How Should We Gauge a Company's Cyber Health?

As an outside observer, how can you tell if a company is staying cyber healthy? That was the question Jamil Farshchi, CISO, Equifax, asked in a post on LinkedIn. While there is no financial-statement equivalent that tells you the strength of a company's security profile, there are signals that will give you a pretty good idea.

On this week's Defense in Depth, my co-host Geoff Belknap, CISO, LinkedIn, and I welcome Matthew Honea, CISO, SmartNews, to discuss the following issues. Please pipe up with your thoughts on any and all.

We know we can't rely on any one data source, yet we still want a third-party scorecard. We're in conflict: we want a Rotten Tomatoes-style system that gives a simple 1-100 "they're THIS secure" rating, but even if something like that existed, we know we should question its validity. Laura Whitt-Winyard of HMG Strategy pointed out that even in finance, financial statements can't be counted on to provide a full picture of financial risk.

Look for signs of the company's attitude toward security. Mark Felegyhazi of Avatao suggests looking at whom the CISO reports to; that's an early indicator of how leadership views security. A breach by itself is not an indicator of poor security, but how a company handles a breach is far more telling, said Shawn M Bowen, CISO, World Fuel Services.

There is a great need and demand for transparency and more measurement, but far too many forces prevent that from happening. Many companies, and auditors as well, use compliance as a health indicator, but compliance does not equal security. And as Michael M. of ClubCorp pointed out, those who have tried to take the high road of being forthcoming about disclosing issues and vulnerabilities have been met with a lot of industry hostility. The industry has pushed many times for more collaboration, especially around threat intel, and while there have been some limited success stories, secrecy is still generally seen as the safer choice for the organization.

How is the company improving its security posture over time? Brandy V. of Crum & Forster suggests looking at past security assessments, audits, and financial statements. Get a lot of them and see how they change over time. If things are not changing for the better, especially the vulnerabilities, that's a major red flag.
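One way to put that advice into practice, as an added example that is not from the episode or any contributor: line up several assessment reports, count the serious open findings in each, and look for findings that never close. The snapshots, finding IDs and severities below are constructed sample data; a real run would read exports from a scanner or audit tracker.

```python
"""Trend check over a series of security assessment findings.

Added example for this newsletter, not code from CISO Series or any
contributor. The assessment snapshots are constructed sample data.
"""
from collections import Counter

# Constructed sample: three quarterly assessments, in chronological order.
# Each finding is (finding_id, severity). IDs are hypothetical.
SNAPSHOTS = {
    "2022-Q1": [("F-101", "critical"), ("F-102", "critical"), ("F-103", "high"),
                ("F-104", "medium"), ("F-105", "low")],
    "2022-Q2": [("F-101", "critical"), ("F-103", "high"), ("F-106", "high"),
                ("F-104", "medium")],
    "2022-Q3": [("F-101", "critical"), ("F-106", "high"), ("F-107", "medium"),
                ("F-108", "low")],
}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def counts_by_severity(snapshots):
    """Map each assessment label to a Counter of open findings by severity."""
    return {label: Counter(sev for _, sev in findings)
            for label, findings in snapshots.items()}


def persistent_findings(snapshots, min_severity="high"):
    """Findings at or above min_severity that are open in every assessment."""
    id_sets = [set(fid for fid, _ in findings) for findings in snapshots.values()]
    common = set.intersection(*id_sets)
    # Severity as recorded in the most recent snapshot that lists the finding.
    sev_of = {fid: sev for findings in snapshots.values() for fid, sev in findings}
    floor = SEVERITY_RANK[min_severity]
    return sorted(fid for fid in common if SEVERITY_RANK[sev_of[fid]] >= floor)


def serious_trend(snapshots):
    """Critical plus high open findings per assessment, in the order given."""
    by_sev = counts_by_severity(snapshots)
    return [by_sev[label]["critical"] + by_sev[label]["high"] for label in snapshots]


def red_flags(snapshots):
    """Reasons the trend is a red flag; an empty list means it is improving."""
    flags = []
    trend = serious_trend(snapshots)
    if trend[-1] >= trend[0]:
        flags.append(f"critical/high count not improving: {trend}")
    stuck = persistent_findings(snapshots)
    if stuck:
        flags.append(f"serious findings open in every assessment: {stuck}")
    return flags


if __name__ == "__main__":
    print("critical/high per assessment:", serious_trend(SNAPSHOTS))
    for flag in red_flags(SNAPSHOTS):
        print("RED FLAG:", flag)
```

On the sample data the headline count is falling (3, 3, 2), which a single "vulnerabilities are down" summary would report as improvement, while F-101, a critical, has sat open across all three assessments. That second check is the one to insist on when reading a stack of reports.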

Please listen to the full episode here, or go to our blog post where you can also read the full transcript. And if you're not already a subscriber to Defense in Depth, please get on that now.

Huge thanks to all our other contributors (witting and unwitting): Paul D. of ?óta Signal Analytics, James Olsen of ZenPrivata, and Matt W. of Zoom.

Thanks to our podcast sponsor, Automox

"Hacking Cyber Insurance" - Super Cyber Friday

Join us this Friday for "Hacking Cyber Insurance: An hour of critical thinking about getting the finance side to be working in concert with security and IT."

It all begins at 1 PM ET/10 AM PT this Friday, December 2, 2022 with guests Scott McCrady, CEO, SolCyber, and Anthony Dagostino, CEO and founder, Converge. We'll have fun conversation and games, plus at the end of the hour (11 AM PT/2 PM ET) we'll do our meetup.

Register

Thanks to our Super Cyber Friday sponsor, SolCyber

Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Terrance Cooley, CISO, United States Air Force JADC2 R&D Center.

Thanks to our Cyber Security Headlines sponsor, Automox

Jump in on these conversations

"What are your thoughts on voluntary security measures versus regulatory mandates?" (More here)

"Chris Krebs is concerned over being able to buy verification on Twitter because it 'opens the information space to a broader community of influencers, clout-chasers, election denialists...'" (More here)

"Now that Twitter is going up in flames, where is infosec Twitter going to go?" (More here)

Coming up in the weeks ahead we have:

  • [12-02-22] Hacking Cyber Insurance
  • [12-09-22] No show
  • [12-16-22] Hacking Non-Traditional Cyber Risk

Save your spot and register for them all now!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.

Patrick "Pat" Arvidson

Co-Founder | CTO | CSO | Advisor | Consulting

2 years

I've always liked the idea of a cyber security scorecard. The issue is not that it's one size fits all, but rather that it's contextual. First you have to start with understanding the threat. It's nigh impossible to build a scoring rubric if the answer is "Threat always wins, you just have to make a mistake." That's not an accurate defensive posture. The reality is that threat is made up of threat actors, who have TTPs and characteristics. We know that some TTPs are used in different sectors, while some are shared across sectors. (Note I'm not talking atomic indicators.) Once we understand what adversary is attacking whom and how, we can then determine a company's ability to protect and detect (NIST CSF) against a given set of techniques; then those can be rolled up to determine an overall ability. The key is having some framework to contextualize the TTPs. Luckily, MITRE ATT&CK provides the Rosetta Stone to unlock that. I'll give you an example. In the DoD, we used a process called DoDCAR; CISA used .govCAR. Sister programs.
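The roll-up the comment above describes, as an added example that is not the commenter's code and not the DoDCAR or .govCAR methodology: coverage per ATT&CK technique is scored separately for the NIST CSF Protect and Detect functions, then weighted by how much each actor relies on the technique. The actor profiles, weights and coverage values are constructed; the technique IDs are real ATT&CK identifiers used only as keys.

```python
"""Threat-contextual scoring of Protect/Detect coverage keyed on ATT&CK IDs.

Added example for this newsletter. It is not DoDCAR or .govCAR and not the
commenter's own code. Actor profiles and coverage values are constructed.
"""

# Constructed actor profiles: technique ID -> relative weight of how much
# the actor relies on that technique. Hypothetical numbers.
ACTOR_PROFILES = {
    "ransomware-affiliate": {"T1566": 3, "T1059": 2, "T1486": 3, "T1078": 1},
    "espionage-group":      {"T1566": 2, "T1078": 3, "T1021": 2, "T1041": 3},
}

# Constructed coverage for one company, per technique and per CSF function,
# from 0.0 (no control) to 1.0 (fully covered).
COVERAGE = {
    "T1566": {"protect": 0.8, "detect": 0.9},  # Phishing
    "T1059": {"protect": 0.4, "detect": 0.7},  # Command and Scripting Interpreter
    "T1486": {"protect": 0.5, "detect": 0.6},  # Data Encrypted for Impact
    "T1078": {"protect": 0.3, "detect": 0.2},  # Valid Accounts
    "T1021": {"protect": 0.2, "detect": 0.3},  # Remote Services
    # T1041 (Exfiltration Over C2 Channel) deliberately has no entry.
}


def coverage_for(coverage, technique, function):
    """Coverage of one technique for one function; an unmapped technique is 0.0."""
    return coverage.get(technique, {}).get(function, 0.0)


def function_score(profile, coverage, function):
    """Weighted average coverage over the actor's TTPs for one CSF function."""
    total = sum(profile.values())
    covered = sum(w * coverage_for(coverage, t, function) for t, w in profile.items())
    return round(covered / total, 3)


def actor_score(profile, coverage):
    """Protect and Detect scores against a single actor profile."""
    return {fn: function_score(profile, coverage, fn) for fn in ("protect", "detect")}


def scorecard(profiles, coverage):
    """Roll-up: the same controls scored against every actor profile."""
    return {actor: actor_score(p, coverage) for actor, p in profiles.items()}


def weakest_techniques(profile, coverage, function, n=2):
    """Techniques carrying the most uncovered weight: where investment moves the score."""
    gap = {t: w * (1.0 - coverage_for(coverage, t, function)) for t, w in profile.items()}
    return sorted(gap, key=gap.get, reverse=True)[:n]


if __name__ == "__main__":
    for actor, scores in scorecard(ACTOR_PROFILES, COVERAGE).items():
        print(actor, scores, "protect gaps:",
              weakest_techniques(ACTOR_PROFILES[actor], COVERAGE, "protect"))
```

The same control set scores in the high 0.5s against the ransomware profile but below 0.3 against the espionage profile, because the latter leans on valid accounts, lateral movement and a technique with no control at all. A single context-free 1-100 number would hide that difference; the per-actor roll-up is what makes the score actionable. Treating an unmapped technique as zero coverage rather than skipping it is deliberate: silently dropping it would inflate the score.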

Gabe S.

CISO | InfoSec | Risk Management | GRC | Consultant | Business Administration | Bridging security expertise with business reality.

2 years

A community sourced scorecard? What comes to mind is VirusTotal... When you look at a file, IP, or hash, you get a response that includes many security sources.

Jordan Wigley

Senior Director @ Fannie Mae | Cybersecurity Leader | Advisory Board Member

2 years

So this is going to seem like a selfish answer given my employer, but I was doing this as a customer for many years prior to working here. I have worked for and with many major Fortune 500 organizations over my almost 20 years in cybersecurity. Far too often, large security teams get caught up in the "checkbox" game of making sure they meet the minimum requirements of every regulatory requirement and other industry standards, without always looking at the bigger picture of how their security posture prepares them for a major security incident. And these days... it doesn't matter what solutions you deploy, you will eventually have to respond to a major security incident. Many SOC/IR teams are still conducting traditional tabletop exercises to check a box somewhere. They're sitting around a room while talking through a fictional scenario using a PPT deck, but they're never going to have the same response as when they're actually under attack... watching alerts pop up, PCAPs of customer data going out the door, and 100s of employees with ransomware. This is where live-fire cyber range assessments, using your actual security tools, are critical to identifying gaps not only in your controls... but also your playbooks, proactively.