Back in October, the South Carolina Department of Revenue revealed it had suffered a massive data breach. The widely
reported breach exposed Social Security numbers, bank account information, and credit and debit card numbers of millions of South Carolina taxpayers, both individuals and businesses.
In making the business case for adequate security, security chiefs must educate the executive team on successes, near-misses and, yes, even security events that actually occurred in the company.
What wasn't as widely reported is that about a year before this incident, the security chief of South Carolina's IRS department quit, citing a lack of support and funding for security within his department. Although incidents like these are bringing more attention to the lack of focus and funding information security programs receive, many chief information security officers (CISOs) still struggle to get the help they need for their organizations. Until there is recognition that an effective information security program is an operational necessity – as much as having an accounting department – such incidents as the South Carolina breach will keep happening.
In this tip, we look at how CISOs can align security with business goals and how to get the support they need, including financially, for improving security measures to avoid a South Carolina-like incident.
Aligning business and IT security: The challenge
The causes for this dilemma lie across an organization. On the one hand, the corporate management team may not want to spend funds on an information security program either because it doesn't understand why they need it or because it is confident the company would never be a target. Similarly, executives may see information security expenses as more of an insurance policy rather than truly facilitating information security and risk management. So, after some time when the expenses have been made and there is no evidence of deflected attacks or "saved files," the executives wonder if the security expense was necessary or even worth it.
On the other hand, information security managers often don't effectively communicate up within the organization to identify their successes and failures, and often don't effectively make the case for the necessary resources to do their jobs. They may describe their needs in terms of new technologies required (e.g., firewalls, IPS) and more head count but may not be able to effectively describe what the company and executives get for their money. This is a dilemma and a huge challenge for security teams.
Compliance matters, but it isn't enough
Regardless of management's commitment to security, many organizations still fund information security programs, albeit insufficiently, for one reason: compliance. There are cybersecurity mandates that must be followed in various industries to protect corporate assets, and most have come in the form of regulatory requirements. For instance, companies that handle credit card transactions must follow the Payment Card Industry Data Security Standards (PCI DSS) and are audited annually. CISOs can often find an ally in the company treasurer and chief financial officer to advocate for adequate security resources in this space. If companies don't meet the PCI DSS requirements, they could be prohibited from handling credit cards. Hence, there is a consequence for noncompliance.
Similarly, there are some security aspects mandated by a number of regulations. For example, health care organizations, insurance companies and other companies handling Protected Health Information are obligated to comply with the Health Insurance Portability and Accountability Act (HIPAA), which has its own security guidelines.
But simply following regulations is not enough. Compliance does not equal security. For instance, an organization may be compliant with a requirement, but it may not mean that opportunities for attacks are sufficiently mitigated. Recent examples include companies that have had their credit card files breached and yet had recently "passed" their PCI DSS assessments -- i.e., they were deemed compliant. As often happens, attacks took advantage of vulnerabilities not identified by the PCI assessment.
In the electric utility industry, there is a similar issue related to the North American Electric Reliability Corporation Critical Infrastructure Protection standards. Here, a utility may have a written incident-response policy (i.e., be compliant), but the policy would never effectively address an incident because it does not contain correct phone numbers or is out of date. Hence, they are compliant, but not necessarily secure.
The bottom line is that executives and security managers must mutually focus on securing the organization and recognize that the compliance requirements are simply there to cover the more direct vulnerabilities and loose ends.
Striking a balance: Tactics to align business and IT security
Executives should provide highly visible support for the security program -- an approach that will substantially improve the stature and effectiveness of the overall corporate security. Often, employees -- and even the media and shareholders -- pay attention to the attitude and position of the corporate executives. Hence, if the executives are strongly supportive of a solid, complete security program, then the attitude will permeate through the organization. Essentially, the executives are setting the tone for security with their actions and words -- i.e., walking the talk.
In addition, the security team should make sure it understands the business -- and spend time with the various aspects of operations to learn it. Looking for areas that are secure and should be maintained, as well as for areas where possible information breaches could occur -- either due to less-than-adequate technical protections or carelessness -- can go a long way toward protecting employees and company data. By understanding the business better, the security team will be able to ensure that its actions, tools, systems, policies and procedures support the business in achieving its goals. For instance, industrial control security is an operational imperative to ensure that production not only stays online, but also that production and quality goals are achieved and, ideally, exceeded. Thus, production is derived from solid security.
It also is important for the CISO to provide periodic reviews or briefings to the executive leadership team. These reviews or briefings can include guest speakers from the local police department, the Federal Bureau of Investigation or the U.S. Secret Service, who will discuss the infosec attacks they observe and tips on how to better protect the organization. The briefings also can be used to discuss near-misses within the organization or within similar industries. By reinforcing the value of security, the briefings not only will help educate the executives but also will help plan and write budgets.
My employer, Verizon, publishes its annual Data Breach Investigations Report, which can be a useful tool to educate executives on the real challenges of securing a company today with actual data to draw conclusions on the causes and protective actions that should be taken. To be fair, Symantec, McAfee and many other vendors publish similarly valuable reports.
Finally, the CISO and security team must recognize that running a business profitably and efficiently is top of mind for the CEO and executive team. Security tends to be ignored, not because of lack of interest, but because of financial demands. In making the business case for adequate security, security chiefs must educate the executive team on successes, near-misses and, yes, even security events that actually occurred in the company.
The CISO job in any organization is a hugely challenging task. It's probably the hardest job in any company -- especially when the CISO doesn't receive the necessary support that he or she needs to protect cyber assets from invisible attackers who can be implementing an assault from anywhere on the planet. Perhaps the most important lesson CISOs should take from the South Carolina breach is to be unrelenting when working to secure the support a successful infosec program needs. It's rarely easy, but without sufficient internal recognition of the importance information security has to a business, it's impossible for security to succeed. That's what South Carolina's taxpayers found out the hard way.
About the author:
Ernest N. "Ernie" Hayden, CISSP, CEH, is an experienced information security professional and technology executive, providing global thought leadership for more than 13 years in the areas of information security, cybercrime/cyberwarfare, business continuity/disaster recovery planning, leadership, management and research. Based in Seattle, Hayden holds the title of Managing Principal -- Critical Infrastructure Protection/Cyber Security on Verizon’s Risk Team, devoting much of his time to energy, utility, critical infrastructure and smart grid security on a global basis. Prior to his current position at Verizon, Hayden held roles as an information security officer/manager at the Port of Seattle, Group Health Cooperative (Seattle) and Seattle City Light. Hayden's independent analysis may not always reflect positions held by Verizon. Read more of Hayden's expert advice on his contributions to the Verizon Thought Leadershipblog. Submit questions or comments for Hayden via email at firstname.lastname@example.org.