On January 5, 2022, NetSPI CTO Travis Hoyt published an article for the Forbes Technology Council. Read the full article below or online here.
+ + +
Think security is solely the responsibility of the chief information security officer (CISO)? Think again. Finance and risk C-suite leadership have a critical role to play in preventing cybersecurity breaches.
Cybersecurity is a real loss event that has a potentially negative financial impact on a business — and it should be treated as such.
Case in point: According to Digital Hands’ “The Cost of Doing Nothing” report, damages from destructive malware and ransomware were the most expensive cyber attacks at $4.52 million and $4.22 million, respectively. Beyond direct financial losses (e.g., ransom paid), the indirect costs of a ransomware attack — regulatory fines, operational downtime, reputational damage, insurance premiums and legal costs — are also on the rise.
In reality, ransomware and other cybersecurity incidents are a revenue hit. It’s time for security and technology leaders to include finance and risk leadership in cybersecurity conversations, and security testing is a great place to start. Read on for three reasons why.
To Better Understand The Business Risk
For too long, security testing and vulnerability management activities, such as penetration testing, red teaming and breach and attack simulation, among others, have been discussed in an IT or security silo. That’s not where those discussions should be held.
Security professionals must communicate with finance and business leadership to better understand how the organization makes money. At the end of the day, that is what is core to your business and what we are ultimately protecting from cyber threats. Reshaping the way we think about security testing — moving from an engineering focus to a business risk perspective — can help us make more thoughtful decisions on which risks to prioritize, the cybersecurity activities to invest in and which business decisions have limited or negative ROI when incorporating cybersecurity implications.
To Validate And Champion For Cybersecurity Spend
Cybersecurity is often viewed as a cost center, but it should be viewed as a business enabler. When putting your security controls to the test, looping in the CFO and CRO can be invaluable to validate spend and measure ROI.
CFOs, CROs and the like have a unique understanding of loss potential and can help CISOs identify the level of security investment and resources necessary to protect the organization, in line with the organization’s risk appetite.
A running list of vulnerabilities is not the only deliverable you receive following a penetration test. Not anymore, at least. Modern penetration testing models, such as penetration testing as a service (PTaaS), can help you validate your existing security controls (e.g., SIEM, EDR, firewalls) to thoroughly understand the scope of your control coverage.
“Do my controls give me the level of coverage I need to say that I’m effectively securing this value stream?” is the question that CISOs should ask themselves. Speaking the language of the C-suite — in dollars and cents — will help CISOs create security champions among the leadership team. In addition to reporting the critical vulnerabilities and how they are being remediated, showcase that each security investment is working as intended — or not — through your pentesting assessments.
To Shift Your Vulnerability Management Mindset
Today, there are organizations that still implement a “spray and pray” vulnerability management approach. They rely solely on automated scanners for their testing, without human context. Just as businesses are not created equal, all vulnerabilities are not created equal. It requires human intuition to identify the greatest risks to your business and prioritize the remediation efforts. Tech-enabled experts can bring that intuition to bear efficiently, enabling greater coverage in both breadth and depth.
The threat landscape is constantly changing and testing annually is no longer good enough. Businesses are dynamic — CFOs and CROs know this well — so why don’t today’s testing strategies align with this?
Security testing is a critical component of the CFO and CRO’s roles as they focus on satisfying regulatory bodies and auditors in their day-to-day work. An annual, check-the-box pentest may help them adhere to compliance requirements today, but those requirements are evolving. As a risk-based vulnerability management approach gains traction, continuous testing will become the standard.
Applications change and new releases are rapid-fire. Executives must be committed to investing in security, but also to investing in process improvements that enable this type of testing to occur more frequently. Reduced-friction security engagements can provide reassurance that unidentified risks are not making it into production with each feature release. Work with your CFOs and CROs to help them understand the concept of risk-based vulnerability management and establish a plan for always-on testing, such as implementing a continuous pentesting strategy.
The goal of security testing is no longer to find as many vulnerabilities as possible. It’s now shifting to a model where we are identifying the vulnerabilities that create the greatest risk to an organization in real time. Establishing relationships between security and risk/finance leadership is key to achieving a risk-based security testing program.