In late 2014, as Home Depot was recovering from its breach of customer payment data, then-Chairman Frank Blake made several statements about the breach that sum up the problems too many organisations face.
In particular, “We believed we were doing things ahead of the industry. We thought we were well-positioned,” Blake said in a Wall Street Journal article on 6 November 2014.
Imagine yourself in a large conference room full of your peers, your board and executive leadership team, and influential partners. You are presenting on the current cyber risks in your industry and someone asks a simple question:
“Are we well-positioned for the cyber risk in our organisation and how do we rate in relation to our competitors?”
How would you answer that question? More specifically, do you have data available that gives you confidence in your answer? If the truthful answer is that you don’t know, don’t worry. You’re certainly not alone. I’ve been asking this question for the past several months and have yet to find anyone who can articulate a confident answer.
Note the word “confident.” Not good or bad, right or wrong: the point is how confidently you can articulate an answer to the question. It is a question that must be answered, and answering it should be the core mission of your entire cyber security program.
Cyber security mission statement: “Be well-positioned for cyber risk in our organisation”
But how do you go about defining this answer? How much technical versus non-technical input do you leverage? How do you map it back to the business?
The first step is to define what well-positioned even means to your organisation. To do that, borrow some program management terminology and examples.
Too many organisations rely on tools alone to solve their problems, but tools have outputs, not outcomes. Programs have outcomes, and those outcomes should map back to your goal.
“Tools have outputs, programs have outcomes”
First, what kind of program do you want to create? An IT Security Program? A Cyber Security Program? A Risk Management Program? I would propose none of those; rather, a Cyber Risk Intelligence Program. Here’s why.
Today, cyber is in everything we do: your supply chain, your customer base, your business support applications, your financials, your infrastructure, your marketing and your communication. It’s everywhere. But for some reason, it continues to be treated as a purely technical area rather than as a business resilience effort.
It is also measured at the executive level as an audit function. Audit efforts have their place, of course, but by design they are reactive. In today’s cyber world, finding issues after the fact does not make you resilient against cyber risk, nor does it give you situational awareness of what is currently occurring in your environment (compared to others in your industry).
Home Depot said it assembled an ‘incident response team’ and went through a five-hour review with the audit committee. Taken at face value, Home Depot had to rely on the audit function to understand where it stood at the time of the attack. It would seem that measuring cyber risk was not a recurring effort from an operational resilience view.
Instead, it was treated as an internal control, a benchmark review, a check box. We all know where that got them. To be fair, Blake also said, “Assessments of the nature of the threat weren’t sufficient.”
But why a ‘Cyber Risk Intelligence’ program?
The answer is simple. Intelligence, especially evaluated intelligence, focuses your organisation on making decisions and taking action. Your organisation already collects intelligence on sales, marketing, logistics and competitors, yet “cyber” continues to have little visibility.
Make Cyber Risk Intelligence a core pillar of the organisation’s overall enterprise risk management program. Address it at the same level as the other areas of measured risk the organisation deems crucial to success. Cyber Risk Intelligence is about giving decision makers an idea of how you are positioned, how you compare to others in your industry, and what people, process and technology need to be brought to bear in order to reduce your exposure to current risks at all levels of the organisation.
And it isn’t just about what new signatures you can pump into your SIEM; it isn’t only about what your SOC analyst can see. This is not just an Information Technology problem. It is a brand problem, a financial problem, a resilience problem.
To keep things simple, group cyber risk intelligence into these four areas:
1. Tactical: low level, signature and behaviour based, SOC integrated
2. Strategic: high level, supports planning and is aligned to key business areas
3. Internal: internally observed risk; internal data should show how you are positioned
4. External: externally observed risk; external data helps correlate against internal intelligence
Again, intelligence is about making decisions and taking action; some would call this due diligence and due care. So when you look at your current cyber risk intelligence program, or at its capability gaps, ask yourself how your cyber risk intelligence affects:
- The decisions of the incident responder
- The decisions of the CIO
- The decisions of the CISO
- The decisions of the C-Suite (i.e. Business Unit Leaders)
- The decisions of the Board
If you find your cyber intelligence only affects the decisions of your incident responder, how is that supporting your organisation’s resilience? What about customers and suppliers? Brand and reputation? Financials? Infrastructure? How does that capability feed into overall enterprise risk decisions?
Intelligence is about making decisions and taking action. “Cyber Risk” needs to be a dedicated intelligence program, part of the overall enterprise risk management strategy with a mission statement of “Be well-positioned for cyber risk in our organisation.”
Build your program to include Tactical, Strategic, Internal and External information points that produce evaluated cyber risk intelligence affecting the decisions of incident responders, the CIO, the CISO, business unit leaders and the Board. Only then are you on your way to being well-positioned.
Adam Meyer is chief security strategist at SurfWatch Labs.