Why Boards should care of security control testing?

What is Cyber security control testing and why should Boards be interested in it?

What is the role of the Board?

Boards are responsible for ensuring there are systems and processes in place to control, monitor and review business performance and compliance, or ‘govern’ the organisation. This framework is ‘corporate governance’. Furthermore, they have effective oversight and control of how the corporation’s objectives are set and achieved, how risk is assessed, managed and monitored, and how performance is measured, monitored and improved.

Why should a Board be interested in cyber security and cyber security control testing?

Good cyber security is all about managing risks. The process for improving and governing cyber security will be similar to the process you use for managing organisational risks. It is a continuous, iterative process and comprises three components: get the information you need to make well-informed decisions on the risks you face; use this information to understand and prioritise your risks; and take steps to manage those risks.

The type of threat an organisation faces is shaped by the nature of the organisation and the services it provides. For example, the vast majority of organisations won’t be targeted specifically by nation states and so may focus on the threats posed by cyber criminals. However, organisations which form part of, or provide services to, our Critical National Infrastructure and defence sector may be at risk from nation states.

The Board should have insight into the threats or challenges facing their sector. This should be accompanied by an awareness of the motivations of attackers, and a mechanism for staying up to date with key cyber security advancements (for example, the growth of ransomware). Furthermore, the Board should utilise tangible approaches to managing cyber risks that can test cyber security controls for “real-world” threats.

What is effective cyber security control testing?

In an age where threat actors are constantly evolving, refining and advancing their tactics, techniques and procedures (TTPs), defenders are often playing catch-up, simply waiting for patch updates or third-party reports to inform them of potential dangers. If security controls are being built in alignment with yesterday’s threats, cyber risk mitigation will always be ineffective, and defenders will always lag behind the threat actors. Furthermore, insight into whether a security control can actually detect and defend against a true actor is limited, and without that insight the control will be inadequate against such an actor. Hence, adopting a security control test framework that provides the foundation to identify and test against “real-world” threats, whether they are employed by a particular threat actor or are something commonly exploited, gives much more effective assurance of the security controls and puts defenders on an equal footing with attackers.

In summary:

Utilising true threat actor simulation delivers realistic security control testing, whereby defenders have an equal footing against attackers, therefore providing a tangible approach to managing cyber risks.




Krish De

Principal Solution Architect (Governance, Risk & Compliance) at Amazon Web Services (AWS) - All views are my own

4 years

Wonderfully put, Sonali! I would add that regular security incident response simulation is a key control that will help 1) reduce primarily impact and some likelihood of threat vectors that are exploited (provided they are grounded in reality); and 2) build muscle memory to improve completeness of coverage and, more importantly, response times. It is extremely difficult to prevent all attacks BUT one should be prepared to respond to at least the most common threats - cloud or on-prem.
