As networks evolve, visibility remains key to managing IT-security risk in business terms

To package information security for executive consumption, CISOs must learn the language of risk management

Information security's roots in IT have traditionally left CIOs and CISOs wrestling to contain the business risks it creates, but growing board and C-level involvement in cybersecurity is reshaping that tradition as business guidance holds cybersecurity practitioners to new standards of governance and risk management.

This significant change in philosophy is being driven by growing recognition that a lack of attention to information-security governance now is likely to translate into major problems down the track when security is breached and fingers are pointed. For those who believe board-level involvement in cybersecurity isn't crucial, just consider the dismissal of high-level executives at US retail giant Target after that company's large-scale compromise – or the recent dismissal of FACC's CEO after a fake email scam cost the company $65m. Both cases showed that those fingers are inevitably pointed at business leaders.

Many organisations are still in the transition between CIO-driven security practices and those with board involvement, with a recent CSO survey finding that 1 in 4 CISOs only present a security update to their board once per year and 30 percent do so quarterly.

Increasing that frequency is a key outcome for CISOs whose struggle to boost visibility at the executive level remains a key part of their everyday activities. But gaining that visibility, as many find out, can be difficult in its own right – particularly as businesses expand their network complexity and attack surfaces by integrating their networks with cloud-based applications and services.

As if it weren't already hard enough for CISOs to evaluate and convey the risk status of their internal networks, the shift towards cloud-based business has broken conventional network perimeters and obscured visibility of the processes inside the cloud – creating blind spots that could represent potential new risks if left improperly secured.

“A sensible cloud infrastructure would have multiple perimeters,” explains Ian Farquhar, security virtual field team lead for ANZ with Gigamon, whose network visualisation tools help surface the activities of on-premises and cloud-based applications so that CISOs can more accurately assess current risk profiles.

“Businesses need to extend their visibility capability into the cloud so they can see what's happening there,” Farquhar continues. “Intruders always play around the margins: they are looking for the way in that you are not looking at. Yet they might not be coming anywhere near your organisation, where all your detection tools are – and if they stay in the cloud, how do you capture that?”

This question will be front of mind for many at the Gartner Security & Risk Management Summit 2016 (GSRMS), where business experts will share their thinking around how cloud and on-premises environments can be managed within the sights of monitoring tools that have become crucial to applying business-level discipline over the risk that cloud presents.

Those tools are a natural fit for evolving risk-management frameworks such as the US government's Cybersecurity Framework (CSF) and Risk Management Framework (RMF), which have been established to help US government agencies better quantify and manage their risk from cybersecurity and other forms of operational risk.

The CSF, for example, is among the processes to be discussed at GSRMS and outlines a seven-step process by which organisations can develop and iteratively improve a cybersecurity framework. By helping organisations create a Current Profile and a Target Profile, the policy says, comparing the gaps between the two “enables the organization to make informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements” that are encompassed within formal Action Plans.

Visibility of those activities is crucial to delivering on CSF-driven Action Plans, with continuous monitoring capabilities positioned as a core enabler of the Detect element of CSF's five Framework Core Functions – Identify, Protect, Detect, Respond, and Recover.

The Detect function, the standard says, “enables timely discovery of cybersecurity events” – and this is where board-level involvement with cybersecurity is truly put to the test. After all, if security practitioners lack the visibility to meet requirements around timely discovery of cybersecurity events, they also lack the ability to keep high-level business executives apprised of the organisation's real risk profile – and it's only a matter of time until this omission comes back to bite all concerned.

While surveys show greater executive recognition of the security of cloud platforms, the workloads they carry each have their own vulnerabilities that must be managed by the organisations running those workloads. And this, says Farquhar, underscores the need for a comprehensive visibility framework that supports CSF and other risk-management processes.

“Workloads need to be deployed with proper attention to privacy and compliance,” he explains. “By moving workloads to the cloud service provider you haven't lost responsibility for that workload. What you have lost, if you leave it, is the visibility you need to properly deal with that responsibility. And if a business requires this visibility, it needs to be selecting the CSPs that offer what they need.”

Armed with the right visibility and the right tools for evaluating overall information-security risk, CISOs are better equipped than ever to communicate the changing risk profile of the organisation to an ever more-receptive executive audience.

Better visibility and metrics will also allow the creation of key risk indicators (KRIs) – dashboard-style measures of risk exposure that, as Gartner vice president and distinguished analyst Paul Proctor will outline at the GSRMS, allow the establishment of frameworks for building “business-aligned security and technology risk metrics”.

These metrics – which will span operational networks, cloud environments, industrial control systems, legacy networks, and other environments – will support structured reporting of security risk to board members and business executives. This, in turn, will help them plan a pragmatic business strategy with a better sense of the real risks that their IT-security platform poses.

As organisations increasingly adopt bimodal architectures combining cloud and on-premises infrastructure, maintaining that enabling visibility capability will become the difference between success and failure. And that, says Farquhar, is why CISOs need to engage the board now to avoid difficult conversations later.

“The cloud makes our perimeters disappear and reduces our visibility,” he explains. “But it shouldn't matter where the network traffic is; you should be able to see it. Organisations are now saying that visibility is a key attribute of any network that they're building: they need situational awareness in the cloud, and the first step to get that is visibility.”

Stories by David Braue