Cybersecurity Risk Questions Boards Should Be Asking

Four risk-based questions boards should ask CISOs and security staff to lay the foundation for productive dialogue.

By: Barry Hensley
Corporate boards—driven by regulators, shareholders and clients—are increasingly interested in how their companies protect valuable information assets. Given the multitude of topics and competing agendas in their proceedings, board members must maximize their time and ask questions that yield the most telling cybersecurity information in the shortest time. They should engage CISOs and security staff in a meaningful way to expose the state of the security program and establish recurring metrics that drive improvements.
While there are many textbook questions and data points boards can address, boards are better served to ask more risk-based questions that require the CISO to fill in the picture based on local conditions, not just industry comparisons. The following questions provide a solid foundation for such a dialogue.
1. Do we have the visibility to detect the threats most relevant to us, whether that be everyday malware, nation states, cyber criminals, insiders or hacktivists?
A CISO's response should go deeper than the visibility metrics provided by a "security stack" that alerts on commonly known malware. While such protections are important, responses from the CISO should emphasize threats in the context of the organization's unique environment: its brand and perception on the world stage; the location of its digital capital (e.g., intellectual property, electronic currency, personal data) and how that digital capital is secured, as well as any internet-exposed vulnerabilities. Has a good pen test, driven by the latest threat intelligence, been recently conducted? Only by "thinking like the enemy" can the CISO begin to itemize and categorize the company's security risks and give context to what is being seen by the security technology.
Again, this visibility should go beyond malware alerts, because adversaries of all skill levels are increasingly using tools provided with operating systems (leveraging built-in Microsoft technologies such as PowerShell and WMI, for example) to carry out their objectives while remaining undetected. To manage the risk of elusive threats, it's critical for your security team to implement logging and behavioral analysis. This provides an "always on" flight recorder for the network all the way down to the endpoints, such as personal user systems, where advanced threat actors often gain their foothold and conduct operations. In the event of an incident, log data is the final battleground for disrupting an adversary, and it helps the company respond with a much higher degree of speed and certainty.
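To make the "flight recorder" point concrete, the following added example (not code from the article or its author) shows the kind of behavioral analysis a security team can run over endpoint process-execution logs. The log format (`day|host|user|process`), the watch-list of built-in tools, the user names and the thresholds are all constructed for the illustration; a real deployment would read from an EDR or Sysmon feed. The logic learns each user's own baseline rate of built-in administrative tool launches and flags users who newly start using those tools, or whose rate jumps well above their baseline, rather than matching any malware signature.

```python
"""
Behavioral analysis over endpoint process-execution logs: flag users whose use of
built-in administrative tools departs from their own baseline. Added illustration;
log lines, watch-list and thresholds are constructed, not from any real product.
"""
from collections import Counter, defaultdict

# Built-in tools whose use is routine for some roles but rarely seen from ordinary
# user accounts. Constructed watch-list for the example.
BUILTIN_ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "cmd.exe", "certutil.exe"}

# Constructed endpoint log lines: "<day>|<host>|<user>|<process>".
# Days 1-5 form the baseline window; day 6 is the window under review.
BASELINE_LOGS = """\
1|ws-011|alice|outlook.exe
1|ws-011|alice|excel.exe
1|srv-01|svc_admin|powershell.exe
2|ws-011|alice|outlook.exe
2|srv-01|svc_admin|powershell.exe
2|srv-01|svc_admin|wmic.exe
3|ws-011|alice|chrome.exe
3|srv-01|svc_admin|powershell.exe
4|ws-011|alice|outlook.exe
4|srv-01|svc_admin|powershell.exe
5|ws-011|alice|excel.exe
5|srv-01|svc_admin|wmic.exe
""".splitlines()

REVIEW_LOGS = """\
6|ws-011|alice|outlook.exe
6|ws-011|alice|powershell.exe
6|ws-011|alice|wmic.exe
6|ws-011|alice|powershell.exe
6|srv-01|svc_admin|powershell.exe
6|srv-01|svc_admin|wmic.exe
6|ws-042|bob|chrome.exe
""".splitlines()


def parse(lines):
    """Yield (day, host, user, process) tuples, skipping malformed lines."""
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        day, host, user, proc = parts
        yield int(day), host, user.lower(), proc.lower()


def admin_tool_rate(lines):
    """Per-user average number of watch-listed tool launches per observed day."""
    counts = Counter()
    days = defaultdict(set)
    for day, _host, user, proc in parse(lines):
        days[user].add(day)
        if proc in BUILTIN_ADMIN_TOOLS:
            counts[user] += 1
    return {user: counts[user] / len(days[user]) for user in days}


def find_anomalies(baseline_lines, review_lines, multiplier=3.0, min_count=2):
    """
    Return {user: reason} for users whose admin-tool usage in the review window is
    anomalous relative to their own baseline:
      - no baseline usage at all but at least `min_count` launches now, or
      - a daily rate more than `multiplier` times the baseline rate.
    """
    baseline = admin_tool_rate(baseline_lines)
    review = admin_tool_rate(review_lines)
    review_counts = Counter(
        user for _d, _h, user, proc in parse(review_lines) if proc in BUILTIN_ADMIN_TOOLS
    )
    anomalies = {}
    for user, rate in review.items():
        base = baseline.get(user, 0.0)
        if base == 0.0 and review_counts[user] >= min_count:
            anomalies[user] = f"first seen using admin tools ({review_counts[user]} launches)"
        elif base > 0.0 and rate > multiplier * base:
            anomalies[user] = f"rate {rate:.1f}/day vs baseline {base:.1f}/day"
    return anomalies


if __name__ == "__main__":
    for user, reason in find_anomalies(BASELINE_LOGS, REVIEW_LOGS).items():
        print(f"ALERT user={user}: {reason}")
```

In the constructed data the service account keeps its usual pattern and stays quiet, while the ordinary user who suddenly launches PowerShell and WMI is flagged. The value for a board-level discussion is that this alert exists only because endpoint process logging was switched on and retained; without that "flight recorder" there is nothing to baseline against.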
2. What do you assess our main cyber risks to be, how well protected against them are we and how are they changing? What gaps exist in current strategies and budgets?
The threat does not remain static, nor does the network or its data. While some threat tactics and tradecraft are well known and are addressed with commercial solutions, the adversary is innovating, always seeking opportunities to bypass traditional protections. For example, bad actors are finding ways to impersonate users and hijack credentials for two-factor authentication by leveraging a wealth of information found in social media (e.g., LinkedIn, Facebook). Is your risk assessment based on current intelligence? Is your penetration testing informed by the latest adversary tactics? In short, is your risk assessment evolving or revolving? Ensure that your risk assessment teams are basing their work on lessons learned from cutting-edge adversary tradecraft rather than recycling the same old "best practices."
3. Are we prepared with a plan to deal with a breach? Do we know when this gets triggered and where responsibilities lie? Has it been tested?
While no company wants to dwell on the potential for serious incidents and breaches, preparation is essential. This cannot be a collective head nod and a vague awareness of the problem, but a real understanding of what constitutes an addressable incident, its triggers, the steps that occur to resolve the incident and the people involved. Key tenets should be established, such as "who's in charge, where is the checklist, how do I contact the key players, and what are the measurable actions we take to address the incident rapidly."
4. Do you feel security training is tailored and delivered to ensure that each workforce segment is aware of threat actors and their current tactics?
Security training has the potential to mitigate attacks against the network, but it's often too generic or fails to engage the proper audience. One size does not fit all. Do general users understand how phishing works? Do administrators know the value of frequently changed passwords and vulnerability scans? Do web designers understand the importance of secure coding practices? Do executives and financial managers recognize that they are extremely lucrative targets for social engineering? Their lack of awareness alone can cost companies millions. Different segments of the workforce present different risks and security maturity, and the CISO must make sure each segment is aware of the tactics being used to exploit all avenues of compromise.
Boards, company management and CISOs cannot eliminate all cybersecurity risk, but by learning to ask the right questions and prompting a productive dialogue, board members can ensure security staff and employees at large are doing their part to minimize and mitigate risk to the greatest extent possible.