
Getting real business value out of cyber security assessments


7 real-life tips for cyber security practitioners and senior executives who want to look beyond technical “box-checking” approaches

Cyber security assessments can be conducted for a variety of reasons: more often than not, in response to regulatory concerns, third-party requests or executive management questions following a widely publicised data breach (the “could-it-happen-to-us?” type of scenario).

They are also often ordered by incoming senior executives trying to understand the true nature of the security landscape around them.

Key – in this context – is to create an assessment dynamic that will produce reliable, actionable results, instead of a mere “tick-in-the-box” exercise that middle-management could manipulate to justify existing IT projects or the status-quo.

There are countless software assessment tools that can be used in that space, but it is key to start from governance, process and methodology, before looking for the right automation tool.

The most common mistake with cyber security assessments – in particular in large organisations – is to design an assessment practice around the capabilities of a software tool. Business value will not come directly from any software functionality, but from the assessment’s relevance, the true engagement of key stakeholders and their trust in the validity of the results.

Relevance will come from understanding the legacy context in which the assessment is rooted. Engagement and trust will come out of honesty, competence, transparency and the independence of the assessors from any legacy situation.

In order to generate a true transformational dynamic out of this, a number of key management rules have to be followed.

Steps on Cyber Security Assessments

1 – Cyber Security Assessments must start from the start: What are the cyber threats the organisation faces?

The assessment practitioners should start by “doing their homework” instead of relying on generic ready-made statements, and identify threat agents, attack vectors and attack surfaces in the actual context of the organisation being assessed.

They should look without complacency at the true geographical footprint of the business and its dependency on third-parties, as well as industry dynamics around threats & recent attacks.

On that basis, they must assemble a number of compelling war stories to open the eyes of executive management (if necessary) on the real nature of the cyber threats their business is facing.

2 – Understand the existing organisation and its culture to build a clear governance framework surrounding the assessment from the start

Getting the governance context right from the start is also fundamental to engineer acceptance of the assessment results and – ultimately – drive corrective action by the right stakeholders at the right level.

The assessment sponsors must be clearly identified: The assessment practitioners must understand without ambiguity who they are working for and what the sponsors’ objectives are, how the assessment’s results are going to be used (e.g. reporting into risk and compliance or audit committees), and by whom, for what purpose, and at which frequency. The internal culture surrounding “controls” at large must also be understood.

The purpose and context of the exercise must be clear: Assessing Compliance? (against what?) Assessing Risk? (what does that mean?) Assessing Maturity? (according to which model?) Is this going to be a “one-off” or a periodic exercise? What are the timeframes involved?

The actual scope of the exercise and the key stakeholders must be clearly identified: Who is in charge of what? Is there one specific individual identified as being in charge of cyber security? Practitioners must understand as much as possible the roles – past and present – of the various parties in relation to the existing cyber security posture of the organisation being assessed, and their reporting lines. Again, they must not underestimate the true geographical footprint of the business and its dependency on third-parties.

On the basis of the analysis detailed above, a clear steering committee format, membership and meeting schedule should be defined and signed off with all parties to oversee the assessment exercise over the required timeframes (multiple committees may be required at different levels for large organisations; equally, existing committee structures may be re-used where relevant).

3 – Assembling the assessment team: Balance experience with common sense and inquisitiveness

The team can be structured around internal resources or rely on external consultants, but in all cases, it must be totally independent from the pre-existing cyber security organisation and any legacy situation or arrangement.

Assessment team members must have a degree of knowledge of the cyber security field, but they do not need to be all subject-matter experts and they must not be all technologists.

They must have enough experience to spot nonsense, understand what to challenge and where to stop. At the same time, they need to have the inquisitiveness to dig in the right areas or look behind the curtains.

Fundamentally, they must be empathetic and able to build trust with stakeholders by showing them they understand their constraints.

4 – Assembling the assessment checklist: Firmly root your assessment in existing material – good or bad; Do not trust ready-made checklists

Practitioners must start from existing internal material in terms of policies, procedures and guidelines to build their assessment checklist, instead of relying on ready-made material: Most large organisations would have had Information Security practices for years and practitioners should find a vast amount of existing internal material in that space:

  • If the existing internal material is too large or too complex, simplify it
  • If it’s too vague, enrich it with the right amount of (relevant) good practice

But in all cases, traceability to pre-existing internal material must be regarded as paramount.

It should give stakeholders a sense of continuity and coherence, and value their past efforts where relevant: Ignoring valued pieces of existing documentation that might have taken vast efforts to assemble or replacing them with arbitrary external good practices can only alienate stakeholders.

But practitioners must also assess upfront the pre-existing governance model surrounding all internal material collected: How was it assembled? by whom? when? when was it last updated? what are the internal validation processes surrounding it? how was it communicated to relevant stakeholders?

They must tailor their assessment checklist to focus on the sponsor’s objectives and the purpose of the exercise (e.g. Compliance vs. Risk vs. Maturity Assessment, as highlighted above) while respecting:

  • The validity and relevance of pre-existing material (ensuring such material remains traceable throughout)
  • The prescribed timeframes and your own resources (both might be constrained by the budget available to perform the exercise)

Simplicity, industry relevance and clarity of language must rule throughout.

This type of exercise will bring the assessment practitioners in contact with the key cyber security players (typically the CISO – or equivalent – and their team), and will give them an important vehicle to win their trust by showing they understand their capabilities and constraints. This degree of trust (between the assessor and the assessed) will be fundamental to the accuracy and honesty of the assessment itself. From the accuracy of the assessment will be derived the results’ relevance and actionability, and from there the genuine value of the exercise to the business as a whole.

5 – The practice of the assessment itself: Listen, Listen, Listen

Cyber security is a complex topic, where problems are often rooted in decades of short-termism, under-investment, adverse prioritization, or excessive focus on arbitrary technical solutions at the expense of sound governance practices and common sense.

In any large organisation, the assessment practitioners are likely to come across a complex historical context, and often a vast amount of technical and personal legacy. It is essential to capture – or at least understand – the “softer” (human) aspects:

  • Practitioners should analyse their checklist and group subjects by themes.
  • They should identify relevant stakeholders, book meetings in advance and meet with them on their turf, preferably face to face to form a personal bond even if it forces them to travel.
  • They must not follow the structure of their checklist to the letter: Instead, they should ask open questions, let the stakeholders talk, and LISTEN, LISTEN, LISTEN before re-assembling the stakeholders’ input to match the intended output of the checklist.

Practitioners are also likely to find situations where a number of initiatives or projects are already underway in the cyber security space. They must understand their scope, their context, their degree of advancement, and the stakeholders involved.

They should record fairly without burying bad news and give due credit to unstructured practices where they are efficient.

Overall, the assessment team must be kept small and compact even for large scale assessments; meeting notes should be recorded ASAP and shared with other members of the assessment team.

Validation must take place transparently with key stakeholders throughout the assessment and step by step: It will ensure they buy into the overall approach, drive a common interpretation of the assessment checklist and ultimately engineer a stronger acceptance of the findings.

6 – Analysing and presenting results: Do not catch senior management unaware

The assessment practitioners must understand upfront what works best in terms of presentation format for the organisation being assessed, i.e. the type of format that is already being used, that senior management would recognise and be comfortable with.

Assessment results must be formally linked to the threats identified upfront, and work underway – initiatives and projects; good or bad – must be acknowledged.

The strength of graphical models should be used to allow “what-if” scenarios to be visualised, typically around quick wins (should there be any) or projects already underway.

Again, simplicity and clarity of language must rule throughout. The focus must be on hard facts and the hard reality of the assessment results, instead of fuzzy numbers, arbitrary “ROI” calculations and other highly disputable business justifications.

Fundamental to results acceptance is not to catch senior management unaware if results are bad: Nobody likes to be “embarrassed” publicly in meetings; instead senior assessment team leaders should book briefing sessions ahead of key validation meetings with relevant stakeholders and allow them to voice their views in private.

7 – Creating change dynamics and driving real action

Real and lasting change in the cyber security space can be complex and take time to be delivered: It is fundamental to put actions in the right perspective in terms of timeframes and build on work underway – good or bad – as much as realistically possible.

The focus must not be purely on technical solutions: Technology should support and enable sound security processes. Large organisations facing complex cross-silos problems (e.g. in the Identity & Access Management space) must resist the urge to build security processes around technical platforms for the sake of saving time: This is rarely the case, and many large companies have been getting it wrong for the last 15 years (and in many instances pushed by shameless vendors).

Equally, the focus must not be on looking for arbitrary quick wins, as there may not be any.

Instead, the focus must be on looking into the past for roadblocks that have prevented progress and finding ways to remove them or circumnavigate them, challenging the organisational status-quo if necessary: People and organisational structures in place may be unable to lead change and it could be that changing those is the right place to start.

Most cyber security problems will be rooted in culture, governance and process: This is where corrective action should be rooted too to be successful.

Building a support coalition amongst business leaders is fundamental to ensure funding over the mid- to long-term. The approach highlighted above – clear governance established upfront with all stakeholders and constructive assessment leading to genuine findings acceptance – should lead to it naturally.

 

JC Gaillard

Managing Director

Corix Partners


Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.