It's 2021, and there's good news: security leaders have finally gotten through to CEOs about the importance of cybersecurity.
In PwC's annual CEO survey, 95% of Australian CEOs cited cybersecurity as their top threat to growth, and 77% said they “had factored cyber-threats into strategic risk management activities.” Australian CEOs scored considerably higher than their global peers on both counts, which is incredibly promising.
However, it's unclear if company boards understand the cyber-risks as well as the CEO.
There's no shortage of guidance for boards on the questions that they could or should be asking their organisation's security team to understand the threats.
Yet, the evidence is that most security leaders still struggle to get an audience with the board.
A 2019 study by the Ponemon Institute found that 40% of security leaders do not report to the board at all, 20% make a once-a-year cameo, and 14% only get to speak to the board following a security incident.
That attention deficit is reflected in the board's buy-in to cyber-related risks; “only 28% of respondents say their board and CEO determines and/or approves the acceptable level of cyber-risk for the organisation,” the study found.
In Australia, at least, that could soon change. The Australian government is considering new standards that would make directors personally liable for cyber-attacks against their organisation.
The prospect alone is likely to spur more frequent conversations between security and Australian boards and drive directors to understand cyber-risks more deeply since they'll be signing off on those risk thresholds.
On the flip side, if security leaders must suddenly appear before the board at more regular intervals, they will need to find ways to communicate some of the more obscure risks in the security portfolio.
Ponemon's recommendation in that regard is to come up with some “easily understood metrics that provide a comprehensive view of the threats facing the organisation.”
Identifying the right metrics can be a challenge for CISOs. For example, when talking to a company board, they often feel compelled to focus on metrics like intrusion attempts, incident rates, response times, and other numbers, which, while important, do not tell the whole story.
Additional metrics like excess privilege exposures may help CISOs contextualise common threat scenarios to the organisation's Active Directory (AD) and the network. These metrics may take some further explaining, but they provide a more comprehensive picture of network health and security.
Explaining Active Directory
As security professionals, we know AD plays a critical role in today's IT infrastructure. More than 90% of Global Fortune 1000 organisations use AD for authentication, identity management, and access control.
Boards need to understand that AD is a ‘master key’ that manages permissions across the organisation, and that access control is not simple.
Unfortunately, AD configurations become increasingly complex over time, resulting in overprovisioning and errors. The addition of temporary workers, mergers and acquisitions, and third-party vendors compounds the situation. In addition, the number of users, devices, and applications that access company networks is growing every day.
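As an added illustration, not code from the original article, the following Python computes a simple excess-privilege exposure summary from a constructed snapshot of AD accounts, of the kind a CISO could turn into a board metric. The metric definition, the set of groups treated as tier-0, the 90-day staleness threshold and the sample accounts are all assumptions, not figures from the article.

```python
from dataclasses import dataclass
from datetime import date

# Built-in AD groups whose membership grants domain-wide (tier-0) control (assumed set).
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

@dataclass
class Account:
    name: str
    groups: set
    last_logon: date
    enabled: bool = True

def excess_privilege_report(accounts, today, stale_days=90):
    """Summarise tier-0 exposure from an AD account snapshot (hypothetical metric).

    Counts accounts holding tier-0 group membership and flags those that are stale
    (no logon within stale_days) or disabled, both typical signs of overprovisioning.
    """
    privileged = [a for a in accounts if a.groups & TIER0_GROUPS]
    stale = sorted(a.name for a in privileged if (today - a.last_logon).days > stale_days)
    disabled = sorted(a.name for a in privileged if not a.enabled)
    ratio = round(len(privileged) / len(accounts), 3) if accounts else 0.0
    return {
        "total_accounts": len(accounts),
        "privileged_accounts": len(privileged),
        "privileged_ratio": ratio,
        "stale_privileged": stale,
        "disabled_privileged": disabled,
    }

# Constructed sample snapshot standing in for exported directory data.
SNAPSHOT_DATE = date(2021, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", {"Domain Users", "Domain Admins"}, date(2021, 5, 29)),
    Account("bob", {"Domain Users"}, date(2021, 5, 31)),
    Account("carol", {"Domain Users"}, date(2021, 5, 27)),
    Account("svc_backup", {"Domain Admins"}, date(2020, 11, 14)),  # stale service account
    Account("contractor_x", {"Enterprise Admins"}, date(2021, 5, 22), enabled=False),  # left, never removed
    Account("dave", {"Domain Users", "Schema Admins"}, date(2021, 2, 1)),  # no logon for months
]

if __name__ == "__main__":
    for key, value in excess_privilege_report(SAMPLE_ACCOUNTS, SNAPSHOT_DATE).items():
        print(f"{key}: {value}")
```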
Directors should also be aware of how often attackers target AD. One often-cited (albeit from 2015) number is that 95 million AD accounts are under daily attack. From a more up-to-date perspective, Microsoft says, “there are over 300 million fraudulent sign-in attempts to [its] cloud services every day.”
Since a cloud-based version of AD is what grants access to those cloud services, this figure should illustrate to the board just how popular a target AD is, and therefore why the organisation needs to manage and secure it appropriately.
Speaking the language
If the board needs further convincing, they should know that privileged access abuse is a factor in 80% of known security breaches, including the recent highly damaging SolarWinds and Microsoft breaches.
If attackers compromise AD, they can use stolen credentials — or escalate privileges for credentials they already possess — to move around inside the organisation's network. If the attacker can gain administrative control of AD, the attack becomes highly difficult to stop and can require extreme measures to revert to a non-compromised status.
Given its role in maintaining operations and allowing employees to do their work efficiently, losing control of AD can cause anything from a minor to a complete disruption of service.
There are also economic and reputational costs to consider. The financial impact of a data breach in Australia is now $3.35 million on average. All of this is language the board understands.
With the prospect of regular face-time with the board, CISOs have a chance to explain cyber-risks in a way that promotes a genuine understanding of the threats.