Kip Boyle is the CEO of Cyber Risk Opportunities, whose mission is to help executives become better cyber risk managers. He has over 24 years of cybersecurity experience serving in such roles as Chief Information Security Officer (CISO) for PEMCO Insurance and Director of Wide Area Network Security for the F-22 Raptor. In addition to his work with many large, global organizations at the Stanford Research Institute, Kip has also held other cyber risk management roles for organizations in the financial services, technology, telecom, military, civil engineering, and logistics industries.
You’re a chief information security officer (CISO) who’s managing the security requirements for your organization’s value chain. As a former CISO (and current virtual CISO to several companies), I know that’s one of the core functions of our role.
How do you know you’re doing a good job? How would you evaluate your performance?
A CISO has to be fluent in business terminology. So, let’s level set by defining a value chain as the full range of activities that organizations go through to bring a product or service to their customers.
To put it in technical terms, an organization’s value chain follows the input/process/output model. Customers submit orders, the organization produces a product or service, and then fulfills the orders. (Sometimes a manufacturer sends more product than a retailer can easily sell, but that’s another story.)
Looking at all the public data breaches that we’ve seen over the past few years, it’s clear you need good security through every step of the value chain:
Security is so important there are many legal and regulatory compliance obligations that govern it:
More regulations are on the way, like General Data Protection Regulation (GDPR) and the National Association of Insurance Commissioners (NAIC) Data Security Law.
Not surprisingly, CISOs are spending a lot of money on external compliance. According to the F5 and Ponemon research report, “The Evolving Role of CISOs and their Importance to the Business,” 24 percent of the respondents’ IT security budget is dedicated to compliance and audit activities.
Your board of directors and senior executives typically express their cybersecurity needs via the corporate information security policy—even though you probably wrote it and spend more time talking about it than they do.
Interestingly, the same research report revealed that nearly 40 percent of respondents said they’re not monitoring their IT security policies for compliance.
This is distressing! Why aren’t they?
Ignoring your own policies can result in a determination of negligence in the event of legal action by a regulator or a court. For example, the Federal Trade Commission (FTC) has imposed severe penalties on organizations for unfair trade practices that were the result of making promises to buyers that weren’t kept.
Which now brings us to your customer’s cybersecurity requirements: They’re probably increasing. Have you noticed? This supply chain pressure is designed to encourage you to up your cybersecurity game or lose new business and renewals.
In the same research report, 23 percent of respondents said new or emerging compliance requirements marked a change in their organization’s attitude about its security program.
To give you a sense for what I’m seeing, here’s an excerpt of some language in a Master Services Agreement (MSA) I recently saw around data security requirements:
(ii) Vendor agrees to maintain effective information security policies and procedures that include administrative, technical and physical safeguards designed to a) ensure the security of nonpublic personal information (“NPI”), b) protect against anticipated threats or hazards to the security or integrity of NPI, c) protect against unauthorized access or use of NPI, and d) provide all NPI to Company, upon its request, or ensure the proper disposal of NPI. Vendor further agrees to immediately notify Company of any actual or potential data breach involving NPI and to appropriately document any and all corrective actions taken by Vendor. Vendor represents and warrants that it will contractually require its subcontractors to comply with Privacy & Data Laws and to maintain Security Procedures.
(iii) Vendor agrees to indemnify and hold Company, its directors, officers, employees and representatives harmless against any and all loss, damage and expenses, including reasonable attorney's fees, cost of investigation and defense, for any data breach resulting from an act or omission of Vendor or of Vendor’s subcontractors.
What would you do if a prospective customer sent you this clause? Sign it and hope for the best?
When you put all these requirements together, it’s a lot to deal with. And I mean that in terms of quantity, quality, duplications, and gaps.
Everyone seems to want the same things from you. But, they often use very different language when they ask for it. And rarely will an outsider check to make sure that you secured your payroll data, trade secrets, or other sensitive information that belongs only to you.
So, how do you know you’re meeting everyone’s security requirements?
A closely related question is, how many of your controls are in place and working the way they’re supposed to?
Here’s how I answer those questions.
We use a requirements traceability matrix as part of a single, integrated approach to knowing and satisfying all our compliance obligations.
There are many good examples of these matrices on the Internet. Although not all the examples focus on cybersecurity, the core concepts are directly applicable.
Using this tool, you can more effectively manage all your security requirements and measure how well you are doing. This kind of matrix helps you:
I start with a four-column matrix (ID, requirement and its sources, how the control is verified, and how often) and then add more columns, as needed, to fully describe the environment:

| ID | Requirement (Source) | Verification | Frequency |
|---|---|---|---|
| A.1.1 | Conduct risk assessment every 12 months. Source: HIPAA; Corporate Policy; Soylent Corp; Cyberdyne Systems | CISO submits the current project plan and status for the next risk assessment to the security steering committee for review. | Quarterly |
| B.1.33 | Review security policies every 12 months. Source: HIPAA; Corporate Policy; Stark Industries | CISO submits the current project plan and status for the next risk assessment to the CEO. | Annual (3Q) |
| C.2.6.1 | All third-party service providers must sign non-disclosure agreements. Source: Corporate Policy; Soylent Corp; Stark Industries; Initech | CISO compares the current inventory of NDAs with the list of current service providers on file with the contracts manager. | Quarterly |
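An added example, not from the article, of keeping the matrix as data so the two questions above can be answered mechanically: it flags rows whose verification step is overdue relative to its frequency, lists which requirements each source imposes, and reports any source (regulation, policy or customer) that has no traced requirement, i.e. a gap. The `last_verified` column, the day limits and the customer "Umbrella Corp" are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed rows mirroring the three-row matrix above; last_verified is an
# added column recording when the verification step was last performed.
MATRIX = [
    {"id": "A.1.1", "requirement": "Conduct risk assessment every 12 months.",
     "sources": ["HIPAA", "Corporate Policy", "Soylent Corp", "Cyberdyne Systems"],
     "frequency": "Quarterly", "last_verified": date(2018, 1, 10)},
    {"id": "B.1.33", "requirement": "Review security policies every 12 months.",
     "sources": ["HIPAA", "Corporate Policy", "Stark Industries"],
     "frequency": "Annual (3Q)", "last_verified": date(2017, 9, 1)},
    {"id": "C.2.6.1",
     "requirement": "All third-party service providers must sign non-disclosure agreements.",
     "sources": ["Corporate Policy", "Soylent Corp", "Stark Industries", "Initech"],
     "frequency": "Quarterly", "last_verified": date(2018, 4, 2)},
]

# Assumed maximum age of a verification before it counts as overdue.
FREQUENCY_DAYS = {"Quarterly": 92, "Annual": 366}

def frequency_days(frequency):
    """Map 'Quarterly' or 'Annual (3Q)' to a number of days."""
    return FREQUENCY_DAYS[frequency.split()[0]]

def overdue_verifications(matrix, today):
    """IDs whose last verification is older than their frequency allows."""
    return [row["id"] for row in matrix
            if today - row["last_verified"]
            > timedelta(days=frequency_days(row["frequency"]))]

def requirements_by_source(matrix):
    """Which requirement IDs each source (regulation, policy, customer) imposes."""
    by_source = {}
    for row in matrix:
        for source in row["sources"]:
            by_source.setdefault(source, []).append(row["id"])
    return by_source

def untraced_sources(matrix, known_sources):
    """Sources you owe obligations to that map to no row: a gap in the matrix."""
    return sorted(set(known_sources) - set(requirements_by_source(matrix)))

if __name__ == "__main__":
    today = date(2018, 6, 30)  # constructed reporting date
    print("Overdue:", overdue_verifications(MATRIX, today))
    print("Per source:", requirements_by_source(MATRIX))
    print("Untraced:", untraced_sources(MATRIX, ["HIPAA", "Soylent Corp", "Umbrella Corp"]))
```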
Once you have the matrix set up and working, you can evaluate new compliance requirements much faster and more effectively. Here’s the basic process:
To effectively close the loop on managing the security requirements of your value chain, regularly report what you’re seeing (for instance, trends and examples) to your boss and the board of directors (see How to Talk Cyber Risk with Executives).
Most CISOs who don’t do well managing compliance issues with the value chain are either overwhelmed by the daily interruptions of work or just don’t know how to organize a repeatable process for themselves.
By aligning your compliance requirements with your other business requirements, you can distinguish what has to be done from what would be nice to do and then prioritize accordingly. It also provides the momentum for business value to drive your compliance needs.