Healthcare IT News
A tip sheet to help CISOs talk to the board about security needs
By: Bill Siwicki
Healthcare chief information security officers know that the cost of a data breach is higher for them than in any other industry.
When attacks make headlines, panicked board members have one question for CISOs: How can we be sure that won't happen to us? CISOs must be prepared to lead board-level conversations about risk management.
Lead with resilience, manage fear
One big question: How do CISOs lead with resilience and manage fear when talking to the board about cybersecurity?
Jeff Costlow, deputy CISO at ExtraHop in Seattle, offers two scenarios.
"Scenario 1: Imagine yourself walking down the street," he said. "You look up and see that a building is on fire, you go closer to investigate. At the front of the building is a person, they're running around in panic. It looks as if they're going to run inside the burning building. Not a wise idea, you think.
"Scenario 2: You're walking down the street and see the burning building," he continued. "This time, that same person is talking to the crowd. 'I've called the fire department, they're two blocks away,' they say. 'Everyone safely evacuated the building when the fire alarms went off. There are fire doors in place and a sprinkler system. The building will be okay.'"
Which scenario would a CISO prefer their board to see? Scenario 2, of course. Scenario 2 is an example of a leader that leads with resilience. This is how a CISO should communicate to the board and to their team, Costlow said.
Incident response frameworks
"Resilience is gained in a number of ways," he said. "Above all else, it's built by following industry best practices and incident response frameworks. CISOs who don't skip the basics are better prepared to respond in an emergency. Each time there is an incident, it is essential to learn from the gaps that led to the incident, fix them and build a stronger practice.
"By undergoing this process, you will become more familiar with the risk that you hold and the measures that are in place to defend against those risks," he continued. "When you know this information, you are able to respond more calmly and confidently when the board comes to you panicking about the latest threat with an attention-grabbing headline. By managing the fear, CISOs can build trust with the board."
Costlow offers an example of how a CISO finds and manages a gap in their security posture.
"The best first step to knowing the gaps in your security posture is to map against frameworks like MITRE ATT&CK, CIS Controls and NIST," he advised. "These frameworks provide a programmatic, logical and standardized way to evaluate the completeness of a security program against industry benchmarks. They can provide a contextual overview of the technologies you have in place – such as network detection and response, firewall, SIEM, and endpoint protection."
Understand the gaps in frameworks
He issues a word of caution, though: It is critical that one understand the gaps and areas of focus of each framework. Not every framework covers each step across the identify, detect, protect, respond and recover workflow.
"For instance, while MITRE provides a lot of detail in the identify and detect areas, its focus is not to provide guidance on how to protect, respond or recover," he noted. "The best way to understand your gaps is to leverage several frameworks in tandem when reviewing your environment.
"This is easier said than done," he continued. "These frameworks are often hundreds or even thousands of pages to read through, and finding the gaps is often not an automated process. There are a few first steps that you can take to start making process improvements."
For example, take a look at one's existing tooling, he suggested.
"What areas does it cover?" he asked. "Are you more focused on defense on the outside – of the perimeter – or on the inside – the network? It is important to have a balance between prevention-and-protection and detection-and-response capabilities. With remote work, the surge in cloud adoption, aging systems and expansion to the edge, the attack surface is expanding every day and the perimeter becomes harder to define, much less defend.
"As such, it's a well-accepted and unfortunate truth that attackers have the advantage," he noted. "Try as you might, they will get in. And when they do, you need to have a plan for detection and response. Unfortunately, few organizations have coverage in this area. It is a good place to start when filling gaps."
A checklist for success
Costlow offers CISOs a checklist for success when talking to the board. The checklist starts with the basics. It's important not to lose sight of the everyday block-and-tackle that is the foundation of CISO efforts, he advised. The first step when taking over any security practice is to ensure one has the proper tooling, staffing, incident playbooks and emergency-response communication plans in place, he said.
After that work is done, a CISO is ready to speak to the board, he stated. Below are some tips that Costlow would give any CISO to prepare them for a successful board meeting:
- Know your audience. Talking to the board is not like talking to your team. They need to understand your team's work from the perspective of the business, so be sure to focus on things like trust and reputation, customer satisfaction and driving efficiencies.
- Put risk in perspective. Don't chase the threat du jour or the unattainable ideal. Focus on real challenges facing your business, not just the ones getting headlines.
- Know the gaps. As noted, there are ways to know your gaps. Know them and continuously mitigate them.
- Lead with resilience. A resilient plan is much better than brittle silos that break under pressure. If you align to industry-standard security frameworks and continually improve your security practice with every incident, you will understand your risk much better and will be prepared to respond appropriately to questions from the board and future potential threats.
- Focus on organizational objectives. The organization has needs and CISOs need to meet them. Threat models that don't account for the organization's goals miss the point.
- Advocate for resources. Threats are not going away. As your business grows, so does its attack surface. Building your team as the enterprise grows is table stakes. You will have an easier time getting buy-in for resources if you're able to make security visible, while removing friction for users. By integrating practices like single-sign-on or password managers, your team's efforts will be put on display, while simultaneously making the day-to-days of employees easier.
- Build a road map to success. Security controls that don't operate well are often bypassed. Work with stakeholders in the business to build controls that help them achieve their objectives, rather than hinder them.
