Drive Change By Assuming You've Been Breached

Forbes Technology Council
POST WRITTEN BY
Evan Francen

CISOs are busy. We have a thousand things going on at any given time and there’s a lot of weight on our shoulders. How do we effectively drive change with other executives and the board of directors in a way that they’ll understand and relate to? This is a common struggle, but it's one that can be solved with logic. Here are two recent examples, from my own experience, where we used an assumed breach to drive change.

Example No. 1: Chasing Compliance And Putting Out Fires

At this global organization, information security has been discussed from time to time, but not with any regularity or cadence. There is no information security strategy, and their approach to information security revolves around chasing compliance and putting out fires. The board of directors isn’t aware of the company's most significant security risks.

Recently, the organization conducted an information security risk assessment and received a FISASCORE of 605. A company’s FISASCORE is like a personal credit score, plotted on a scale between 300 and 850. A FISASCORE in the 600s is “fair.” This organization is unlikely to improve any further without more formality, board-level involvement and sound strategic direction.

The CIO and CTO, who are tasked with information security responsibilities, are struggling with how to present the message in a manner that will resonate with board members. They’re paralyzed in delivering their message to the board for fear that they might get it wrong.

In this case, I’m the consultant, the outsider who’s coaching this organization. My task is to ensure that we develop and deliver our message together, along with the CIO and CTO. During a recent meeting, they discussed their ideas about how we should make our case, but most of the ideas revolved around using scare tactics and specific scenarios. Instead of focusing on any one specific scenario or set of scenarios, why not just assume that we’re already breached and play it out from there?

Example No. 2: Doing An Assessment Is Good Enough

This health care organization has done information security risk assessments for years, and one might think that it is doing things well until one reviews the results of those assessments. Its FISASCORE in 2015 was 460. 2016 didn’t fare much better with 478, and last year’s FISASCORE was 473. A FISASCORE in the 400s is “very poor.” So, why hasn't this company done better? Because the right message hasn’t been sent to the board, and they believe that doing an assessment is good enough.

What happens when we just assume that we’ve already been breached?

The name of the information security game is not risk elimination -- it’s risk management. Given enough time, and the right circumstances, a breach will occur and we’ll be faced with the need for a response. When a breach occurs, what do we have to defend ourselves? We’re not talking about defense from the traditional attacker -- the damage is already done. We’re talking about the defense against the new attackers knocking at the gate after a breach: regulators, state attorneys general, lawyers leading lawsuits against us and our customers who are angry with us. What do we have to defend ourselves against the post-breach attackers? What makes us defensible?

There was a day, not too long ago, when ignorance was defensible. Board members could claim that they didn’t know. Those days are long gone. After a breach occurs, claiming that we didn’t know won’t get us much traction in court or in the public view. Boards of directors need to know -- it’s their responsibility to know. But know what? They need to know what makes them defensible.

I’m not a lawyer, but I’ve been around many of them during and after a breach. And I’ve read enough to know two things that lawyers like to refer to a lot: due care and negligence. Due care is defensible, negligence is not.

So, assume we’ve been breached. We don’t want to be negligent because this could imply liability and, in some cases, a lot of it. The question then becomes, did we do what an ordinary and reasonable person would do? Back to our examples.

Large Global Company: Since this organization does not have an information security strategy, the question then becomes: Is this defensible? My suggestion is that it’s not. The board does not receive information security status and guidance on a regular basis. Defensible? The organization has not formally implemented foundational information security concepts, things like information security risk management, information security governance, asset management and access control. Defensible?

What can the organization do to become defensible? Lots of things, but the best place to start is by formalizing an information security program. Its security team should focus on the fundamentals while regularly communicating the status of an information security strategy to the board of directors.

Large Healthcare Organization: How do you defend an information security program that has been rated as “very poor” for each of the past three years? Not knowing is not defensible -- knowing you’re “very poor” and not doing anything makes it indefensible.

Getting this point across to the board, in the right tone and manner, has changed this organization’s perspective on information security. The message to the board was one where we asked them to assume that they’ve already been breached. What would they do? It’s not a scare tactic -- it’s a preparation tactic using facts and logic.

Assume You’re Already Breached

This mentality helps you to focus on the facts and to better prepare you and your company for the inevitable. Is the organization defensible? Is the board of directors defensible? These are good questions for discussion, and good discussions will hopefully create a more secure environment for everyone involved.
