In this second installment of our two-part Questions and Answers column we’ll continue our discussion with David Mount, senior director of product marketing at Cofense, about CISOs and their ongoing discussions with the board of directors about phishing security. Part 1 of this two-part series posted earlier this month.
SC Media: Some boards today are becoming far more involved with cyber and data security due to new GRC regulations. How is this changing the way some companies deal with security and what else has to be done?
David Mount: Boards must continue to recognize that every organization has data that is of value to someone else. New regulations such as the European General Data Protection Regulation, and the associated threat of punitive penalties for data breaches, have refocused many organizations as it relates to cyber and data security.
Mandatory data breach reporting, and the obligations placed on these organizations around notification of data breaches to impacted individuals, mean that reputations, consumer trust and the financial bottom line can be impacted in a heartbeat. It’s an often-cited quote that “it’s not a case of if you get breached, it’s when”. Boards must ensure that teams are working effectively to get visibility of incidents and compromise that could lead to a breach, and shut them down, fast.
Being able to demonstrate that attacks were identified and neutralized quickly will pay dividends when communicating with regulators and consumers alike.
SC: When working with a board of directors, it is essential that the CISO speak in terms the board understands rather than in techno-geek. What are the key elements a board will want to know about the needs of the cybersecurity team, and what should be left out of the discussion?
DM: The cyber threat landscape is diverse, and noisy. The CISO must be able to cut through this noise to articulate an understanding of the specific risks posed to the data and intellectual property that is so valuable to the organization, and board, and the priorities for protecting it.
The CISO should be able to provide metrics to the board on the progress of the activities and programs that are in place to address the identified risks. For example, as this relates to phishing defense, the CISO should be able to update the board with metrics around three key capabilities:
Recognition Capability – how well are employees recognizing evolving phishing threats, as delivered through phishing simulations that represent the type of attacks experienced by the organization.
Reporting Capability – how resilient are employees? Resilience is measured by dividing the number of users who report a simulation by the number that are susceptible. By measuring resilience to phishing, organizations can understand the trend of users who are actually taking action to protect the organization, rather than merely being passive participants in the process.
Response Capability – This is where the rubber hits the road. Here we begin to understand how well Incident Response teams are able to consume reports of suspicious emails from users, understand them and disrupt attacks. Metrics such as the volume of suspicious email reported by users over the past ‘x’ days, together with the number found to be malicious, provide insight into the operational capability of users to identify, and provide visibility into, threats that technical controls have missed. Other metrics, including time to report and time to mitigate, allow the organization to measure trends in response effectiveness. It’s also important to recognize employees that are reporting real phishing messages, allowing for a balance between simulation reports and real reports. Also include stories of real phishing incidents to demonstrate the team’s capabilities when it comes to the real event.
SC: As cybersecurity – and particularly discussions on phishing, malware and ransomware – move into the board room, it is not just the board members who need to be educated on new technologies. The security teams need to be educated on the board’s needs. Specifically, what areas of education would be most useful for the technical teams?
DM: Teams at the coalface can often feel out of touch with the true priorities of the business. The desire for the latest and greatest tools and technology by operational teams can sometimes be out of step with what is actually needed, leading to misplaced investment requests and decisions. The communication between the board and operational teams is essential, and it’s critical that it is bi-directional. The board must communicate strategic priorities, and operational teams must communicate what is actually happening in the trenches, and how this impacts the ability of the business to deliver on its objectives.
The CISO should bring info back from the board – allowing the teams to know they are being recognized and heard by the board. Bring business leaders into their staff meetings to provide the strategic vision. Allow the teams to offer support and collaboration on how to make secure business decisions and balance the risk / reward conversation.
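As an added worked example (not part of the interview and not Cofense's tooling), here is how the three capability metrics Mount lists earlier could be computed for a board update from one simulation campaign and the IR team's report queue, using constructed sample records; the resilience ratio returns None rather than dividing by zero when no one was susceptible.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional

@dataclass
class SimResult:            # one recipient of a phishing simulation
    user: str
    susceptible: bool                 # clicked the link or opened the attachment
    minutes_to_report: Optional[int]  # None if the user never reported the email
@dataclass
class UserReport:           # one suspicious-email report worked by the IR team
    ticket: str
    malicious: bool
    minutes_to_mitigate: Optional[int]  # None while triage or mitigation is still open

# Constructed sample data, not taken from any real campaign.
SIMULATION = [
    SimResult("alice", susceptible=False, minutes_to_report=3),
    SimResult("bob",   susceptible=True,  minutes_to_report=None),
    SimResult("carol", susceptible=True,  minutes_to_report=25),  # fell for it, then reported
    SimResult("dave",  susceptible=False, minutes_to_report=None),  # passive participant
    SimResult("erin",  susceptible=False, minutes_to_report=8),
]
REPORTS = [
    UserReport("T-1", malicious=True,  minutes_to_mitigate=40),
    UserReport("T-2", malicious=False, minutes_to_mitigate=None),
    UserReport("T-3", malicious=True,  minutes_to_mitigate=90),
    UserReport("T-4", malicious=True,  minutes_to_mitigate=None),  # still being worked
]

def recognition_rate(results):
    """Recognition Capability: share of recipients who did not fall for the lure."""
    return None if not results else sum(1 for r in results if not r.susceptible) / len(results)
def resilience(results):
    """Reporting Capability: reporters / susceptible users (None, not a crash, if nobody was susceptible)."""
    reporters = sum(1 for r in results if r.minutes_to_report is not None)
    susceptible = sum(1 for r in results if r.susceptible)
    return None if susceptible == 0 else reporters / susceptible
def response_metrics(reports, results):
    """Response Capability: volume reported, how many were malicious, median time to report/mitigate."""
    malicious = [r for r in reports if r.malicious]
    mitigated = [r.minutes_to_mitigate for r in malicious if r.minutes_to_mitigate is not None]
    report_times = [r.minutes_to_report for r in results if r.minutes_to_report is not None]
    return {
        "reported": len(reports),
        "malicious": len(malicious),
        "malicious_ratio": len(malicious) / len(reports) if reports else None,
        "median_minutes_to_report": median(report_times) if report_times else None,
        "median_minutes_to_mitigate": median(mitigated) if mitigated else None,
    }
```

A resilience ratio above 1.0, as in this sample, means more users reported the lure than fell for it, which is the trend Mount suggests boards should watch.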