Coming of age: how organisations achieve security maturity


...exploit is still active, it’s still a top concern for your organisation.

Remediation and threat levels

With intelligently prioritised vulnerabilities, remediation action is focused in the right place. While exposed vulnerabilities or those actively exploited in the wild require immediate attention, other vulnerabilities posing a potential threat – including those with known but inactive exploits – can be dealt with in time as part of gradual risk reduction processes.

However, potential threats also need to be monitored in a way that uses intelligence of the current threat landscape. If an exploit is observed in the wild, a vulnerability should be elevated to an imminent threat. Likewise, if there is a change in the network topology that exposes the vulnerability, this too is now an imminent threat and needs to be mitigated immediately. When vulnerabilities necessitate an immediate response, patching isn’t always an option, either because no patch is available or it can’t be applied for various reasons. But vulnerability management programmes already taking network context into account can quickly identify compensating controls such as changes to firewall rules, cloud security tags, IPS signatures, and so on that can cut off the vulnerability from attack paths.

Threat-centric approach

A programme that considers the full array of not just vulnerabilities, business concerns and hybrid network context, but also current threat intelligence will more accurately prioritise vulnerability remediation. It focuses action on the small subset of vulnerabilities most likely to be used in an attack – whether they’re zero-days or older than the business itself. The threat-centric approach not only has the greatest impact on risk reduction, it increases the efficiency and effectiveness of vulnerability management teams – especially beneficial as their responsibilities are expanded to new network environments like cloud and OT. It creates a systematic process to intelligently address risk, but one that can adapt as the organisation changes and the threat landscape evolves, even if that means reaching back to exploits of the past.

About the author

Marina Kidron is the leader of the Skybox Research Lab, a dedicated team of security analysts who daily scour data from public and private feeds and investigate more than 700,000 sites on the open and deep web. Kidron has over 10 years of experience in business and statistical data analysis, data modelling and algorithms development, working for companies in the fields of IT, mobile technology, Internet and financial services. Kidron holds a Master’s in Political Marketing and a Bachelor of Computer Science and Mathematics.


Coming of age: how organisations achieve security maturity


Steve Mansfield-Devine, editor, Computer Fraud & Security

Computer Fraud & Security, December 2017

When it comes to security, organisations have had a lot of growing up to do. Facing up to the volume and complexity of today’s cyber-threats requires a level of maturity that is achievable only when you understand not just the world around you but yourself. As Kevin Dowd, chairman of the CNS Group, explains in this interview, organisations have a lot to gain from determining their degree of maturity when it comes to information security, with benefits for everyone from those working at the operational level right up to the board.

The first question to ask, of course, is what do we mean by cyber-security maturity? For Dowd, it’s a matter of seeing the big picture. Many people focus on compliance or specific technical controls that they think are important (or have been told are important). But Dowd believes a broader view is required. “You can term it information security or information assurance – those terms have different definitions depending on who you’re talking to,” he says. “But it’s about trying to view that in the round and see not only what controls are in place – from a technical perspective, from a governance and people perspective, and in terms of compliance – but also looking at the level of effectiveness of those controls. Not just whether they are in place, but whether they are audited, reported upon, logged. It’s trying to give people a framework to work to.”

Kevin Dowd is chairman of the CNS Group (www.cnsgroup.co.uk) as well as a CLAS Consultant, PCI DSS QSA and a former CHECK Team leader. Having moved from Natwest to start CNS over 20 years ago, he was instrumental in starting the CNS Security Practice and is now responsible for development of the compliance tool set as well as the assessment and audit team.

Some of the interest in measuring security maturity is driven by press headlines. “Board members will get worried because they see something in the press,” says Dowd. “They’ll ask, do we need to be worried, are we ready? Are we doing everything that we need to do? And it’s typically quite difficult for people to answer that question, because they don’t have a comprehensive view.”

The motivation runs the other way, too. While IT and security professionals have a better grasp than the executives of what the organisation is doing in terms of protecting itself against attacks, the picture isn’t always as clear as it might be. According to Dowd: “These people say we know what we’re doing, and we know roughly how well we’re doing it – although that needs to be assessed and scored – but what aren’t we doing? What are the things that are going to come and bite us, because we haven’t considered them? So it’s really about trying to take a comprehensive view of that.”

Measuring it

Organisations get into trouble when it turns out their security isn’t nearly as good as they thought it was. And this state of affairs comes about for a number of reasons. Sometimes it’s because the organisation has been judging its situation on the wrong criteria – for example, focusing too much on compliance regimes. Or it’s the consequence of leaving judgements about security to instinct. Maybe you’ve given yourself a nice warm fuzzy feeling about your cyber-readiness because of all the shiny boxes you’ve installed. Everyone feels safer when there are lots of blinking lights. This is an area, though, where relying on gut feeling often ends badly. So coming to terms with your level of cyber-security maturity means measuring something – having some defined metrics. The approach used by CNS Group with its maturity benchmarking process involves asking 74 questions across five domains, with respondents providing a confidence level for each of their answers. These questions are answered during the course of a half-day workshop. Establishing the confidence level is an interactive process. “One of the first steps is to ask what assurance do we need about some of the answers that were given, or what do we need to find out about some of the gaps in knowledge?” explains Dowd. “It might concern the number of events generated by your SOC [security operations centre], whether your security files are being reviewed on a quarterly basis, the efficacy of that review and so on. It’s a very straightforward process.” He adds: “Those questions have been put together in such a way as to be relevant to as many compliance regimes as possible. We have the ability to add in separate domains and subsidiary questions if there are particular areas that people want to go into in any more detail, whether that’s payment card security, GDPR, ISO or a sector regulation regime.”

This is also a process that needs to be repeated regularly to derive the full benefit. Typically, says Dowd, firms will go through a full assessment annually with quarterly reviews of how the organisation is doing with regard to the roadmap. “What we’ve found is that it’s very much an ongoing dialogue. We generate the roadmap and that generates a series of conversations, questions and actions. So it’s a very collaborative thing.” There’s also a great deal an organisation can glean from changes in the scoring over time. “I’ve been involved in lots of big security and/or compliance projects when nothing much happens,” says Dowd. “Or people think things have happened and they actually haven’t. It’s often quite eye-opening when you sit in a meeting and somebody says, yeah, we’ve done that, and somebody else says, no, it didn’t happen because of x, y or z.” The way that this maturity benchmarking can help, says Dowd, is in answering certain key questions. “Are we actually doing the things that we think we’re doing? Are these things getting completed and then run and controlled effectively? Are we getting value from what we think we’ve achieved? And if not, do we have broader lessons to learn about how we go about that?”

Table 1: Grading the maturity of processes and controls, based on the COBIT maturity scale. Source: CNS Group.

Level 0, Non-existent: Process does not exist.
Level 1, Initial: Ad-hoc processes are in place, very dependent upon the efforts of diligent individuals, often going above and beyond.
Level 2, Repeatable: Some procedures are in place that allow for repeatable outcomes but the process still relies on individual knowledge.
Level 3, Defined: Processes are documented and standardised, but are not yet sophisticated enough and success is not adequately measured.
Level 4, Quantitatively Managed: Compliance with the defined processes is measured and controls are put around significant deviations from process.
Level 5, Optimised: Continuous improvement is the outcome of continuous feedback into process improvement, to the point where deviations from process are reduced to an acceptable minimum.

Who is it for?

The end result of this benchmarking is a score with an accompanying confidence level for each of the domain areas as well as an overview. So who needs to see these numbers – the security professionals, or should the results be bumped up the chain of command to the C-suite?

“It’s both really,” says Dowd. “I’d describe it as a tool. The top-level scoring is aimed at the board, because that allows the security professionals to give a demonstration of what it is they’re doing, where the gaps are, where they need to focus and what progress they’re making. Cyber-security’s one of those things where it’s working if nothing happens. A maturity score is something demonstrable you can show to the board to say ‘this is how we’ve improved’. Otherwise security just looks like money out the door for no demonstrable or obvious return. So that helps the information security professionals.” By applying weightings to specific questions or domains and by carrying out this exercise at regular intervals, an organisation can identify where improvements are being made, where gaps still exist and create a roadmap that the organisation can use to focus its efforts, both within and beyond compliance regimes. For this to work, the process has to match the nature of the business and so it will vary from organisation to organisation. That said, Dowd explains that the questions themselves remain relatively common from one client to another. “That’s important because one question we get asked is, how are we doing against everybody else?” That’s not easy to answer at the moment, he says, because the CNS Group programme is still in its early stages and hasn’t built up the body of knowledge required to give a meaningful response – although he’s confident that will come in time. And there are inevitable variations. “The make up and the number of people in the room, and the breadth of infrastructure that you’re talking about, can vary significantly from client to client,” he says. “And our role can vary. In some cases we generate the roadmap and drive the work; and in others that’s very much an output to the client to feed into its organisational structure and get things done. Indeed one of the domains is about how good are you about transformation and maturity? Do you have the structures in place to get change done in the organisation? That’s one of the real signifiers we’ve seen of success in cyber-security projects – are you, as an organisation, good at change? If you are, you’ve got half a chance of being good at implementing cyber-security.”
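As an added illustration (not the CNS Group tool, whose questions and weightings are not published), the following Python sketches how confidence-scored answers on the Table 1 scale can be aggregated per domain and into a top-level board figure, how a roadmap separates claims that still need evidencing from genuine gaps, and how two assessments are compared over time. The domain names, questions, weights, the 0.7 confidence threshold and the target level of 3 are assumptions made for the example.

```python
from dataclasses import dataclass
from collections import defaultdict
# Table 1 scale (COBIT-style); used to validate and label answers.
LEVELS = {0: "Non-existent", 1: "Initial", 2: "Repeatable",
          3: "Defined", 4: "Quantitatively Managed", 5: "Optimised"}

@dataclass(frozen=True)
class Answer:
    domain: str
    question: str
    level: int           # maturity level claimed in the workshop, 0..5
    confidence: float    # assessor confidence in that claim, 0.0..1.0
    weight: float = 1.0  # per-question weighting (assumed; real weightings are not published)

def domain_scores(answers):
    """Per domain: (weighted mean level, weighted mean confidence), 2 dp."""
    acc = defaultdict(lambda: [0.0, 0.0, 0.0])  # sum(w*level), sum(w*conf), sum(w)
    for a in answers:
        if a.level not in LEVELS or not 0.0 <= a.confidence <= 1.0:
            raise ValueError(f"out-of-range answer: {a}")
        s = acc[a.domain]
        s[0] += a.weight * a.level
        s[1] += a.weight * a.confidence
        s[2] += a.weight
    return {d: (round(s[0] / s[2], 2), round(s[1] / s[2], 2)) for d, s in acc.items()}

def overall_score(answers, domain_weights=None):
    """Top-level (board) score: weighted mean of domain levels and confidences."""
    scores = domain_scores(answers)
    dw = domain_weights or {d: 1.0 for d in scores}
    total = sum(dw[d] for d in scores)
    level = sum(dw[d] * scores[d][0] for d in scores) / total
    conf = sum(dw[d] * scores[d][1] for d in scores) / total
    return round(level, 2), round(conf, 2)

def roadmap(answers, target=3, min_confidence=0.7):
    """Actions in priority order: a claim the assessors do not yet trust must be
    evidenced before it counts; a trusted but low level is a genuine gap."""
    actions = []
    for a in answers:
        if a.confidence < min_confidence:
            actions.append(("evidence", a.domain, a.question))
        elif a.level < target:
            actions.append(("improve", a.domain, a.question))
    return sorted(actions, key=lambda x: (x[0] != "evidence", x[1], x[2]))

def progress(before, after):
    """Per-domain change between two assessments: (level delta, confidence delta)."""
    b, a = domain_scores(before), domain_scores(after)
    return {d: (round(a[d][0] - b[d][0], 2), round(a[d][1] - b[d][1], 2)) for d in b if d in a}
# Constructed workshop answers (not real client data): initial session, then the
# first quarterly review after evidence was requested for the low-confidence claims.
BASELINE = [
    Answer("Logging & monitoring", "SOC events reviewed", 3, 0.4),
    Answer("Logging & monitoring", "Server logging enabled", 4, 0.5, weight=2.0),
    Answer("Governance", "Security policy approved", 3, 0.9),
    Answer("Governance", "Quarterly control review", 1, 0.8),
    Answer("People", "Awareness training delivered", 2, 0.9),
]
REVIEW = [  # the server-logging claim did not survive evidencing: 4 becomes 2
    Answer("Logging & monitoring", "SOC events reviewed", 3, 0.9),
    Answer("Logging & monitoring", "Server logging enabled", 2, 0.9, weight=2.0),
    Answer("Governance", "Security policy approved", 3, 0.9),
    Answer("Governance", "Quarterly control review", 2, 0.8),
    Answer("People", "Awareness training delivered", 3, 0.9),
]
if __name__ == "__main__":
    print(overall_score(BASELINE), overall_score(REVIEW), progress(BASELINE, REVIEW))
    print(*roadmap(BASELINE), sep="\n")
```

Note how the overall level barely moves between the two constructed runs while confidence rises: the logging domain falls once its claims are evidenced, which is the kind of change in scoring over time the interview describes.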

Asking the right questions

It’s all very well having all these answers and it’s easy to see how people might put a great deal of faith in the subsequent scores. But they’re significant only if you’ve asked the right questions. How confident is Dowd that this process is hitting all the important issues and not leaving anything out?

“We’ve got a high level of confidence from two perspectives,” he says. “One is that we have obviously used the various compliance regimes, the various scoring mechanisms, the top tens, all of those sorts of things that are out there, as reference points to generate as comprehensive a view as possible. And indeed, lots of our day-to-day effort is working with compliance regimes, so we’ve got a good idea of the types of things you need to ask people to assess where they are with their cyber-security. Second is the body of knowledge that we’ve generated over the years. It’s very useful for us as a business to have not just an advisory team, but a solutions team and NOC [network operations centre], a SOC and a penetration-testing team. That allows us to pool the knowledge and stay on top of emerging technologies – because if we’re talking about controls, we’ve got to know what’s out there. We’ve got to know the types of things that are coming down the road.” It’s important not to get too distracted by the minutiae of specific products or technologies, he says. However, major developments, such as the Internet of Things (IoT), do require an adjustment in the framework. “That might be a customer who’s in a particular space. We have smart meter customers, for example, so there’s a different set of questions to ask them. Anybody who’s got a significant installed base with consumers offers a different set of challenges to the traditional corporate environment. And there are emerging threat types as well. There’s a balance to be struck. And even where there are issues that you’re not formally scoring, we tend to cover them in discussion. It’s a continuing dialogue.”

Justifying the cost

Security can be a difficult thing to sell – too many organisations see it as a pure cost with no obvious return. So how do you convince them that it’s worth spending money on this kind of process? Dowd’s answer acknowledges that organisations are certainly going to need some kind of cyber-security budget.

“Put simply, it allows you to target that spend,” he says. “In any case, the world has turned a bit and people are a bit better than they were in doing some of the necessary but unsexy things like training and awareness, generating a good security culture, etc. Part of what we’re saying here is that technical controls are, of course, very important. But culturally we need to move away from being an industry that’s distracted by the shiny box with the shiny lights and think a bit more in the round about what’s really effective in managing cybersecurity in an organisation. Culture can be a big part of that. Ransomware is a good example. The technical responses to ransomware are partially effective with an evolving threat. They’re not going to be 100%. But the cultural response to this – training and awareness, being good at back ups – is equally important. So what we’re saying to people is, we want to take your spend and use a part of it on more effectively directing that. I can’t think of any business that we’ve seen which couldn’t benefit from that.”

Security strategy

In terms of an organisation’s broader security strategy, this process of measuring security maturity has a similar role to play as that for spending – by providing guidelines for future development. “It’s about providing that roadmap and seeing where the points of weakness are,” says Dowd. “That can be very client-dependent, depending on the types of individuals in key positions, their background, their interests, where they want to go, whether they’re primarily from a tester background or a more rounded security specialist and so on.” The maturity process highlights those areas where change is required, he says, and you can feed this into the top-level information security strategy. And often this involves less technical and sometimes neglected concerns, such as user training.

“They’re time-consuming and they’re not necessarily all that exciting,” says Dowd, “but they are nonetheless very necessary. It’s about making sure that you focus on the right areas, that your strategy is complete and nothing has fallen by the wayside.” The maturity process sits well with other information security activity, too, such as penetration testing – partly, Dowd believes, because they cover different ground. “Pen-testing offers a view of technical vulnerabilities at a point in time,” he says. “Pen-testing tells you the immediate problems that you have to remediate or there might be a problem tomorrow. Maturity benchmarking takes two steps back to look at why you have those problems, what missing processes and controls have led to you having those problems.”

Being compliant

Not surprisingly, the issue of compliance crops up a lot in discussions about security maturity. And as we all know, being compliant with even the most stringent regulations is not the same as being secure. Is there a danger that an organisation could achieve an excellent score for compliance and be fooled into thinking that its security posture is excellent?

“You do need to be wary of that,” says Dowd. He goes on to explain, however, that this is where the assigning of a confidence level comes in. At the start of the process, the confidence level given to any part of the client’s security is likely to be low. The assessors will want to see robust evidence that the client has adequate controls in place before raising that confidence level. “For example, if it’s server logging, well let’s see the evidence of that, let’s see the outputs, let’s see how we’re responding, and so on. An important part of the process is evidencing. I don’t think anybody’s going to come out of an initial session with a particularly high score. And we’re finding that the people who are engaging enthusiastically want to improve. They’re looking for the weaknesses. They’re not looking for a comfort blanket, they’re not looking for something that says, yes, everything’s fine. They’re looking to know they can improve.”

Outside job

Predictably, this process is one that Dowd feels is best conducted by someone from outside the organisation. But that’s not just because that’s his business. “We work with some very good and knowledgeable people in our client base,” he says. The problem is with their own organisations not listening to them. Dowd’s advice to organisations often echoes what their own people have been saying, but carries more weight – possibly because the client is paying for it. There is also the fact that, in common with many other areas of information security, a specialist firm benefits from experience gained across a large number of engagements in many different sectors. “We have a broader view necessarily than someone working inside a client – of the industry as a whole and what other people are doing,” he says. That doesn’t mean that the in-house talent goes to waste, though. “The most powerful thing is when you’re partnered with a really good security professional inside the client who has detailed day-to-day knowledge. The process is most effective when you’ve got somebody on the ground who understands what we’re trying to achieve, but also understands the business and its strengths and weaknesses from the cyber-security perspective.”

Full of surprises

As we said at the start, people often have a gut instinct about the state of the organisation’s security. So, when they go through a maturity benchmarking process, are they often surprised by what they find? “They are,” says Dowd. “Not because they don’t know any of it. They know the answers. But there’s a lot of ground to cover in any effective cyber-security regime. And when you look at it in the round, look at all the things that one should be doing and how you measure up, that’s the eye-opener. We’ve yet to have someone say, we hadn’t even thought of that, unless it’s some of the more advanced endpoint solutions. But what we have had is people saying, well there’s more work to do here than we fully appreciated.”

About the author

Steve Mansfield-Devine is a freelance journalist specialising in information security. He is the editor of Computer Fraud & Security and its sister publication Network Security.

EVENTS

8–11 January 2018: FloCon 2015, Tucson, AZ, US, http://bit.ly/2iVp6Tn
8–11 January 2018: International Conference on Cyber Security (ICCS), New York, US, http://iccs.fordham.edu
10–12 January 2018: Real World Crypto, Zurich, Switzerland, https://rwc.iacr.org/2018/
19–21 January 2018: Shmoocon, Washington, DC, US, www.shmoocon.org
22–24 January 2018: International Conference on Information Systems Security and Privacy, Funchal, Madeira, Portugal, www.icissp.org
23–24 January 2018: Cyber Defence and Network Security, London, UK, https://cdans.iqpc.co.uk
2–4 February 2018: REcon Brussels, Brussels, Belgium, https://recon.cx
7–8 February 2018: Manusec Europe, Munich, Germany, www.manusecevent.com/europe/
9 February 2018: Hackron, Canary Islands, Spain, www.hackron.com
16–18 February 2018: Munich Security Conference, Munich, Germany, www.securityconference.de/en/