As chief information security officer, you’re constantly being pressed to communicate how you’re enabling the business, balancing security risk with business demands, and continuously improving security—not to mention reducing costs, becoming more efficient, and demonstrating return on investments.

If you delve into complex security topics and use jargon foreign to non-technical executive audiences (in other words, talk the typical IT security talk), you’ll lose their interest. We’ve all been in meetings where the presenter missed the mark, and you don’t want to be “that guy” or gal. So how can you accurately depict the state of your organization’s security in a way that everyone can understand? Applying analytics to your attack surface may provide significant help.

Imagine the ability to summarize everything you, your teams and your technologies do to secure your IT infrastructure into a single, meaningful score. If this were possible, it would provide a simple yet powerful way to communicate your organization’s security posture to non-technical executives, board members and other stakeholders. If this score were accurate, and you could add business context to it, you would have an effective way to demonstrate exactly how your security investments enable the business.

The financial industry has a lot of history defining and using this type of analysis. Companies and individuals can be sized up with a single credit score. Financial institutions frequently develop singular scores for rating risk, volatility, comparison with peers, and many other key indicators.

For example, Morningstar, an independent investment research firm, scores investments using a star rating system that relies on many underlying metrics. In the sports world, professional baseball has been experimenting with this idea—a single score that indicates a player’s performance and chance of future success (as seen in the movie Moneyball)—for years.

A single, valid security score may seem impossible. It’s daunting to envision the processes and technologies required to aggregate, normalize and summarize a multitude of factors into a single index, score, or grade—especially given the range of security technologies deployed in most organizations.

Tripwire is working on an emerging technology called attack surface analytics (ASA). The goal is to equip CISOs and their security teams with new visibility into enterprise attack surface risk, enabling them to communicate the organization’s security posture quickly and understandably, especially to executive audiences.

Put simply, your attack surface is the sum of your security risk exposure. Put another way, it is the aggregate of all known, unknown and potential vulnerabilities and controls across all software, hardware, firmware and networks. A smaller attack surface can help make your organization less exploitable, reducing risk.

A typical attack surface has complex interrelationships among three main areas of exposure: software attack surface, network attack surface and the often-overlooked human attack surface.

The Software Attack Surface

The software attack surface consists of the software environment and its interfaces. These are the applications and tools available to authorized (and unauthorized) users.

The software attack surface is calculated across many different kinds of code, including applications, email services, configurations, compliance policy, databases, executables, DLLs, web pages, mobile apps and device operating systems.

The Network Attack Surface

The network attack surface presents exposure related to ports, protocols, channels, devices (from routers and firewalls to laptops and smart phones), services, network applications (SaaS) and even firmware interfaces.

Depending on your infrastructure, you may need to include cloud servers, data, systems and processes in your network attack surface.

The Human Attack Surface

Humans have a range of complex vulnerabilities that are frequently exploited. One of the great strengths of highly secure organizations is their emphasis on communicating security awareness and safety principles to their employees, partners, supply chain and even their customers (as when using the web to gain secure access to bank or 401(k) accounts).

Many breaches begin with an exploit directed at humans, and it’s very clear that malicious intent, inadvertent errors and misplaced trust can all be exploited to cause great harm. Examples of successful attacks vary widely (most notably phishing and spear phishing), but a comprehensive index should also include processes, physical security, and privileges (including the ability to attach, read or write to removable devices).

In summary, to accurately determine your attack surface risk, all three of these attack surfaces must be considered. Using existing and emerging ASA technologies can provide improved insight and visibility into your organization’s security posture in each of these areas, as well as provide the underlying basis for the score.
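The aggregation described above (normalize many factors, weight them, roll them up by surface and then into one index) is easier to reason about in code. The following is an added illustration, not Tripwire's ASA or any product's scoring method: the factor names, ceilings, surface weights and quarterly readings are all constructed placeholders that an organization would replace with its own measurements. It also enforces the point made in the summary: a score that silently omits one of the three surfaces is rejected rather than reported.

```python
"""Added example: a composite attack-surface index from normalized factors.

Hypothetical scoring scheme (not Tripwire's ASA). Every metric, ceiling,
weight and reading below is a constructed placeholder.
"""
from dataclasses import dataclass

SURFACES = ("software", "network", "human")
# Assumed relative importance of each surface in the overall index.
SURFACE_WEIGHTS = {"software": 0.40, "network": 0.35, "human": 0.25}


@dataclass(frozen=True)
class Factor:
    name: str        # what was measured
    surface: str     # one of SURFACES
    value: float     # observed measurement for the period
    ceiling: float   # measurement at which exposure is treated as total
    weight: float    # importance relative to other factors in its surface


def exposure(factor: Factor) -> float:
    """Normalize a raw measurement to an exposure in [0, 1].

    Readings at or above the ceiling saturate at 1.0, so one runaway metric
    can neither push a score below zero nor swamp the other factors.
    """
    if factor.ceiling <= 0:
        raise ValueError(f"{factor.name}: ceiling must be positive")
    clipped = min(max(factor.value, 0.0), factor.ceiling)
    return clipped / factor.ceiling


def surface_score(factors: list[Factor], surface: str) -> float:
    """Weighted 0..100 score for one surface (100 = no measured exposure)."""
    subset = [f for f in factors if f.surface == surface]
    if not subset:
        # An index that quietly leaves out a surface is not credible.
        raise ValueError(f"no factors measured for the {surface} attack surface")
    total_weight = sum(f.weight for f in subset)
    weighted_exposure = sum(exposure(f) * f.weight for f in subset) / total_weight
    return 100.0 * (1.0 - weighted_exposure)


def composite_score(factors: list[Factor]) -> dict[str, float]:
    """Per-surface scores plus the overall index, all on a 0..100 scale."""
    if abs(sum(SURFACE_WEIGHTS.values()) - 1.0) > 1e-9:
        raise ValueError("surface weights must sum to 1")
    scores = {s: surface_score(factors, s) for s in SURFACES}
    scores["overall"] = sum(SURFACE_WEIGHTS[s] * scores[s] for s in SURFACES)
    return scores


def trend(previous: dict[str, float], current: dict[str, float]) -> dict[str, float]:
    """Change per key between two periods: the direction an executive slide shows."""
    return {k: current[k] - previous[k] for k in current}


def _period(cves, drift, exposed, anyany, click, admins):
    """Build the constructed factor set for one reporting period."""
    return [
        Factor("unpatched critical CVEs per 100 hosts", "software", cves, 20, 2),
        Factor("hosts drifted from hardening baseline (%)", "software", drift, 100, 1),
        Factor("internet-facing services outside allowlist", "network", exposed, 10, 2),
        Factor("firewall rules permitting any/any", "network", anyany, 5, 1),
        Factor("phishing simulation click rate (%)", "human", click, 30, 2),
        Factor("users holding local admin rights (%)", "human", admins, 50, 1),
    ]


# Constructed readings for two consecutive quarters.
Q1 = _period(cves=12, drift=30, exposed=8, anyany=2, click=18, admins=25)
Q2 = _period(cves=6, drift=20, exposed=4, anyany=1, click=12, admins=20)

if __name__ == "__main__":
    before, after = composite_score(Q1), composite_score(Q2)
    for key, delta in trend(before, after).items():
        print(f"{key:>9}: {before[key]:5.1f} -> {after[key]:5.1f} ({delta:+.1f})")
```

Two design choices carry the weight here. Each factor is normalized against an explicit ceiling, so the index stays on a fixed 0..100 scale from quarter to quarter and the trend line means something; and the per-surface breakdown is kept alongside the overall number, so when the index moves the CISO can still say which surface moved it without dropping into control-level detail.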

Executive leadership (including board members) is not typically interested in operational security details such as answers to questions about specific security control metrics. This information is too detailed and will be viewed as “noise” by those outside the IT and security teams.


In many organizations, executives really don’t care about security risks, but they are required to be informed of a significant security breach by law, by regulations, by standards of ‘due care’ or because of their fiduciary responsibility.

Instead of endless spreadsheet graphs and technical jargon, they want credible information about the organization’s security posture over time that provides a frame of reference for trends and the direction they are heading. Eventually, this type of index could be used for competitive comparisons across organizations, business functions or processes.

It’s also important to note that credible information is very different from an opinion. An informed impression is supported by verifiable facts. CFOs are asked for this type of information constantly (and they will often just deliver it verbally on the fly), particularly when the underlying financial frameworks (such as GAAP analysis) are already understood by executives.

Over time, CFOs have developed trust with the executive leadership team. Being able to back up the impression in a factual, convincing manner is one of the key ways to build trust with non-technical executive leadership.

As a CISO, you’ll want to demonstrate how your group’s activities protect and enable the organization. And you’ll need to communicate that in ways that non-technical executive teams can understand.

Ultimately, ASA technology can allow visibility and communication of security status through the lens of factual and actionable business context, suitable for consumption by executives.

In short, CISOs need what CFOs have—a framework of solid, well-understood metrics that make it possible to inform business and risk decisions by non-security executives. Further, this framework and these metrics will also enable the business to improve understanding and a shared accountability for security results.

The challenge with communicating to non-technical executives is often how to distill the mountains of security control data your team manages into a meaningful visualization. Ideally, you’ll limit yourself to one or two slides, and be able to communicate this meaningfully (without jargon) to non-technical executives within 5–15 minutes.