From firefighters to change agents: it’s time for CISOs to help boardrooms take ownership of cyber resilience

Don’t expect leadership to engage if you don’t make it easy to understand the risk

The concept is over half a decade old. Yet, beyond the banking sector, critical national infrastructure organisations have been slow to embrace cyber resilience. Security framed as a binary state (secure or not secure) is difficult to measure. The language of cyber resilience, on the other hand, gives boards a way to engage with cyber risk. It’s time to stop aiming for total security and start aiming for resilience. It doesn’t need to be a huge, paralysing programme. Start simple: baseline your cyber resilience, get your board’s buy-in, then work systematically towards improving it over time, based on your risk appetite and the budget you can unlock.

100 per cent prevention is just not realistic. Let’s stop to think about our own human body, which is colonised by bacteria and viruses in numbers that are hard to fathom. Our aspiration, inhabiting our bodies, is to feel and be well, not necessarily to keep out all the microbes. And if we do fall ill, all we want to do is get back up on our feet as quickly as possible. Even if the analogy is imperfect, we can all agree the key to a great quality of life is through resilience, not just prevention.

In the same vein, mature security teams have been working towards a more balanced and sustainable approach. Cyber resilience is the ability to continuously deliver critical business processes despite being under cyber threat. It encompasses prevention and adaptability to new types of threat, combined with built-in durability and fast recovery. It is about weathering the storm: minimising customer harm, financial loss and reputational damage, rather than taking the alternative, expensive approach of trying to remove the risk entirely.

It’s something that’s relatively easy to describe and conceptualise, but the set-up work required takes some commitment, so this isn’t an approach that is widely adopted yet. Metrics that bring it to life are sometimes hard to find and it can feel like a daunting transformation to embark on.

CISOs who have started embracing this approach head-on, for example through the Bank of England’s CBEST framework for the financial services sector, are finding their board members better engaged and taking ownership. For the first time, they are speaking a common language of risk, investment and business impact.

Clearly, if we are going to improve cyber resilience, accountability at leadership level is key. But let’s not expect management to be security experts. As practitioners, we can do more to demystify cyber risk. We need to help leadership understand the cyber risk, quantify the potential impact and bring to bear the analysis required to make strategic decisions on investment in controls. If we can’t make it simple for non-experts to understand cyber risk, it is very difficult for them to engage properly with that risk.

Start by baselining your cyber-resilience

Board members understand clear metrics that can be stress-tested. They need an easy way to understand the severity of the cyber risk, to know whether existing controls are working, and to see where further improvement is needed, or to decide legitimately to accept the risk.

A compelling way to secure board-level engagement is to baseline your organisation’s cyber-resilience and demonstrate how that changes over time with improved controls. This can be achieved through:

–       developing a Red Team programme – a systematic programme of unannounced ethical hacking

–       measuring key metrics on cyber resilience, over time

–       analysing findings in the context of how it impacts key assets across the value chain of critical business processes

Here are four key measures that are worth capturing:

Mean Time To Breach (MTTB) is the time taken from commencing the Red Teaming activity to achieving a sustainable undetected foothold within the organisation. This gives you a measure of the severity of your vulnerabilities and how easily they can be exploited. The goal is to make MTTB as long as is commercially sensible for the business-critical assets in your infrastructure.

Mean Time To Detect (MTTD) is the key metric for the security operations centre. How early in the attack was activity detected: the reconnaissance scans, the payload drop, lateral movement, asset compromise, data exfiltration, or anything else compromising? You quickly learn where your blind spots are.

Mean Time To Respond (MTTRes) is different from detection: it is about actionability. Activity may have been detected by the platform and an alert raised, but that does not mean the alert was picked up and acted on. How quickly did the security operations centre respond to the incident, and which processes, if any, can be improved to be faster in future, for example to speed up investigation and decision-making?

Mean Time To Recover (MTTRec) relates to how quickly the security operations team, working alongside their IT counterparts, can restore normal business operations following an incident. The goal is to make MTTRec as short as possible for business-critical assets.
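As an added illustration (not code from the original article, nor from CyberOwl or QinetiQ), the following Python computes the four measures from a set of Red Team exercise records and compares two reporting periods so the trend can be put in front of a board. The exercise names and timestamps are constructed for the example, and measuring MTTRec from the point of detection is an assumption; the article does not fix that start point. The detail worth noticing is how an exercise the Blue Team never detected is handled: it is counted as a blind spot rather than averaged into MTTD, because treating a missing detection as zero would flatter the metric.

```python
"""Baseline and trend the four cyber-resilience measures from Red Team exercises.

Constructed example: exercise names, dates and the record layout are invented
for illustration. MTTRec is measured from first detection (an assumption).
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Exercise:
    name: str
    start: datetime                 # Red Team begins activity
    foothold: Optional[datetime]    # sustained undetected foothold achieved (None = never)
    detected: Optional[datetime]    # first alert raised by SOC tooling (None = blind spot)
    responded: Optional[datetime]   # first analyst action on that alert
    recovered: Optional[datetime]   # normal business operations restored


def _hours(a: datetime, b: datetime) -> float:
    return (b - a).total_seconds() / 3600


def _mean_or_none(values: List[float]) -> Optional[float]:
    # An empty list means "no data", which must surface as None, never as 0.
    return mean(values) if values else None


def resilience_metrics(exercises: List[Exercise]) -> Dict[str, Optional[float]]:
    """Mean times in hours plus counts of undetected and contained exercises.

    Each mean only includes exercises where both endpoints exist. An exercise
    that was never detected contributes to the blind_spots count instead of
    shrinking MTTD; one where no foothold was ever achieved counts as contained.
    """
    return {
        "MTTB_h": _mean_or_none([_hours(e.start, e.foothold) for e in exercises if e.foothold]),
        "MTTD_h": _mean_or_none([_hours(e.start, e.detected) for e in exercises if e.detected]),
        "MTTRes_h": _mean_or_none([_hours(e.detected, e.responded)
                                   for e in exercises if e.detected and e.responded]),
        "MTTRec_h": _mean_or_none([_hours(e.detected, e.recovered)
                                   for e in exercises if e.detected and e.recovered]),
        "blind_spots": sum(1 for e in exercises if e.detected is None),
        "contained": sum(1 for e in exercises if e.foothold is None),
    }


# For MTTB a longer time is better; for the other three, shorter is better.
HIGHER_IS_BETTER = {"MTTB_h": True, "MTTD_h": False, "MTTRes_h": False, "MTTRec_h": False}


def compare(baseline: Dict, current: Dict) -> Dict[str, str]:
    """Label each timing metric improved / regressed / unchanged between two periods."""
    verdict = {}
    for key, higher_better in HIGHER_IS_BETTER.items():
        b, c = baseline[key], current[key]
        if b is None or c is None:
            verdict[key] = "insufficient data"
        elif c == b:
            verdict[key] = "unchanged"
        else:
            verdict[key] = "improved" if (c > b) == higher_better else "regressed"
    return verdict


T = datetime.fromisoformat  # shorthand for the constructed timestamps below

# Constructed baseline period: one exercise was never detected at all.
BASELINE_Q1 = [
    Exercise("Q1-ex1", T("2024-01-08 09:00"), T("2024-01-08 13:00"), None, None, None),
    Exercise("Q1-ex2", T("2024-02-05 09:00"), T("2024-02-05 15:00"),
             T("2024-02-06 15:00"), T("2024-02-06 17:00"), T("2024-02-07 01:00")),
    Exercise("Q1-ex3", T("2024-03-04 09:00"), T("2024-03-04 11:00"),
             T("2024-03-04 21:00"), T("2024-03-05 03:00"), T("2024-03-05 09:00")),
]

# Constructed follow-up period after control improvements: one exercise was
# contained before any foothold, but recovery took longer than before.
IMPROVED_Q2 = [
    Exercise("Q2-ex4", T("2024-04-08 09:00"), None,
             T("2024-04-08 17:00"), T("2024-04-08 18:00"), T("2024-04-09 05:00")),
    Exercise("Q2-ex5", T("2024-05-06 09:00"), T("2024-05-06 19:00"),
             T("2024-05-06 23:00"), T("2024-05-06 23:30"), T("2024-05-07 13:00")),
]

if __name__ == "__main__":
    q1, q2 = resilience_metrics(BASELINE_Q1), resilience_metrics(IMPROVED_Q2)
    for period, m in (("Q1 baseline", q1), ("Q2 after controls", q2)):
        print(period, m)
    print("trend:", compare(q1, q2))
```

In the constructed data MTTB, MTTD and MTTRes all improve between the two periods while MTTRec regresses, which is exactly the kind of mixed picture a board can act on: detection and response investment paid off, and recovery is the next place to spend.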

These steps give a clear baseline of how your organisation’s Blue Team (dedicated security operations) and other functions with security responsibility perform before, during and after an attack. Tracked over time and reported at a regular cadence, these measures are giving CISOs more meaningful interactions with their leadership teams.

Cyber risk, resilience and collaboration

CyberOwl’s founder Daniel Ng has been working with the global defence, security and intelligence consultancy QinetiQ to develop technologies that help evolve strategies for cyber-resilience. Here’s Daniel in conversation with QinetiQ CTO Bryan Lillie on risk, resilience and collaboration in cyber.

Daniel Ng   Bryan, let’s start at the top. Are boardrooms struggling to understand their cyber risk and exposure? 

Bryan Lillie  From our experience you could probably say most are. I would say that’s partly down to the fact cyber risk is still largely being sold on the basis of fear, uncertainty and doubt. I think that’s simply too reductive. We need to see a move away from cyber presented as a spot risk, with a particular solution.  It needs to be treated as part of a broader approach aimed at building business resilience.

DN  Security has been too binary for too long – either something is secure or it’s not. It is often relegated to a single, limited technical function or attack vector. A broader approach towards cyber resilience is more sustainable. It shifts the questions and goal posts. Which of our assets need particular visibility because, if compromised, they could seriously damage the business? How do we live with the myriad cyber threats and improve the organisation’s ability to withstand these? How long would it take, given our controls and vulnerabilities, to pick up an evidence trail of attack? How easy is it for us to make the right decisions to respond, at the right time? How quickly can the business recover and continue to thrive? How quickly do we actually need it to?

DN  Are companies ready for a message like that?

BL   Many are, and there’s some momentum, too. I would say it depends on the maturity of the organisation in relation to risks, physical and digital.  Cyber-risk isn’t something a company can isolate, because it relates to everything a company is and does for its customers. Think about an e-commerce retailer, say – it cannot treat the resilience of its website as a nice-to-have aim, or just a cyber problem. It needs to ensure the site’s resilience on all terms at all times, and make its delivery a core business function. We’re now seeing organisations start to think in this way.

DN   OK, so what’s the first step for those who want to embrace the bigger picture? Here’s my take. I would say the conversation needs to move from one about technology and process to one focused on the impact of cyber risks. Take the time to review your organisation’s assets and weigh them for how critical they are to the business. Some risks you might be able to live with, because they affect assets that have limited impact on the business and can be easily contained. Others you just cannot ignore because they could stop your organisation in its tracks. Knowing that difference is crucial.

BL   Agreed. The key then is being able to understand when and how quickly the risks start to escalate. That’s why the work you are doing at CyberOwl on Medulla is so important. It is a good fit for any business that knows what matters and how to measure it. Given all the stealthy threat, ambiguity and noise out there, you need that clarity. Once a business starts to learn about trends and how threats manifest and so on, Medulla is invaluable because it helps to visualise and measure those threats. If you look at how conventional security technologies operate, they do not prioritise in the same way, but that’s exactly what Medulla offers.

DN  Medulla is only one part of the solution. It’s really important for us to invest in working with organisations like QinetiQ that have deep expertise across the cyber resilience value chain. There is a worrying trend and temptation in cyber startups to create another “stand-alone box with hard edges”. But we have a responsibility to collaborate to deliver “defence in depth” and offer organisations a joint solution that improves their overall cyber resilience, rather than just single-point security.

QinetiQ and CyberOwl can help you become cyber-resilient. Join the journey

●      QinetiQ is a leading science and engineering company operating primarily in the defence, security and critical infrastructure markets. QinetiQ is challenging boards’ thinking in relation to cyber risk. Our work gives a view, often for the first time, of a company’s risk appetite. What does business success rely on? Where are the criticalities? Boardrooms generally apply themselves to business outcomes, so work around cyber risks must now be understood on those terms.

●      QinetiQ’s capabilities, technologies and expertise are helping companies to measure, improve and sustain their cyber resilience. Our Advanced Intrusion Testing team is a world-class service simulating sophisticated, persistent, multi-dimensional and pervasive threats to give a true measure of a customer’s real-world, exploitable risk, both digital and physical. Our Cyber Experts advise and support customers in developing a proactive and agile approach to managing cyber risk.

●      CyberOwl builds on cutting-edge research that started its life at the Defence Academy of the United Kingdom and was completed at Coventry University. We are on a mission to leverage data and analytics to shift organisations towards an active cyber posture.

●      CyberOwl’s Medulla is a platform for prioritising cyber risk. The system quantifies the cyber risk associated with each asset, in real time, by analysing small, fragmented clues observed from network and asset behaviour. It’s designed to offer an intuitive, clear and prioritised way of understanding which assets are under the highest cyber risk. For security operations, this provides a clear way of prioritising early intervention. For management, this provides a simple way to understand how security events impact business and operations.