What to do when there’s no CSO
With no CISO/CSO, how can you make cybersecurity a core part of your culture and business strategy, and maybe even a competitive advantage? Here’s a roadmap to get you going until you can hire one.
Part 2: Cybersecurity playbook: Critical services
SolarWinds really threw a wrench into your well-laid plans. On top of everything else that is going on now, the people you ultimately work for are starting to ask uncomfortable questions: can this happen to us? How much is our risk? Are we sufficiently protecting our key assets? What do we need to do in the future? How does cybersecurity align with our business strategy?
Unfortunately, you haven’t been able to hire your first (or next) head of security yet, or you could get the answers from her. You have a good security team (or you’re still trying to hire one), but they’re not strategic thinkers. You’re the CIO or CTO or the most technical founder, which leaves you as the only one who can answer those questions.
Can you?
How much is your risk?
The bad news: if you’re a tech company, then your risk is higher than any other industry sector (remember, risk ≠ probability). According to a report from the good people at Deloitte Netherlands, the Cyber Value-at-Risk for tech companies is about 17 percent of income. For those in traditional banking, for example, cyber VaR is about 7 percent of income. If you’re a fintech or neobank, then I’d assume your risk is in the absolute worst neighborhood.
SolarWinds should be an object lesson for us all: the day before the announcement of the ‘largest and most sophisticated attack’ ever, their stock closed at $23.55 (December 11, 2020). One week later the price had dropped to $14.18. That’s a 40 percent loss in value. The stock has recovered slightly, and closed on March 1, 2021 at $16.73 — a loss of only 29 percent. You can see now how the cyber VaR method might be a little conservative, particularly if your incident gets a lot of press.
The threat landscape is continually evolving
No matter how bad you’ve heard it is, the threat landscape is worse than you think. I’m not trying to scare you, but it’s common practice for many organizations to avoid any formal reporting of cyber incidents, and threat actors are at the cutting edge of innovation and collaboration. Ever heard of Insider-as-a-Service? Great CV, great interview, but he actually works for the bad guys — as a service to a third party (criminal client).
Is your product going to be part of the supply chain?
Again, thanks to Solarigate, there’s tremendous focus now on securing the supply chain. No doubt you know whether your competitors make a big deal about their cybersecurity chops. If they don’t, then now is the time to make cybersecurity certification one of your competitive advantages.
But I’m not a cybersecurity pro!
Fortunately for you, cybersecurity is not about correlating alerts from your SIEM. Cybersecurity is fundamentally a risk management discipline. Nobody in cybersecurity expects to be able to prevent every attack — so they do their best to manage risk. I know risk management isn’t sexy, but it’s better than standing before your investors to explain that your source code has been encrypted and is being held for ransom. On a positive note, once you start down the cybersecurity road, you get to toss out terms like “attack surface” and “threat landscape” with some authority, so there’s that.
I am not saying that you do not need to hire a security specialist. On the contrary, hire one as soon as you can, or use a virtual CISO until you find the right candidate. What I am saying is that you can’t wait to manage your risk. Fortunately, again, there are invaluable and free resources available to you, thanks to the American taxpayer, numerous non-profits and the governments of most nations. And there’s me. I’m here to help you get your house in order, too.
It doesn’t matter if you’re a three-person team of startup founders taking your first steps to unicorn status, or the CTO of a hospital in the corn belt, or the CIO of a bank in a developing nation: your approach to cybersecurity will be the same. It’s only the details, timeline and price tag that will be different.
There are three parallel streams of work you’ll need to start:
Act now: you must start this stream now. Time’s-a-wasting!
Governance: a stream to ensure that you deliver the value that is needed by your business.
Improve: this is the general, long-term roadmap.
In order to successfully complete the Act now stream, you will have to decide on a cybersecurity framework. This should be fairly easy.
tl;dr
There’s not much more I can say in the space allotted (I will continue this series), so I will summarize:
1. Your overarching goal is to increase the operational resilience of your org by increasing cyber resilience. Visibility is the cornerstone of resilience.
2. Cyber resilience is a risk management practice. You can definitely do this!
3. The threat landscape is constantly evolving; digital transformation is constantly increasing the size of your attack surface; thanks to multicloud/hybrid, SaaS and mobile, your perimeter is dissolving; threat actors are collaborating and now offer insider-threat-as-a-service; your CS team is probably understaffed; CS technology is constantly evolving; your CS strategy must constantly evolve and improve; your cybersecurity plan must constantly evolve and improve.
4. Business strategy must drive your CS strategy.
5. Your strategic CS goals will be the focus of your roadmap, implementation plan and budget.
6. There are things you must do now:
7. Improve cyber resilience: Critical services and their technology dependencies must be identified and documented.
8. Create a baseline of security controls and visibility on those critical services.
9. Perform a gap analysis based on SANS or NIST. SANS even offers a no-budget, small-business implementation of their SANS 20 Security Controls.
10. Fill the gaps between your existing controls and the framework’s controls.
11. Improve basic cyber hygiene now (patching, passwords and policies).
12. Fully adopt a CS framework: SANS to start, then NIST, maybe ISO/IEC 27001 certification one day if you’ve got the cash.
13. Best practices are not enough to protect high-value assets.
14. Mobile apps are easy targets: constantly look for vulnerabilities and repair them (see OWASP).
15. Your supply chain is probably your #1 vulnerability: all those apps and third-party libs you run on-premise or on your customers’ devices.
16. Cloud blind spots will kill you: you don’t have the visibility in place because it wasn’t part of your cloud strategy. Spend money on cloud security.
17. Technology that is open and integrated can save your assets, and save money if you can use it. Platforms are your future.
18. Cheap incident response can cost a lot of money. Have a communications strategy ready and do table-top exercises with all players including your vendors and CSPs.
19. Cyber hygiene is everyone’s responsibility: get help from the board, HR and digital transformation teams.
20. Every six months, review and do it all again.
21. Be ready to spend gifts from above.
Remember: SolarWinds lost 40 percent of its stock value in one week. Don’t be like SolarWinds.
I will be continuing this series over the coming days and weeks. I look forward to positive comments and questions!