The Vectra Masked CISO series gives security leaders a place to expose the biggest issues in security and advise peers on how to overcome them.
I’ve seen it countless times. Another CISO walks into a board meeting and muddles through stats showing their compliance status. Great, you’re 75% compliant with ISO 27001, but what does this tell anyone about their level of risk?
The truth is, you can spend years implementing all 114 of ISO 27001’s controls, and a determined attacker could bypass your defences in a few hours. As adversaries continuously update their TTPs (Tactics, Techniques, and Procedures), and trick fallible employees, no amount of compliance will cover all your bases. So why are CISOs clinging to compliance figures like an old safety blanket?
Boards tend to respond well to clear signs of progress, which are notoriously difficult to measure in security. But we must change the conversation. In the classic risk management equation of Risk = Threat x Vulnerability, I have no control over the threat actor’s motivation, skill, or resources. I could put all my resources into a comprehensive compliance strategy and still be unsuccessful.
Instead, approaches must be THREAT-LED. This means identifying your most valuable assets, who is likely to target your organisation, and prioritising activities to mitigate the identified risks. CISOs should measure security based on their ability to discover if they’ve been breached, using meaningful metrics like mean time to breach when testing security, or the mean time to detect threats. Then, CISOs can work to bring these numbers down to an agreed level.
To obtain this data, comprehensive red team exercises are essential. Red teams test technology, people, and processes—probing for blind spots and finding unorthodox ways to breach you. This is exactly how a capable threat actor would operate! This gives invaluable data on what has fallen through the cracks, so CISOs can prioritise accordingly and reduce the average time to detect a breach. But currently, few organisations undergo red team exercises, saying they aren’t mature enough. This is music to an attacker’s ears, and they aren’t going to give you the breathing space to mature before they strike. Red team exercises should be carried out when maturity doesn’t allow for better prioritisation of mitigations against real-world threats.
There’s no other industry that invests so much without objectively measuring the outcome. You wouldn’t drive a car if it wasn’t crash-tested, so why deploy a security strategy without seeing if it can be bypassed? Even regulators are now aware of this fact—with schemes like TIBER-EU demanding banks run red team tests to ensure they move beyond a simple compliance baseline.
In your next board meeting, keep compliance figures as a footnote. Instead, encourage stakeholders to think about the business impact of a breach along with the likelihood that attackers will target your business. Furthermore, discuss the probability of a successful attack playing out. The CEO will care if they make the front page of The Times when your company gets hit by ransomware. As will the CFO, if they are unable to trade while systems are down.
Instead of trying to show that you’re compliant and that the delivery of projects is on track, use meetings to discuss your weaknesses and present the board with options to mitigate them—pushing for the budget needed. In today’s dynamic threat environment, plans may need to change mid-year, so it’s crucial that the board understands the risks they are accepting by choosing not to invest.
This blog originally appeared in The Register.