a strong security technologist leader. However, caution is warranted against spending the majority of time on this single discipline. Implementation of leading automation technology must also be accompanied by well-defined processes and plans. Oftentimes, these processes are defined after tools are selected. Instead, the reverse should be achieved. Processes and plans that meet the business objectives and inform technology decisions to automate key processes must be defined before technology is selected and applied.

The next type of security leader personality is the hero. The hero is generally the type of leader who will focus on response and detection based on the company having recently experienced a negative cyber security event. Oftentimes the hero approaches the role with the mindset “they hired me to build it,” which can have both positive and negative effects on the organization. The positive implication of this personality is pride and ownership for achieving outcomes. The flipside of this trait could be spending countless hours of staff time to build tools that already exist within the marketplace.

Business Leader
The fourth security leader personality is the business leader. The business leader personality has only recently benefitted from discussion in the community. A security leader fulfills this type of role when they focus on managing the security program like a business within the business. Being a modern-day security leader is challenging, as they need to understand technology and controls while simultaneously having the right team (staff and partnerships) in place to respond adequately in the event of a negative cyber event. The business-minded security leader understands that, to be successful, they must rely on others within the business and have strategic partnerships with firms outside of their business. Additionally, business-minded security leaders measure performance and do not rely on the less-effective approach of FUD (fear, uncertainty and doubt) to communicate the performance of their security initiatives with executives. Instead, they focus on aligning and enabling the business objectives while raising caution when situations require it.

No matter what type of security leader you have (or you are), we can help you measure the things that matter most to the business and improve the alignment of security strategy. I encourage you to reach out for more information and further discussion.

22 Aug 2017

Cybersecurity Maturity is Growing Up

originally featured on CSO Online

August 23rd, 2017
Ed Snodgrass, CISO


Maturity is an interesting word. We’ve heard it throughout our lives and it’s had different meanings in different contexts. As children, we heard it from our parents regarding “growing up” or “being more mature”. We may not have entirely understood it then, but our parents knew that developing maturity would be important for friends, colleagues and peers to take us seriously.

As we grew older, we began to understand the concept of maturity and that it could be compared closely to wisdom.  We began using what we learned through experience and started applying that knowledge to our decision-making process.

Today we hear the word maturity frequently in the workplace. We see it used in processes, methodologies, rating scales, etc., and from a technology and process standpoint, maturity can be applied to cybersecurity as well, although its applicability and benefit aren’t always readily apparent.

Case in point.  Recently, over lunch, I was attempting to explain the purpose and benefit of cybersecurity maturity to a business colleague.  Based on his skeptical expression, it was clear to me that I wasn’t succeeding.  He fully understood compliance and the implications of non-compliance, but wasn’t grasping the value of maturity and how it was relevant in the security space.

I thought about what was personally important for me to secure, and the answer was easy – my family.  I then thought about an area where compliance comes into play and how it is typically used to determine effectiveness – home fire safety.  Using that as an example, I asked him to rate his family’s level of home fire safety on a scale of 1-5.  “4-5,” was his response. “I have the best smoke alarms money can buy.  I have one on each floor and in each bedroom, as I’m required to by code.  In addition, I have a fire extinguisher in the house and one in the garage.”

From a compliance standpoint, we both agreed that his score of 4-5 was likely accurate, and one could say that he had gone above and beyond the minimum standard.  I then challenged him to look at it from a maturity perspective, using a series of ad-hoc questions as a baseline:

  • Do you test your smoke alarms?
  • Do you have a regular schedule for replacing the batteries or do you replace them only when the alarm tells you to?
  • Do you have a family communication and logistics plan that you can put into action if an alarm sounds in the middle of the night?
  • Do you practice the plan?
  • Does everyone in your family know where the fire extinguishers are?
  • Does everyone in your family know how to use the fire extinguishers?
  • Is there a pre-determined family assembly area outside?

As he considered each question, I then asked, now that he’d added a maturity measurement to compliance, what would he rate his family’s level of fire safety?  “Probably a 1-2,” was his concerned reply.

While this may be a simple example, it begs a question.  Traditional compliance and operational data is important, but does it provide adequate context to truly evaluate capability?  Using the fire safety example above, it doesn’t appear to.  My colleague had all the required detection mechanisms in place, including some additional preventative measures, but any significant capability for his family to respond effectively to a fire simply wasn’t there.

The same question can be asked of a cybersecurity organization, and a growing number of security leaders are adopting maturity as a metric to analyze and determine their team’s strategic capabilities because the hundreds of individual controls, while critical, only represent a point in time.

Cybersecurity maturity, used as a performance metric, offers additional insight into how the security organization is operating.  It can be used to analyze compliance and operational data at the process or function level.  Trends can be discovered, monitored and adjusted for.  An enterprise security training program may have all the right features in place, for instance, but the open rate of phishing emails by employees isn’t decreasing over time.  Do the components of the training program need to be adjusted or does the content?  Or, does the challenge lie within another function or process outside of the training program?   The use of maturity to analyze the capabilities of those processes can likely answer those questions.

In today’s evolving threat landscape, effective metrics are critical to security success.  Controls and operational data are required to run the organization today.  Strategic KPIs, such as maturity, are also required to measure, profile and plan the security organization’s capabilities for both today and tomorrow.  Performing a cybersecurity maturity assessment on the security organization will likely yield valuable insights.  There are excellent sources available that show where to begin and how to demonstrate the value of measuring cybersecurity capabilities and effectiveness.  (An example can be found here).

Ultimately, the best smoke alarms money can buy are powerful tools in the event of a fire, but only if everyone has the capability and maturity to respond effectively.

Interested in learning more about security program performance and leveraging the value of cybersecurity maturity? Download the white paper titled “Roadmap to Success

12 Jul 2017

Security Leader’s Primer to GDPR

Understanding GDPR: The Security Leader’s (Really Concise) Primer

July 11th, 2017
Adam Stone, Chief Privacy Officer and Principal


As the effective date for the GDPR nears, the team at Secure Digital Solutions (SDS) is experiencing a significant uptick in calls from information security leaders seeking guidance about this new regulation. Though there’s much to discuss when it comes to GDPR compliance, we would like to provide a short primer to answer some of your most basic questions.



1. What is GDPR?

The GDPR (General Data Protection Regulation) is a regulation enacted by the European Union (EU) in 2016. This new rule serves many purposes, though in short, GDPR:

  • Repeals the 1995 Data Protection Directive, and addresses certain hurdles impeding economic growth for the EU by harmonizing and simplifying compliance and enforcement across EU member countries;
  • Focuses on balancing fundamental human rights and freedoms with the EU’s Digital Single Market strategy;
  • Strengthens protections for individuals via enhanced requirements for data privacy risk assessments, notice, choice, consent, data portability, right-to-be-forgotten and breach notification, among others;
  • Adapts to technological developments that emerged in the years since the enactment of the Data Protection Directive;
  • Clarifies obligations for both data controllers and data processors; and
  • Enacts a new penalty structure that includes administrative fines of up to 4% of worldwide revenue for certain violators.

2. Why is everyone talking about GDPR now?

The effective date for GDPR is 25 May 2018, less than a year away. Many organizations recognize that implementation activities must begin today to be in compliance with GDPR mandates.

3. Isn’t GDPR a legal thing? Why can’t the lawyers handle this?

Legal professionals play a critical role by helping interpret GDPR compliance obligations, establishing policy and defending our organizations in the event of GDPR-related enforcement actions. Attorneys may not, however, be called upon to assist organizations with the implementation of controls and processes in support of GDPR compliance. Many key functions have a role to play in deploying GDPR controls and processes, including, of course, information security.

4. Who typically leads GDPR readiness efforts?

For organizations that have a Data Privacy Officer (DPO) in place, this person will often be tapped to lead GDPR readiness efforts. Otherwise, organizations choose a leader that reflects the culture of the organization. Firms that view GDPR as chiefly a legal liability are likely to appoint General Counsel or the Chief Compliance Officer (CCO) to lead GDPR implementation efforts. For those who see GDPR as a material factor in marketing and sales initiatives, the Chief Operating Officer (COO) or Chief Marketing Officer (CMO) will lead. Some firms see GDPR as an issue closely aligned to IT, and thus will appoint the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) to lead readiness efforts. Since GDPR crosses many organizational functions, whoever leads GDPR readiness efforts must have the authority to effect change throughout the firm.

5. Does GDPR define specific things that security leaders need to do?

Like most laws and regulations, the GDPR does not go into many specifics about the types of information security solutions required for compliance. Luckily for organizations with a security leader in place, there is a strong possibility that the firm already has many of the basic information security control requirements in place. In these scenarios, security leaders should, at a minimum, conduct a gap assessment to ensure that existing controls meet GDPR standards.

It may be helpful to parse the sections of GDPR into logical chunks to identify potential areas where information security is involved. For the benefit of our readers, we provide a worksheet to get you started.

6. Where should I start in my GDPR preparations?

First and foremost, organizations should seek an understanding of whether GDPR applies to their business operations. For most, this is when a lawyer comes in handy. S/he can provide the legal advice needed to decide whether to move forward on GDPR readiness.

Assuming that GDPR does apply, we suggest that organizations begin by identifying the scope of GDPR within their operations. Doing so should minimize the disruptions created when implementing new controls and processes. Part of this scoping work includes identification of the personal data and sensitive personal data that fall into regulatory purview. Following this stage, the firm should conduct a comprehensive gap or risk assessment, aligned with the requirements of GDPR. Only after completing these first two stages should an organization develop a strategy for addressing potential gaps in GDPR compliance.

SDS’ experienced professionals stand ready to assist your organization as you prepare for GDPR. Choosing a knowledgeable advisor will help ensure that your efforts have maximum impact, even with limited budgets and resources. Contact Secure Digital Solutions today to learn more!

20 Mar 2017

Cyber Risk is a Key Focus for Corporate Boards

March 20th, 2017
By Adam Stone, Principal

For organizations across industry sectors, digital commerce is the dominant vehicle to transact business and improve efficiency. Groundbreaking innovations in computing potential accelerate the speed of change for business, and the risks that naturally follow. A key risk that is often highlighted is cyber risk. Cyber risk is a key focus for corporate boards. According to the Institute of Risk Management, cyber risk is defined as “any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.”

Board members of the digital economy need the knowledge to ask the right questions of corporate executives. Without a reasonable degree of technical fluency, board members lack important tools to ensure a professional standard of care for the organizations they serve. Board members face a business imperative: adapt, today, to the disruptive changes of digital commerce by adopting a new dialect based in cyber risk.

Recently, the National Association of Corporate Directors (NACD) published the 2017 Cyber Risk Oversight Handbook. The message of the Handbook is clear: to assert meaningful oversight in the digital economy, board members must treat cyber-risk as an issue of strategic import and operational significance for the organization. Cyber-risk ought not be written off as an “IT issue,” since this sort of thinking creates a hazardous blind spot for professionals charged with corporate governance responsibilities. To prepare board members for discussions about cyber risk, NACD recommends the following:

  • Understand the legal ramifications for the company, as well as the board itself.
  • Ensure directors have sufficient agenda time and access to expert information in order to have well-informed discussions with management.
  • Integrate cyber risk discussions with those about the company’s overall tolerance for risk.

These recommendations emphasize the need for proactive (rather than reactive) identification and analysis of cyber risks, as well as clear direction on cyber-risk management strategies. Importantly, the board’s treatment of cyber-risk ought to reflect the firm’s culture and capacity for change.

In support of an effective cyber risk strategy for the board, the Handbook outlines five cyber risk oversight principles fundamental to an effective risk management program.

Information security leaders play a crucial role in cyber risk governance. Board members depend on current, meaningful data to support the effectiveness of the firm’s information security controls and processes. For over a decade, Secure Digital Solutions (SDS) has provided solutions to elevate the language of information security by focusing on process maturity mapped to risk categories. Our award-winning TrustMAPP® platform leverages the powerful MAPP™ (Maturity Assessment, Profile, and Plan) methodology to quickly identify, measure and understand the performance of the business processes that support a security program and inform risk decisions.

Using process maturity as the key performance indicator for program effectiveness, TrustMAPP provides security leaders with readily available tools to effectively communicate the business value of cybersecurity and cyber risk. Executives and board members reap the benefits of TrustMAPP analytics via improved clarity in the organization’s information security posture and its impact on cyber risk strategies.

Want to learn more? Visit for information about TrustMAPP®, powered by the MAPP™ methodology.

21 Dec 2016

Five Popular Initiatives of Cyber Security Leaders in 2017

With the new year approaching, now is a great time to celebrate the successes (and failures) of information security leaders and reflect on the challenges these leaders face in 2017. With this we’ve condensed the list to five popular initiatives of cyber security leaders in 2017. After experiencing massive ransomware attacks, large-scale data breaches and other adverse cybersecurity events of 2016, we anticipate another demanding year.

Recently, we asked security executives how they plan to address cybersecurity in 2017. What lessons did they take from the past year? What do they anticipate are the issues needing the most attention in 2017? Additionally we collaborated with Fortium Partners to gain the perspective of the CIO office.

What we learned from these conversations is a summary of similar initiatives highlighted in 2016 with the addition of a few new priorities.

  1. Third-party security risk grows as we continue to outsource critical functions and migrate systems to the cloud.
    • Assessing third-party risk became a top priority after high-profile data breaches in 2013-2014. Third-party risk management initiatives finally made the project list across many security teams and C-suite leaders in 2015 and 2016 and will continue to improve with additional automation, scope expansion and improved metrics in 2017. Third-party risk management will become a core function of security and compliance operations and move off of the special projects list in 2017.
  2. Influencing employee behavior and company culture around cyber security is challenging without top-level support and remains a top priority.
    • Security awareness training is still a critical component to maintaining policy compliance and information security best practices. Security leaders will continue to sharpen and hone the messages and content to end users throughout 2017, because security is everyone’s role, not just the security team’s. This is a theme the security industry has been focused on for several years. Although the topic is not new, take this as a reminder that user security awareness training is still as important as ever. In our experience, many successful attacks involve human error. Training is one key mechanism to reduce these errors to an acceptable level of risk.
  3. Threat actors continue to adapt their tactics faster than we can build or adapt our defenses.
    • Hardening the perimeter is an old concept and nearly inapplicable in today’s connected landscape. Thus, security leadership is taking the position that all connected devices are untrusted until otherwise vetted. This approach is also driving improvements in third-party risk management where connectivity is often involved between two organizations. There are some promising new solutions in the marketplace that can perform real-time detection and stop questionable network traffic at the door. As the industry continues to improve upon attack prevention, we will see the sophistication of attacks evolve. The industry will always be in an arms race to build a better mousetrap as the attackers devise methods to subvert the traps over time. In a nutshell, the leadership to whom we speak and our own observations do not see this initiative slowing down, or moving off the top five list in the near term.
  4. Resources remain slim and do not line up with the demand for effective controls.
    • The demand for skilled talent in cyber security has never been greater. We’ve spoken to a couple of solution providers who have a unique take on this by developing training programs that within 1-2 years can develop individuals into effective cyber security analysts. Accelerated training programs, coupled with trusted third-party partnerships, provide the best near-term solution to meet the demands of today’s security needs. Companies are growing tired of bidding for talent and instead look to partners to augment specific functions of their security operations, governance and compliance efforts.
  5. Information security remains an afterthought which, in turn, feeds the perception that security is a barrier to innovation and speed to market.
    • Reducing release cycle times and speed to market will continue to be top of mind for many CIOs and their business partners. Pressure will continue to build to skip past anything that could slow that process. However, the consequences of failing to catch vulnerabilities are clear, such as: incurring regulatory fines, reputation damage, customer data theft, and the list goes on. Over the next few years there will be emphasis on building security into the software development life cycle (SDLC). The good news is that automated testing and source code analysis tools will continue to mature, enabling incorporation into an organization’s SDLC.

It’s clear that security executives have their work cut out for them. How will they accomplish their objectives? We believe that the answer is simple: better communication. Too often, we observe information security leaders speak a language foreign to executives, board members and peers. The result is predictable. Security leaders experience perception issues connected to a lack of credibility among those in the C-suite. Without the trust and confidence of company executives, information security leaders find themselves swimming upstream with a flimsy paddle.

Make 2017 the year that you build credibility for your program. Speaking the language of business and developing a business story around cyber security program priorities and successes is critically important to maintaining credibility. Collaborate closely with the CIO and internal audit/risk management functions to educate management and gain support for critical initiatives. Express your ideas, recommendations, and proposals in ways that engage and energize executives and board members. Use business-focused metrics to tell a compelling story. Focus on process over controls.

Secure Digital Solutions wishes our customers and all business leaders a successful and productive 2017. May you earn the credibility needed to advance your business objectives for the new year!

Contact our team to learn about methods to communicate with executives and board of directors using our MAPP™ (maturity assessment, profile and plan)™ methodology enabled by the cloud-based TrustMAPP® platform.

09 Sep 2016

FFIEC Issues Updated Information Security Handbook

By Adam Stone, Principal Consultant
September 9th, 2016

The Federal Financial Institutions Examination Council (FFIEC) today announced a revision to their venerable Information Security booklet. As a part of the FFIEC Information Technology Examination Handbook, the updated Information Security booklet addresses “the factors necessary to assess the level of security risks to a financial institution’s information systems.”

For U.S. financial institutions and others responsible for complying with section 501(b) of the Gramm-Leach-Bliley Act of 1999, the updated booklet provides greater clarity on the role of risk management as an integral part of a robust information security program. It is likely that examiners will begin referencing the updated booklet immediately.

For more on how you can effectively integrate these new guidelines into your information security program, contact Secure Digital Solutions at 952-544-0234.

26 Apr 2016

Is Your Risk Leadership Asking the Right Questions?

By Christophe Veltsos, PhD
April 25th, 2016

A recent report by Deloitte entitled 10 Questions You Should Be Asking to Embrace Risk and Lead Confidently in a Volatile World contains key recommendations for business executives to ensure their organization’s survival in the face of uncertainty. The main themes of the report include the need for executives and directors to be aware of their own biases, to value differing opinions, to protect the organization’s reputation, to prepare for the next crisis, and to ensure lessons are drawn from every crisis. However, the last two questions stand out as they relate strongly to the cybersecurity field:

Question 9 – “Is my risk team giving me the confidence I need to make high-stakes decisions?”

The report cautions business leaders about the danger of looking at the risk function as a mere exercise in compliance. It also warns about the use of language and terminology that can feel foreign to these leaders. So, how should an organization report on its cybersecurity efforts to enable leaders to make confident decisions? How can the CISO elevate the conversation, to provide expertise and consultation to the business leaders on matters related to cyber risks?

Question 10 – “Am I engaging our board’s expertise to navigate uncertainty?”

Here Deloitte reminds executives to fully leverage the expertise the board can provide. However, to fully leverage the board’s help, the business has to ensure that information is presented in a way that is clear, consistent, and easy to understand by people with various levels of expertise in the particular domain presented. This is especially true for the cybersecurity domain. How can the business present cybersecurity-related information in a clear, consistent manner that is easy to understand by executives and directors?

To bridge the gap between the CISO, the executives, and the board, one can look at the MAPP approach: Maturity Assessment, Profile, and Plan. This approach works by first assessing the maturity of the organization’s security processes. This assessment can then be translated into diagrams and visuals in support of high-level presentations and discussions with executives and directors about the organization’s current cybersecurity profile, and how to best direct future investments to balance cyber risks while supporting the business’ ability to grow. The MAPP approach enables information security and risk leaders to become strategic partners of senior management.

“MAPP helps CISOs create and communicate an information security roadmap to guide the organization’s security activities.” — MAPP White Paper

23 Mar 2016

Unifying the Message of Information Security

By Tennelle Anderson, CISSP, CISA, CPA, Secure Digital Solutions

I started out my career as an auditor. Then I moved into compliance. Now I’m a security consultant. One thing I’ve observed during my journey is that while each of these groups values controls such as logical access and vulnerability management, each group is evaluating these controls using a different lens. These different lenses cause each group to speak a different language, leading to the confusion and frustration of management (and each other). All teams should focus on unifying the message of information security.

Isn’t there a single language that all three groups can use to consistently communicate the state of control effectiveness, compliance position and risk? Is there a single language that can also accommodate an ever-changing technological and compliance landscape? Is there a unifying language that can also communicate “how good is good enough” AND address concerns regarding overinvestment in security and compliance?

Yes, there is.

A Single Language

You probably think I’m dreaming, but I assure you I am not. The security industry is increasingly moving toward process maturity as the standard by which security programs are measured and improved[1]. The five CMMI maturity levels (Ad hoc, Managed/Repeatable, Defined, Quantitatively Managed, Optimized) can be used to describe control implementation and effectiveness, compliance with a specific requirement, as well as the level of risk present for any given process or asset.


Harmonization of Controls and Processes to Reduce Compliance Fatigue

As you have no doubt observed, there is a great deal of overlap between the various security regulations and frameworks that exist today. Rather than trying to keep up with hundreds of different individual (and ever-changing) control objectives, organizations can harmonize those individual controls into a set of processes that can be measured based on their maturity level. For example, rather than measuring adherence to 20 different logical access-related controls, break those controls into a subset of processes (e.g. provisioning, de-provisioning, access reviews, etc.) and measure the maturity of those processes.

Unlike audits and risk assessments, which provide only a point-in-time view of the existence and/or effectiveness of controls, assigning maturity levels to existing processes gives a point-in-time snapshot of these processes AND helps determine a company’s ability to adapt to ever-changing compliance requirements and control expectations. In addition, it reduces the number of assessments that must be conducted (and the number of widgets assessed), helping to reduce your organization’s audit fatigue.

How Good is Good Enough?

Using the CMMI maturity levels is also a great way to help your organization define “how good is good enough”. For example, if your logical access provisioning processes are considered Level 1, or ad hoc, most auditors, compliance specialists and security analysts would agree that the associated controls are likely not operating effectively (if they exist), do not meet associated compliance requirements, and present a higher level of risk to your organization. Processes rated a Level 2 (repeatable, but reactive) or Level 3 (defined) may be considered to be operating effectively, meeting associated compliance requirements, and presenting less risk to your organization. Processes rated a Level 4 (quantitatively managed) or a Level 5 (optimized), while indicating effectively operating controls that meet compliance requirements and present little risk, may be getting into overinvestment territory for your particular organization. Having management define maturity goals for the organization can help everyone know how good is good enough from the outset, eliminating confusion and reducing the risk of under- or overinvestment.

Bringing it all Together

Once audit, compliance and security begin to speak in the same language, management will immediately benefit by receiving a consistent and understandable message. This will allow your organization to move to the prioritization and implementation stages more quickly without fear of overinvestment. It may even help your organization to recognize audit, compliance and security as valuable business partners contributing to business goals, rather than impeding them.

How SDS Can Help

SDS’s TrustMAPP platform, powered by their MAPP methodology, empowers organizations with a clear picture of security posture based on maturity levels, including trending analysis, planning and budgeting, and built-in support for multiple security frameworks and regulations. With TrustMAPP’s SaaS delivery model, scoring, tracking improvements and communicating performance of a security program happens in weeks, instead of months, using built-in analytics. Accliviti helps CISOs create and communicate, using a unifying message for information security, a roadmap to guide the organization’s security activities.

By leveraging the best-practice MAPP model of Maturity Assessment, Profile, and Plan, using an automated tool like TrustMAPP, CISOs can focus more of their time and interactions towards security strategy and advisor roles for the business.

[1] Veltsos, Christophe; “A MAPP to Clearer Information Security,” January 2016,