Five Cybersecurity Questions for Boards or Investors

By Anonymous -



Five Cybersecurity Questions for Boards or Investors

Boards of Directors and investors do not need to be technical experts to oversee or discover cybersecurity risk in organizations. They do, however, need to ask probing questions to ascertain the maturity level of, and fundamental challenges within, the way organizations understand and manage cybersecurity risk.
In our interactions with Executive Board of Directors, Venture Capital Investors, and M&A due diligence analysts, a common question routinely surfaces when executives seek to understand a company’s cybersecurity risk: What do I need to ask to gain a true sense of how a particular organization understands and manages cybersecurity risk?
Our answer to this question is relatively straightforward and not always obvious: Probe into the organizational understanding and operational structure around addressing cybersecurity risk, and seek evidence of measurable facts in support of that thinking and structure. This may sound fundamental and non-technical. That’s because it is fundamental and non-technical.
The impact of a cyber incident can vary by organization, and that impact variation directly correlates to the relative cybersecurity risk*. Operational impacts, reputational impacts, legal impacts, and other business impacts are typically different between organizations, as they are highly dependent on the type of business, data/systems affected, and severity of a cybersecurity “incident”.
To address this risk, many organizations speak about controls, technical fixes, expertise, and cybersecurity tools. While tremendously important, many of these are tactical solutions – they solve for particular risk management problems like blocking, monitoring, detection, remediation. These solutions, however, do not solve the oversight problem that concerns directors or potential investors.
The problem for directors and investors is to broadly determine the overall organizational cybersecurity maturity, relative to the risk. This means determining “What is that level of maturity, and has the enterprise identified their risk of a cyber incident?” The board (especially) and investors (more generally) have an oversight problem to solve when it comes to cybersecurity, not a management problem to solve.
With the management issues set aside for the moment, we can address the oversight challenge facing executives: What questions do I need to ask to gain a sense for the real cybersecurity risk within an organization? Or, more simply, “Where do I start?”.
One way to address this inquiry for proper oversight is to examine the organizational understanding and fundamental management structure in cybersecurity. In an effort to quickly examine these areas, or to get the discussions going**, here are five questions one may ask as part of oversight or any investment due diligence.
1. What is your cybersecurity risk?
This question probes for a direct answer to an intentionally broad and open-ended question. As a board member or potential investor, you don’t need to know, or even judge, the merit of an immediate answer. But you do need to judge the organization’s ability to provide a sufficient and thoughtful answer, as it will provide an immediate view into how the organization thinks about cybersecurity risk. A sufficient answer should provide insights into the depth of thinking behind the organizational understanding of the risk they face, for example:
  • Is there an understanding of both the probability and potential impact of a cybersecurity incident (e.g., fines related to the loss of specific types of data, potential cost of a particular type of cybercrime, potential revenue loss related to a reputational impact)?
  • How likely is a breach to occur (e.g., what threats are most concerning or most likely to be successful, what vulnerabilities related to these threats are known and not properly addressed)?
  • What happens to the organization when specific risks are realized (e.g., what are the legal duties, who leads the response, what are the recovery plans)?
2. How are you managing cybersecurity risk?
This question takes a deeper look into cybersecurity risk, as it relates to the overall risk management process – probing into the structural alignment supporting cyber risk mitigation. Knowing what an enterprise cybersecurity risk management program should look like (e.g., frameworks, risk-mitigating controls, roles and responsibilities, training) is not as important from an oversight perspective as obtaining evidence that a program is in place. The exact framework***, approach, or structure taken by an organization is less important at this stage as the simple fact that a thoughtful risk management approach exists. For example, signs of a thoughtful program may be:
  • A clear and structured way to address cyber risk management that aids in the understanding of, and decision-making around, the actual overall cybersecurity risk
  • Evidence of cybersecurity risk management nested within a larger enterprise risk management framework (e.g., cybersecurity incident response plans referenced in global business continuity planning)
  • The use of an applicable cybersecurity risk management framework to help communicate cybersecurity risk management to others (e.g., NIST Cybersecurity Framework, Open Web Application Security Project (OWASP), Factor Analysis of Information Risk (FAIR) framework, ISO/IEC 2700x, the NIST 800 Series, MITRE ATT&CK™, Auditscips Critical Security Controls)
3. How are you measuring cybersecurity risk reduction?
Brace yourself. This question pokes right into the widely contested and heavily debated subject of measuring cybersecurity risk; so tread lightly, but look for areas ripe for oversight and guidance – where answers to this question fall short of sufficient.
The concept and relative meaningfulness of “cyber risk metrics” introduces its own deep investigation into sufficient measures. However, from an oversight or potential investment perspective, what is being measured is not as important as the meaningfulness (to you, the examiner of broad risk indicators) of the organizational action that may be taken from the measurement’s result. Overall, you are looking for the organizational ability to identify, address, and adapt to the appropriate level of risk governance – that is, the organizational cyber risk policy and overall risk appetite****.
What an organization measures in cybersecurity indicates the level at which they view the security problem; one cannot manage what one cannot measure. Since feedback is critical to managing, the type of feedback management is receiving is telling of how deep the problem is understood. (Conversely, a lack of measures is also telling, except for organizations with near-zero information security risk). As this topic leads to a much wider discussion on the use and value of KRI’s, KPI’s, and metrics, consider listening for organizational evidence in two areas:
  • Does the organization quantify/qualify uncertainty in a way that provides decision-makers the appropriate level of risk-mitigation? If so, is the uncertainty measured and managed in some way?
  • Do organizational leaders believe that meaningful measures mature over time, as the organization better understands and equips itself to address cybersecurity (i.e., no measurement is perfect at its onset)?
4. Who owns cybersecurity risk within the organization?
This is the cybersecurity roles-and-responsibilities question. Here, you are asking a very specific question: When it comes to cybersecurity, who has the lead?
You are investigating clear organizational alignment to the cybersecurity risk problem and discovering how cybersecurity risk responsibilities have been structured within the organization to manage risk-reduction – that is, how cyber risk management may roll up from IT controls to you, the overseer/investor. But first, one word of caution: “everyone [owns cyber risk]” is not an answer. From an oversight perspective, “everyone” is the equivalent of “no one” – a clear role must be provided. Answers to this question should provide clarity on who owns what, for example:
  • Is there a clear information security risk owner in the organization (e.g., CISO, CRO, Information Security Manager)?
  • Where are the organizational incentives to maintain risk-mitigation solutions in place? In other words, does the owner have a strategic direction for operational control over “critical” assets like data or systems considered critical to keep safe/undisturbed to avoid costly organizational impact?
  • Are crisis-driven roles assigned or do pre-assigned roles and responsibilities exist? (The answer to this leads right to the fifth and final question.)
5. How are you prepared to respond to a cybersecurity incident?
Arguably, this question represents the main takeaway, and the previous four questions have led here. At this point, you are clearly asking: When an incident happens, is the organization ready to respond?
An organization’s ability to respond to an incident may be the predominant issue a board, a director, or an investor needs to know. How an organization responds to a cybersecurity incident (or issue) can increase or decrease the severity of that incident (or issue), and thus the immediate impact to the organization. Having a plan is not as important as testing the plan; therefore, there are a number of areas in organizational response readiness on which to probe. For example:
  • Are pre-assigned roles and responsibilities established by title for incident response (i.e., do the people that need to act know who they are and what to do)?
  • Is there strategic alignment in management and communications in the event of any cybersecurity incident?
  • Does an identification (ideally classification) of critical assets exist within the organization? If not, how does the organization clarify the impact and know whom to contact during an incident (e.g., legal authorities, executives, partners, third-parties, customers)?
  • Is there one point-of-contact for command and control over the response effort?
For any board member, director, or capital investor, asking the above five, non-technical questions should – if nothing else – provide a reasonable place to start for gaining a sense of the organizational thinking around cybersecurity risk. (Ideally, measurable facts in support of this risk management are provided for gaining a quantifiable sense.)
For the cyber-mature organization, these types of questions may seem overly simple for addressing complexities within the cybersecurity risk problem. The answers, however, still provide a structured starting point (or baseline) from which overseers and managers together hold deeper, more insightful discussions around the particular organizational cybersecurity risk processes management has employed within the enterprise.
For the cyber-maturing organizations, these types of questions may appear relatively straightforward but also frustrating, should sufficient answers not be readily or practically available. As with any structured inquiry, areas where answers may not be obvious or available may become categories for further inquiry and follow-up.
For all organizations, providing a simple way to understand how the organization is thinking about the impact of cybersecurity risk is a meaningful problem to solve for any board of directors or potential investor.
* Calculating cybersecurity risk is a topic for a broader discussion. A simple primer on the relationship between threats, vulnerabilities, impact, and likelihood is published in the NISTIR 7621 (Revision 1) Small Business Information Security: The Fundamentals.
** This is a starting point. Mature organizations will have detailed and well-defined answers to these simple questions. When that is the case, things are off to a good start, and you have enough to frame a point of view on the overall organizational cybersecurity.
*** Any one/single framework does not match any one/single organization. From an oversight point of view, which framework chosen by an organization is less important than the fact that a framework was chosen.
**** Risk appetite may be thought of as the level of known risk organizational directors are collectively willing to accept.


Popular posts from this blog

New Old Bugs in the Linux Kernel

By Anonymous -
Image
  Introduction Dusting off a few new (old) vulns Have you ever been casually perusing the source code of the Linux kernel and thought to yourself "Wait a minute, that can’t be right"? That’s the position we found ourselves in when we found three bugs in a forgotten corner of the mainline Linux kernel that turned out to be about 15 years old. Unlike most things that we find gathering dust, these bugs turned out to still be good, and one turned out to be useable as a Local Privilege Escalation (LPE) in multiple Linux environments. Who you calling SCSI? The particular subsystem in question is the SCSI (Small Computer System Interface) data transport, which is a standard for transferring data made for connecting computers with peripheral devices, originally via a physical cable, like hard drives. SCSI is a venerable standard originally published in 1986 and was the go-to for server setups, and iSCSI is basically SCSI over TCP. SCSI is still in use today, especially
Read more

Automated Struct Identification with Ghidra

By Anonymous -
Image
At GRIMM, we do a lot of vulnerability and binary analysis research. As such, we often seek to automate some of the analysis steps and ease the burden on the individual researcher. One task which can be very mundane and time consuming for certain types of programs (C++, firmware, etc), is identifying structures' fields and applying the structure types to the corresponding functions within the decompiler. Thus, this summer we gave one of our interns,  Alex Lin , the task of developing a Ghidra plugin to automatically identify a binary's structs and mark up the decompilation accordingly. Alex's writeup below describes the results of the project, GEARSHIFT, which automates struct identification of function parameters by symbolically interpreting Ghidra's P-Code to determine how each parameter is accessed. The Ghidra plugin described in this blog can be found in our GEARSHIFT repository . Background Ghidra is a binary reverse engineering tool developed by the National Sec
Read more

SOHO Device Exploitation

By Anonymous -
Image
Netgear R7000 SOHO Device Exploitation After a long day of hard research, it’s fun to relax, kick back, and do something easy. While modern software development processes have vastly improved the quality of commercial software as compared to 10-15 years ago, consumer network devices have largely been left behind. Thus, when it’s time for some quick fun and a nice confidence boost, I like to analyze Small Office/Home Office (SOHO) devices. This blog describes one such session of auditing the Netgear R7000 router , analyzing the resulting vulnerability, and the exploit development process that followed. The write-up and code for the vulnerability described in this blog post can be found in our NotQuite0DayFriday repository. Initial Analysis The first step when analyzing a SOHO device is to obtain the firmware. Thankfully, Netgear’s support website hosts all of the firmwares for the R7000. The Netgear R7000 version 1.0.9.88 firmware used in this blog post can be downloaded from this web
Read more