Governing the Organization

This blog was originally published by Coalfire here.

Written by Matt Klein, Field CISO, Coalfire.

Security is the biggest risk to business today. Managing security has become one of the hardest jobs in the enterprise, and failing to do so effectively can create opportunities for severe operational disruption. One of the keystone conclusions from Coalfire’s Cloud Advisory Board’s the Smartest Path to DevSecOps Transformation Securealities Report is that the discipline of program governance must be based upon a centralized accountability and shared responsibility model.

Security is not a series of problems to solve but should be treated instead as an essential discipline that touches every part of the business. Functional ownership of security program management has a seat at the CEO’s table and should be maintained within an ongoing partnership with the board of directors.

To mitigate risk in the application lifecycle and to launch secure products, software development methodologies should integrate a programmatic approach to security. A centralized, comprehensive DevSecOps strategy will identify cyclical processes of assessment, testing, and compliance disciplines. In creating a security-obsessed organization, checks and balances must coalesce at the highest levels of enterprise management:

• Insist on centralized accountability for security, starting at the board level.
• Incorporate qualitative (not just quantitative) metrics for comprehensive security dialogue.
• Commit leadership to the cause of governance through a shared responsibility model where each leader holds authority within their area of operations, and is held accountable by all adjacent departments and processes.
• Require a cultural shift away from the “move fast and break things” mentality and instead, prioritize quality and completeness.

“Move fast and break things’ is a disruptive statement from an earlier era. Racing to market with products and cleaning up the mess later goes against today’s best-practice risk management principles. Buyers, sellers, suppliers, and regulators won’t accept this anymore.”

– Nils Puhlmann
Coalfire Cloud Advisory Board
CRSO, MoonPay
Co-founder, Cloud Security Alliance

Asking the right questions

In the boardroom, the response to issues surrounding finance and operations is usually analytical and data driven. Similarly, when security comes up, the conversation is expected to be data driven. However, this approach nullifies the value of looking at security in a qualitative manner, the same way we look at customer experience and product development itself.

Critical questions to ask in every executive security conversation:

• Do employees embrace the concept of security and are they incentivized to do so?
• Do you feel that the company is taking security seriously?
• Do you have the resources you need to create a mature security program?
• How would our customers feel if they knew everything we are doing – or not doing – to keep them secure?

Integrating and balancing qualitative and quantitative metrics that can be viewed over time with indicators of security program health and maturity present a richer picture. Examples of this balanced method include:

• “Shift-left” effectiveness has as much to do with cultural improvements as it does with development discipline.
• Security awareness training is most often done for compliance purposes – it should also reflect how well employees feel they share responsibility in organizational resilience.
• Increasingly, engagement scores like NPS have become more important quality-of-service measures than pure technical functionality.

Skin in the game at the board level

Directors learned from the Enron debacle that they can be held liable for allowing malpractice, and that they have the duty to act in avoiding damaging outcomes. The board should be asking questions that uncover the full picture of the state of security in the company. These qualitative questions take the enterprise beyond quantitative metrics and filter a culture of security governance into every discipline.

To the CEO:

Can you articulate how the company is taking security seriously, and why?

To the CFO:

Is the investment in the security program sufficient to ensure the resiliency of the enterprise?

To the COO:

How long could the organization sustain an outage due to a cyber incident?

To Chief People and HR Officers:

How do employees embrace the concept of security, and are they incentivized to do so?

To the CMO:

When a cyber incident and its sensitive details are made public, how will you answer to our customer base and the media, and how will you rebuild trust?

To general counsel:

Can you fully articulate the legal risks and obligations after a cyber incident?

We must assume more responsibility with security policies and controls that put the customer first. More companies are hiring chief ethics officers to address corporate culture implications to brand equity; to create transparent “Trust Centers” that enhance the customer experience with clear program visibility and policy guidelines; and to always answer the question: What is our responsibility to the greater good?

CISOs and DevSecOps pros have always been valued for our technical expertise – but not for our governance, until now. By taking a top-line attitude, connecting the dots to KPIs, and with a mantle of ethical priority surrounding everything we do, the CISO can help the board and fellow officers cross the chasm to the secure cloud.