Written by Brett Galloway and Virginia Gambale
Last year, attacks such as SolarWinds and Colonial Pipeline served as a powerful wake-up call for enterprises. The SolarWinds supply chain attack demonstrated that cybercriminals could gain access to some of the world’s most highly regarded companies while remaining undetected for months. Meanwhile, the Colonial Pipeline ransomware attack directly impacted the socioeconomic health of the United States through gas shortages and price increases, transforming ransomware into a top-tier national security threat overnight.
Coming off the one-year anniversary of the SolarWinds intrusion, concerns remain about the effectiveness of the capabilities and programs that have been put in place and the effectiveness of the board’s governance of cybersecurity risk.
After a decade of investment and innovation, the time has come to shift from capability development toward outcome-driven cybersecurity readiness. That is where the board needs to step in.
The board of directors is responsible for providing oversight to every aspect of the business, including cybersecurity risk. Boards need to elevate cybersecurity effectiveness by: (1) shifting their focus from compliance to risk management; (2) urging the chief information security officer (CISO) and the security team to implement a threat-informed defense to manage those risks; and (3) forming a cybersecurity oversight committee within the board to increase its capability to govern cybersecurity risk. Here’s why this matters and how it can work.
Shifting from Compliance to Risk Management
Gartner notes that many board-level executives still believe that internal audits and regulatory compliance are their primary guides to address cybersecurity. This typically occurs because cybersecurity board reporting is buried in the audit committee, or there is an over-emphasis on addressing internal audit findings instead of concentrating resources on building an effective program.
All cybersecurity risks are not created equal. Some represent nuisances, and some manifest as catastrophes. If the board is focused solely on compliance, it will encourage a “check box” mentality that tends to push the organization to spread its resources thinly across all risks. To change that, the board must help the security organization focus the security program on the context of the organization’s particular risk profile.
Putting in Place a Threat-Informed Defense
In part, this means shifting from a traditional emphasis on investing in the defensive walls at the organization’s perimeter. For years the CISO reassured the board that this metaphorical wall stood around the company to keep cyber intruders out. Intruders kept breaking through. The era of building higher walls and promising to keep intruders out has come to an end.
Practically, security teams are adopting an “assume breach” mindset, and vendors are shifting from perimeter-focused technologies toward solutions that detect lateral movement and persistence, for example, so that an intrusion is caught before it becomes a breach. If breach is assumed, the central questions for the organization and board of directors become, “Are we ready?” and “Is our security program effective at protecting against the most important and likely risks?”
This requires the organization to practice what Richard Struse of the Mitre Engenuity Center for Threat-Informed Defense aptly calls a threat-informed defense: the application of a deep understanding of adversary tradecraft and technology to protect against, detect and mitigate cyberattacks.
How do members of the board know that the organization is practicing a threat-informed defense? There are several indicators. Is the security team using the Mitre ATT&CK framework of known adversary tactics, techniques and common knowledge to systematically communicate and reason about adversary behavior? Is the team being proactive and strategic about validating control effectiveness rather than only reacting once a breach or attack has occurred?
Breaches don’t happen because companies neglect to develop proper security programs. Breaches don’t happen due to a particularly sophisticated adversary. Breaches happen because security controls — combinations of people, technology and processes designed to detect and block the adversary — fail regularly, and when they do, they fail silently. If you leave it to the adversary to test your defenses, then you are waiting too long to test them, and you will get burned.
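As an added illustration of the two board questions above (is the team using ATT&CK to reason about adversary behavior, and is it validating control effectiveness rather than waiting for an incident), the following example, written for this page and not taken from the authors or from Mitre, models the difference between a control that is merely deployed and one that has been validated by emulating the technique it is supposed to catch. The ATT&CK technique IDs are real; the control names, the priority list and the test outcomes are constructed for illustration.

```python
"""Added example (not from the article): a minimal control-validation report.

Each ValidationResult records one emulated ATT&CK technique, the control that
should detect it, whether inventory says that control is deployed, and whether
the emulation actually produced a detection. A control that is deployed but
produced nothing is the "silent failure" the article describes.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ValidationResult:
    technique_id: str   # MITRE ATT&CK technique ID, e.g. "T1078" (Valid Accounts)
    control: str        # constructed name of the control expected to catch it
    deployed: bool      # control is enabled according to the asset inventory
    detected: bool      # an emulation of the technique raised an alert


def classify(results: Iterable[ValidationResult]) -> Dict[str, List[str]]:
    """Bucket each tested technique as validated, silent_failure or not_deployed."""
    buckets: Dict[str, List[str]] = {"validated": [], "silent_failure": [], "not_deployed": []}
    for r in results:
        if not r.deployed:
            buckets["not_deployed"].append(r.technique_id)
        elif r.detected:
            buckets["validated"].append(r.technique_id)
        else:
            # Deployed on paper, produced no detection when exercised.
            buckets["silent_failure"].append(r.technique_id)
    return buckets


def untested(priority: Set[str], results: Iterable[ValidationResult]) -> List[str]:
    """Priority techniques (from the organization's risk profile) with no test at all."""
    tested = {r.technique_id for r in results}
    return sorted(priority - tested)


def deployed_coverage(priority: Set[str], results: Iterable[ValidationResult]) -> float:
    """The number a board often hears: share of priority techniques with a deployed control."""
    deployed = {r.technique_id for r in results if r.deployed}
    return len(deployed & priority) / len(priority)


def validated_coverage(priority: Set[str], results: Iterable[ValidationResult]) -> float:
    """The number a board should ask for: share of priority techniques actually detected."""
    validated = {r.technique_id for r in results if r.deployed and r.detected}
    return len(validated & priority) / len(priority)


# Constructed data: five techniques the (hypothetical) risk assessment rated as priority.
PRIORITY_TECHNIQUES: Set[str] = {"T1566", "T1078", "T1021", "T1053", "T1486"}

# Constructed emulation results for four of them; T1486 was never tested.
SAMPLE_RESULTS = [
    ValidationResult("T1566", "email gateway (constructed)", deployed=True, detected=True),
    ValidationResult("T1078", "anomalous login alerting (constructed)", deployed=True, detected=False),
    ValidationResult("T1021", "lateral movement detection (constructed)", deployed=True, detected=False),
    ValidationResult("T1053", "scheduled task monitoring (constructed)", deployed=False, detected=False),
]

if __name__ == "__main__":
    buckets = classify(SAMPLE_RESULTS)
    print("validated:      ", buckets["validated"])
    print("silent failures:", buckets["silent_failure"])
    print("not deployed:   ", buckets["not_deployed"])
    print("never tested:   ", untested(PRIORITY_TECHNIQUES, SAMPLE_RESULTS))
    print(f"deployed coverage : {deployed_coverage(PRIORITY_TECHNIQUES, SAMPLE_RESULTS):.0%}")
    print(f"validated coverage: {validated_coverage(PRIORITY_TECHNIQUES, SAMPLE_RESULTS):.0%}")
```

On the constructed data the report shows deployed coverage of 60% but validated coverage of only 20%, with two silent failures and one priority technique never exercised. That gap between the two percentages is the question a board committee can ask for on a recurring basis without needing to understand any individual control.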
Creating a Cybersecurity Committee to Enable More Effective Governance
With the rise in breaches and shift from capability creation to assuring effectiveness, board members must ask questions to ensure technology capabilities are aligned to the business’s risk profile, and that they sufficiently protect against those risks.
To execute this governance responsibility, board members need to be reasonably well educated on the cybersecurity landscape, including defensive capabilities, threat behaviors and risk management practices. Boards need to form a dedicated cybersecurity committee that can stay deeply engaged and serve as a proxy for all members. This strategy is so critical that Gartner predicts 40% of boards will have a dedicated cybersecurity committee in just three years. Having a cybersecurity subcommittee doesn’t mean that the entire board gets a pass. All members still need to be informed should they have to play a role in significant events and decisions.
Research from Forrester shows enterprise leaders consider accelerating the shift to digital business to be their most critical priority in 2021. As digital transformation initiatives accelerate, so do cybersecurity risks. By applying a threat-informed defense strategy and forming a cybersecurity committee to oversee program effectiveness, the board can shift from compliance management to a more holistic business risk management mindset.