 back to blog

Being “Threat-Led” is the answer. Your ISO certificate won’t save you from a breach!

The Masked CISO
January 20, 2022
Please note that this is an automated translation. For the most accurate information, refer to the original version in English.

The Vectra Masked CISO series gives security leaders a place to expose the biggest issues in security and advise peers on how to overcome them.

I’ve seen it countless times. Another CISO walks into a board meeting and muddles through stats showing their compliance status. Great, you’re 75% compliant with ISO 27001, but what does this tell anyone about their level of risk?

The problem with ISO compliance

The truth is, you can spend years implementing all 114 of ISO 27001’s controls, and a determined attacker could bypass your defences in a few hours. As adversaries continuously update their TTPs (Tactics, Techniques, and Procedures), and trick fallible employees, no amount of compliance will cover all your bases. So why are CISOs clinging to compliance figures like an old safety blanket?

Boards tend to respond well to clear signs of progress, which are notoriously difficult to measure in security. But we must change the conversation. In the classic risk management equation of Risk = Threat x Vulnerability, I have no control over the threat actor’s motivation, skill, or resources. I could put all my resources into a comprehensive compliance strategy and still be unsuccessful.

Be “Thread-Led”

Instead, approaches must be THREAT-LED. This means identifying your most valuable assets, who is likely to target your organisation, and prioritising activities to mitigate the identified risks. CISOs should measure security based on their ability to discover if they’ve been breached, using meaningful metrics like mean time to breach when testing security, or the mean time to detect threats. Then, CISOs can work to bring these numbers down to an agreed level.

To obtain this data, comprehensive red team exercises are essential. Red teams test technology, people, and processes—probing for blind spots and finding unorthodox ways to breach you. This is exactly how a capable threat actor would operate! This gives invaluable data on what has fallen through the cracks, so CISOs can prioritise accordingly and reduce the average time to detect a breach. But currently, few organisations undergo red team exercises, saying they aren’t mature enough. This is music to an attacker’s ears, and they aren’t going to give you the breathing space to mature before they strike. Red team exercises should be carried out when maturity doesn’t allow for better prioritisation against the mitigation of real-world threats.

There’s no other industry that invests so much without objectively measuring the outcome. You wouldn’t drive a car if it wasn’t crash-tested, so why deploy a security strategy without seeing if it can be bypassed? Even regulators are now award of this fact—with schemes like TIBER-EU, demanding banks run red team tests to ensure they move beyond a simple compliance baseline.

Raise awareness in the next board meeting

In your next board meeting, keep compliance figures as a footnote. Instead, encourage stakeholders to think about the business impact of a breach along with the likelihood that attackers will target your business. Furthermore, discuss the probability of a successful attack playing out. The CEO will care if they make the front page of The Times when your company gets hit by ransomware. As will the CFO, if they are unable to trade while systems are down.

Instead of trying to show that you’re compliant and that the delivery of projects are on track, use meetings to discuss your weaknesses and present the board with options to mitigate them—pushing for budget needed. In today’s dynamic threat environment, plans may need to change mid-year, so it’s crucial that the board understands the risks they are accepting by choosing not to invest.

This blog originally appeared in The Register.

Want to learn more?

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. The Vectra platform and services cover public cloud, SaaS applications, identity systems and network infrastructure – both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization.

If you’d like to hear more, contact us and we’ll show you exactly how we do this and what you can do to protect your data. We can also put you in contact with one of our customers to hear directly from them about their experiences with our solution.

Get in touch