Ask the Expert: Cyber Risk and SecOps, Part 1
Kirk Hogan, Chief Innovation Officer at Iceberg Networks sits down with us to answer the top questions we hear from businesses about cyber risk and security operations.
Kirk discusses what CISOs and security leaders are telling us they're most challenged with, how to put cyber threats into a business context, and what companies who are successfully managing cybersecurity, cyber risk and SecOps are doing differently. The following is an edited transcript of the conversation.
Q: When you're talking to CISOs and security leaders, what are they telling you they're most challenged with?
A: The leaders I speak with are most challenged with prioritizing time, focus, and budget on the right things. Priority setting is difficult because they treat almost everything with the same priority in isolation, so nothing gets solved. If they took a cross-functional view (non-siloed), then they could stack-rank priorities as a holistic exercise.
The other major challenge is the velocity of the challenges, or the dynamic nature of them, because priorities are always changing. If you think about the situation we're in today, what we thought our priorities were yesterday has drastically changed for us today, and may again tomorrow. So this is what a normal business environment is; it just takes these large events to make us realize that these are changing all the time.
I also think most businesses are interested in understanding whether they are operating in a safe environment. We are talking about Security Operations, so it really is operating securely. It is more and more critical that leaders know not only that they are conducting business, but that they're conducting business safely, for their own employees and business and also for the products and services they offer to their clients.
Therefore, they need a level of reporting that will handle that different level of stakeholders because it can become overwhelming, so focus really is the number one challenge.
Q: How do we put the cyber threats we face into a business context?
A: Risk is discussed in a context considering Impact and Likelihood…said differently, if something bad were to happen, how would it affect business and people, and what are the probabilities of it becoming real? That’s the business context. This is not a new language, this is a language that has been used for some time in the risk industry.
It could be as simple as a timeline being missed if something bad were to happen, or as catastrophic as loss of life…and everything in between. Of course it’s rare that just one bad thing would happen or that one risk would be realized, which is why multiple risks are usually identified.
When we talk about digital transformation, it becomes even more critical that we have an accurate, transparent and thorough view of what we have and what we do. This lets people have a full understanding of not just the business, but the technology and the processes that they require to support the delivery of those products and services. It has to start with the data and the information management services first. If that’s in place, you can have an effective vulnerability risk program that is mapped to that business context so you can prioritize properly, so cyber threats can be dealt with quickly and there wouldn’t be material harm.
Proactively, if organizations were to set these up and put in these mitigating controls first, then their cyber risk program would be very successful.
Q: In your experience, what are the companies who are managing cybersecurity/cyber risk/SecOps successfully doing differently?
A: The thing that they are doing differently is they are applying focus. They are applying focus on a smaller number of objectives and they are going to make the most progress towards those goals. Those that take on the mega programs without that approach and without breaking it into smaller initiatives (or manageable chunks) are doomed to failure or not to realize those values.
The biggest difference I see between those doing it successfully could be attributed to measuring those ‘things’ that we think are critical to the business and applying the right levels of governance.
Many organizations try to outsmart and overthink what the industry has already figured out. Simply doing those basic things, measuring them and adjusting them will keep expenditures lower because you're going back to basics. An example might be to start off with the vendors that you do business with. They have access to your internal network, some of your systems and at least the people in your organization, whether they are working on an essential service or not. Because of the way threat actors are changing the way that they are attacking businesses, those supply chain services now become the focus of these new threat factors. Being able to measure it and adjust it is critical.