SlideShare une entreprise Scribd logo

From checkboxes to frameworks

A
Andréanne Clarke

CISO insights on moving from compliance to risk-based cybersecurity programs

Technologie
1  sur  12
Télécharger pour lire hors ligne
From checkboxes to frameworks CISO insights on moving from compliance to risk-based cybersecurity programs ibm.com/ibmcai | ibmcai.com
2 From checkboxes to frameworks: CISO insights on moving from compliance to risk-based cybersecurity programs Cybersecurity risk is an immense threat. It’s also a top C-suite priority, with funding for security efforts growing to reflect the gravity of the challenge. Security leaders are realizing that simply “checking the box” to address compliance requirements is no longer a sufficient strategy. Those further up the maturity curve are transforming their programs to be truly risk-based by using a sophisticated approach to determine risks and prioritize security investments.
3 Cybersecurity risk is a first-class threat to organizations of all sizes. Managing it is now a top C-suite priority, and funding for security efforts is increasing to reflect its importance. However, the growing number of public breaches occurring despite this increased visibility has led many Chief Information Security Officers (CISOs) and other high-level security leaders to examine their underlying motivations and assumptions. There’s a new effort by security leaders to look for fundamental ways to influence and improve both their own programs as well as best practices in effectively defining and applying risk management. This IBM Center for Applied Insights report, based on “Identifying How Firms Manage Cybersecurity Investment,” an IBM-sponsored study by Southern Methodist University, outlines how CISOs are stepping up cybersecurity efforts to focus on addressing one of the most prevalent underlying issues globally—a programmatic focus on compliance instead of risk-based business outcomes.1 In short, CISOs now know that simply being compliant isn’t acceptable for a well- governed organization. About the study This IBM Center for Applied Insights report is based on “Identifying How Firms Manage Cybersecurity Investment,” an IBM-sponsored study by the Darwin Deason Institute for Cyber Security, part of the Lyle School of Engineering at Southern Methodist University in Dallas, Texas. Researchers surveyed dozens of senior security executives in various industries, with emphasis on financial services, healthcare, retail and government. In-depth interviews were conducted in a semi-structured approach to explore top cybersecurity risks, how risks are determined, organizational support for cybersecurity initiatives and how investments are prioritized. How do I transform a compliance- based security program into one focused on risk? How can I best communicate risk to the organization and manage expectations? Do I have the skills, resources and tools to implement the right controls for success? To address these questions, CISOs are adopting more sophisti- cated approaches to determine threats and to prioritize and fund security initiatives. Increasingly, security leaders are using custom frameworks as a strategic tool to transform their organizations into ones focused on real cybersecurity risk. About the IBM Center for Applied Insights ibm.com/ibmcai | ibmcai.com The IBM Center for Applied Insights introduces new ways of thinking, working and leading. Through evidence-based research, the Center arms leaders with pragmatic guidance and the case for change.
4 From checkboxes to frameworks: CISO insights on moving from compliance to risk-based cybersecurity programs What do CISOs struggle with? Communicating priorities While the majority of senior leaders across organizations realize the importance of cybersecurity, CISOs still need to convey strategy and technical requirements to the C-suite in language they understand. In addition, CISOs acknowledged that showing ROI for security projects is often difficult—in fact, many firms now view security as a necessary business expense. However, metrics are nonetheless valuable for locking in support for specific initiatives directed by their cybersecurity strategy. Making cybersecurity strategy consumable Often, the bigger concern for the C-suite is not whether it should fund cybersecurity initiatives, but whether security teams are equipped to successfully implement controls and manage numerous projects to support the organization. Part of the challenge is that cybersecurity strategy is not always consumable. Relaying it in a clear implementation plan, select- ing the right solutions and developing a deployment schedule that doesn’t disrupt the organization involve a variety of critical factors. CISOs are struggling to find the right skills to handle the rollout—this requires talent with an exacting mix of technical knowledge and business savvy. Security leaders also have to stay current on market trends, industry best practices and new security product releases. Focusing on the strategic Historically, cybersecurity investment decisions were com- monly based on meeting compliance requirements using best practices and industry-accepted technologies—a “checkbox” approach that satisfied baseline requirements. Industry best practices were a benchmark for CISOs to gauge whether they had effectively addressed key risk factors for their organizations. If their peers were doing something, it meant they likely should too. And if they were compliant, they could check the box. The challenge for CISOs is that, all too often, a compliance-based approach doesn’t address the actual security risks faced by their organizations. “Good compliance does not equal good security.” — CISO, Government 88% of CISOs reported that their security budgets have increased
5 CISOs today face three major challenges CommunicationStrategy Consumability Communicating priorities Making cybersecurity strategy consumable Focusing on the strategic Communicating priorities Making cybersecurity strategy consumable Focusing on the strategic “I always try to make the compliance argument the last thing because I think that way too many pro- grams are aligned around ‘What’s the minimum thing I have to do to get a check mark?’” — CISO, Retail “Senior leadership is looking for me to articulate what the security strategy is in words, in projects, and in dollars that make sense to them.” — CISO, Retail “It doesn’t matter how good the tool is if the program is in the drawer and not on the floor.” — CISO, Financial Services
6 From checkboxes to frameworks: CISO insights on moving from compliance to risk-based cybersecurity programs Using risk-based frameworks to represent and implement cybersecurity strategy To address the challenges around strategy, communication and implementation, CISOs are increasingly turning to customized frameworks as the primary way to formalize their approach to cybersecurity. Risk-based frameworks provide standards, best practices and guidelines for protecting systems, applications and data. Frameworks in use range from widely adopted NIST, ISO 2700 and COBIT to hybrid approaches customized for the organization’s needs. Frameworks are becoming the strategic tool of choice to assess risk, prioritize threats, secure invest- ment, and communicate progress for the most pressing security initiatives. Creating effectual policies A CISO of a financial services firm operates with a clear “three lines of defense” strategy. This means that under the leadership of the COO who has visibility across the orga- nization’s operations, the CIO creates policies around risk, or what is needed, while the CISO translates those policies into practical implementations, or how it will be done. It’s the difference between “principle-based” policies that address strategy, and “effectual policies” that address how strategy is implemented. This approach allows the CISO to create effectual policies, investing in controls that address the real underlying threats to the organization. It also allows investments to be based on customer expectations rather than internal requests. A phased rollout of security controls also helps ensure there are no disruptions to the business and that there’s a positive impact on overall security. 0% 5% 10% 15% 20% 25% Frameworks are ranked as the most strategic prioritization approach Gut What peers are doing Cost-value estimation Board recommendations Past attacks on other firms Quantitative measures Past attacks on your firm Ranked #1 Ranked #2 Ranked #3 Frameworks Industry best practices
7 Moving beyond compliance to risk-based strategy Many of the CISOs interviewed acknowledged that the traditional focus on security compliance allowed them to check a box, but it didn’t ensure that the organization was best prepared for potential security breaches. Frameworks, on the other hand, provide a better risk assess- ment model, allowing an organization to more thoroughly and consistently assess security challenges and determine gaps. While most frameworks include elements of business assets, processes, vulnerabilities and probabilities, CISOs point to the real value that comes from customizing them based on their environment. This customization mitigates the potential of frameworks to simply become more advanced checkboxes. Companies developing their own cyber-risk frameworks are more likely to have a deeper understanding of the real risks to their organizations. In most cases, elements of existing frame- works such as NIST and COBIT are used as a foundation to build best-fit frameworks that can be used to inform company- wide standards. “Security has to have a basis to argue its point of view in a compelling story with some thought behind it, rather than ‘I want to get these things because it’s the next cool security thing that’s out there.’” —CISO, Retail Workbooks for cybersecurity implementation A VP of security compliance at a data management company takes a different approach that focuses more on assessing cybersecurity risk and less on the actual imple- mentation of cybersecurity strategy. His team develops a project workbook that defines the characteristics of each system to be secured. This workbook provides the approach that is then implemented by the VP of security. The value of continuous testing is something he stresses: “I don’t believe that email, the Internet, anything is secure. Period.” Leveraging his background in penetration testing, he continually tests the company’s outward-facing applica- tions from an external location, prepared with controls to manage zero-day scenarios. Being nimble allows the secu- rity organization to react quickly and protect the company. Strategic cybersecurity programs include five key elements Document formal cybersecurity strategy, objectives and goals Define formal framework of risk management controls Consider business priorities, assets, processes Evaluate and prioritize gaps in current vs. desired state across each control Build a plan to address, monitor and reassess the prioritized control gaps
8 From checkboxes to frameworks: CISO insights on moving from compliance to risk-based cybersecurity programs Increasing collaboration with the C-suite Frameworks are also proving to be an effective communication tool, arming CISOs with a translation mechanism to relay cybersecurity strategy to upper management for buy-in. Eighty-five percent of CISOs reported that upper- management support for cybersecurity efforts has increased and 88 percent of CISOs reported that their security budgets have increased. Nevertheless, when asked about whether they felt that they and peers in other organizations were spending adequately on security initiatives, more than half of the CISOs thought they were spending too little. It’s noteworthy that a quarter of the CISOs surveyed who thought they were spending appropriately also used frameworks as a strategic tool. Orchestrating the lifecycle of cyber defense A CISO of a financial services firm takes a targeted approach to frameworks in order to address the company’s business priorities. Using NIST, ISO and SANS, he developed a customized framework to address the attacks the company was seeing. The framework focuses on key risks including loss of finan- cial data, financial account compromise, business continuity and regulatory risk. The framework also identified primary threat agents including hacktivists and organized crime. His team then developed a phased rollout plan to protect against the most common risks using a variety of tools orchestrated to span the full lifecycle of cyber defense, helping ensure business continuity even in the event of a single tool failure. Instead of a peer network of CISOs to guide his investment decisions, this maverick taps the Silicon Valley venture capital community to learn about disruptive new tools that can address his company’s security challenges. 85% of CISOs reported that upper- management support for cybersecurity efforts has increased “It seems like we’ve all been engaged in a cyber arms race for which we have no option to opt out or seek treaty. There’s no other choice but to respond to that threat.” —CISO, Financial Services
9 Applying framework-driven cybersecurity insights With insights gleaned from new strategic frameworks, what are CISOs prioritizing as drivers for cybersecurity investment? “Perceived risk reduction” and “compliance” still top the list to ensure that baseline security objectives are met. Compliance requirements eat up a significant portion of the security budget. However, perceived risk reduction, evaluated through a framework approach, is helping to drive investment in other security initiatives. But even when security projects are successfully funded, many CISOs encounter roadblocks to implementation, especially when it comes to finding the right skills. Some CISOs that encountered pushback on budget requests from upper management found that it was because of the concern that the security team wouldn’t be able to absorb the approved security spend and execute properly. This talent shortage has led many CISOs to rely on contractors to supplement the skills gap and sometimes even to act in a mentoring capacity to train internal teams. A recent IBM Center for Applied Insights study, “Shaping security problem solvers: Academic insights to fortify for the future,” also highlighted the need to nurture the right security skills to meet the growing needs of organizations.2 Today’s academic security programs are producing versatile experts with technical and business skills who can act as facilitators between IT and the business, bringing predictive and behavioral analysis skills critical to managing cybersecurity programs. “The key is the ability to develop a new skill set where people can adapt to changing environments versus teaching state-of-the- art routines in cybersecurity.” —Associate Professor of Managed Information Security, United States Cost reduction General process improvement Customer requirements Industry best practices Compliance Perceived risk reduction 0% 10% 20% 30% 40% 50% Ranked #1 Ranked #2 Ranked #3 Competitive advantage Frameworks are helping to drive investments in risk reduction
10 From checkboxes to frameworks: CISO insights on moving from compliance to risk-based cybersecurity programs Whether they are assessing risk, identifying threats or making decisions on the right tools to support their cybersecurity strategy, CISOs overwhelmingly rely on their peer networks as well as third-party information to help inform their decisions. Some CISOs find it valuable to use third-party threat intelli- gence data feeds to increase visibility to security threats, while others rely on data-loss prevention (DLP) technology. Given these kinds of inputs, 85 percent of CISOs said they had as much information as they needed to select the right security offerings for their organization. 85% of CISOs reported having the right information to select security solutions for their organization Raising the bar for cybersecurity strategy While there’s no accounting for the unknown, and all CISOs worry about blind spots, using frameworks as a process enables better preparation, instilling confidence that the right controls are in place and the business is protected. By focusing on custom-building their own frameworks based on industry standards, supplemented by third-party intelligence and input from peer networks, cybersecurity leaders are confronting the actual risks that their organizations face. In addition, frameworks themselves have become a key lens through which to define risk perception at the board level and to prioritize investments in security.
11 Evolving your cybersecurity program Move beyond compliance to risk-based strategy Customize frameworks to enable strategic assessment of the real risks to the organization, highlighting cybersecurity priorities. Increase collaboration with the C-suite Use frameworks as an effective communications tool to relay cybersecurity strategy in a more consumable way to stakeholders for buy-in. Apply framework-driven cybersecurity insights Engage the right skills, third-party intelligence and industry best practices to implement the guidance derived from frameworks. Develop Direct Deliver
Please Recycle © Copyright IBM Corporation 2015 IBM Corporation New Orchard Road Armonk, NY 10504 Produced in the United States of America October 2015 IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. About the authors Bob Kalka is Vice President of IBM Security, responsible for IBM’s global technical sales, strategic accounts and enablement programs. He has held a number of leadership positions in product management, sales, business development, marketing management and product development. Bob is Certified in Risk and Information Systems Control (CRISC) by ISACA, and is ITIL certified. He also holds a US Patent related to secure distributed computing software. Bob can be reached at bkalka@us.ibm.com. Cynthya Peranandam is Principal Consultant for the IBM Center for Applied Insights, providing data-driven thought leadership to foster strategic conversations. Previously, she led marketing strategy for IBM Social Business solutions and IBM’s private cloud platform. Cynthya has worked with clients across the digital spectrum, and has driven adoption and commercialization of emerging technology through IBM’s early-adopter program. Cynthya can be reached at cynthya@us.ibm.com and on Twitter @cperanandam. Also check out her posts on the Center’s blog. Contributors David Jarvis Caleb Barlow Sue Ann Wright Ellen Cornillon Laura DeLallo Angie Casey Walker Harrison 1 “Identifying How Firms Manage Cybersecurity Investment,” Southern Methodist University, October 2015, http://bit.ly/CISO-cybersecurity- investment 2 Jarvis, David. Shaping security problem solvers: Academic insights to fortify for the future, IBM Center for Applied Insights, 2015, http://bit.ly/academic- insights-on-cybersecurity The findings described in this report are not to be construed as an endorsement by the Darwin Deason Institute for Cyber Security at SMU. The Darwin Deason Institute for Cyber Security neither agrees nor disagrees with the opinions provided in this report. WGL03092-USEN-00

Recommandé

RSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldRSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
EMC
 
Finding a strategic voice
Finding a strategic voiceFinding a strategic voice
Finding a strategic voice
IBM India Smarter Computing
 
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
Data security: How a proactive C-suite can reduce cyber-risk for the enterpriseData security: How a proactive C-suite can reduce cyber-risk for the enterprise
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
The Economist Media Businesses
 
How to measure your cybersecurity performance
How to measure your cybersecurity performanceHow to measure your cybersecurity performance
How to measure your cybersecurity performance
Abhishek Sood
 
Sans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business MissionSans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business Mission
Tripwire
 
Cybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsCybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of Directors
Paul Feldman
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018
Open Security Summit
 
Priming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraPriming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive era
Luke Farrell
 

Recommandé

RSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldRSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
EMC
 
Finding a strategic voice
Finding a strategic voiceFinding a strategic voice
Finding a strategic voice
IBM India Smarter Computing
 
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
Data security: How a proactive C-suite can reduce cyber-risk for the enterpriseData security: How a proactive C-suite can reduce cyber-risk for the enterprise
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
The Economist Media Businesses
 
How to measure your cybersecurity performance
How to measure your cybersecurity performanceHow to measure your cybersecurity performance
How to measure your cybersecurity performance
Abhishek Sood
 
Sans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business MissionSans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business Mission
Tripwire
 
Cybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsCybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of Directors
Paul Feldman
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018
Open Security Summit
 
Priming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraPriming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive era
Luke Farrell
 
For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10
David X Martin
 
Emerging Need of a Chief Information Security Officer (CISO)
Emerging Need of a Chief Information Security Officer (CISO)Emerging Need of a Chief Information Security Officer (CISO)
Emerging Need of a Chief Information Security Officer (CISO)
Maurice Dawson
 
Cyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attentionCyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attention
Ramón Gómez de Olea y Bustinza
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The Economist Media Businesses
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
Erik Ginalick
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
Daren Dunkel
 
Information Technology Vendor Risk Management
Information Technology Vendor Risk ManagementInformation Technology Vendor Risk Management
Information Technology Vendor Risk Management
Deepak Bansal, CPA CISSP
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise
The Economist Media Businesses
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
Rahul Tyagi
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for Cybersecurity
ShareDocView.com
 
eCrime-report-2011-accessible
eCrime-report-2011-accessibleeCrime-report-2011-accessible
eCrime-report-2011-accessible
Charmaine Servado
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security Study
Scalar Decisions
 
IREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security OutlookIREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security Outlook
Chris Cornillie
 
Risksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementRisksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability Management
Mighty Guides, Inc.
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic Security
Chad Korosec
 
Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital Future
Cognizant
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firm
David Sweigert
 
Linked in misti_rs_1.0
Linked in misti_rs_1.0Linked in misti_rs_1.0
Linked in misti_rs_1.0
Vincent Toms
 
2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary
patmisasi
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic Management
Marcelo Martins
 
Academics and the development of IFRS
Academics and the development of IFRSAcademics and the development of IFRS
Academics and the development of IFRS
kathemarquez
 
El Buyer Journey: Personalización y contexto
El Buyer Journey: Personalización y contextoEl Buyer Journey: Personalización y contexto
El Buyer Journey: Personalización y contexto
Eilis Boyle
 

Contenu connexe

Tendances

The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The Economist Media Businesses
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
Erik Ginalick
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
Daren Dunkel
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
Rahul Tyagi
 
eCrime-report-2011-accessible
eCrime-report-2011-accessibleeCrime-report-2011-accessible
eCrime-report-2011-accessible
Charmaine Servado
 
IREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security OutlookIREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security Outlook
Chris Cornillie
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic Security
Chad Korosec
 
2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary
patmisasi
 

Tendances (20)

For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10
 
Emerging Need of a Chief Information Security Officer (CISO)
Emerging Need of a Chief Information Security Officer (CISO)Emerging Need of a Chief Information Security Officer (CISO)
Emerging Need of a Chief Information Security Officer (CISO)
 
Cyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attentionCyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attention
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
Information Technology Vendor Risk Management
Information Technology Vendor Risk ManagementInformation Technology Vendor Risk Management
Information Technology Vendor Risk Management
 
Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise Protecting the brand—cyber-attacks and the reputation of the enterprise
Protecting the brand—cyber-attacks and the reputation of the enterprise
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for Cybersecurity
 
eCrime-report-2011-accessible
eCrime-report-2011-accessibleeCrime-report-2011-accessible
eCrime-report-2011-accessible
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security Study
 
IREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security OutlookIREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security Outlook
 
Risksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementRisksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability Management
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic Security
 
Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital Future
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firm
 
Linked in misti_rs_1.0
Linked in misti_rs_1.0Linked in misti_rs_1.0
Linked in misti_rs_1.0
 
2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic Management
 

En vedette

View computational thinking_v2
View computational thinking_v2View computational thinking_v2
View computational thinking_v2
Shiyong Lu
 
Ack prez mlrng
Ack prez mlrngAck prez mlrng
Ack prez mlrng
lleedavis
 
CarsDirect Internet Sales 20 Group
CarsDirect Internet Sales 20 Group CarsDirect Internet Sales 20 Group
CarsDirect Internet Sales 20 Group
Sean Bradley
 
Financial & mgt. accounting
Financial & mgt. accountingFinancial & mgt. accounting
Financial & mgt. accounting
Rohit Mishra
 

En vedette (20)

Academics and the development of IFRS
Academics and the development of IFRSAcademics and the development of IFRS
Academics and the development of IFRS
 
El Buyer Journey: Personalización y contexto
El Buyer Journey: Personalización y contextoEl Buyer Journey: Personalización y contexto
El Buyer Journey: Personalización y contexto
 
(2015-02-17) HIPERPLASIA PROSTÁTICA BENIGNA. (PPT)
(2015-02-17) HIPERPLASIA PROSTÁTICA BENIGNA. (PPT)(2015-02-17) HIPERPLASIA PROSTÁTICA BENIGNA. (PPT)
(2015-02-17) HIPERPLASIA PROSTÁTICA BENIGNA. (PPT)
 
Prostatitis patologia
Prostatitis patologia Prostatitis patologia
Prostatitis patologia
 
View computational thinking_v2
View computational thinking_v2View computational thinking_v2
View computational thinking_v2
 
The India Bar Show 2012
The India Bar Show 2012The India Bar Show 2012
The India Bar Show 2012
 
Sport films research
Sport films researchSport films research
Sport films research
 
Ack prez mlrng
Ack prez mlrngAck prez mlrng
Ack prez mlrng
 
5 November 12
5 November 125 November 12
5 November 12
 
CarsDirect Internet Sales 20 Group
CarsDirect Internet Sales 20 Group CarsDirect Internet Sales 20 Group
CarsDirect Internet Sales 20 Group
 
كتاب الرد على البهتان فى رواية يوسف زيدان عزازيل
كتاب الرد على البهتان فى رواية يوسف زيدان عزازيلكتاب الرد على البهتان فى رواية يوسف زيدان عزازيل
كتاب الرد على البهتان فى رواية يوسف زيدان عزازيل
 
10.1007_s40090-015-0039-7 (1)
10.1007_s40090-015-0039-7 (1)10.1007_s40090-015-0039-7 (1)
10.1007_s40090-015-0039-7 (1)
 
شرح أصول الإيمان أندراوس واطسون - إبراهيم سعيد-1
شرح أصول الإيمان أندراوس واطسون - إبراهيم سعيد-1شرح أصول الإيمان أندراوس واطسون - إبراهيم سعيد-1
شرح أصول الإيمان أندراوس واطسون - إبراهيم سعيد-1
 
Khemjira portfolio 2558
Khemjira portfolio 2558Khemjira portfolio 2558
Khemjira portfolio 2558
 
Svbcrm
SvbcrmSvbcrm
Svbcrm
 
Presentation photo sharing
Presentation photo sharingPresentation photo sharing
Presentation photo sharing
 
Byzantium
ByzantiumByzantium
Byzantium
 
Financial & mgt. accounting
Financial & mgt. accountingFinancial & mgt. accounting
Financial & mgt. accounting
 
1995 Complete
1995 Complete1995 Complete
1995 Complete
 
Permak 2012
Permak 2012Permak 2012
Permak 2012
 

Similaire à From checkboxes to frameworks

CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
John Budriss
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
Scott Smith
 
Insights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer AssessmentInsights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer Assessment
IBM Security
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guide
Sergey Erohin
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guide
Sergey Erohin
 
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJNIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
Sherry Jones
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-Effectiveness
Ayham Kochaji
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
MargenePurnell14
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
bagotjesusa
 

Similaire à From checkboxes to frameworks (20)

Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
 
Cyber security: five leadership issues worthy of Board and executive attention
Cyber security: five leadership issues worthy of Board and executive attentionCyber security: five leadership issues worthy of Board and executive attention
Cyber security: five leadership issues worthy of Board and executive attention
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
 
Cyber security framework
Cyber security frameworkCyber security framework
Cyber security framework
 
From checkboxes to frameworks
From checkboxes to frameworksFrom checkboxes to frameworks
From checkboxes to frameworks
 
CIS20 CSCs+mapping to NIST+ISO.pdf
CIS20 CSCs+mapping to NIST+ISO.pdfCIS20 CSCs+mapping to NIST+ISO.pdf
CIS20 CSCs+mapping to NIST+ISO.pdf
 
Insights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer AssessmentInsights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer Assessment
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guide
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guide
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity Framework
 
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJNIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
 
Security of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We NeedSecurity of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We Need
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-Effectiveness
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'a
 
Cyber Defence - Service portfolio
Cyber Defence - Service portfolioCyber Defence - Service portfolio
Cyber Defence - Service portfolio
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
 
Cyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor uploadCyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor upload
 

Dernier

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Dernier (20)

Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 

From checkboxes to frameworks

  • 1. From checkboxes to frameworks CISO insights on moving from compliance to risk-based cybersecurity programs ibm.com/ibmcai | ibmcai.com
  • 2. 2 From checkboxes to frameworks: CISO insights on moving from compliance to risk-based cybersecurity programs Cybersecurity risk is an immense threat. It’s also a top C-suite priority, with funding for security efforts growing to reflect the gravity of the challenge. Security leaders are realizing that simply “checking the box” to address compliance requirements is no longer a sufficient strategy. Those further up the maturity curve are transforming their programs to be truly risk-based by using a sophisticated approach to determine risks and prioritize security investments.
  • 3. 3 Cybersecurity risk is a first-class threat to organizations of all sizes. Managing it is now a top C-suite priority, and funding for security efforts is increasing to reflect its importance. However, the growing number of public breaches occurring despite this increased visibility has led many Chief Information Security Officers (CISOs) and other high-level security leaders to examine their underlying motivations and assumptions. There’s a new effort by security leaders to look for fundamental ways to influence and improve both their own programs as well as best practices in effectively defining and applying risk management. This IBM Center for Applied Insights report, based on “Identifying How Firms Manage Cybersecurity Investment,” an IBM-sponsored study by Southern Methodist University, outlines how CISOs are stepping up cybersecurity efforts to focus on addressing one of the most prevalent underlying issues globally—a programmatic focus on compliance instead of risk-based business outcomes.1 In short, CISOs now know that simply being compliant isn’t acceptable for a well- governed organization. About the study This IBM Center for Applied Insights report is based on “Identifying How Firms Manage Cybersecurity Investment,” an IBM-sponsored study by the Darwin Deason Institute for Cyber Security, part of the Lyle School of Engineering at Southern Methodist University in Dallas, Texas. Researchers surveyed dozens of senior security executives in various industries, with emphasis on financial services, healthcare, retail and government. In-depth interviews were conducted in a semi-structured approach to explore top cybersecurity risks, how risks are determined, organizational support for cybersecurity initiatives and how investments are prioritized. How do I transform a compliance- based security program into one focused on risk? How can I best communicate risk to the organization and manage expectations? Do I have the skills, resources and tools to implement the right controls for success? To address these questions, CISOs are adopting more sophisti- cated approaches to determine threats and to prioritize and fund security initiatives. Increasingly, security leaders are using custom frameworks as a strategic tool to transform their organizations into ones focused on real cybersecurity risk. About the IBM Center for Applied Insights ibm.com/ibmcai | ibmcai.com The IBM Center for Applied Insights introduces new ways of thinking, working and leading. Through evidence-based research, the Center arms leaders with pragmatic guidance and the case for change.
  • 4. 4 From checkboxes to frameworks: CISO insights on moving from compliance to risk-based cybersecurity programs What do CISOs struggle with? Communicating priorities While the majority of senior leaders across organizations realize the importance of cybersecurity, CISOs still need to convey strategy and technical requirements to the C-suite in language they understand. In addition, CISOs acknowledged that showing ROI for security projects is often difficult—in fact, many firms now view security as a necessary business expense. However, metrics are nonetheless valuable for locking in support for specific initiatives directed by their cybersecurity strategy. Making cybersecurity strategy consumable Often, the bigger concern for the C-suite is not whether it should fund cybersecurity initiatives, but whether security teams are equipped to successfully implement controls and manage numerous projects to support the organization. Part of the challenge is that cybersecurity strategy is not always consumable. Relaying it in a clear implementation plan, select- ing the right solutions and developing a deployment schedule that doesn’t disrupt the organization involve a variety of critical factors. CISOs are struggling to find the right skills to handle the rollout—this requires talent with an exacting mix of technical knowledge and business savvy. Security leaders also have to stay current on market trends, industry best practices and new security product releases. Focusing on the strategic Historically, cybersecurity investment decisions were com- monly based on meeting compliance requirements using best practices and industry-accepted technologies—a “checkbox” approach that satisfied baseline requirements. Industry best practices were a benchmark for CISOs to gauge whether they had effectively addressed key risk factors for their organizations. If their peers were doing something, it meant they likely should too. And if they were compliant, they could check the box. The challenge for CISOs is that, all too often, a compliance-based approach doesn’t address the actual security risks faced by their organizations. “Good compliance does not equal good security.” — CISO, Government 88% of CISOs reported that their security budgets have increased
  • 5. 5 CISOs today face three major challenges CommunicationStrategy Consumability Communicating priorities Making cybersecurity strategy consumable Focusing on the strategic Communicating priorities Making cybersecurity strategy consumable Focusing on the strategic “I always try to make the compliance argument the last thing because I think that way too many pro- grams are aligned around ‘What’s the minimum thing I have to do to get a check mark?’” — CISO, Retail “Senior leadership is looking for me to articulate what the security strategy is in words, in projects, and in dollars that make sense to them.” — CISO, Retail “It doesn’t matter how good the tool is if the program is in the drawer and not on the floor.” — CISO, Financial Services
  • 6. 6 From checkboxes to frameworks: CISO insights on moving from compliance to risk-based cybersecurity programs Using risk-based frameworks to represent and implement cybersecurity strategy To address the challenges around strategy, communication and implementation, CISOs are increasingly turning to customized frameworks as the primary way to formalize their approach to cybersecurity. Risk-based frameworks provide standards, best practices and guidelines for protecting systems, applications and data. Frameworks in use range from widely adopted NIST, ISO 2700 and COBIT to hybrid approaches customized for the organization’s needs. Frameworks are becoming the strategic tool of choice to assess risk, prioritize threats, secure invest- ment, and communicate progress for the most pressing security initiatives. Creating effectual policies A CISO of a financial services firm operates with a clear “three lines of defense” strategy. This means that under the leadership of the COO who has visibility across the orga- nization’s operations, the CIO creates policies around risk, or what is needed, while the CISO translates those policies into practical implementations, or how it will be done. It’s the difference between “principle-based” policies that address strategy, and “effectual policies” that address how strategy is implemented. This approach allows the CISO to create effectual policies, investing in controls that address the real underlying threats to the organization. It also allows investments to be based on customer expectations rather than internal requests. A phased rollout of security controls also helps ensure there are no disruptions to the business and that there’s a positive impact on overall security. 0% 5% 10% 15% 20% 25% Frameworks are ranked as the most strategic prioritization approach Gut What peers are doing Cost-value estimation Board recommendations Past attacks on other firms Quantitative measures Past attacks on your firm Ranked #1 Ranked #2 Ranked #3 Frameworks Industry best practices
  • 7. 7 Moving beyond compliance to risk-based strategy Many of the CISOs interviewed acknowledged that the traditional focus on security compliance allowed them to check a box, but it didn’t ensure that the organization was best prepared for potential security breaches. Frameworks, on the other hand, provide a better risk assess- ment model, allowing an organization to more thoroughly and consistently assess security challenges and determine gaps. While most frameworks include elements of business assets, processes, vulnerabilities and probabilities, CISOs point to the real value that comes from customizing them based on their environment. This customization mitigates the potential of frameworks to simply become more advanced checkboxes. Companies developing their own cyber-risk frameworks are more likely to have a deeper understanding of the real risks to their organizations. In most cases, elements of existing frame- works such as NIST and COBIT are used as a foundation to build best-fit frameworks that can be used to inform company- wide standards. “Security has to have a basis to argue its point of view in a compelling story with some thought behind it, rather than ‘I want to get these things because it’s the next cool security thing that’s out there.’” —CISO, Retail Workbooks for cybersecurity implementation A VP of security compliance at a data management company takes a different approach that focuses more on assessing cybersecurity risk and less on the actual imple- mentation of cybersecurity strategy. His team develops a project workbook that defines the characteristics of each system to be secured. This workbook provides the approach that is then implemented by the VP of security. The value of continuous testing is something he stresses: “I don’t believe that email, the Internet, anything is secure. Period.” Leveraging his background in penetration testing, he continually tests the company’s outward-facing applica- tions from an external location, prepared with controls to manage zero-day scenarios. Being nimble allows the secu- rity organization to react quickly and protect the company. Strategic cybersecurity programs include five key elements Document formal cybersecurity strategy, objectives and goals Define formal framework of risk management controls Consider business priorities, assets, processes Evaluate and prioritize gaps in current vs. desired state across each control Build a plan to address, monitor and reassess the prioritized control gaps
  • 8. 8 From checkboxes to frameworks: CISO insights on moving from compliance to risk-based cybersecurity programs Increasing collaboration with the C-suite Frameworks are also proving to be an effective communication tool, arming CISOs with a translation mechanism to relay cybersecurity strategy to upper management for buy-in. Eighty-five percent of CISOs reported that upper- management support for cybersecurity efforts has increased and 88 percent of CISOs reported that their security budgets have increased. Nevertheless, when asked about whether they felt that they and peers in other organizations were spending adequately on security initiatives, more than half of the CISOs thought they were spending too little. It’s noteworthy that a quarter of the CISOs surveyed who thought they were spending appropriately also used frameworks as a strategic tool. Orchestrating the lifecycle of cyber defense A CISO of a financial services firm takes a targeted approach to frameworks in order to address the company’s business priorities. Using NIST, ISO and SANS, he developed a customized framework to address the attacks the company was seeing. The framework focuses on key risks including loss of finan- cial data, financial account compromise, business continuity and regulatory risk. The framework also identified primary threat agents including hacktivists and organized crime. His team then developed a phased rollout plan to protect against the most common risks using a variety of tools orchestrated to span the full lifecycle of cyber defense, helping ensure business continuity even in the event of a single tool failure. Instead of a peer network of CISOs to guide his investment decisions, this maverick taps the Silicon Valley venture capital community to learn about disruptive new tools that can address his company’s security challenges. 85% of CISOs reported that upper- management support for cybersecurity efforts has increased “It seems like we’ve all been engaged in a cyber arms race for which we have no option to opt out or seek treaty. There’s no other choice but to respond to that threat.” —CISO, Financial Services
  • 9. 9 Applying framework-driven cybersecurity insights With insights gleaned from new strategic frameworks, what are CISOs prioritizing as drivers for cybersecurity investment? “Perceived risk reduction” and “compliance” still top the list to ensure that baseline security objectives are met. Compliance requirements eat up a significant portion of the security budget. However, perceived risk reduction, evaluated through a framework approach, is helping to drive investment in other security initiatives. But even when security projects are successfully funded, many CISOs encounter roadblocks to implementation, especially when it comes to finding the right skills. Some CISOs that encountered pushback on budget requests from upper management found that it was because of the concern that the security team wouldn’t be able to absorb the approved security spend and execute properly. This talent shortage has led many CISOs to rely on contractors to supplement the skills gap and sometimes even to act in a mentoring capacity to train internal teams. A recent IBM Center for Applied Insights study, “Shaping security problem solvers: Academic insights to fortify for the future,” also highlighted the need to nurture the right security skills to meet the growing needs of organizations.2 Today’s academic security programs are producing versatile experts with technical and business skills who can act as facilitators between IT and the business, bringing predictive and behavioral analysis skills critical to managing cybersecurity programs. “The key is the ability to develop a new skill set where people can adapt to changing environments versus teaching state-of-the- art routines in cybersecurity.” —Associate Professor of Managed Information Security, United States Cost reduction General process improvement Customer requirements Industry best practices Compliance Perceived risk reduction 0% 10% 20% 30% 40% 50% Ranked #1 Ranked #2 Ranked #3 Competitive advantage Frameworks are helping to drive investments in risk reduction
  • 10. 10 From checkboxes to frameworks: CISO insights on moving from compliance to risk-based cybersecurity programs Whether they are assessing risk, identifying threats or making decisions on the right tools to support their cybersecurity strategy, CISOs overwhelmingly rely on their peer networks as well as third-party information to help inform their decisions. Some CISOs find it valuable to use third-party threat intelli- gence data feeds to increase visibility to security threats, while others rely on data-loss prevention (DLP) technology. Given these kinds of inputs, 85 percent of CISOs said they had as much information as they needed to select the right security offerings for their organization. 85% of CISOs reported having the right information to select security solutions for their organization Raising the bar for cybersecurity strategy While there’s no accounting for the unknown, and all CISOs worry about blind spots, using frameworks as a process enables better preparation, instilling confidence that the right controls are in place and the business is protected. By focusing on custom-building their own frameworks based on industry standards, supplemented by third-party intelligence and input from peer networks, cybersecurity leaders are confronting the actual risks that their organizations face. In addition, frameworks themselves have become a key lens through which to define risk perception at the board level and to prioritize investments in security.
  • 11. 11 Evolving your cybersecurity program Move beyond compliance to risk-based strategy Customize frameworks to enable strategic assessment of the real risks to the organization, highlighting cybersecurity priorities. Increase collaboration with the C-suite Use frameworks as an effective communications tool to relay cybersecurity strategy in a more consumable way to stakeholders for buy-in. Apply framework-driven cybersecurity insights Engage the right skills, third-party intelligence and industry best practices to implement the guidance derived from frameworks. Develop Direct Deliver
  • 12. Please Recycle © Copyright IBM Corporation 2015 IBM Corporation New Orchard Road Armonk, NY 10504 Produced in the United States of America October 2015 IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. About the authors Bob Kalka is Vice President of IBM Security, responsible for IBM’s global technical sales, strategic accounts and enablement programs. He has held a number of leadership positions in product management, sales, business development, marketing management and product development. Bob is Certified in Risk and Information Systems Control (CRISC) by ISACA, and is ITIL certified. He also holds a US Patent related to secure distributed computing software. Bob can be reached at bkalka@us.ibm.com. Cynthya Peranandam is Principal Consultant for the IBM Center for Applied Insights, providing data-driven thought leadership to foster strategic conversations. Previously, she led marketing strategy for IBM Social Business solutions and IBM’s private cloud platform. Cynthya has worked with clients across the digital spectrum, and has driven adoption and commercialization of emerging technology through IBM’s early-adopter program. Cynthya can be reached at cynthya@us.ibm.com and on Twitter @cperanandam. Also check out her posts on the Center’s blog. Contributors David Jarvis Caleb Barlow Sue Ann Wright Ellen Cornillon Laura DeLallo Angie Casey Walker Harrison 1 “Identifying How Firms Manage Cybersecurity Investment,” Southern Methodist University, October 2015, http://bit.ly/CISO-cybersecurity- investment 2 Jarvis, David. Shaping security problem solvers: Academic insights to fortify for the future, IBM Center for Applied Insights, 2015, http://bit.ly/academic- insights-on-cybersecurity The findings described in this report are not to be construed as an endorsement by the Darwin Deason Institute for Cyber Security at SMU. The Darwin Deason Institute for Cyber Security neither agrees nor disagrees with the opinions provided in this report. WGL03092-USEN-00