Feature Story

How to Build a Strategic Security Foundation

Companies with a solid strategy in place can respond quickly and calmly to new threats, instead of lurching through patches and crises.

At Austria’s lakeside Romantik Seehotel Jaegerwirt, attackers recently locked guests out of their rooms and froze the hotel’s key system. They then demanded, by email, that the hotel pay two Bitcoins (roughly $1,800) to make everything work again.

That’s the Internet of Things, ransomware, and cryptocurrency, all wrapped up in one tidy New York Times headline. It illustrates the risks that accompany this new digital business world.

And the hotel wasn’t alone. According to Cisco’s 2017 Annual Cybersecurity Report, 49 percent of the 2,824 companies surveyed had to manage public scrutiny of a security breach last year.

Security: It’s at the Board Level

CEOs, boards of directors, and certainly CIOs know by now that they have to up their security game.

It’s been six years since the Securities and Exchange Commission issued guidance on disclosing material cybersecurity risks. The digitization of business has only accelerated since.

“Cyber risk and regulation [are] adding to [the] scope and depth of risk boards must manage,” said Holly Morris, speaking at CIOs as Digital Directors, an event in St. Paul, Minnesota, in October 2016. That’s tough to juggle as boards are “still coming up to speed on digital and what that means for their business,” she said.

As a result, many boards are looking to add members with digital expertise. That’s a smart move, but not an easy one to pull off, said Nicholas Percoco, CISO at Uptake.

“Everybody would like to find a board-level appointment with deep security knowledge, but not that many of those people actually exist,” Percoco said.

Plugging Holes is Not a Strategy

As a result, while the technologies that underpin digital business rapidly evolve, it’s easy to let digital security amount to a hunt for new technical vulnerabilities.

As the hotel example illustrates, network-connected devices may be targets, with increasingly significant potential consequences, especially as sensors and controls play larger roles in corporate business.

“IoT means you just have more holes to plug,” said Per Melker, vice president of security and innovation accelerators at research firm IDC. “These devices are so new, and many of them aren’t built on a security-first principle.” Most of those devices, however, will end up connected through some form of gateway. Melker said the gateway thus becomes a logical place to apply additional security controls.

Similarly, in a business world reliant on algorithms and machine learning, those algorithms are potential targets for theft or malicious modification. “Is someone going to hijack cognitive code at some point? Of course,” Melker said.

“Everything new that we deploy brings in new potential vulnerabilities.”

And for corporate leadership, that’s the real problem. Constant business and technical evolution means that more than ever, it’s impossible to have all the holes plugged.

“Boards can wind up reading superficial articles and asking questions like ‘Do we have two-factor authentication enabled?’” said Percoco. “But that’s not a board-level question that helps you drive strategic decision-making.”

Percoco and Melker offer four points toward a different and more strategic way of thinking about security at the top of the corporation:

1. Know your adversary.

Percoco previously worked as a security consulting lead at KPMG and also led a vulnerability research lab. In those roles, he interacted with a number of companies that had basic security and compliance technologies in place but still suffered a significant compromise.

“When I was doing advisory work, I would start the conversation by asking ‘Who’s your adversary? Who are we building to defend against?’” he said.

“I’ve never found anyone who had a real clear picture.”

Strategic security decisions rest on risk management. That means understanding which vulnerabilities are most significant as well as how likely they are to be exploited.

Without an understanding of who might want to exploit them—and to what end—Percoco said it’s impossible to know whether you are spending your efforts and money on the highest priority defenses.

In the hijacked hotel system example, did it cost the company two Bitcoins? Was its biggest loss aggravated guests? Or was the biggest loss the reputational hit for its appearance in the New York Times?

Those are questions every leadership team has to consider in their own context. An autonomous car maker, an omnichannel retailer, and an analytics-driven oil company all have different threat and risk profiles.

“The CISO of a Swedish bank told me, ‘My biggest risk is not that someone will hack in and steal some money,’” Melker recounted. Instead, the CISO’s top concern was that ‘Our bank customers will lose faith in us and the platforms we have, and want to go back and bank some other way.’

2. Always ask for more context.

Even if current board members learn to ask more technical questions of their CIO and CISO, Percoco said, the more critical challenge is having enough contextual knowledge to evaluate the answer.

“If a board member asks ‘What do we do to prevent exposure?’ and the answer is ‘We run a vulnerability scan every four months and fix all those issues,’ that may sound awesome but it’s really the bare minimum, like limping across the threshold,” he said.

A follow-up question that can add context to this and almost every answer would be “How does that match what our industry peers are doing in this regard?”

A further follow-up would be “Do you, as CISO, think this is sufficient? Why?”

And to guide the discussion in a still more strategic direction, “How will this have to change given our business plans and goals in the next year or two?” Percoco noted that this requires that the security team be aware of those plans in advance, rather than being added to the discussions as an afterthought when a merger is about to close or a product is about to launch.

3. Make security everyone’s job.

‘Everyone’ starts at the top.

“If the CEO and board aren’t completely bought in on security, I wouldn’t take the CISO job,” said Percoco, as it’s an obvious recipe for failure.

However, that ownership of security has to go much further. In reviewing those companies that had suffered a breach, he said in many cases the CEO believed security was a priority. But when Percoco interviewed other corporate officers such as the CFOs, “often that same level of commitment was not there, and the impacts weren’t fully understood. It wasn’t part of the culture.”

To prevent this cultural issue at Uptake, Percoco’s team created a “security manifesto” of nine sentences, fitting on a 4-by-6-inch card that he distributes personally to every new hire at the company.

Instead of stating policies or general awareness language, this manifesto “talks about our role as a company working across many industries, and how our customers’ ability to do business depends on our products working securely,” he said.

With continual reinforcement of this message—and its effect on decision-making throughout the company—from upper management, Percoco said he sees employees buying in.

“When people cite that manifesto in meetings or quote it back to me, that’s how we know it’s working,” he said.

4. Sign off on the risks you accept.

Smart security plans and careful prioritization of spending will still leave risks. To Melker’s point, trying to eliminate all risk would require never implementing a new technology or creating any new products and services.

The ultimate challenge for boards and CEOs is to accept responsibility for those risks.

“This is a 101 lesson from the best CISOs: When the business leaders put in writing that they own or co-own the risk, that’s going to ensure they manage it intelligently and invest in the right level of security,” Melker said.

Recall the ransom demand at the Romantik Seehotel Jaegerwirt? The hotel manager decided to pay that ransom in order to get his business back up and running.

Boards are lucky to face a similar decision now, but with an option the hotel no longer had: You have the option to prioritize threats and pay for security up front, instead of waiting for hackers to send you their bill.