Penetration testing has proven to be an extremely effective means of building executive support for cybersecurity initiatives because it most directly impacts their day-to-day working environment, a cybersecurity expert has advised.
Whether due to lack of education or simply too many conflicting priorities, busy executives can easily minimise their organisational risk exposure to malware, unauthorised network access and other security risks, major general Stephen Day, a former Department of Defence security executive and former head of the Australian Cyber Security Centre (ACSC), recently told CSO Australia.
Effectively managing security within an organisational context “is all about risk appetite and the allocation of resources,” he explained. “It's about culture; it's about protocols; in short, it's got a lot to do with people.” Since those people – executives in particular – were naturally more attuned to immediate threats, Day said, “the trick is to communicate in a way that resonates with them – and that means using the language of risk.
Executives are balancing risk all the time.” Although cybersecurity issues may often fade into the background behind more immediately pressing business issues, “we have found penetration testing to be very successful in getting executive attention,” he continued. “It's always important to personalise it: if you can, for example, get the CEO's inbox.
That really brings it home – and allows a conversation.” Such a conversation is likely to have some strong undertones, since business executives see the CISO's job as being to prevent such hacking in the first place. Yet continuing vulnerabilities around many commonly used information resources are symptomatic of a common momentary approach to security, in which funds are invested and the business assumes the risk has been managed as an outcome.
Many penetration-testing exercises are hobbled by this mentality, Day said, with penetration-testing firms identifying a way to get into the network and then blocking it. “This is largely the way penetration testing is used,” he explained. “The customer feels comfortable but it's a load of baloney because there are a variety of ways you know that you can get in.”
Technologists have long argued about the importance of network visibility, machine learning and other technologies in managing risk from threats such as ransomware, while others have noted that a strong customer-led business approach can reduce the overall damage caused in a breach. Yet with vulnerabilities identified and superficially patched while others remain undetected, Day said that CISOs' efforts must be focused not so much on preventing intrusion but on ensuring that there is adequate support for security as a continuous process, owned and driven by the business.
This approach ensures that whatever policies are put in place reflect the management of risk in a way that is comfortable and relevant for the executives. “The technical people shouldn't own that,” Day said. “It's the executive suite that has to come up with it. And often [the security policy] doesn't mean that they can't get in; it just means that if they get in, they don't get out with much.” Shifting from a block-at-all-costs mentality to a data-triage environment can take time – and flexible thinking, since data loss is one issue but many businesses also run operational systems whose compromise could shut down their operation.
Efforts to engage executives were also struggling in Australia because of an historical lack of sharing about best methods around security, Day added: “It has been difficult to get examples that had meaningful costs and consequences,” he explained, noting the appeal of looming mandatory breach-notification laws but noting that many businesses are heading off potential issues by being more proactive about sharing details of cybersecurity compromises.
“You never have enough resources to deal with everything at once,” Day said. “But if businesses can adopt that proactive approach, I think there will be less pressure to institute something like mandatory breach laws.” “Ultimately, the success statement around security needs to be driven from the executive; you just have to roll your sleeves up and start small.”