Cyber Risk Strategy and the Evolving Role of the CISO

Richard Harrison, Chief Information Security Officer, healthAlliance

Richard Harrison, Chief Information Security Officer, healthAlliance

Organizations need a systematic and proactive approach to information security. Threat actors, attack vectors, and IT system complexity are changing quickly.

In a large enterprise environment, the rush for new technologies combined with uncontrolled IoT, the proliferation of ‘low cost’ hacking techniques, and the expansion of criminal motivations from financial to now social, political or strategic has resulted in major security risk.

Every organization needs an information security strategy to protect its systems and assets from minimizing negative impact on the achievement of business goals.

But the problem with many security strategies is that they are often vague or nebulous. There is often a disconnect between business managers and leaders on the one hand and the IT team on the other.

Fundamentally, a security strategy needs to address the following questions:

What is the business trying to achieve?

What are the risks that will impact the achievement of business goals?

How will we address them?

Business goals

Business goals can be expressed in many ways, but the most commonly understood / generic types of goals might be as follows:

• Grow shareholder value

• Diversify and grow revenue streams

Or, in healthcare:

• Efficient, easy to use technology that supports clinical care

• Reduces harm and improves quality and equity

CISO’s need to engage with business leaders and understand what it is that they are trying to achieve.

Understanding risks

Once business goals are understood, the security and technology risks that will impact the achievement of those goals, if not managed, need identifying. They might include:

• Service disruption due to a lack of resilience in critical systems

• Legal costs or fines due to regulatory and compliance failures

• Service disruption due to third party vendor / supply chain risk

• Loss, exfiltration or manipulation of data due to breach

• Emerging technology risk

Every organization has its own risk landscape that will need defining, but it is vital that the CISO expand on the risks with clear ‘what if’ statements. For example:

Data breach risk: If we do not protect our data wherever it is located to prevent a loss, exhilaration, or manipulation of data, then service disruption and decision-making affecting patient care; identity theft affecting patients or staff and reputational damage could result with associated costs of recovery. Boards want to understand the costs or severity associated with a breach, the probability of an attack, and the susceptibility of the business to that risk and the urgency of the risk.

Addressing risks

Addressing risks starts with high-level strategies. Again, these can be tailored to your organization but there are some generic ones that will apply in most situations. These include:

• Improve governance and leadership

• Ensure evaluation and direction

• Compliance, audit, and review

• Protect our information and systems

• Develop resiliency and recoverability

• Implement security operations

• Get ready for digital business

Once you have selected all that apply, you can outline the purpose and vision of the security strategy and connect the high-level strategies to objectives.

An example of purpose statement: To support the business to ensure cost-effective and adequate security controls are implemented that reduce risk to services and increase resilience within risk appetite.

Vision: To equip and empower customers to ensure safe, secure and reliable operations over the entire lifecycle of the environment while supporting the business objectives of today and tomorrow.

Security objectives should be aligned to your security framework of choice whether it is NIST, ISO27001 or other. Using NIST’s framework the objectives written in simple business language may be:

• Know what we have, what is critical, and what we are doing in our environment. (IDENTIFY)

• Implement measures to protect our data (PROTECT)

• Catch the events we didn’t prevent in an acceptable time frame (DETECT)

• Prioritize and deal with incidents (RESPOND)

• Return to operational state as soon as possible (RECOVER)

You can now link your security program initiatives to your framework and objectives. For example, under IDENTIFY you might have things like:

• Asset management

• Governance of the environment

• Risk management

• Vulnerability management

The above method allows you to connect business goals to risks, risks to approaches you will use to manage them. These approaches guide the security objectives of the business and the tactics and initiatives you will employ to achieve them, thus connecting tactics to strategy in a way that senior executives and board members can understand.

Role of the CISO

Success or failure of your strategy in terms of board and executive buy-in will come down to how simply but effectively you communicate the strategy to the board. The focus of a CISO should be on how to improve communication with both the board and the operational functions of the business.

A CISO needs to start speaking the language a board will understand – to quote Steve King, “explanations in Japanese mean nothing to someone who only understands Italian.”

CISO’s need to draw on the principles enshrined in marketing, relationship management, and psychology. He or she needs to build trust and speak quantitatively. The role is not about technology leadership—business skills are now paramount. It is the CISO’s responsibility to translate cyber threats and risks in terms of the board and senior leaders comprehend and can consume so they can make properly informed decisions.