With the relentless flow of high-profile security breaches, there is no doubt that boardrooms around the world have woken up to the threat that cyberattacks pose to their businesses. Boards know that they are now accountable and will be judged by their ability to protect their organisations against financial and reputation loss as a result of cybersecurity failures, writes Ian Glover, president, CREST.
Boards are pivotal in improving the levels of corporate-wide cybersecurity and are responsible for managing cybersecurity resilience and providing confidence to stakeholders in the business that levels of control are commensurate and appropriate.
However, according to the National Cyber Security Centre (NCSC), one of the most frequently asked questions by Board members is, “how do we know what ‘good’ looks like for cybersecurity?”
The simple answer is that good cybersecurity is whatever protects the things you care about and ‘good’ cybersecurity for one organisation may not be good for another. So, Boards need to draw on the knowledge and expertise of others to make the right judgements.
The Board is responsible for many other risk-related activities where qualitative analysis and professional opinion are used to support its decisions. The cybersecurity industry must find a way of replicating the mandatory formal risk Board reports. To do this we must have standards in place and establish suitably qualified individuals capable of providing structured defendable opinions.
You would not just employ a company to provide formal risk reports on financial risk management; you would expect suitably qualified individuals to provide an opinion to the Board and to other stakeholders as part of the regulatory audit and review process. Those signing off these Board reports carry an obligation and would have to stand up and be accountable should it be proved that they had not identified bad or illegal practices. The cybersecurity industry must move in this direction if is to be viewed as a parallel profession.
The role of pen testing
The best way to discover where vulnerabilities lie and how they can be exploited is to simulate malicious attacks, from inside or outside of the organisation, in order to see how easy it is to break into a network or computer system and steal valuable data or deny access to critical assets. This is the art of penetration testing that provides an indication of the level of resilience that the organisation has against technical cybersecurity attacks.
Of course, it is recognised that no organisation can 100% secure against attack and there is a significant difference between the capability of an individual downloading a basic attack tool from the internet to the capability of serious organised crime or hostile intelligence services. Therefore, the level of technical control that is appropriate will also vary, which means that the recommendations from a penetration test must be placed in context to the capability of the potential attacker. This is essential if the results of the penetration test are to be used to form an opinion to be formally put forward to the Board and other stakeholders.
Cybersecurity and the Board: The technical cyber resilience opinion
It may be the case in the future that senior penetration testers will be formally asked for their opinion on the appropriateness of the technical controls, which is likely to form a core part of the overall Board Cyber Resilience report. As an industry, those responsible for technology often like to be in a position to set formal targets or key performance indicators (KPIs), often backed by ‘the maths’. This is not often the case with other opinion-based Board reports. It is not the case that a KPI would be measured against the number of unsuccessful attempts at fraud or money. This is why the opinion is so important. Therefore, indicators based on statistics such as the number of successful or prevented attacks and breaches are interesting from a headline perspective but are often not very useful as a demonstration that the organisation has in place appropriate and commensurate cybersecurity controls.
The purpose of a Cybersecurity Resilience Opinion would be to produce cybersecurity statements that provide information about an organisation’s cybersecurity resilience position for stakeholders and decision-makers. Unlike some other aspects of the business, resilience against attack is often a very technical issue and therefore we must find a way of describing the technical cybersecurity controls to a wide range of stakeholders. Whilst the stakeholders range from the Board to investors, suppliers and customers, the question about resilience against attack balanced against corporate spend is almost the same.
To provide the same degree of confidence as financial or legal opinions, the cybersecurity resilience opinion must be provided by qualified external experts with a detailed understanding of technology with the ability to contextualise this in terms of supporting security activities and business needs. They need to be engaged to examine the technical cybersecurity position and to give their professional view on whether management have taken appropriate and justified steps to protect the information systems they are responsible for over given periods.
Penetration testing is essential to prove that the controls in place are providing an appropriate level of protection, while cyber threat intelligence will help to contextualise the controls in relation to the type of attackers and their capability. The security operations centres (SOCs) are on the front line of defence and their ability to identify and triage attacks is essential. The ability to act on information about potential or actual attacks is really important and will often require the support of trusted third parties. All of these aspects will be essential parts of the overall Cybersecurity Resilience Opinion. The business needs to be confident and very clear who they are dealing with and have trust in professionally qualified and skilled individuals with the appropriate processes and methodologies to protect data and integrity.
CREST – the not-for-profit body that accredits companies and certifies individuals providing penetration testing, cyber incident response, threat intelligence and SOC services – already provides this level of trust and confidence for the Board and wider buying community.
The cybersecurity industry has also been working with business and governments to further professionalise the industry. CREST is working with all the other major industry bodies that support the cybersecurity industry and the NCSC and DCMS to set up a Cybersecurity Council, which when established will provide chartered status for professionals working in cybersecurity to be aligned with other professions such as accountancy, law and engineering. It is the view of CREST that this professional chartered status should be the benchmark for individuals providing opinions on Cybersecurity Resilience.
Meanwhile, specific industries such as banking and financial services, aviation, telecommunications, and energy are setting up their own schemes. The first of these was CBEST, developed by the Bank of England and supported by CREST. This is a framework to deliver controlled, bespoke, intelligence-led cybersecurity tests that replicate behaviours of those threat actors, assessed by government and commercial intelligence providers as posing a genuine threat to systemically important financial institutions. The inclusion of specific cyber threat intelligence ensures that the tests replicate as closely as possible the evolving threat landscape and therefore will remain relevant and up to date.
Most recently, the Civil Aviation Authority (CAA) has introduced its new ASSURE scheme, developed in partnership with CREST, to play a key role in the CAA’s Cybersecurity Oversight strategy. It enables the aviation industry – including airlines, airports and air navigation service providers – to manage their cybersecurity risks without compromising aviation safety, security or resilience and to support the UK Government’s National Cybersecurity Strategy. Questionnaires completed by the regulated organisations are validated by accredited penetration testers who provide a report to the CAA as the regulator and then the CAA provides an opinion. This is only one step away from delivering a Technical Cybersecurity Resilience Opinion.
A company’s annual report is typically made up of audited financial statements and a narrative containing management’s description of the company’s performance and activities. Whilst there are moves to include cybersecurity as part of the annual report, this is not currently a requirement. However, given that the report should provide confidence to shareholders and other stakeholders in the resilience of the organisation, the inclusion of a Cybersecurity Resilience Opinion would be a good starting point for this type of assurance.