Security decisions directly affect employees, customers, shareholders, and business continuity. As the role of the Chief Information Security Officer (CISO) evolves from tech leader to business leader, they must increasingly bridge the gap between business objectives and security risks, and translate security into measurable outcomes. In this article, we will examine this issue from the perspective of identity security.
The CISO Paradox: Sometimes Cybersecurity is More Business than Cybersecurity
As with any business decision, cybersecurity is a matter of risk management: the potential risk reduction you get from investing in cybersecurity vs. the costs entailed in making these investments. Similar to allocating resources to any other organizational need, investing in cybersecurity goes beyond purchasing the right tools. It impacts business continuity, employees, customers, shareholders, and many others.
The problem is that business leaders do not typically view cybersecurity as a business decision, largely because the role of the CISO has evolved and organizations are still adjusting. CISOs are now more business leaders than tech leaders, but this shift has not yet been fully understood and implemented.
This creates a complex task for the CISO. Their information security architects speak in terms of solutions, while their executives speak in terms of business outcomes. Balancing these two and translating one to the other requires great effort and greater authority. To make a calculated business decision, it is helpful to apply the following formula, which weighs the risk reduction a security plan delivers against what it costs:
- Current Risk: Assessment of the organization’s attack surface, financial losses in the event of a breach, impact of downtime on each division, likelihood of being breached, published statistics on the cost of a breach, etc.
- Expected Reduced Risk: Estimate of the risk following the implementation of the suggested security plan, including reducing the attack surface, decrease in insurance premiums, etc.
- Investment Cost: The total cost of implementing the suggested security plan, including the purchase of tools and training.
Price is What You Pay, Value is What You Get: What is The Real Cost of Identity Security?
So how does the equation above translate identity security into a business-driven decision?
According to The State of the Identity Attack Surface report, 83% of organizations have experienced a security breach that involved compromised credentials. The vast majority of ransomware attacks rely on lateral movement to spread throughout a network. Typically, the initial point of entry is through a compromised regular user account or service account.
Let’s explore the cost of protecting these key parts of the identity attack surface in more detail. We will begin by discussing MFA as an example, and then we will discuss service accounts as well.
MFA… but at what cost?
In the case of MFA, organizations may have the following two options:
- Only enforcing MFA for admins: less expensive than MFA for all users but does not prevent lateral movement that involves regular users.
- Enforcing MFA for all users: more expensive but provides protection against lateral movement that involves regular users.
In each case, the current risk is the same. The CISO can illustrate the outcomes of each option by putting actual numbers into the equation and using them to start a business-driven discussion:
The decision could be either option, as long as it is communicated to executives and the board and demonstrated through measurable outcomes.
Service Accounts: What’s the cost of being invisible?
With service accounts, it is easier to translate risk into visibility:
- Purchase of a service account security solution: enables the discovery, monitoring, and control of all service accounts. It can provide full visibility, but may be costly.
- Do it manually, at least partially: it is difficult to keep track of all service accounts. While it is somewhat achievable in smaller organizations, it is an almost impossible task for larger organizations. Costs vary, but are usually much lower than the cost of investing in a security solution.
- Do nothing at all: visibility remains the same, current risk remains the same.
Only 5.7% of organizations have full visibility into their service accounts. Yet many high-profile data breaches in recent years involved the use and compromise of these non-human identities, including SolarWinds, the US Office of Personnel Management, and Marriott.
Organizations should review their own history to see whether past incidents have occurred, whether service accounts have been misused or compromised, and how ransomware attacks have affected other organizations in their industry.
There are advantages and disadvantages to each option, and no one option is suitable for all organizations. Illustrating the outcomes:
Final Thoughts: Bridging the Gap
CISOs are becoming a key role in translating security solutions into business decisions. But with great power comes great responsibility, as measurable security outcomes not only facilitate a better understanding of the discussion, but are also crucial to making the right choices.
What are the right choices? As shown above, there is no single answer to this question. The key is to treat cybersecurity like any other business investment: cautiously, armed with all the facts, and based on actual numbers.