By Erick Rudiak, VP IT & CISO, Express Scripts.
“Outrage, not hazard, drives reputation. Even significant hazards are usually tolerated when outrage is low, and even insignificant hazards are usually rejected when outrage is high.”
— Peter M. Sandman
As the role of Chief Information Security Officer transforms from respected technical expert to board-facing business enabler, the people leading in this role have transformed as well. The industry and our boards have moved beyond a binary evaluation system for a CISO’s performance, where having a breach – any breach – is a failure and not having a breach suggests success. Boards understand that breaches can happen even to well-funded, well-prepared companies if they are targeted by sophisticated adversaries who don’t adhere to the rule of law, and who receive funding from governments or organized crime outfits to develop sophisticated digital attack tools.
Because of this changing landscape, boards ask more nuanced questions. “Are we secure today?” is reframed as “against whom are we secure today?” This shift acknowledges that not all breaches are equal. There are the breaches that have a lasting effect on a company’s brand, reputation, and market value (think of the impact Yahoo’s 2014 breach is having on their ability to close their proposed 2016 deal with Verizon) and the breaches that have short-term impacts but ultimately see the share price rebound to pre-breach levels (think of the 2007 breach at TJ Maxx, whose stock price rebounded in just a few months). Ultimately, it comes down to the notion of outrage: was the attack scenario predictable or ingenious? Were the attackers pedestrian or elite? The CISO is expected to anticipate and defend against likely attack scenarios, and to respond with efficiency and surgical precision if a crisis emerges. In other words, our job is to prevent outrageous breaches.
Board evaluations of CISO preparedness can vary, but they come down to several common factors:
- Funding is certainly one factor, and it is the CISO’s job to synthesize a strategy, syndicate it to the right stakeholders, and marshal the support needed to fund information protection at an appropriate level. However, boards are sharp and they understand even well-funded companies are potential victims: Sony reported spending $171 million recovering from their 2011 breaches, only to be hit again three years later; Target appeared to be making significant security technology investments ahead of their 2013 breach, but suffered process breakdowns; JP Morgan was spending $250 million annually on cybersecurity at the time of their 2014 hack.
- Another is whether the CISO is establishing a strong culture of security. Is the tone at the top strong from leaders outside the CISO’s local function? Are leaders’ actions regarding their own needs and organizations consistent with their verbal support for information protection? Is the company able to react to a changing threat landscape with agility and precision? Are investments made and projects redirected when an emerging attack vector arises without a preexisting defense? Does the company’s workforce buy into and support the information protection program, and has the program treated user experience as a requirement for security controls? How many (or few) clicks does it take for a user to make the right choice when presented with a high-risk interaction?
- Independent expert assessment is a third: How does a skilled practitioner of information security with no built-in bias or historical context about an organization’s journey or past choices rate the company’s program on a normalized basis? Are the risks identified manageable and being addressed with well-measured execution?
As the threat landscape evolves, wise boards and executive committees look to multiple sources for validation of their programs’ health. Attack simulations are vital, especially for companies likely to be targeted by sophisticated adversaries. When scoped and performed by skilled assessors, penetration tests, red team campaigns, incident response drills, and vulnerability assessments can each answer a different variation of the question, “against whom are we secure?” For ensuring that the basics are well-executed, a robust controls assessment program based on a comprehensive framework can provide a high level of assurance that circumstances that can lead to outrageous breaches are being well-managed. In healthcare, an industry targeted more and more frequently by both organized crime and nation states, leading companies continue to adopt the HITRUST CSF as the standard by which they gauge themselves and their ecosystem of partners and suppliers. With strong alignment to multiple standards (NIST 800-53, HIPAA, COBIT, ISO 27001, etc.) and the support of the AICPA, which has endorsed the use of the HITRUST CSF to assist assessors in performing SOC 2 assessments on health care firms, CISOs can expect this trend to continue.
Erick Rudiak is VP IT & Chief Information Security Officer, Express Scripts