You’re a chief information security officer (CISO) who’s managing the security requirements for your organization’s value chain. As a former CISO (and current virtual CISO to several companies), I know that’s one of the core functions of our role.
How do you know you’re doing a good job? How would you evaluate your performance?
The Value Chain Explained
A CISO has to be fluent in business terminology. So, let’s level set by defining a value chain as the full range of activities that organizations go through to bring a product or service to their customers.
To put it in technical terms, an organizations’ value chain follows the input/process/output model. Customers submit orders, the organization produces a product or service, and then fulfills the orders. (Sometimes a manufacturer sends more product than a retailer can easily sell, but that’s another story.)
Looking at all the public data breaches that we’ve seen over the past few years, it’s clear you need good security through every step of the value chain:1
- Customers have cybersecurity expectations. They trust you from the moment they hand over their personally identifiable information, and they’ll be angry if that trust is broken.
- You (and your vendors) need to handle all confidential information in a responsible way when producing and delivering your product or service.
- Fulfilling orders has to be done just right to avoid cybersecurity failures.
Security is so important there are many legal and regulatory compliance obligations that govern it:
- Some of the big ones include Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Defense Federal Acquisition Regulation Supplement (DFARS), and Federal Information Security Management Act (FISMA)
- New requirements like New York’s Cybersecurity Regulation (23 NYCRR Part 500)
More regulations are on the way, like General Data Protection Regulation (GDPR) and the National Association of Insurance Commissioners (NAIC) Data Security Law.
Not surprisingly, CISOs are spending a lot of money on external compliance. According to the F5 and Ponemon research report, “The Evolving Role of CISOs and their Important to the Business,” 24 percent of the respondents’ IT security budget is dedicated to compliance and audit activities.
What About Internal Security Requirements?
Your board of directors and senior executives typically express their cybersecurity needs via the corporate information security policy—even though you probably wrote it and spend more time talking about it than they do.
Interestingly, the same research report revealed that nearly 40 percent of respondents said they’re not monitoring their IT security policies for compliance.
This is distressing! Why aren’t they?
Ignoring your own policies can result in a determination of negligence in the event of legal action by a regulator or a court. For example, the Federal Trade Commission (FTC) has imposed severe penalties on organizations for unfair trade practices that were the result of making promises to buyers that weren’t kept.
What Do You Owe Your Customers?
Which now brings us to your customer’s cybersecurity requirements: They’re probably increasing. Have you noticed? This supply chain pressure is designed to encourage you to up your cybersecurity game or lose new business and renewals.
In the same research report, 23 percent of respondents said new or emerging compliance requirements marked a change in their organization’s attitude about its security program.
To give you a sense for what I’m seeing, here’s an excerpt of some language in a Master Services Agreement (MSA) I recently saw around data security requirements:
(ii) Vendor agrees to maintain effective information security policies and procedures that include administrative, technical and physical safeguards designed to a) ensure the security of nonpublic personal information (“NPI”), b) protect against anticipated threats or hazards to the security or integrity of NPI, c) protect against unauthorized access or use of NPI, and d) provide all NPI to Company, upon its request, or ensure the proper disposal of NPI. Vendor further agrees to immediately notify Company of any actual or potential data breach involving NPI and to appropriately document any and all corrective actions taken by Vendor. Vendor represents and warrants that it will contractually require its subcontractors to comply with Privacy & Data Laws and to maintain Security Procedures.
(iii) Vendor agrees to indemnify and hold Company, its directors, officers, employees and representatives harmless against any and all loss, damage and expenses, including reasonable attorney's fees, cost of investigation and defense, for any data breach resulting from an act or omission of Vendor or of Vendor’s subcontractors.
What would you do if a prospective customer sent you this clause? Sign it and hope for the best?
How Do You Know You’re Meeting the Requirements?
When you put all these requirements together, it’s a lot to deal with. And I mean that in terms of quantity, quality, duplications, and gaps.
Everyone seems to want the same things from you. But, they often use very different language when they ask for it. And rarely will an outsider check to make sure that you secured your payroll data, trade secrets, or other sensitive information that belongs only to you.
So, how do you know you’re meeting everyone’s security requirements?
A closely related question is, how many of your controls are in place and working the way they’re supposed to?
Here’s how I answer those questions.
Track What’s Required of You: The Requirements Traceability Matrix
We use a requirements traceability matrix as part of a single, integrated approach to knowing and satisfying all our compliance obligations.
There are many good examples of these matrices on the Internet. Although not all the examples focus on cybersecurity, the core concepts are directly applicable.
Using this tool, you can more effectively manage all your security requirements and measure how well you are doing. This kind of matrix helps you:
- Collect all your compliance requirements in one place.
- Eliminate duplicates while preserving sources.
- Describe your actual controls.
- Schedule testing of your controls (for example, penetration testing, automated scanning, inspections).
- Record the test results.
- Plan for control changes and upgrades.
I start with a four-column matrix and then add more columns, as needed, to fully describe the environment:
- Name, unique ID, and description of the requirement, including source
- List of existing controls that satisfy the requirement
- List of the tests that prove the controls are effective
- Frequency of testing
Example: Requirements Traceability Matrix
|A.1.1||Conduct risk assessment every 12 months.
Source: HIPAA; Corporate Policy; Soylent Corp; Cyberdyne Systems
|CISO submits the current project plan and status for the next risk assessment to security steering committee for review.||Quarterly|
|B.1.33||Review security policies every 12 months.
Source: HIPAA; Corporate Policy; Stark Industries
|CISO submits the current project plan and status for the next risk assessment to the CEO.||Annual (3Q)|
|C.2.6.1||All third-party service providers must sign non-disclosure agreements.
Source: Corporate Policy; Soylent Corp; Stark Industries; Initech
|CISO compare current inventory of NDAs with list of current service providers on file with the contracts manager.||Quarterly|
Once you have the matrix set up and working, you can evaluate new compliance requirements much faster and more effectively. Here’s the basic process:
- Check your inventory of controls to see if you already satisfy the new requirements.
- If you already do something that’s very similar, negotiate so you don’t have to change anything.
- Alternatively, adjust your existing controls so they satisfy the new requirements.
- Negotiate with the requestor if the new requirement will cost substantially more to control than what you’re already spending.
- Offer to purchase additional insurance to transfer the risk.
- If none of the above work, maybe the business isn’t worth the effort.
To effectively close the loop on managing the security requirements of your value chain, regularly report what you’re seeing (for instance, trends and examples) to your boss and the board of directors (see How to Talk Cyber Risk with Executives).
Use the Value Chain to Win the Compliance Game
Most CISOs who don’t do well managing compliance issues with the value chain are either overwhelmed by the daily interruptions of work or just don’t know how to organize a repeatable process for themselves.
By aligning your compliance requirements with your other business requirements, you can distinguish what has to be done from what would be nice to do and then prioritize accordingly. It also provides the momentum for business value to drive your compliance needs.