GDPR & Cyber-threats – How exposed is your business?

Posted on : 28-11-2017 | By : Tom Loxley | In : Cloud, compliance, Cyber Security, Data, data security, GDPR



With the deadline for ICO enforcement of GDPR approaching (25 May 2018), it is not surprising that we are increasingly being asked by our clients to help them assess the current threats to their organisation from a data security perspective. Cybersecurity has been a core part of our services portfolio for some years now, and it continues to grow in importance as attacks increase and new legislation (with potentially crippling fines) becomes a reality.

However, the good news is that with some advice, guidance, consideration and a little effort, most organisations will find it manageable to comply with GDPR and to protect themselves well against the current and emerging threats out there.

Measuring an organisation's threat exposure is not easy. There are many angles and techniques that companies can take, from assessing processes, audit requirements, regulatory posture, perimeter defence mechanisms, end-user computing controls, network access and so on.

The reality is that companies often select the approach that suits their current operating model or, if independent, one which is aligned with their technology or methodology bias. In almost every case, what these assessment approaches have in common is that they address only a subset of the problem.

At Broadgate, we take a very different approach. It starts with two very simple guiding principles:

  1. What are the most critical data and digital assets that your company needs to protect?
  2. How do your board members assess, measure and quantify security risks?

Our methodology applies a top-down lens over these questions and then looks at the various inputs into them. We also consider the threats in real-world terms, discarding the “FUD” (Fear, Uncertainty and Doubt) that many service providers use to embed solutions and drive revenue, often against the real needs of clients.

Some of the principles of our methodology are:

  • Top Down – we start with the boardroom. As the requirements to understand, act and report on breaches within a company become more robust, it is the board/C-level executives who need the data on which to make informed decisions.


  • Traceability – any methodology should have a common grounding to position it and also to allow for comparison against the market. Everything we assess can be traced back to industry terminology from top to bottom whilst maintaining a vocabulary that resonates in the boardroom.


  • Risk Driven – to conduct a proper assessment of an organisation's exposure to security breaches, it is vital that companies accurately understand the various aspects of their business profile and the potential origin of threats, both internal and external. For a thorough assessment, organisations need to consider likelihood and impact from various angles, including regulatory position, industry vertical, threat trends and, of course, the board members themselves (as attacks are increasingly personal in nature). Our methodology takes these, and many other aspects, into consideration and applies a value at risk, which allows for focused remediation plans and the development of strategic security roadmaps.


  • Maturity Based – we map the key security standards and frameworks, such as GDPR, ISO 27001/2, the SANS Top 20 Critical Security Controls, Cyber Essentials etc., from the top level through to the mechanics of implementation. We then present these in non-technical, business language so that there is a very clear common understanding of where compromises may exist and of the current maturity level. This is a vital part of our approach which many assessments do not cover, often choosing instead to present a simple black and white picture.


  • Technology Best Fit – the commercial success of the technology security market has led to a myriad of vendors plying their wares. Navigating this landscape is very difficult, particularly understanding the different approaches to prevention, detection and response.

At Broadgate, we have spent years looking into which technologies are the best fit to mitigate the threats of a cyber-attack or data breach, and this experience forms a cornerstone of our methodology. Your business can also benefit from our V-CISO service to ensure you get an executive level of expertise, leadership and management to lead your organisation's security. Our mantra is "The Business of Technology". This applies to all of our products and services, and never more so than when it comes to really assessing the risks in the security space.

If you would like to explore our approach in more detail, and how it might benefit your company, please contact me at

The CIO Guide to a successful Information Security Practice

Posted on : 30-06-2015 | By : jo.rose | In : Cyber Security



Our colleagues at Corix Partners have recently published on their blog a series of articles highlighting the eight key management rules CIOs and CISOs should follow to build and deliver a successful Information Security practice. We publish below a summary of the series which deconstructs in-depth eight views commonly held by Information Security practitioners and explores the Governance and Leadership dynamics which surround Information Security.

1. Think of Information Security as a Control function and not as a Support function

Information Security within a large organisation is often simplistically seen as a support function, and, as such, many stakeholders expect it to help streamline or ‘enable’ the business. The reality is, Information Security needs to be seen as a control function – and rules (that may be perceived as restrictive) are a necessary part of ensuring its effectiveness. CISOs must have the management skills to effectively communicate the threats facing the information assets to all stakeholders across the business – and they must get everyone on the same page when it comes to ensuring the appropriate controls are put in place to protect these assets.

2. Create a sense of reality around the threats and do not focus only on IT aspects

A commonly held view among Information Security communities is that businesses don’t care enough about Information Security – and decisions are often made from a convenience or cost avoidance perspective. However, a disproportionate focus on technical details and IT issues by the security teams themselves is often to blame for the disengagement with the subject. It’s down to the CISO to effectively communicate to the business the real threats faced by information assets, how this could translate into real consequences across the organisation – and how protective controls can prevent this from happening. If the level of Risk (resulting from the presence or absence of controls) is presented in a language that the businesses can understand, the CISO will build a meaningful dialogue with them that should drive the right decisions.

3. Focus resources on the proper implementation of key Controls and sell success

It’s often believed that Information Security is a chronically underfunded practice, and budgetary limitations are a barrier to its success. However, research by the World Economic Forum (‘‘Risk and Responsibility in a Hyper-connected World’) has shown that many large organisations in fact spend more than 3% of their total IT budgets on cyber security. Despite this, few have reached an acceptable level of cyber security maturity. Instead of requesting budgets to fund new technical initiatives, CISOs should tilt the magnifying glass and focus the resources they do have on the proper implementation of key controls – which have been mapped for a long time and alone can be highly successful in preventing most cyber attacks. Implementing demonstrable controls will give the business confidence that real protective measures are being put in place and that the spend is justified.

4. Pin tactical initiatives against a long-term Information Security roadmap

Within Information Security communities, the CISO is frequently regarded as a ‘firefighter’, working mostly in a reactive manner around cyber security incidents and attacks. This approach is often further fuelled by management’s short-term obsession with audit and compliance issues. While reacting to breaches or acting on regulatory demands will always remain a priority, especially as cyber threats continue to evolve and regulation increases, the key focus should be on addressing the root cause of the underlying problems. The CISO must pin tactical initiatives against the backdrop of a long term transformative Information Security roadmap and think beyond mere technical and tactical solutions. But to be truly successful, the CISO must also have the gravitas to influence lasting change and the personal skills to drive security transformation.

5. Assign Information Security Responsibilities and Accountabilities

Countless security awareness programmes follow the train of thought that Information Security is everyone's business across the organisation. While it is true that everyone in an organisation can do something at their level to protect the business against threats, it cannot be 'everyone's responsibility', as this attitude can quickly drift towards 'nobody's responsibility'. The CIO must ensure that the CISO is accountable for ensuring that the appropriate controls are in place across the organisation, backed by a sound Information Security Governance Framework. They must ensure that accountabilities and responsibilities are cascaded down to all relevant stakeholders across all silos (e.g. HR, Legal, Business units, third parties etc.).

6. Operate Information Security as a cross-silo practice and not just as a technical discipline

Information Security practice is regularly considered a purely technical discipline. However, information exists in both digital and physical forms and more importantly – is constantly manipulated by people during the business day. While technology should undoubtedly play a strong role, in many industries, a stronger focus on the other elements of Information Security is often required. In order to implement an effective Information Security practice, CISOs need to establish a controls based mind-set across all silos of their organisation.

7. Operate Information Security as an ongoing structured practice and not just a series of technical projects

Information Security practitioners always seem busy with technical projects. In fact, Information Security should be there to provide continuous and long-term protection to the business. Therefore, it should not be approached just as a series of tactical projects with a set start date, end date and check-list of deliverables. All technical projects and tactical initiatives within an organisation’s Information Security practice should be seen as forming part of a structured practice and aligned with a long term Information Security strategic roadmap – aiming to achieve an Information Security vision and deliver lasting change across the organisation.

8. Operate Information Security to focus on People and Process supported by Technology, not just the implementation of the latest Technical Products

In order to ‘keep up with the hackers’ as technology evolves and cyber attacks become increasingly more advanced, many believe that business protection is derived primarily from the implementation of the latest technical products and solutions. While it can be tempting to believe that the latest technology products are going to be the ‘silver bullet’ needed to keep the business safe, in reality there’s often more to consider. It’s critical that the Information Security practice addresses any weaknesses in the organisation’s functional structure (people and processes), before turning to technical products as potential solutions.

Thanks to JC Gaillard and Neil Cordell for this contribution. The full series, ‘The CIO Guide to Information Security Practice: 8 Key Management Pitfalls to Avoid’ can be found on the Corix Partners’ blog.

The Reporting Line of the CISO is Key to Success

Posted on : 30-04-2015 | By : john.vincent | In : Cyber Security



This article examines the organisational relationships between the role of the Chief Information Security Officer (CISO) and the corporate environment around it, with a focus on why reporting lines are essential and how they should be structured.

Why is the reporting line of the CISO still a hot topic amongst Security communities?

The actual role of the CISO varies greatly from one organisation to another – even if, on paper, job descriptions often look similar.

Of course, the best reporting line for the CISO is the one that positions the role in the best way within the organisation – in relation to the real challenges that the CISO is expected to resolve.

But in practice, corporate governance across large organisations also varies greatly, depending on industry sector and geographical dispersion. Many large organisations operate (efficiently or not) as matrix organisations, and in those cases it is unlikely that the CISO will have a single reporting line, leading to a large number of variations where formal and informal authority have to be combined. This is well analysed by Peter Berlich in a recent post.

Annual surveys published by the Big 4 consultancy firms over the past 10 years have been highlighting such diversity, and show that the reporting lines now span almost the entire spectrum of board members (including the CEO, COO, CAO, CFO, CRO and Legal counsel). Results indicate that a reporting line to the CIO seems to be the most common in the field, however, this still only accounts for approximately one third of the responses to the surveys on average (with all caveats due to the fact that the methodologies vary from one firm to another and respondents could be different from one year to the next).

Reporting lines into IT departments (at levels below the CIO) remain common in many industries, for example accounting for up to 26% of respondents in the Life Sciences sector according to the EY 2014 Global Information Security Survey. Reporting lines into audit and compliance departments are still commonplace today.

In addition, many of these job titles – in particular, the COO, CAO, CRO and CIO – could hide a variety of actual roles and individual profiles. This is particularly true in larger firms, where multiple reporting and “dotted lines” can also lead to situations where accountability is seen as a vague and relative concept.

In short, the current situation seems to reflect the confusion that has been surrounding Information Security Strategy and Governance for the past 10 to 15 years. Beyond the natural diversity of the CISO roles in terms of content, it seems that many large organisations have treated the CISO reporting line in a casual and ambiguous manner, instead of positioning it in the best way to protect themselves against the genuine threats they’re facing.

How important is the reporting line of the CISO?

The reporting line of the CISO is the most essential channel of authority, as it presents to all stakeholders, in an unequivocal manner, the real level of importance placed on Information Security by the organisation.

Because Information Security is a matter that cuts across too many corporate silos (HR, Legal, Business Units and IT etc.), matrix reporting and “dotted lines” should be avoided. These multiple reporting lines are rarely efficient, rarely understood fully and generally add to the confusion. This can hinder the leadership of the CISO and their ability to deliver.

It is key to go back to basic organisational principles. Ideally, the CISO should have a single reporting line – positioned at a level in the organisation that will maximise the impact of the role. The profile of the CISO should be adequate and suited to a Board-level reporting line and the CISO should have the gravitas, credibility and management experience to influence their peers (as discussed in the Corix Partners February 2015 feature on the C-Suite blog). If the Board feels that’s not the case, the Board should start by addressing this issue.

If the CISO is expected to get things done across the organisation, the reporting line should be to the CIO or the COO – as these executives are most likely to be the closest to Information Security matters within an organisation.

But ultimately, the actual reporting line decision should be made at Board level – and based on the results of a high level assessment of the maturity of security controls across the organisation.

From that point, the Board should be able to focus on inspiring the right spirit for the role – and there are, broadly speaking, three different types of profiles the CISO can fall under:

The CISO as a Figurehead

The Board may feel that the business is well-protected against Information threats and that the CISO needs to be a “figurehead” – a well-networked senior executive, credible with business leaders and capable of representing the firm at conferences and global events. A reporting line to the CEO or another board member (possibly the COO) may be suitable, particularly for industry sectors or smaller firms where controls are already a mindset.

The CISO as a Firefighter

If the Board is primarily driven by short-termist views and concerned only with the resolution of recurring audit or compliance matters, its priorities will almost always drive a tactical agenda. The CISO will end up in a complex programme manager role, constantly having to influence stakeholders and act as a “firefighter” to keep projects on track – ensuring priorities remain set as they should be across IT and the business.

A reporting line to the CIO or the COO is essential in such context, given the complexity of the CISO role and the cross-silo nature of Information Security challenges. Delegating down must be avoided at all costs, simply because it sends a highly dangerous message across the organisation. Irrespective of the personal profile of the CISO, downward delegation implies that Information Security is not that important and can only fuel internal politics and confuse prioritisation amongst stakeholders.

But this alone is not sufficient to ensure success. The actual success of the CISO will rely entirely on having a proper Information Security Governance Framework in place to ensure that all stakeholders have a clear understanding of their respective roles and responsibilities in the programme delivery, and of the way C-level management will be involved.

Most tactical approaches in the Information Security space fail simply because they compromise too much on the last two points.

The CISO as a Change Agent

If the Board is concerned about the maturity level of controls and wants to drive lasting improvements across the organisation, the CISO needs to be a “change agent”. It’s in this situation that the positioning of the reporting line is most critical.

The reporting line must be given, without exception, to a control-minded senior executive that the Board trusts to supervise change in the Information Security space. Again, this should ideally be the CIO or the COO – and delegating down must still be avoided at all costs, as this is one of the most common failure factors.

Where controls maturity issues are serious enough, particularly in large organisations with a high Internet footprint facing serious cyber security challenges that may bring the whole business down, the CEO must consider whether the situation has reached a critical point. Here, direct involvement in the resolution of these issues is required, and the CEO must consider taking the CISO role as a direct report as a result.

In other situations, where controls maturity is low, it is the need to drive improvement that should be the key factor in the reporting line decision, not arbitrary separation of duties considerations. Separation of duties considerations are often negative organisational devices aimed at dealing with conflicts of priorities generated by non-control-minded executives. In large organisations, these considerations can create more problems than they solve, by engineering arbitrary political barriers with the potential to damage the CISO's leadership ability and hinder change delivery. Internal politics often make it extremely hard to influence change "across the fence" (i.e. in parts of the organisation where you don't belong).

It is key to look at the problem from a positive angle and only give the CISO reporting line to a control-minded senior executive who can be trusted by the Board on their prioritisation, because the key issues are in their area of accountability.

How to determine the best reporting line for the CISO?

The prime focus should be on delivering results, based on a thorough examination of the prime operational focus of the organisation (People/Process/Technology) and its dependency on information attributes (Confidentiality/Integrity/Availability). The CISO reporting line should be positioned in the area where the most change is required and where most of the efforts will be targeted.

[Figure not reproduced] Fig 1 – Recommended Reporting Line for the CISO position

If most of the problems are in IT, the reporting line of the CISO should be to the CIO. If most of the problems are outside IT, the reporting line of the CISO should be to the COO.

Multiple lines of defence and separation of duties considerations must come second to, or be wrapped around, the need to drive results – in particular where Information Security maturity levels are low. Those can be left for the CIO or the COO to drive, as mentioned in this February 2015 feature on the C-Suite blog.

If these individuals are not control-minded or the Board feels they cannot be trusted with a Security change programme (or if these individuals simply think they’re too busy to take on the role), the Board should ask itself whether it is the attitude that the CIO or COO shows towards Security and controls which is the root cause of the low maturity situation the Board is aiming to resolve.


This article was courtesy of one of our close partners, Corix Partners (details below).

JC Gaillard (

Managing Director

Corix Partners