Information Security: A Corporate Responsibility that goes beyond the CISO
By Carolyn Crandall, CMO
As management within companies large and small strives to stay one step ahead of cyberattackers, the expertise residing within the board of directors and the resources it brings can be a valuable part of the solution. A Chief Executive magazine article from 2015 makes the excellent point that boards can no longer “deflect responsibility” to company officers and must take a more active role. The article goes one step further and outlines a useful set of activities that both assist company officers and meet the board’s fiduciary responsibility.
Further highlighting the importance of information security, Forrester analyst Heidi Shey, in an October blog post, notes that in 2015, 26 percent of global privacy decision makers considered privacy a competitive differentiator. She continues by highlighting several activities necessary to make “privacy as a competitive differentiator” a reality. These activities center on building trust with customers and other stakeholders, planning better for failure, generating credibility with C-level executives within the organization, and considering the security controls for data internally as well as transparency and choice externally.
Heidi focuses on planning for failure and includes this comment in her report:
“You can’t stop every cyberattack. However, your key stakeholders, clients, and other observers do expect you to take reasonable measures to prevent breaches in the first place, and when that fails, to respond quickly and appropriately.”
Heidi goes on to point out that businesses must have processes that address breaches when perimeter solutions fail. This includes internal processes for how to respond to, contain and mitigate a breach. It also includes communications processes that address questions such as what channels the business will use, what it will say, when, and to whom.
I have also found it insightful to track some of the corporations that have been stung by high-profile data breaches. Many now include statements regarding customer data privacy in their corporate social responsibility (CSR) reports, setting a precedent for others. A well-written example can be found on the website of Xcel Energy. I found it interesting to see the defined commitment, and the inherent support of the company behind it, published for their customers to see.
Attitudes toward, and accountability for, security infrastructure have begun to shift over the last year. Organizations have seen repeated breaches, negative impact to their brand, and in some cases material financial impact and payments. New regulations are also affecting how organizations think and operate as they look at compliance with standards such as the Federal Information Security Management Act (FISMA), PCI DSS, the North American Electric Reliability Corporation Critical Infrastructure Protection standards (NERC CIP), and others. Businesses now acknowledge that prevention solutions alone can and will fail, and that they need to change not only their security postures but also their information security policies and procedures to drive ownership and accountability. These changes include no longer putting all their effort into prevention, but into a balanced plan that covers prevention, detection, and response.
Questions such as “How secure are we?”, “How do we know?” and “What will we do?” are now board-level discussions, along with the incident response plans behind them. Incident response plans vary widely by company and are challenging because they require cross-company collaboration and have historically relied on prevention rather than detection and response. Fortunately, deception can play a key role in closing those gaps and supporting a company’s continuous incident response plan.
The annual Verizon Data Breach Investigations Report repeatedly points to an average time to detection measured in months, and to 70% of incidents being reported by parties outside the company.
Deception can play a critical role in the early detection of attackers who have bypassed prevention systems and are already inside the network. Deception can also be used during penetration testing as a way to validate the security of an organization’s infrastructure and to measure its time to detection.
Organizations need to be able to answer these critical questions:
- What do we do if we get breached?
- How will we know what was stolen?
- How quickly can we return to operations?
- How do we know that we have stopped the attack and that we can prevent it if it returns or is elsewhere in the network?
Deception platforms come with the extra advantage of providing network activity visibility, an analysis engine, and integrations that automate the blocking and quarantine of infected systems for prompt remediation and mitigation of threats. Because a deception platform is based on engagement, the engagement details, such as infected device IP addresses, C&C addresses, attacker tools, activities, and methods, are all captured. Combined with early detection, organizations are alerted promptly and given additional attack information to accelerate incident response and restore operations.
Additionally, integrations with prevention systems equip the organization to defend against future attacks by updating signatures and other attack information for this now-known attacker.
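As an added example, not code from the original article or from any particular deception product, the following Python script shows the mechanics the two preceding paragraphs describe: a decoy service that no legitimate workflow should ever touch, so any connection is a substantiated alert; capture of the engagement details (source IP and port, the first bytes sent, a rough classification of the attacker’s tooling); and a simple integration that turns the alert into a quarantine action. The alert field names, the classification heuristics, the SSH banner and the firewall rule format are all assumptions for illustration, and the “attacker” connection is constructed locally on loopback so the script runs offline.

```python
import socket
import threading
from datetime import datetime, timezone

# Assumption: a fake SSH banner makes the decoy look like a real host.
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


def classify(first_bytes):
    """Rough classification of the attacker's tooling from the first bytes sent.

    These heuristics are constructed for illustration, not a product's rules.
    """
    if not first_bytes:
        return "port-scan"          # connect-then-close, e.g. a TCP connect scan
    if first_bytes.startswith(b"SSH-"):
        return "ssh-client"         # a client answering our banner
    if first_bytes[:4] in (b"GET ", b"HEAD", b"POST"):
        return "http-probe"         # web scanner talking to a non-web port
    return "unknown"


def build_alert(src_ip, src_port, decoy_port, first_bytes):
    """Turn raw engagement data into an alert record (field names are assumptions)."""
    return {
        "detected_at": datetime.now(timezone.utc).isoformat(),
        "attacker_ip": src_ip,
        "attacker_port": src_port,
        "decoy_port": decoy_port,
        "first_bytes": first_bytes[:64],
        "method": classify(first_bytes),
        "confidence": "high",       # nothing legitimate ever touches a decoy
    }


def quarantine_rule(alert):
    """Integration stub: the block action handed to a prevention system.

    Assumption: an iptables DROP rule stands in for the vendor-specific API.
    The rule is returned as a string, not executed.
    """
    return f"iptables -I INPUT -s {alert['attacker_ip']} -j DROP"


def serve_once(listener, timeout=5.0):
    """Accept a single engagement on the decoy and return the resulting alert."""
    listener.settimeout(timeout)
    conn, (src_ip, src_port) = listener.accept()
    with conn:
        conn.sendall(BANNER)
        conn.settimeout(1.0)
        try:
            data = conn.recv(256)   # b"" if the peer closes without sending
        except socket.timeout:
            data = b""
    return build_alert(src_ip, src_port, listener.getsockname()[1], data)


def engage_decoy_locally(payload):
    """Demo helper: bind a decoy on loopback, connect to it as a constructed
    'attacker' that sends `payload`, and return the alert the decoy produced."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]

    result = {}
    worker = threading.Thread(target=lambda: result.update(serve_once(listener)))
    worker.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5.0) as attacker:
        attacker.recv(64)            # read the decoy banner
        if payload:
            attacker.sendall(payload)
    worker.join(timeout=10.0)
    listener.close()
    return result


if __name__ == "__main__":
    for payload in (b"GET / HTTP/1.0\r\n\r\n", b"SSH-2.0-paramiko_2.7\r\n", b""):
        alert = engage_decoy_locally(payload)
        print(alert["method"], alert["attacker_ip"], "->", quarantine_rule(alert))
```

The point of the exercise is the shape of the data flow rather than the decoy itself: because the decoy has no legitimate users, the alert needs no tuning to be actionable, and the captured engagement (source address, first bytes, classified method) is exactly what the downstream block, quarantine and signature-update integrations consume.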
Ultimately, CISOs and their security operations teams can use this visibility and reporting to validate that there is no breach or spreading infection within their networks. Having the confidence that a network is clean, and being able to substantiate this with network visibility reports, can be quite powerful when presenting to the board.
Whether an organization’s primary concern is stolen credentials, targeted attacks, insider threats, ransomware, phishing, attacks on critical infrastructure or other destructive activity, a deception platform can play a key role in providing the needed network visibility and real-time detection of these threats. Add the forensics, substantiated alerts, and automated integration with third-party prevention systems that improve incident response, and CISOs can enter the board room with tangible reports and greater confidence. In a culture of “trust but prove”, the ability to validate the ongoing health of the network, together with a clear plan for incident response and remediation, goes a long way toward demonstrating compliance with one’s information security policies and protections.