© 2015 IBM Corporation

From checkboxes to frameworks CISO insights on moving from compliance to risk-based cybersecurity programs

October 2015

The CISO Assessments have chronicled critical and emerging issues for security leaders while also identifying leading practices to pursue

2012: Finding a strategic voice
Established three archetypes for security leaders – the Responder, the Protector, and the Influencer – and explored their characteristics.

2013: A new standard for security leaders
Identified practical steps for security leaders to reach the position of Influencer – through business practices, technology, and measurement.

2014: Fortifying for the future
Sought to define the next stage in the evolution of security leadership in order to provide recommendations for the future.

About this report

This IBM Center for Applied Insights report is based on “Identifying How Firms Manage Cybersecurity Investment,” an IBM-sponsored study by the Darwin Deason Institute for Cyber Security, part of the Lyle School of Engineering at Southern Methodist University in Dallas, Texas.

In-depth interviews were conducted in a semi-structured approach to explore top cybersecurity risks, how risks are determined, organizational support for cybersecurity initiatives and how investments are prioritized.

In 2015, we took a closer look at how CISOs develop cybersecurity strategy and prioritize security investments

•  Cybersecurity risk is a top C-suite priority with funding for security efforts growing to reflect the gravity of the challenge

•  Historically, cybersecurity investment decisions were commonly based on the “checkbox” approach to meet compliance requirements

•  Security leaders are now transforming their programs to be risk-based by using customized frameworks to determine risks and prioritize security investments

Security leaders interviewed by industry

Top challenges facing CISOs in transforming to a risk-based program

Focusing on the “strategic”: How do I transform a compliance-based security program into one focused on risk?

Communicating priorities: How can I best communicate risk to top management and manage expectations?

Making cybersecurity strategy consumable: Do I have the skills, resources and tools to implement the right controls for success?

CISOs are increasingly turning to frameworks as the strategic tool of choice to assess risk and prioritize threats

Key elements of a cybersecurity program:

Consider business priorities, assets, processes

Document formal cybersecurity strategy, objectives and goals

Evaluate and prioritize gaps in current vs desired state across risk management controls

Build a plan to address, monitor and reassess the prioritized control gaps

Define formal framework of risk management controls

Frameworks, past attacks on firms, and industry best practices rank as the top cybersecurity prioritization approaches to risk management

Customized frameworks help to move beyond compliance to risk-based strategy

“Security has to have a basis to argue its point of view in a compelling story with some thought behind it, rather than ‘I want to get these things because it’s the next cool security thing that’s out there’.” -- CISO, Retail

•  Traditional focus on security compliance doesn’t ensure organizations are best prepared for potential security breaches

•  Frameworks provide a better basis for risk assessment to thoroughly and consistently assess security challenges and determine gaps

•  Companies developing their own cyber-risk frameworks are more likely to have a deeper understanding of the real risks to their organizations

Frameworks help increase collaboration with the C-suite to communicate priorities

•  Frameworks are an effective communication tool for CISOs to relay cybersecurity strategy to upper management for buy-in

•  85% of CISOs reported that upper-management support for cybersecurity efforts has increased

•  88% of CISOs reported that their security budgets have increased

•  25% of CISOs surveyed who thought they were spending appropriately also used frameworks as a strategic tool

“Senior leadership is looking for me to articulate what the security strategy is in words, in projects, and in dollars that make sense to them.” -- CISO, Retail

Frameworks provide guidance to move from cybersecurity strategy to implementation

“The key is the ability to develop a new skill set where people can adapt to changing environments versus teaching state-of-the-art routines in cybersecurity.” -- Associate Professor of Managed Information Security, United States

•  Perceived “risk reduction” and “compliance” still top the list to ensure that baseline security objectives are met

•  The talent shortage has led many CISOs to look externally to supplement skills and resources

•  CISOs rely on peer networks, third-party information and third-party threat intelligence data

To combat the talent shortage, security leaders and academic institutions can take a collaborative approach to skills development

•  Train students to be facilitators between technology and business by integrating business components into technical curriculum and vice versa

•  Create holistic curriculum that mimics real-world conditions and the challenges of security leaders

•  Produce versatile experts who use predictive and behavioral analytics to understand and stay ahead of attacks

“Cybersecurity has evolved, and the education has evolved correspondingly. It’s moved from being primarily technical and hands-on to incorporating more management, leadership and policy.” -- Director, Managed Security Information Program, United States

Source: Shaping security problem solvers: Academic insights to fortify for the future, IBM Center for Applied Insights, 2015

While compliance continues to be a big focus, frameworks are helping to drive investments in risk reduction

Key takeaways for developing risk-based cybersecurity programs

Move beyond compliance to risk-based strategy: Customize frameworks to enable strategic assessment of the real risks to the organization, highlighting cybersecurity priorities.

Increase collaboration with the C-Suite: Use frameworks as an effective communications tool to relay cybersecurity strategy in a more consumable way to stakeholders for buy-in.

Apply framework-driven cybersecurity insights: Engage the right skills, third-party intelligence and industry best practices to implement the guidance derived from frameworks.

© Copyright IBM Corporation 2015
IBM Corporation, New Orchard Road, Armonk, NY 10504
Produced in the United States of America, December 2014

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

The findings described in this report are not to be construed as an endorsement by the Darwin Deason Institute for Cyber Security at SMU. The Darwin Deason Institute for Cyber Security neither agrees nor disagrees with the opinions provided in this report.