Addressing Cyber Security Strategically

By David L Stevens, CIO, Maricopa County

Cyber Security has become increasingly important to an organization’s ability to conduct business. This stems from the high visibility of large data breaches reported by various Fortune 500 companies. As a result, organizations are realizing, at an increasing rate, that their ability to stem the risk posed by Cyber Attackers may be directly related to their ability to stay in business. According to a GovLoop article entitled “Securing Government: Lessons from the Cyber Frontlines,” there was a 782 percent increase in the number of Cyber Threats between the years 2006 and 2012. The same article estimates that the annual cost of cybercrime worldwide is upwards of 400 billion dollars. Cyber Attacks are growing at an alarming rate, and with them the risk to organizations and their ability to execute on their mission.

As the problem becomes more and more prevalent, companies are trying to determine what they can and should do to reduce the likelihood that they will be the next victim. The biggest problem is the lack of visibility into the root cause of the incidents, namely that most companies lack a Cyber Security strategy to execute against. In the Global State of Information Security Survey: Key Findings and Trends, published by PricewaterhouseCoopers LLP (PwC), only 42 percent of respondents reported even having an overall Cyber Security Strategy that the Board of Directors was aware of. Moreover, only 40 percent of Boards have endorsed a Cyber Security budget to address this growing concern. It can be inferred from these statistics that most companies have no visible strategy, nor do they support Cyber Security initiatives at a strategic level. The result is that the problem and its associated solutions are not well understood, which will likely lead to more and more issues over the coming years.

A Strategy addresses most problems by outlining an approach to meet long-term goals and objectives. Without a strategy and appropriate performance metrics to measure the results, there is no meaningful direction for the organization to achieve success. Using the statistics outlined in PwC’s report, 58 percent of Boards of Directors around the globe do not understand how they will address the Cyber Security risk. This may imply they are unaware that their organizations are vulnerable. A Strategy that is visible to organizational leadership will ensure an understanding of the scope of the problem, as well as of the action plan that, if executed, will address the risk. These leaders also need to understand the complexities associated with Cyber Security, which include the fact that not all risks can be remediated. This is because new vulnerabilities are being discovered daily, compounded by human error and the need to have a public presence. Cyber Security is then the ability to reduce the likelihood of something happening by implementing controls and mitigating known vulnerabilities.

A good Cyber Security strategy starts by appointing someone to lead the function of Cyber Security for the organization. The Cyber Security leader must be cognizant of how the risks and issues are communicated to the Board of Directors so as not to create unnecessary panic. This is accomplished by defining what Cyber Security is, through a vision statement that is easily understood. A vision statement might be that “the organization will identify, manage and mitigate the risk of Cyber threats.” The next question is, of course, how, and the answer is derived from the statement itself. An organization must be able to identify Cyber Security threats and vulnerabilities, determine what to do about them, and take action to remediate the possibility of a breach or reduce the impact of one. This logic will result in the establishment of a Cyber Security Monitoring capability to address the identification gap, the creation of a Risk Management program to quantify the root cause of incidents realized, and a Security Architecture capacity to implement processes and technologies to mitigate the root causes identified.

Addressing Cyber Security from this perspective ensures that Board members and senior organizational leadership understand that there is a need to identify, quantify and remediate threats. With this understanding, there is buy-in and support for establishing programs to carry out these efforts. With the programs established, board members and senior executives will understand the need to support the programs’ resources and needs in order to realize their benefit. These programs, however, need to include measurements, so that senior leaders can quantify success and failure. This is where Cyber Security leaders have to be willing to institute processes which may put them in a compromising position. For example, if you report on the number of threats that have compromised the network, senior leadership will expect that their risks have been fully remediated. However, in Cyber Security, once the threat has been identified, the incident has likely already occurred. As a result, Cyber Security leaders need to convey an understanding of what really needs to be done to address the root cause of an incident, namely through investment in technology, processes, and education that support the strategy.

Furthermore, demonstrating through measurements that there is a problem will result in investments in the portfolio of programs. These investments need to be measured and should always demonstrate support for the goals and objectives defined in the strategic plan. This ensures accountability for the Cyber Security organization and demonstrates the current risk posture that an organization maintains. The goal in the end is to reduce the likelihood that something will occur through execution of strategic initiatives. Therefore, Cyber Security is really a risk management issue, whereby problems and issues are addressed by reducing the risk of their occurrence. With Senior Management recognizing that Cyber Security is a managed risk vs. one that can be completely eliminated, and the Cyber Security leader understanding that they must be accountable for what is to be accomplished, the return on investments in the portfolio will be realized through a reduced risk profile.