How to develop a data-driven, risk-based cybersecurity
program

Collaboration is key to taking your data-driven, risk-based
cybersecurity program beyond best practice.

Whitepaper

By David Grady, Chief Cybersecurity Evangelist, Verizon Business Group

Why read this white paper?

It’s an anecdote retold in a thousand and one security-conference keynote addresses and cited in a million and one articles about cybersecurity: The Chief Information Security Officer (CISO) shows up to brief the leadership and Board of Directors on the state of the company’s cybersecurity. He or she breaks out a big black binder brimming with baffling metrics. Eyes glaze over as pie chart after pie chart of key risk indicators (KRIs) are reviewed, and people start checking their smartphones as page after page of scatter-plot charts are presented.

By the time the CISO gets to the appendix full of colorful histograms, the story goes, they've lost the audience—and quite possibly lost the confidence of the board, as well.

Being able to tell a meaningful, actionable, data-driven story about your organization’s cybersecurity posture is one of the most important skills a CISO can develop. But this white paper isn’t exactly about that. Instead, this paper aims to help security-program stakeholders and influencers—board members, C-suite executives, government officials and senior business-line managers—become more discerning and demanding consumers of security data, so they can more effectively leverage that data to contribute to their organization’s response to cyber risk.

As more companies adopt a “risk-based approach” to cybersecurity, it’s critical that stakeholders ask for, and get, the data they need for strategic decision-making.

Trust the data, not your feelings.
Smart organizations know that when it comes to cybersecurity, you simply can’t do it all, nor should you try. Though the methods of cyberattack appear limitless—every day it seems that a creative new hack leads the news—the resources needed to defend an organization are anything but limitless. Precious security resources must be deployed in a manner that mitigates cyber risks to levels acceptable to stakeholders across the entire organization. That’s data-driven decision-making.
The value of data-driven decision-making may seem obvious—who wouldn’t want data to help them make a good decision? But in many organizations, cybersecurity decision-making is still influenced by a dogmatic adherence to industry best practices and even sometimes by fear. Remember:
- Rigidly following a set security-industry best practices can result in a security program that tries to protect against anything that can possibly happen, rather than what the data shows is more likely to happen. While there’s a feeling of safety in being able to say, “But we followed the best practices” after a data breach, that feeling is misguided. One size security does not fit all.
- Headline-grabbing data breaches can spur panicky C-suite executives or agency leadership - under pressure from the Board or other high-maintenance customers or constituents - to make resource demands on the CISO based solely on what they heard on the news, and not on actual data that quantifies the likelihood of interruption to their own companies. Don’t be that leader.

We need to talk.

Digital transformation has forced an entire generation of non-IT business leaders to become conversational, if not fluent, in the language of Information Technology. The relentless pace of digital transformation over the last 20 years—the advent of e-commerce, the sudden ubiquity of mobile apps and the routine integration of artificial intelligence into business processes—has permanently torn down the walls between “the business line” and IT departments. Product development, manufacturing processes, sales and service delivery, and customer retention, every last element of business is now deeply intertwined with, and reliant on, IT and the interpretation of data. Close collaboration between non-IT leaders and their IT peers has become commonplace as they work to drive the business toward achieving its goals.

But collaboration between non-IT business leaders and their organizations’ cybersecurity teams (long derided in some circles as “the Department of Saying ‘No’”) remains a pain-point for many organizations. The EY Global Information Security Survey 2020 reported that 59% of surveyed organizations stated, “the relationship between cybersecurity and the lines of business is at best neutral, to mistrustful or nonexistent.” Furthermore, “cybersecurity is involved right from the planning stage of a new business initiative” in only 36% of surveyed organizations.

These survey results are troubling and are not dissimilar to the findings of many other surveys and industry reports that examined this dynamic.

Nonetheless, non-IT executives have become keenly aware that the confidentiality of sensitive information, the integrity of data and the systems where that data resides and the uninterrupted availability of both internal and customer-facing applications are as important to them as their balance sheets and profit-and-loss statements. But if the security team isn’t getting involved at the start of a business initiative, or if the department has a “neutral” (or worse) relationship with the security team, it’s unlikely that the organization as a whole will achieve its strategic objectives.

Security data, when presented to stakeholders in an actionable business context, is key to closing the communication/relationship gap between program stakeholders and the CISO’s team.

But what kind of data, exactly?

Data, data everywhere

There is no shortage of data to be found in the realm of cybersecurity. Each time an employee logs in to the network, connects to an external website or attempts to access a database or shared file, or even when a suspicious inbound e-mail gets quarantined, those actions create data that tells part of a bigger security story. Even the smallest of organizations is swimming in security data, simply by being open for business from 9 to 5.

But not all data is created equally, at least not as far as security-program stakeholders and influencers are concerned.

Some security data, such as raw event logs collected from security tools like e-mail filters, firewalls, antivirus systems and web proxy devices, is rich in tactical, operational value. A 24/7 team working in a company’s security operations center (SOC) may oversee the analysis of tens of millions of security events every year, with the assistance of complex analytical tools such as security information and event management (SIEM) systems. This type of data helps security analysts hunt for hackers, identify system vulnerabilities and calibrate cyber defenses accordingly. But this data is of little immediate strategic value to stakeholders. It’s when the CISO and his or her team start analyzing individual data points that they begin to extract information that’s actionable and relevant to program stakeholders. Here’s a simple but illustrative example: Explosive growth in the number of security alerts after a recent acquisition creates more issues than the CISO and his or her team has time to manage every day since a recent acquisition, merger or major project was initiated, the CISO seeks funding for additional headcount or asks the Board for additional capital investments to scale their (SOC)/SIEM operations.

That’s the kind of synthesized, contextualized data that security-program stakeholders—especially those overseeing the budget—should ask for and expect, instead of a big black binder bulging with raw metrics.

Listen to the data.

Outside the boardroom or councils of government, business-line managers and government leaders should regularly ask for and receive contextualized security data that helps them better understand, and mitigate, the risks specific to their operations. While the SOC team, by design, must sift through massive amounts of threat intelligence data to make tactical decisions, just a small amount of synthesized data can have a big impact on business-line managers’ decision-making.

Verizon’s annual Data Breach Investigations Report (DBIR), for example, analyzes the techniques behind tens of thousands of real-world security incidents and thousands of confirmed data breaches, boiling all that information down into insights that are easy to digest, actionable and industry-specific. For example: Year after year, the annual DBIR shows that healthcare is the only industry where “insider threats” outweigh external attacks. Healthcare managers can use this DBIR data to modify business processes that lend themselves to countering insider threats, such as sending personal health data by unsecured fax machine “because that’s the way we’ve always done it.” Knowing that, according to the 2020 DBIR, a large majority of reportable HIPAA violations are caused by deliberate employee misuse of his or her access to private health data, a healthcare business-line manager can invest in additional training and awareness programs to amplify messaging about the consequences of access abuse. The CISO can use that same data to justify deploying scarce resources to coordinate more frequent privileged access reviews.

More examples: The DBIR—called “the gold standard” by Forrester Research—shows that certain industries are more prone to Distributed Denial-of-Service (DDoS) attacks than others. With this DBIR data at hand, a CISO in such an industry could advocate for more investment in DDoS protection, while his or her business-line management peers use the data to justify more frequent business continuity/incident response exercises in the face of that persistent DDoS threat. When the DBIR shows a certain industry is highly likely to have its web applications attacked, the business-line or department manager who relies on the app can join forces with the CISO to help ensure robust people-process-technology safeguards are in place, during app development and after launch.

“Listening” to data allows the security program to focus on likely threats rather than on a wide range of possible threats. A solid governance program that mandates frequent interaction and information-exchange between the business lines or operational teams, and the security team fosters the development of that listening skill. This matters even more now that law enforcement, insurance companies, regulators and oversight entities routinely assess the degree to which an enterprise showed informed diligence in applying reasonable security measures to avoid breaches.

Mind your posture.

Once an organization has embraced and operationalized data-driven decision-making to support a risk-based cybersecurity program, it’s ready for the next level: creating a framework for establishing and monitoring its security risk posture.

Far better than a subjective self-assessment of security capabilities and program maturity, a true security-risk posture framework synthesizes data from a broad array of internal and external sources to generate a numerical score that stakeholders and decision-makers can all understand and influence. Like a credit score, a risk posture score is a presentation layer for all the security data that goes into its calculation. And like a credit score, the risk score can inform decision-making. For example, overextend your debt, and your credit score goes down; properly resource your vulnerability patching efforts, and your risk posture score goes up.

Verizon’s Cyber Risk Monitoring service, for example, collects and correlates data from the deep and dark web, honeypots, endpoint security devices and other sources to generate a daily, dynamic risk score on a scale of zero to 1,000. Knowing your organization’s risk posture score (500, 750, 812, etc.)—and having confidence that the score is the byproduct of real data—helps enable security and business-line leaders to collaborate on how to help improve that score. A risk posture scoring framework encourages “if/then” conversations about risk appetite and mitigation: “If we increase our efforts to evaluate third-party risk, which will require business-line assistance, then our posture score will go up. If we don’t redesign department X’s obsolete workflow to reduce the chance of data leakage, then our risk posture score will drop.”

Self-assessing cybersecurity risks with NIST CSF 1.1
Taking a “risk-based approach” to cybersecurity requires having the right stakeholders at the table and that they all have access to the right kind of data to make better-informed decisions. Section 4 of the National Institute of Standards (NIST) Cybersecurity Framework (CSF) 1.1 addresses the need to provide stakeholders with contextualized security data to enable better decision-making. The following excerpts are from the NIST CSF:
“Ideally, organizations using the Framework will be able to measure and assign values to their risk along with the cost and benefits of steps taken to reduce risk to acceptable levels. The better an organization is able to measure its risk, costs, and benefits of cybersecurity strategies and steps, the more rational, effective, and valuable its cybersecurity approach and investments will be.
Over time, self-assessment and measurement should improve decision-making about investment priorities. For example, measuring—or at least robustly characterizing— aspects of an organization’s cybersecurity state and trends over time can enable that organization to understand and convey meaningful risk information to dependents, suppliers, buyers and other parties. An organization can accomplish this either internally or by seeking a third-party assessment. If done properly and with an appreciation of limitations, these measurements can provide a basis for strong, trusted relationships, both inside and outside an organization.
To examine the effectiveness of investments, an organization must first have a clear understanding of its organizational objectives, the relationship between those objectives and supportive cybersecurity outcomes, and how those discrete cybersecurity outcomes are implemented and managed.
The development of cybersecurity performance metrics is evolving. Organizations should be thoughtful, creative and careful about the ways in which they employ measurements to optimize use, while avoiding reliance on artificial indicators of current state and progress in improving cybersecurity risk management. Judging cyber risk requires discipline and should be revisited periodically. For example, tracking security measures and business outcomes may provide meaningful insight as to how changes in granular security controls affect the completion of organizational objectives.”
You may download the NIST CSF V 1.1 publication here: https://www.nist.gov/cyberframework

Everyone can get their head around that idea, and there’s no need to drag out the big black binder of KRIs for non-IT security program stakeholders.

But keep making the colorful histograms and bar charts. The auditors will definitely want to see those.

Learn more:

To learn how Verizon partners with enterprises to help protect against today’s cyberthreats and prepare for what’s next, visit enterprise.verizon.com/products/security/

Or, request a consultation: 877.297.7816