American companies are being actively targeted by hackers and state-sponsored hacking groups. Chief information security officers realize it's not a matter of if their company will have a cybersecurity incident, but when it might happen. While there's no way of knowing exactly when an attack may occur, CISOs can minimize the likelihood of a breach by having a holistic strategy that includes people, processes, and technology. However, since hacker tactics and technology are constantly evolving, it's important to understand the company's current state on an ongoing basis.
Not all organizations have a CISO, however. In smaller companies especially, the CIO or CTO may have both the authority and responsibility for cybersecurity even through they're probably not security experts. While a CIO or CTO can certainly upskill to become more proficient as an acting or full-time CISO, they should understand what it takes to do a CISO's job well, regardless. Part of that is assessing the company's current state.
"Risk assessment can help an organization figure out what assets it has, the ownership of those assets and everything down to patch management. It involves figuring out what you want to measure risk around because there are a bunch of different frameworks out there [such as] NIST and the Cyber Security Maturity Model, (C2M2)" said Bill Lawrence, CISO at risk management platform provider SecurityGate.io. "Then, in an iterative fashion, you want to take that initial baseline or snapshot to figure out how well or how poorly they're measuring up to certain criteria so you can make incremental or sometimes large improvements to systems to reduce risk."
Asset Visibility Is a Problem
One of the most common complaints a head of cybersecurity will have, irrespective of their title, is a lack of visibility into the company's assets. Without understanding what the ecosystem of hardware, software, network connections and data is, it's impossible to understand which vulnerabilities and threats are even relevant.
"The Center for Internet Security produces a top 20 list of security controls. The No. 1 thing they say is that you should focus on having an inventory of your devices, software and data," said George Finney, CISO at Southern Methodist University. "You have to know what you have in order to protect it, but that visibility is such a challenge to achieve. You may be able to wrap your arms around the on-premises assets, but if your environment is changing rapidly because you're in the cloud, it's much more difficult to achieve."
Having a Baseline Is Important
Dave Cronin, VP, head of cyber strategy and center of excellence (CoE) at Capgemini North America, said the word, "assessment" has fallen out of favor among clients thanks to compliance.
"What's happening is they've been assessed against a compliance requirement and it doesn't necessarily lead to anything because if I'm just checking a box against compliance, it's really a snapshot in time," said Cronin. "It gives you advice like you should have a patch management program, so I check a box, but being compliant doesn't mean being secure. You really want a baseline, so you understand what you have, what you own, where you are today."
If a baseline doesn't exist yet, then the first snapshot will serve that purpose. Based on that, it's easier to understand the amount of budget it will take to make some immediate progress. However, there should also be a roadmap that explains how risks will be mitigated over time and what the associated costs will likely be.
"In addition to knowing the environment, it's basically putting in a more holistic cyber strategy, and you're not going to be able to catch everything," said Cronin. "The trick is to minimize the risk by implementing the right people, processes, and technology and have a layered approach so it's more difficult to break in."
Third-Party Risk Assessment Is Also Necessary
Companies are connected (literally) to their partners and customers these days and those connections can facilitate the spread of malware. Similarly, compromised email accounts can help facilitate phishing campaigns.
Meanwhile, ransomware threats have evolved from "single" to "double" to "triple", which means that bad actors may not just demand a ransom for a decryption key, they may also demand a ransom for not publishing sensitive data they've acquired. More recently, there's a third element that extends to a company's partners and customers. They, too, are being asked to pay a ransom to keep their sensitive information from being published.
Bottom line, a company may only be one of many targets in an entire supply chain.
"Looking at your own scorecard is a good way to get started and thinking about assessments because ultimately you're going to be assigning the same types of weights and risk factors to your vendors," said Mike Wilkes, CISO at cybersecurity ratings company SecurityScorecard. "We need to get beyond thinking that you're going to send out an Excel spreadsheet [questionnaire] once a year to your core vendors."
One of the core questions an annual vendor questionnaire includes is whether the vendor has been breached in the last 12 months. Given the long, time window, it's entirely possible to discover a vendor was breached 11 months ago.
Wilkes said companies are wise to look at N-party risks because dangers lurk beyond even third-party risks.
"People are thinking about one degree of ecosystem change -- who provides me with a service and whom I provide a service to," said Wilkes. "We really need to expand that entire thing because if the pandemic taught us anything last year it's that entire supply chains were disrupted."
A similar trend is happening at the individual software application level because developers are using more third-party and open source libraries and components to meet shrinking software delivery cycles. However, without understanding what's in the application, it's virtually impossible to build a secure application. There are simply too many pieces outside the developer's control and also software dependencies that may not be entirely understood. That's why companies are increasingly using software composition analysis (SCA) tools and generating a software bill of materials (SBOM). The SBOM not only includes all of an application's components but also their respective versions.
"If we can start caring about where the software came from and what it's made of, we can actually start scoring software and quantifying the risk," said Wilkes. "It's definitely a useful thing, a needed thing and something that we as security officers want to see because then I can make conscious decisions about using a software vendor or swapping out a library or package on something that makes up my infrastructure."
Assessing a company's cybersecurity posture is an in-depth exercise that requires visibility into the company's technology ecosystem and beyond. The sheer complexity of an enterprise's assets alone necessitates the use of modern tools that can speed and simplify the superhuman task of understanding a company's own attack surface. And, as noted above, the sleuth work shouldn't stop there.
"A lot of people who don't have a risk assessment framework in place are trying to build one themselves, but once you start forwarding spreadsheets back and forth, you're lost because you don't know who made the latest update," said SecurityGate's Lawrence. "When you have digital tools, you can get that information quickly and you don't have to have a meeting to figure out what should go in the spreadsheet. In a digital format, it makes it a lot easier."
Also, if your company lacks a CISO, get CISO-level assistance from a consulting partner who understands the cybersecurity landscape, how cyberattacks are evolving and what your company needs to do to dissuade bad actors.
"You don't want to play catchup on a lot of the really foundational things that good risk assessment can bring you," said Lawrence. "It's a matter of keeping up to date with the threats that are out there and continually assessing your risk so you can do what you can to mitigate it."
What to Read Next: