As organizations around the world raced to develop strategies to respond to the COVID-19 pandemic, an independent business risk study shows cybersecurity leaders were largely left out.
The way in which organizations plan for and manage business risk is among the many profound changes taking place as a result of the global COVID-19 pandemic. Yet, many cybersecurity leaders are still struggling to get a seat at the table.
In fact, a study conducted by Forrester Consulting on behalf of Tenable reveals an alarming disconnect between business and cybersecurity leaders. Although nearly all respondents (96%) say their organizations have developed COVID-19 response strategies, 75% say that business and security efforts are only “somewhat” aligned, at best.
This is deeply concerning at a time when the sudden, widespread embrace of work-from-home models in response to the pandemic is unleashing a plethora of end-user devices upon corporate networks. Remote desktops, once a nice-to-have offering for a select group of workers, are now essential tools used by scores of employees to keep organizations running. Employees are suddenly connecting to core business systems and applications using their own previously untested — and potentially vulnerable — consumer routers and home networks. The popularity of internet-of-things (IoT) devices makes them potential threat vectors. The average home network could include an Amazon Alexa or other voice-activated tool, internet-connected TVs and video game devices, and assorted laptops, tablets and phones belonging to spouses, children or others in the household.
The Brookings Institute estimates that, as of April 9, 2020, up to half of American workers were working from home, which it calls “a massive shift.” Indeed, a Pew Research study shows that, prior to the pandemic, only 7% of civilian workers in the United States — roughly 9.8 million of the nation’s approximately 140 million civilian workers — had access to a “flexible workplace” benefit or telework option.
And cybercriminals are swooping in to take advantage of the exponentially expanding attack surface. According to the Forrester study, as of mid-April 2020, four in 10 organizations (41%) had already experienced at least one business-impacting* cyberattack as a result of a COVID-19-related phishing or malware scheme. The data, based on an online survey of more than 800 business and cybersecurity leaders in 10 countries, is drawn from the study, The Rise of the Business-Aligned Security Executive.
COVID-related scams were the No. 1 source of all business-impacting cyberattacks reported in the study. Although the World Health Organization had only declared COVID-19 a pandemic a few weeks earlier, by the time the survey was conducted COVID-related attacks had already outpaced other business-impacting attacks such as fraud (40%), data breach (37%), ransomware (36%) and software vulnerability (34%).
On a personal level, I find the survey results oddly validating: They confirm I’m not the only security leader worried about these trends. Two out of three respondents to the Forrester survey (67%) say they are very or extremely concerned that the workforce changes necessitated by COVID-19 will increase their organization’s level of risk.
Making matters worse, roughly half of the cybersecurity leaders (48%) surveyed say they have only moderate to no visibility into their remote, work-from-home employees.
One of the key ways to bridge this disconnect is for organizations to bring cybersecurity into the fold when developing risk management strategies.
How risk management can help you become a business-aligned cybersecurity leader
CISOs, CSOs and other cybersecurity leaders are uniquely suited to taking on a bigger role in risk management and the related disciplines of business continuity, disaster recovery and crisis management. Our work puts us squarely at the intersection of technology and business. We have visibility into all of the systems, data and processes required to deliver on a business continuity and disaster recovery plan. Being involved in risk management can also make your job a little more manageable: If you can understand all of your critical processes and assets from a broad enterprise risk perspective, it will only make you stronger in cybersecurity as well.
There’s also a clear operational benefit to be gained from performing risk management exercises, which can serve as a bridge between the business and the infosec sides of the organization. What is revealed in the process will help the entire organization understand how to best prioritize resources — both human and financial — to keep the business running even during a crisis.
Sentara Healthcare: a case study in effective alignment
Sentara Healthcare offers a case study in effective alignment. In an interview with Tenable, Dan Bowden, CISO at Sentara Healthcare, noted that at the start of the pandemic, the organization’s IT and security teams found themselves charged with two crucial tasks: enabling a large number of employees to work from home; and helping to convert regular hospital rooms to serve as intensive care unit (ICU) rooms by switching out the operational technology (OT) and internet of things (IoT) systems needed to care for a sudden influx of critically ill patients.
“In March and April, I would say over 50% of our total work effort was dedicated to building ICU room capacity, and figuring out how [we can] use technology to reduce personal protective equipment (PPE) burn,” said Bowden.
While the transitions were ultimately successful, the organization’s patching process was thrown into a two-month disarray as a result.
“I'm a very aggressive vulnerability scanning CISO, and my team is [as well],” said Bowden. “We have a demand-based policy of what happens when we find a new vulnerability. And we had to tweak our vulnerability scanning timing and our patching policy a little bit because our IT teams were changing the beds in hospitals. A regular [hospital] room is configured a certain way from a technology perspective. And when you change that to an ICU room, there's a cascading change across a bunch of technology systems and applications that accompany that. Our infrastructure and application teams were very busy changing our surface of beds that we offered from a small number of ICU beds to a very large number of ICU beds. So we had to figure out how to continue complying with our patching schedule in a way that we could manage risk efficiently and effectively. We relied on Tenable's Vulnerability Priority Rating a lot for that. We probably used it much more aggressively this spring and summer than we have in the past.”
By June, the patching process was back on track. Now, as the fourth quarter approaches, Bowden is faced with significant budget decisions — as are so many industry sectors that experienced the economic impact of COVID-19. “We're trying to reduce [operating expenditures] and get back on budget. How do we make 2020 a break-even year? We are very focused on basic ‘lights on, doors open’ operations as well as any new requests that arise due to variations in COVID-19 spread.”
Bowden adds: “We have a very progressive leadership team that is saying to all of us ‘be creative, help us figure out how we grow in the midst of all this.’ So we've got a few big projects to tackle relative to that as well.”
Showing return on cybersecurity investments
At a time when organizations worldwide are facing a potentially lengthy period of economic uncertainty, it becomes more critical than ever to prioritize investments based on risk. The Forrester study shows that when security and the business are aligned, they deliver notable results. For example, 85% of business-aligned security leaders have metrics to track cybersecurity ROI and impact on business performance versus just a quarter (25%) of their more reactive and siloed peers. The business-aligned security leader is also eight times as likely as their more siloed peers to be highly confident in their ability to report on their organization’s level of security or risk. And the vast majority (86%) have a process that clearly articulates expectations and demonstrates continuous process improvement, compared with just 32% of their more reactive and siloed peers.
Getting involved in the development of your organization's Enterprise Risk Management (ERM) strategy will put you on the path to becoming a business-aligned cybersecurity leader.
These six steps will help with your initial enterprise risk identification and assessment:
- Develop and distribute a risk assessment survey to key stakeholders. These are typically fielded to the senior director level and above and should include representatives from all of the major departments in your organization, including finance, legal, human resources, information technology, information security, sales, operations, marketing and R&D. Once your survey is complete, you’ll want to organize the responses into risk categories so you can compile an inventory of enterprise risks.
- Conduct research and analysis to compare your organization’s enterprise risks to industry risk surveys.
- Develop a risk assessment methodology, including probability and impact, to get a total risk rating.
- Identify key leaders in your organization and devote time to interviewing them to get their feedback on risks and prioritization as well as risk probability and impact.
- Present your risk assessment results to executives to finalize the top risks and assign executive risk owners.
- Work with executive risk owners to identify mitigation activities for the top risks.
Performing the above steps is a painstaking exercise that yields a high degree of benefit by giving you a clear set of priorities. You’ll have an agreed-upon list of enterprise risks. While cybersecurity is likely to be its own standalone enterprise risk, it will certainly impact many, if not all, of the other enterprise risks in some form.
Couple the enterprise risk assessment with a business impact analysis — essential to business continuity and disaster recovery to determine which critical systems and business processes your organization can least afford to live without — and the two serve as the foundation for developing a business-aligned cybersecurity strategy. You’ll emerge with a list of your most critical enterprise risks and processes, making it equally possible to clearly prioritize responses in a time of crisis — regardless of whether the crisis results from a cyberattack, a natural disaster or a global pandemic — and when normal business operations resume.
In stable times, it’s all too easy for organizations to treat enterprise risk management as a mere check-box exercise best left to a segregated team of risk professionals. With COVID-19, business and technology leaders have found themselves enrolled in a crisis management crash course. It’s up to each of us to take this as an opportunity to rethink our approach to enterprise risk so we’re better prepared for the down times and well positioned to benefit when things are going well.
Previous blogs in this series focused on the challenges of aligning cybersecurity and business and why cybersecurity leaders struggle to answer the question “how secure, or at risk, are we?” Over the next several weeks, we’ll continue to explore findings from the Forrester study and provide guidance on how you can become a business-aligned leader. In our next installment, we’ll explore the technology, process, data and people challenges that are standing in your way.
- See additional study highlights here
- Download the full study, The Rise of the Business-Aligned Security Executive
- Read the blogs, Aligning Cybersecurity and the Business: Nobody Said It Was Easy and Why Cybersecurity Leaders Struggle to Answer the Question ‘How Secure Are We?’
- Download the white paper, What It Takes to Be a Business-Aligned Cybersecurity Leader
- Read the eBook, How to Become a Business-Aligned Security Leader
- Listen to the Cyber Exposure Podcast series, "Interview with Tenable CSO Bob Huber"
*For the purpose of this survey, “business-impacting” relates to a cyberattack or compromise that resulted in one or more of the following: a loss of customer, employee or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.