As chief information security officer, you’re constantly being pressed to communicate how you’re enabling the business, balancing security risk with business demands, and continuously improving security—not to mention reducing costs, becoming more efficient, and demonstrating return on investments.
If you delve into complex security topics and use jargon foreign to non-technical executive audiences (in other words, talk the typical IT security talk), you’ll lose their interest. We’ve all been in meetings where the presenter missed the mark, and you don’t want to be “that guy” or gal. So how can you accurately depict the state of your organization’s security in a way that everyone can understand? Applying analytics to your attack surface may provide significant help.
Imagine the ability to summarize everything you, your teams and your technologies do to secure your IT infrastructure into a single, meaningful score. If this was possible, it would provide a simple yet powerful way to communicate your organization’s security posture to non-technical executives, board members and other stake holders. If this score was accurate, and you could add business context to it, you would have an effective way to demonstrate exactly how your security investments enable the business.
The financial industry has a lot of history defining and using this type of analysis. Companies and individuals can be sized up with a single credit score. Financial institutions frequently develop singular scores for rating risk, volatility, comparison with peers, and many other key indicators.
For example, Morningstar, an independent investment research firm, scores investments using a star rating system that relies on many underlying metrics. In the sports world, professional baseball has been experimenting with this idea—a single score that indicates a player’s performance and chance of future success (as seen in the movie Moneyball)—for years.
A single, valid security score may seem impossible. It’s daunting to envision the processes and technologies required to aggregate, normalize and summarize a multitude of factors into a single index, score, or grade—especially given the range of security technologies deployed in most organizations.
Tripwire is working on an innovative and emerging new technology called attack surface analytics (ASA). The goal is to equip CISOs and their security teams with newfound visibility into enterprise attack surface risk, enabling them to communicate the organization’s security posture quickly and understandably, especially to executive audiences.
Put simply, your attack surface is the sum of your security risk exposure. Put another way, it is the aggregate of all known, unknown and potential vulnerabilities and controls across all software, hardware, firmware and networks. A smaller attack surface can help make your organization less exploitable, reducing risk.
A typical attack surface has complex interrelationships among three main areas of exposure: software attack surface, network attack surface and the often-overlooked human attack surface.
The Software Attack Surface
The software attack surface is comprised of the software environment and its interfaces. These are the applications and tools available to authorized (and unauthorized) users.
The software attack surface is calculated across a lot of different kinds of code, including applications, email services, configurations, compliance policy, databases, executables, DLLs, web pages, mobile apps and device OS, etc.
The Network Attack Surface
The network attack surface presents exposure related to ports, protocols, channels, devices (from routers and firewalls to laptops and smart phones), services, network applications (SaaS) and even firmware interfaces.
Depending on your infrastructure, you may need to include cloud servers, data, systems and processes to your network attack surface.
The Human Attack Surface
Humans have a range of complex vulnerabilities that are frequently exploited. One of the great strengths of highly secure organizations is their emphasis on communicating security awareness and safety principles to their employees, partners, supply chain and even their customers (as when using the web to gain secure access to bank or 401K accounts).
Many breaches begin with an exploit directed at humans, and it’s very clear that malicious intent, inadvertent errors and misplaced trust can all be exploited to cause great harm. Examples of successful attacks vary widely, (most notably phishing and spear phishing), but a comprehensive index should include processes, physical security, and privileges (including the ability to attach, read or write to removable devices).
In summary, to accurately determine your attack surface risk, all three of these attack surfaces must be considered. Using existing and emerging ASA technologies can provide improved insight and visibility to your organization’s security posture in each of these areas, as well as provide the underlying basis for the score.
Executive leadership (including the board member) is not typically interested in operational security details such as answers to questions about specific security control metrics. This information is too detailed and will be viewed as “noise” by those outside the IT and security teams.
In many organizations, executives really don’t care about security risks, but they are required by law to be informed of a significant security breach through regulations, standards of ‘due care’ or because of the fiduciary responsibility.
Instead of endless spreadsheet graphs and technical jargon, they want credible information about the organization’s security posture over time that provides a frame of reference for trends indicating directionality. Eventually, this type of index could be used for competitive comparisons across organizations, business functions or processes.
It’s also important to note that credible information is very different from an opinion. The informed impression is supported by verifiable facts. CFOs are asked for this type of information constantly (and they will often just deliver it verbally on the fly), particularly when the underlying financial frameworks (such as GAAP analysis) are already understood by executives.
Over time, they have developed trust with the executive leadership team. Being able to back up the impression in a factual, convincing manner is one of the key ways to build trust with non-technical executive leadership.
As a CISO, you’ll want to demonstrate how your group’s activities protect and enable the organization. And you’ll need to communicate that in ways that non-technical executive teams can understand.
Ultimately, ASA technology can allow visibility and communication of security status through the lens of factual and actionable business context, suitable for consumption by executives.
In short, CISOs need what CFOs have—a framework of solid, well-understood metrics that make it possible to inform business and risk decisions by non-security executives. Further, this framework and these metrics will also enable the business to improve understanding and a shared accountability for security results.
The challenge with communicating to non-technical executives is often how to distill the mountains of security control data your team manages into a meaningful visualization. Ideally, you’ll limit yourself to one or two slides, and be able to meaningfully communicate (without jargon) this to non-technical executives within 5–15 minutes