The webinar focused on the critical role of executives in making informed cybersecurity decisions amidst increasing regulatory pressures. Key speakers Chris Cronin, Charity Otwell, and Phil Langlois discussed the importance of governance, risk management, and effective communication between technical teams and executives. They highlighted the need for executives to understand cybersecurity risks and the significance of using accessible language in reports to bridge communication gaps. The session emphasized the use of data-driven resources, such as the Verizon data breach investigations report, CIS RAM, and DoCRA to aid executives in assessing their organization’s risk posture. Overall, the discussion aimed to empower executives with the knowledge and tools necessary for effective cybersecurity governance.
TRANSCRIPT
Okay. Why don’t we get started? Hello, everyone. Thank you for joining.
As you see, our discussion is about how executives can make informed cyber decisions.
This is a topic that’s become very hot as we’ve seen regulatory and standards requirements starting to push this idea of governance, which is essentially making sure that executives are involved in the cybersecurity program. So with us today, we have Phil Langlois, Charity Otwell, and myself. Phil, why don’t you introduce yourself real quick?
Yep. Absolutely. So as mentioned, my name is Phil Langlois. I’m the lead data scientist and author of the Verizon Data Breach Investigations Report (DBIR). I’ve had the distinguished pleasure of working with Chris Cronin over the last few years on a couple of different initiatives, from back on out at CIS. But, yeah, absolute pleasure to be here.
Thanks. And Charity?
Hey. Good afternoon, everybody. Charity Otwell, director of Critical Security Controls for the Center for Internet Security or CIS.
Been with the team for about eighteen months and have the pleasure of leading the controls team as well as leading the controls ecosystem where the controls and all of our mappings and white papers and companion guides are housed, and happy to be here with you today.
Good. Thank you, Charity and Phil. And I’m Chris Cronin. I’m a partner at HALOCK Security Labs and Reasonable Risk. As you can see, we’ve been working with folks like Center for Internet Security and Phil, we’ve collaborated with you somewhat even in your current role.
And I’ve been really pleased to see the level of involvement and engagement that we get with people across the industry to help figure out how to answer some of these tough questions on what risk analysis, risk management, and governance are. So I’m very grateful that you could join us here to talk about this.
What we wanted to do is jump in and talk about it first, up first, what we’re talking about when we mean governance and risk management and why this is coming up. So, some of you are here because you’re interested in what’s happening with the cybersecurity disclosure rule from the SEC. This is the first year that people have been required to add new cybersecurity disclosures in their 10-Ks. If you’re a public company, you know what those public filings are.
But we see it coming up in a lot of regulations. The NYCRR Part 500 is an example of a state regulation where governance is being explicitly required, and the Cybersecurity Framework has, in 2.0, issued a new security function for governance. And they’re all trying to say in terms of governance that cybersecurity is not just the domain of the few technicians who are told what to do. It’s the responsibility of the organization as a whole and should be owned really by executive management.
There’s a Rorschach test we put in front of people when we talk to them about new regulations. We say, is this regulator threatening you or handing you a tool? If you feel like you’re beat up from a regulator, you think, oh, no. She’s threatening me.
The requirements for governance coming up is definitely regulators and standards bodies handing you a tool.
It’s saying we’re going to help you articulate the role that executives have in owning risk management and cybersecurity.
In part, meaning we need to be sure that they understand the risk components, the business risk components of what it is that you’re doing for cybersecurity, and they also need to be sure that you’ve got the right resources, prioritization, collaboration inside the organization. So it’s a tool that helps you get the support that you’ve needed. Okay? But there’s still this question of how. How do we actually do this? What this session will be focused on is information, making sure that you’ve got the right information to get to your executives so they know how to make informed decisions even if they’re not cybersecurity experts, which most of them just won’t be.
Here’s a quick breakdown of what we mean. We’re gonna be seeing risk management and risk governance.
Risk management is looking at the likelihood and impact of foreseeable threats.
That’s different from a maturity assessment. It’s different from, say, a gap assessment or an audit. It means you thought through what could go wrong and you thought through how people could be hurt. You’ve prioritized the highest likelihood and impact of people getting hurt to fix, but you’re putting controls in place that are not going to be greater than the risk that you’re trying to prevent. But you’re planning safeguards. You’re implementing those safeguards. You’re measuring those safeguards to make sure that they’re working and that you’re seeking resources when they’re not working, when you need more support.
Governance, on the other hand, is typically an executive activity. It’s assigning ownership of risk reduction. It’s saying, hey. This one’s important to the business.
Make sure that the right people are reducing that risk, making sure that we’ve got people implementing, operating, evaluating, and feeding back to us when you need more resources to get something done so we can get you those resources. That’s generally the requirement on the governance side. So the way we break this down, if you’re familiar with the plan, do, check, act cycle of knowing that you’ve figured out what you need to do, you’ve implemented what you had to do, you’ve checked to see if it worked, and you’ve critically improved where you’re not working, that we think about as risk management.
The plan is your risk assessment.
The check and the act are how you communicate up to governance, where your executives are assigning responsibilities, providing resources, monitoring program effectiveness, correcting program failures, and reporting to interested parties. So, hey, regulators, clients, here’s what you need to know. In governance at the executive level, we don’t expect executives to be able to articulate a specific cybersecurity risk. It’s not their job.
It’s to say to the people who are counting on a certain level of reliability, you can rely on us for this much or that much. Talk to the team who can help you figure out the details. The team who can help you figure out the details are typically in the risk management portion. Alright?
Okay. So why is governance rising as a cybersecurity issue? It isn’t just to give us more to do.
HALOCK and Philip, and you’re seeing this Charity too, organizations who are having cybersecurity breaches are regularly showing, we see it in the evidence of the cases we work on, that executives and the technicians just don’t know how to communicate.
So a technician isn’t able to say, hey, boss. Remember I told you about Telnet on an old server?
I know you don’t know what that means. It has to stay in place because of this business critical thing. We need your attention to change that business critical thing so we’re not vulnerable to attack. There’s a difficulty in having that communication and knowing why that kind of thing is important.
But we see it in evidence after evidence. How many remember this testimony? Well, we had two SolarWinds CEOs, the previous and the current, saying to congress, hey. Remember that big incident that we had? Well, it was an intern’s fault.
They handled passwords incorrectly.
That was exactly the opposite of governance.
That’s someone saying cybersecurity, even though I’m the CEO of this place, that’s not on me. That’s someone else. And, of course, everyone who heard that thought, why is your system so vulnerable that an intern can flip it on its head? Right? That’s the flaw of governance.
Now who felt bad that day? First, the intern.
Oh, no. I’m not gonna pass my course. They required me to do well in my job at SolarWinds.
It was a terrible day for that intern, who felt bad. CEO Ramakrishna did. And he said later, that was not my best day. I should not have done that. It was an institutional problem.
Moments like that catch people’s advice, and regulators and standards bodies have been saying, we need to tell executives that you own this. Operationally, you have to do better.
HALOCK did a 10-K study. We looked at the first set of 10-Ks that came out that require describing what governance and risk management programs are like. We found that people publicly were very confident saying our risk management is doing great.
Privately, we’re showing they’re saying risk management is not doing great. We’re not estimating risk. We’re not communicating well to executives.
And they were not actually demonstrating a knowledge of what risk management and governance even were.
What they’re saying in public is we have formal risk management programs. In private, which you’ll see in the report, we do not plan based on foreseeable risks. In public, we report to executives who make informed cybersecurity decisions. In private, we’re not comfortable being honest with executives about our cyber risks.
Right? Some of these things might be familiar to the people attending. The board oversees cybersecurity and our CISO owns it. This is what’s being said.
CISOs have been saying privately, our executives and board don’t know what I do for a living. Now to many of us, that right side of the column here, what they say in private, is what we hear regularly among our peers in the industry; there is a challenge there. We don’t think people who are writing 10-Ks are lying. We don’t think they’re doing this on purpose.
We think they’re struggling with understanding what this means yet, and they’re bluffing toward everything’s fine.
Alright. So here are the things we’re gonna be talking about today. We wanna be sure that we’re helping make governance something that can be adopted and succeed, first starting through communication.
Over the next several quarters, we’re gonna be having other separate conversations about other aspects of governance. Today, we’re focusing on communication.
So we’re gonna be talking about these questions that executives tend to want to make decisions from. How do we compare to our peers? Are we protected? And does our investment correlate with our risk? These are the questions we see boards struggling to ask and struggling to get answers for. The way we’re gonna answer these is to talk about the Verizon information, both through your Data Breach Investigations Report, Philip, and your Veris Community Database (VCDB).
On the questions about are we protected, Charity’s gonna take over, and she’s going to let us know how we know we’ve got good standards for cybersecurity safeguards, freely available from the Center for Internet Security, and then how you actually use those in a method for building a program that can be described so that nontechnical executives understand it. And then I’ll wrap it up talking about how our risk assessment method pulls these facts together so we can have a business conversation about priorities.
First, onto the Veris and Verizon data. Most people, when they hear how do we compare to our peers, go to maturity scores, which is answering, how do I get to where this consultant says my peers are? Our going theory is that your peers are getting breached, so we don’t want you to get to where your peers are. We want you to think about where the risks are. And what Verizon has been doing is saying, here’s what’s causing problems among your peers. So if we can use that to compare, that’ll be really helpful. So, Philip, why don’t you jump right in?
Just real quick, if you could give us an introduction about the difference between the investigations report and the Veris data, that’ll be great. And then just let me know when you need me to advance and I’ll advance.
Yeah. Absolutely. So the Data Breach Investigations Report, the DBIR as we like to call it, has been around for seventeen years. So we’re coming up on the eighteenth year we’ve been doing this.
However, when we first started the report seventeen years ago, which, I think, predates the iPhone, just to pull a little context, there wasn’t really a consistent way in which we could describe incidents. Right? There was kind of, like, some general bits and bobs. You can say, like, okay.
This was an accident or this was a malicious attacker. But as the report grew over the years, and especially as we started getting more contributors, there was an increased importance of being able to standardize the data we use. Alright. So that’s what Veris is.
So Veris is an open source framework for standardizing how we describe a breach, and it contains what we consider to be the most important parts of a breach. It has who was impacted, what was impacted in terms of the asset, how was it impacted, what was the action that led to the breach, and what was the impact. So we’ve been maintaining the standard, I think, for about fifteen years now, and like I said, it’s publicly available on GitHub.
We have all the fields and all the descriptions available, and it’s what we use as part of the breach investigation report. So all the datasets we collect from our forty or eighty different partners will be standardized based on this. And this really kind of helps us answer the question, you know, for each of the industries, what are the types of attacks that we’re seeing? How can I defend my organization against those attacks? What is being targeted?
So that’s why we think it’s important to have some standard language when it comes down to talking about incidents because it really helps us to make that translation to, you know, what are the actions that we can go.
And I think that’s ultimately really the reason why we do this. Right? We wanna be able to inform our users. We wanna be able to inform whoever reads the report that these are the actionable things you can do to prevent the breaches that we’re seeing.
So let’s dive a little to kind of some of the high level statistics.
Why is it important? Right? So we covered ninety four different countries just in this year’s report.
We have thirty thousand incidents, and ten thousand of those are breaches. So if we put our little CISSP hats on, an incident is anything that impacts availability, integrity, or confidentiality of an asset. So it includes a lot of things like denial of service attacks. And then when it comes to breaches, it’s anything that impacts the confidentiality of information.
So we’re a little bit different than what you would typically see in some other, not reports, but other types of analysis, because we don’t just consider malicious actors. We also consider accidents. Because from a, you know, breach perspective, a user sending out an email to the wrong individual is just as much a breach as a hacker breaking into the system. So I think that’s important when you’re looking in terms of the impact, you know, the incidents or the impact of, you know, an event to your organization. It’s not just malicious actors, and we always have a tendency of saying, oh, okay. Let’s think about ransomware, or let’s think about nation states.
There’s more than just that. Right? There’s a large variety of different types of breaches, and we cover pretty much all of them in our report in some fashion. So there’s some major trends.
So if you were to go to the next slide and this is just, oh, okay. Yeah. The Veris slide. So you can, I think, probably click through it?
It’s all animated.
But as I mentioned, right, it covers the main pieces. I wanna make sure everyone has a link here so that they can go and access it. So it’s freely available on GitHub.
We also have some tooling to both code incidents, available on a website, but then also to analyze. Right? So the majority of the tools that we use to write the report in terms of doing the analysis on Veris are also available. So if you were keen, you can leverage this, you know, this framework, either to analyze your own data or to, you know, analyze the public data, which I’ll discuss a little bit later.
Next slide.
So within the report so this is just an example.
You know, I pulled out at random one of the industries we look at. As Chris mentioned, this is one of the areas in which executives are interested: how do I compare to other organizations? And this is something that we’ve done pretty consistently over the years and we continue to do is these industry slices. So the number of slices we do is limited by a couple different factors depending how much data we have. We always wanna make sure our analysis is robust enough based on the number of breaches.
So that’s why some years we cover some industries, some years we don’t. But we really try to provide, you know, the high level view in terms of, you know, what are the actions, what was the impacts, right, what type of data was compromised, what type of actors.
So organizations can really kinda start diving into, you know, their own posture. You know, these are the things that are impacting organizations like myself, you know, in this case, educational services.
How am I protecting myself against errors? Right? We know errors is a big part of it.
We know in this case, MOVEit was also a very big part. So how am I managing vulnerabilities?
This case, that’s a very complex one because it’s a zero day. How am I managing my data retention policy?
So, you know, we provide, once again, all this information just as part of the report so that, as a baseline, you can go and look at it and get an understanding as to your current posture in relationship to what your peers are getting impacted with.
And, like, you know, I just wanna make sure. Once again, it’s another freely available resource. We try to make sure the report is written in an easy and accessible language. We try not to throw down too much jargon because we really want this report to be accessible by everyone. Right? Because ultimately, I don’t need to tell cybersecurity professionals the importance of multifactor authentication (MFA).
I don’t need to tell them the importance of patching.
Right? So that simple language and, you know, I think having some concrete numbers helps people with their advocacy and their risk management process.
If you go to the next slide, this is kind of the last resource I’ll touch on. And I’m sure this is kind of an eye chart.
The reason why is I just wanna overwhelm you guys with data and just be like, this is just a glimpse. Just imagine what you’d be able to see if you could zoom in.
But this is actually a spreadsheet from our Veris Community Database.
So as I mentioned, we have ten thousand breaches, thirty thousand incidents. We collect this information from a variety of different sources and partners and contributors and collaborators.
One of the sources we pull from is the Veris Community Database. So this is a publicly available resource on GitHub that contains known publicly disclosed breaches.
So we go through and we create incidents for, I can’t say all the breaches, but for a good chunk of the breaches, at least in the English speaking world, that we can kind of capture with our Google filters. And then we’ll assign them, you know, using some random sampling and some other ways so that they’re then coded by us. So the data in it is very well vetted. Right? This is data that represents our knowledge in terms of the DBIR authors, and then we put it out, and it’s available in terms of JSON, CSV.
Right, and then there’s also a .dat file, for if you’re an R user or like your data set a little more robust. But what it has is information in terms of, like, the patterns and the breaches and the industries. So it’s really just a subset of the overall DBIR data, and we provide it back to the industry, because we won’t be able to leverage it. Right? We can’t provide all the DBIR data. This is a subset that we can. So this is where, you know, it’s really exciting to see some of the work that Chris has done and some other partners in terms of leveraging it and helping organizations identify what their priorities are based in terms of the risks they see that exist, you know, from the cases we’ve coded.
Yeah. That that’s perfect. Thank you, Phil. And so something I wanna point out here that’s really interesting too, just about the usefulness of this Veris data, which is available to the public. It’s more than ten thousand records, right, of incidents.
And you can drill down super deep. Like, you’ve got industry name here. You can go super deep into the subset of industry. So where you have finance, you can distinguish between banking and non-banking finance and find really interesting patterns.
So if you’re into data, it’s a tremendously valuable resource. But something I wanna point out here too, you talked about the veracity of the Veris database.
Then, when you look at the DBIR that comes out and you see those trends in the Veris community database as well. So misdelivery, this is such an interesting point for people to understand and why you want data to talk to your executives.
Misdelivery, can you think of the number of audits you’ve been through where people have said, what is the risk of someone sending sensitive information to the wrong people? Right? It’s typically not found. But when you’re working with data, you can easily look at, say, CIS controls and say, what can we monitor that detects when this error that we can foresee is happening.
Right? There are ways that you can use a control standard to answer questions like this. Just when you have the data, it helps you think about your situational risk that your controls can help. So that’s extremely, extremely interesting.
We’re about to jump over to Charity. I wanted to just take a moment to talk about this one really interesting thing that we found as we did the 10-K survey.
So we did a large statistical analysis of all of the filings up through July twenty twenty four, and the qualitative assessment of the first set of 10-Ks. So we could look at qualitative and quantitative.
What we found was even though the new 10-K requirement in the SEC is a risk management based rule, when people were answering questions about what their programs were, out of the four thousand or so organizations, two thousand forty of them said, here is our control standard that we use.
And twenty four, which is half a percent, twenty four of them said, here’s what our risk analysis standard is. And what we’re saying is, this is good evidence that people haven’t quite figured out what risk management is in cybersecurity.
They’re used to doing the audits and the maturity assessments.
They’re now being asked to look at risk, and this is something that people need to now learn. They’re being required to learn that. So that having been said, the next question that we see coming up is, are we protected? Now our executives want to know, are we doing what is expected of us? One of the things that I’ve really loved about working with CIS, beyond the fact that they’re just very collaborative, is that they’re very practical, and they provide a lot of practical information about proven control methods. Right? So, Charity, I’m really, really pleased to have you now describe what CIS has been doing in regard to the security controls and the community defense model to help people plan their defenses and then describe them in a very credible way to their executives.
Yeah. Absolutely.
Thanks, Chris. And if you’re not familiar with CIS, we are a global nonprofit focused on serving the cyber underserved. And I say that because CIS has so many different resources. As Chris mentioned, we’re very, very collaborative, and we have an entire controls ecosystem that has multiple resources from mappings to companion guides to control frameworks to assessment tools. But I wanna speak to you about two specific tools that are available today. One of those is the CIS Critical Security Controls, which we’re about to jump right into, which is our globally downloaded and utilized control framework, as well as the community defense model, which is very exciting because it answers the question, how effective are controls against the most prevalent attacks, which is pretty powerful information. Right?
Yeah. Yeah. How we’re doing against ransomware. Right?
Yeah. Exactly. Exactly.
Yeah.
So the intention of both of these tools is to ensure that you have the resources to have those data driven conversations around cybersecurity hygiene, threats, and how to mitigate those attacks. And I think that it fits perfectly with the goal of this webinar being communication around those items.
Right.
So let’s jump right in to the benefits. If you’ll go back one, Chris.
Oops. Sorry.
Yep. No worries.
Having fun.
That’s right. You’re so excited to see the next one.
So what are the controls? Right? So the controls are your foundation for a, you know, a comprehensive cybersecurity program. So many times at CIS, we’re asked, where do I start?
So the controls are designed to, you know, not only give you that starting point, but also it’s a security road map to improve your maturity over time. So the controls themselves are tactical in nature. So if you’re familiar with other frameworks, in general, a lot of times, they can be hard to understand, not only step one, but the actual how to of the intended best practice. So as a former practitioner myself, I’ve been tasked with implementing regulatory frameworks, and it’s no easy task, and it can be a bit daunting.
I didn’t go into my background, but I spent twenty years in the financial services industry, so a very heavily regulated environment.
And I certainly understand how valuable it is to have something as prescriptive as the controls.
So they’re also a compliance bridge to other frameworks. They’re mapped to major industry standards such as ISO, NIST, and FFIEC, just to name a few. And there’s also tools available for assessment that I’ll get into later. But, essentially, the controls are designed to defend against the most common threats, which Phil went into earlier.
Right? So one of the top patterns that Verizon identified is system intrusion, which is no surprise. Right? One great example of this is end of life hardware with direct Internet exposure.
So, in your risk assessment, right, the likelihood of the threat should be high with that and the impact also being high. But then you’re left with the question of what compensating controls do I have around that vulnerability.
So those exposed assets should really be part of your identified cybersecurity risk and continuously evaluated. Right? So in my past experience, this would be called out as potential material risks since it could have business impact to the organization’s shareholders upon compromise.
Alright. Now you can go to the next slide.
Hooray.
Okay. So in the example I just gave, as you can see here, controls one and two are directly related to your asset inventory. After all, you can’t protect what assets you don’t know you have.
Right? So you heard Chris kick us off with, you know, the regulator question. Are you handing me a tool?
Right? This is most definitely a tool. So here you’re looking at the overarching view of the controls in version 8.1. So there are eighteen controls.
They’re made up of safeguards, supported within each control, and they’re organized by priority. I will talk a ton about that and how we’re able to stand behind that. But just in looking at the overview, within the new rule, within item 1C, it’s heavily peppered with the word process. Right?
So the rule is intended to provide transparency and a reasonable understanding of the processes that support it. So within the newest release of this document that you see in front of you, we’ve identified for you the safeguards designed for demonstrating governance. Governance is a huge topic today too. Right?
So I’ll give you an example. So here you see control three is around data protection. The objective of that control is to develop the processes to identify, classify, handle, retain, and dispose of data. So essentially your data management life cycle.
Right? But that probably sounds like a lot of tasks. So each of the safeguards supporting that control is an itemized list of how to do that, how to accomplish it. And for the governance piece of that function, it’s the very first recommendation, which is to establish and maintain a documented data management process, which addresses each of those items.
But the process documentation around it is what’s so critically important. Right?
Each of those subsequent safeguards are your prescriptive steps to follow and actually execute the process. So, hopefully, that gives you a little bit of an understanding of how they are organized, and how using this version of the controls can help you to identify your governance activities, which can also be a little bit daunting if you’re not used to having conversations with leadership around governance and what the difference of that is.
Next slide.
Well, I’ll tell you why I like this slide so much, why I was so excited about this.
One of the things that CIS does so beautifully well is make sure that the controls and the safeguards are as useful for a small organization as they are for a large one. So when you see these implementation groups one, two, and three, you can look at it in a number of ways. One, if you’re just getting disciplined around cybersecurity, regardless of whether you can get to three or not, start with one. These are core hygiene controls that you wanna have in place, and you can very easily tell executives the reason why we’re looking at, say, the two out of five if you’re at implementation group one for control one, we’re looking at these two out of five and not these three or others, is that the community that CIS works for have said that this is a basic cyber hygiene requirement which you first need in place to build the rest of the programs on.
That’s why we’re looking at these two out of five now. One day when we get able to do the next implementation group, we’re gonna do two more for four out of five. But this can be read as a road map to the maturing of your program too.
Your design team was definitely on task when they did this and did a great job. It’s a great way to communicate both the idea of a road map and capability of the organization.
So that couldn’t wait. Okay. Go right ahead.
That’s okay. Hey. I mean, you set me up nicely for the next slide. Right?
So, as mentioned, the controls are made up of one hundred and fifty three safeguards, and those are your sub controls that provide you that prescriptive implementation list. So it’s exactly that. Right? It’s your guide to implementation based upon your risk profile, as it pertains to critical assets and resources available.
So as Chris stated, we recommend every organization begin here, in IG one. This is considered essential cyber hygiene, and it really represents that emerging minimum standard for information security. So to put that into perspective, you know, an IT shop with, say, one designated person that runs all of network, server, and cyber, versus a fully staffed IT shop with a cybersecurity team. The IGs are designed to accommodate even the smallest of resources.
So we’re really saying here that IG one should be implemented by any organization, of any size. And, as you move through the implementation groups, you can really demonstrate your improvement, you know, your improved posture, and your maturity.
So, when discussing risk management, like we said, the first part is likelihood and impact. Right? But that next question is what mitigations you have in place, and this is it. So this is where you can really identify that, in the list of safeguards designed to defend against those real world attacks.
Yeah. Yeah. And what’s super helpful, we find, for organizations we work with, is that the technicians will know the one hundred fifty three safeguards. Right?
We don’t expect executives to know, but so much of the material that you’re providing at CIS allows the technicians to tell a story to executives. Think about how beautiful this slide is when you’re telling your executives, here’s why we’re starting with IG one, and we’re gonna attempt fifty six safeguards because that’s cyber hygiene. And when we’re solid with that, we’ll go on to the next set. Executives can comprehend that. You’re talking about a road map of continuous improvement.
So think of CIS both as your provider of tools, but also your provider of ways to communicate what your tools mean to the organization. So, you can tell I’ve been very excited about getting through these slides.
I think is right.
Magically good. Okay. Go right ahead. Alright.
So the goals.
Right?
As I mentioned before, the safeguards are prescriptive, which is extremely key. It’s one ask per safeguard. We really pride ourselves on that because it’s easy to understand and to execute. You know? Like we said, your practitioners and your technicians are gonna understand that, and you’ll be able to execute it. But then, you know, giving you the right data in your hands to be able to talk about it is so critically important.
They’re also measurable. We’ve done all the heavy lifting for you in providing the list of best practice recommendations.
And I say that because the list is backed by data. You know, we engage our partners at HALOCK, at Verizon each year, but our communities of practitioners, just like you all in the audience, are a big part of it, a big part of the collaboration as well.
We can go to the next slide.
Okay. Oops. There you go.
There we go.
So how are these backed by data? So the next two slides are super, super powerful. If you liked the one before, Chris, these are even better. Right? So, how are these backed by data, you asked?
So let’s take a look at the best practice workflow. So as you can see here, there’s several components that go into this. Right? Like, what do we know through the attack data?
We take our threat intel from multiple reputable resources, one being the Verizon Data Breach Investigations Report and other intelligence summaries that we have, as well as several information sharing and analysis centers here at CIS, which are the MS-ISAC and EI-ISAC; MS is multistate, and EI is elections infrastructure, and also our communities again. And then we take that information and what did we learn through the analyses. Right? We learned about attack types.
We learned about attack trends. We learned about control options for mitigations, and we learned about the vulnerabilities.
So all of that to say, what are we gonna do about it? How does this translate into actionable items? Yep.
Go ahead, Chris.
Yeah. No. Charity, yeah, I’m just cheerleading. I’m with you.
This is just a rah rah.
I got it. I love it. This is great.
So this helps to shape our controls themselves, the prioritized list that we provide to our communities, as well as the benchmark data, which is really control number four, which is secure configurations, and then we have hardened images as well. Neither of those we’re gonna go into today, but that information is available, as well as the community defense model, which gives you the data needed to have those critical conversations around attacks and mitigation efforts.
Yeah.
And while we transition to the next slide, FYI, audience, Robin has put several links in the chat, helpful documents. So thank you so much, Robin, and these are available for download, and, you know, any questions, let me know. But okay. So now that we know what the controls are and that we need to identify one of those implementation groups, IG one, preferably, to start with, what does this mean?
What does this mean for my defense posture? You know, what does it mean to implement the CIS controls? What does it actually get me when discussing attacks and risk mitigation? So, the model itself provides a data driven, rigorous, and transparent process to create those best practices starting with the CIS controls.
We primarily make use of two publicly available industry resources, the Verizon Data Breach Investigations Report (DBIR) is one, and then also the MITRE Adversarial Tactics, Techniques, and Common Knowledge framework, or ATT&CK. So in today’s threat landscape, you know, many wanna know, how do I defend against a specific threat? Not just threats in general, but a specific threat. Right?
That makes sense to our boardroom as far as, you know, they hear ransomware, malware, hacking, etcetera.
In the security community in general, we do come up with a list of good things to do or best practices, but how can we validate that they actually provide data against attacks? Right? So while compliant with cybersecurity standards, you can’t show that you’ve defended against specific threats. So the CIS controls help address some of this, where multiple experts gather, right, like we talked about. But while valuable, some of that can be subjective at times, especially in conversations. Right? So with CDM, which is what you’re looking at, we’re able to demonstrate a more data driven process using this model to drive that development and prioritization.
So this process is continuous.
So what you’re looking at is a published version of CDM, which is version two. So using the workflow I showed you previously, we’re able to provide enterprises a data driven approach. And as you can see here, with malware, right, starting at the top, using IG one, so those first fifty six essential cyber hygiene safeguards can defend against seventy seven percent of attack techniques and subtechniques.
And when implementing all one hundred fifty three, you’re at a ninety four percent. That already is such powerful data. And then you can go down through the rest of the list, you know, malware using IG one. You’re able to defend against seventy seven percent of attack techniques and sub techniques.
And then while implementing all one hundred and fifty three, it’s at ninety four percent. So the model itself and the research is continuous. Right? So like everything else, we research it and we prioritize it for our end users and adopters, and then we take this data and we provide it in a white paper or companion guide, which is available for download as well. So, like I said, I’m wrapping up before I give it back to you, Chris, but this is extremely powerful data. The model is designed to enable you to say, hey. This data shows what the controls and safeguards implementation actually gets me when defending against real world attacks and, hopefully, can aid you in those important conversations and communications with your leadership, to justify those efforts.
Yeah. That’s so perfect. And the layout of this is really important too because think about what you’re able to do. You’re able to take very technical stories, malware, ransomware, web application attack, etcetera.
You’re able to say, look. MITRE tells us this very detailed stuff about an attack path from beginning to end of attacks typically. And here’s how those things happen, and here are mitigations that you can use. And you step in and say, let’s talk about how CIS controls the safeguards specifically address those mitigations.
No executive would understand any of that. Right? But what do they wanna know? How are we doing against ransomware?
Right? Exactly. And if you say, look. We’ve implemented the implementation group one safeguards.
Surface.
If we wanna do better with a threat surface, we’re going to need to go through all of the safeguards. That’s just how this works.
Executives can understand this picture beautifully. Right? This looks like a story that you could tell a nontechnical executive. Here’s why we need to graduate to IG two now that we’ve gotten this far in IG one.
So just beautiful. So now the question comes. We’ve heard about threats and really, like, Phil, I think the best data in the industry. Right? Is there another data source that provides this much wealth of information? No.
Both in a fun read for the DBIR, the Data Breach Investigations Report, and in excruciating detail in the VERIS Community Database. When I say excruciating, it’s like twenty five hundred columns in ten thousand rows. Am I wrong in my estimate?
No. That’s exactly right. There’s a large component of things that we can look at. But that’s why it’s useful having guidance, right, adding direction to this is what’s important to look at.
Yeah. So what we’re trying to do now is say, look. We’ve got this really good technical threat data, and we’ve got these really good technical safeguards that do come with really nice ways to explain to executives why we’ve got the road map we do, why we’re taking this chunk based on what we’re trying to do, why we need to go further once we’ve finished our IG one. But now let’s talk about this really important part that we’re seeing people struggle with, with governance.
One of the most important aspects of governance, and the one that we’re talking about in today’s panel, is this concept of being able to communicate to nontechnical executives.
And the way we break this down is to say, a nontechnical executive is typically thinking about data like risk to corporate interests, what enterprise budget should be to take care of opportunities and priorities, what enterprise performance questions come up, what liabilities come up that they have to address.
Tactical managers are aware of those things, but they’re operating within a scope that they’re allowed to operate in. So they’ve got budgets, plans, strategy, status on plans. They’ll have incidents escalated to them on a more regular basis. The technicians are the ones who know a lot of the detailed data that we’ve been talking about.
How does a safeguard work? How does a threat work? Have there been threats? Have there been alerts?
What safeguards do we use against those threats?
The people who are operating at certain levels can digest certain levels of information this way.
But what we’re seeing people do is confuse that. When executives say to the technicians, you better tell me something about the cyber stuff. I’m nervous. We’re seeing people tell the nontechnical executives, here are the vulnerabilities on systems.
We’re having trouble applying these controls. Here’s a catalog of controls to apply. These are the threats. Here are the alerts.
The executives cannot make cyber decisions this way. They can’t make informed decisions this way because they’re not the technical people. They’re here to run the enterprise, not to fix the vulnerability on the server. But this is the information we keep seeing people provide executives.
It’s hard for governance to work if we don’t get the right level of information to the right people.
So one question that we had come up is from Howard, and Howard basically could be the emcee here because this is exactly what we wanna talk about now, is this concept of written risk assessments and why regulators are asking for them and how they help.
Remember, what we’re trying to do is make sure that these cybersecurity people and executives can communicate better.
So here’s a picture. We’re gonna start with an end picture.
Imagine being able to have a conversation with executives where you’re able to say, we’ve got risk scores that go from one to twenty five. And we have an acceptable level of risk that’s at nine. Anything below nine, we can accept.
And there’s a construct for the business that we’re gonna show you in a moment that explains why nine is the right number. Got it. We are currently at an aggregated risk, let’s say, of September twenty twenty three all the way to the left, currently at an aggregated risk of a little over sixteen.
We want to get to an acceptable level of risk by August of twenty twenty four, and let’s say these vertical bars are current status all the way to May twenty twenty four.
And we’re saying we have a baseline plan in yellow to get to acceptable. We get there by implementing the safeguards that you just saw.
And we know those safeguards are important due to risk in part because we got good data from VERIS that tells us how commonly threats are happening. Now imagine you’re able to say to executives, our plan is to get to this level of risk, the acceptable level of risk, and below it by August of twenty twenty four. But our actual performance is in purple.
We’re not reducing risk. Now executives can say, why aren’t you reducing risk? And you can say all the reasons why, you know, that you live with. Right? We don’t have enough resources. We were pulled off this project for the special projects that were going on.
Remember that hire I asked for? We never got that hire, so we don’t have someone to actually do the implementation. So we’re never able to actually operate to plan. If we’re gonna get back on plan, we need you to make a decision at the executive level about resources, collaboration, coordination, prioritization so that we can get back on plan.
That’s a decision that an executive can make. But they need to get a level of information that allows them to see what the problem is so they can make that decision. Okay? If executives say, hey.
Nothing we can do here. You’re gonna need to figure out another plan with the resources that you’ve got. You’ll have to find a risk based way to do that. But executives can make a decision when they see that you’re off plan, especially when they know that the risk is based on what the business is trying to do. So the question that Howard is asking is, how do we deal with these new regulatory requirements that are increasingly getting more scrutinized about your risk assessments being written?
So CIS, and Phil, you were there at the time when we started this, and HALOCK said, let’s create a risk assessment method that’s so simple for people to follow that if they follow a set of instructions and plug in the numbers that answer the questions that are after the instructions, they’ve created their first risk assessment.
We’re at version two of CIS RAM now. But there are these other questions that have come up, like, how do you now manage risk after that so that you can get the charts like what we just showed so that there’s a life past the risk assessment? So we’ll look at how both of those come together.
So when we’re talking about risk, keep in mind, we’re talking about risk equals impact times likelihood. We’re not talking about maturity scores.
Why is this important? Well, like Howard’s mentioning in his question, we’ve got this regulatory push for risk analysis.
Why do regulators care? They want to know that we’re looking at the potential of harm that we could cause the public when we’re doing our stuff.
That’s why cybersecurity matters both to the organization, but we also are responsible for not hurting the public. That’s where the regulators step in. Make sure what you’re doing is not gonna hurt the public. You can only know that if you’re thinking about the risk of harm to others, likelihood and impact. Okay? So when we talk about risk, that’s what we’re talking about.
We hear people say about risk analysis, you’re asking me to read the future. I can’t. You’re exactly right. You can’t.
But the purpose of prediction, many of you have heard many different ways of saying this, is not to know the future but to change it. We want to know the information that Phil’s team is bringing us to say, in our type of business, these things keep happening. Well, if I don’t want those things to happen to me, what can I do to prevent them? I put controls in place that Charity was showing us that CIS can bring us because they’re aligned to each other.
So I’m not going to just do my risk analysis to think I did a good job predicting the future. I’m trying to change my future away from the one that my peers have suffered. So when someone says, how am I doing against my peers? We wanna say, great.
So we’re gonna try to think about how we forecast the threats given the information that we just saw from Charity and Phil. Right? What we’re going to ask is what kinds of incidents tend to happen to organizations like mine, and what controls should I use to block those incidents? When you bring those things together, you’re doing risk analysis. Okay.
So if you’re looking at CIS RAM, if you’re familiar with it, it’s wider than we’re showing you here, just like the VERIS Community Database. We’re only gonna show you enough. But what we’re pulling together here are things that you’ve already seen us talk about.
So the safeguards and the community defense model are the green columns to your left. This is saying the CIS controls are a standard of practice.
They apply to your implementation groups one, two, and three depending on where you are. The community defense model tells you which of those safeguards are aligned with which kinds of attacks.
Is it a ransomware attack, a malware attack, an insider threat? These controls are able to tell us, if I’m doing really well in a control against ransomware, that’s great. If I’m doing really well for a control that doesn’t apply to, say, privilege misuse, that doesn’t matter so much for privilege misuse. But I’m able to now answer these governance type, nontechnical executive type questions. How am I doing against ransomware, how am I doing against insider threats; we can say, hey, here’s where, by filtering out the risks of controls that are aligned with those scenarios.
Okay. So that’s how the CIS RAM addresses the powerful stuff we’re getting from CIS. Now, we’ll get to what the purple stuff is in a moment. On the right, you see two more green areas, what we call the VCDB index, the VERIS Community Database index, and the expectancy score.
Just to the left of the VCDB index, you see something called safeguard maturity score. What’s that doing? That is asking a question about the maturity of a control. And we ask about maturity in terms of how reliable we think this control would be.
Do we think it’s reliable because we’ve implemented it on all assets or some assets?
If we’ve implemented it on all assets, are we testing the control to see if it’s working and fixing it where it’s broken? Is it continuously automatically operating and correcting? These are the things that help us figure out the reliability or the maturity of a control.
If a control is not very mature and the VERIS database says, hey, the threat that the control protects against happens a lot, then your expectancy score of this being a problem for you goes up.
So the less prepared you are for a common threat, the more your expectancy goes up.
Then we talk about the impact levels, which we’ll be discussing in just a moment. But this is how we bring together the data and, you know, in-field proven CIS controls, the things you need to care about, aligned with what MITRE and CIS have found to be these attack types, and then the data that we get from VERIS. You don’t have to figure out how to pull these things together. They already exist. We pulled it together for you with these free resources. Alright?
So now the question comes up about impact. We’ll go through this very, very lightly, but we’re used to seeing things like high, medium, low for impact or a dollar based impact. What we’re doing with CIS RAM, and this comes from Duty of Care Risk Analysis, DoCRA, that’s being used with other standards as well.
What we’re doing is we’re saying we want the impacts to reflect both the business impacts of the objectives of the company. What are we trying to do in terms of profitability or growth?
What is our mission? What are we here to do for the public and the marketplace? And our obligations, what do we owe others?
And we wanna be able to say what these high, medium, low ranges actually mean, and we wanna be sure that once we cross a line over acceptability, it’s hard to see between two and three. We go from a green shade to sort of a red shade. But we wanna talk about what’s acceptable and unacceptable, so that we think of a score. If I see a three, someone somewhere is hurt in a way that needs to be fixed.
If I see a four, someone somewhere has been hurt in a way that is serious, and we need to invest a lot to make sure that they get better or they are made whole. Anything below that, a two or a one, is something where we’d say, something happened, but no one needs any kind of correction.
We multiply that against the likelihood score, and we get a sense of where we would start to invest, at what level of impact and likelihood would we start to invest or we can accept a risk for. That’s how we created that line at nine of acceptable risk. Every organization has their own.
The way we’re doing this with likelihood in the CIS RAM and the Reasonable Risk application, I’ll be showing you a couple snapshots of that in a moment. The Reasonable Risk application is what helps you do risk management after you’re done with your risk assessment. How do you demonstrate that you’re reducing your risk? How do you show that to executives without any kind of, you know, calculation?
You click a button and you can tell an executive, here’s what’s happening. Here’s where we are. Here’s where we’re off. Here’s where we need your help.
So both CIS RAM and the Reasonable Risk application are doing the same thing. They’re taking the Verizon database, and they’re comparing it to the maturity of a CIS control, saying the higher the threat commonality, the higher the maturity needs to be, to give us an expectancy score. If something is not happening often and we’ve got a measured and controlled safeguard, our expectancy is gonna be low. Our expectancy is gonna be higher if our threat commonality is high and our control maturity is low. It’s just a slide rule that helps you figure out whether or not something is going to be a more or less likely problem for you.
Then really quickly, what you’re able to do is have a plan. This is the right side of that risk register in CIS RAM. Again, this is a picture of what you see in Reasonable Risk. But what we’re saying is, I’ve got a plan for addressing my unacceptably high risks, and my plan is gonna have a date.
It’s gonna have a budget. And then I’m gonna be able to drive an annual plan based on that, which is what you see on the right. That plan can even be determined as to being reasonable or not. Is the budget greater than the risk in aggregation that I’m trying to reduce, or is the budget greater than what I can possibly spend for my size of an organization?
So why do we pull all this together? Because we wanna be able to say, eventually, I’ve got a plan that has costs and timelines associated with it. This is exactly how your executives are thinking. You told me the risk was high. What are you doing about it? These things.
If I’m doing a change control program operation implementation by the end of the year twenty twenty three and it’s closed, I’ve been able to reduce my risk after these costs. But I’ve got other projects, and two of them are stalled.
The access control and the application log are stalled. I can pull all of this information out of the CIS RAM risk register.
I can also work it within an application if I’m saying, okay, the spreadsheets are fine, but this is gonna take more automation for an organization that’s as complex as I am, or I’ve got multiple people on the project. Please, someone send me an application. Reasonable Risk will do this for you as well. But what you wanna be able to do is take the data out and say, I need you to know what’s on plan, whether the plan is on or not, and what the reduction of risk should have been. What does that get you when you pull it together? This chart.
This is how this chart comes together. It’s taking the results of the risk assessment, putting a plan together, and then saying, here’s how we’re doing against that plan. Alright? So what have we done?
We’ve taken these very technical resources from Verizon, which are really entertaining to read. Phil, your team does such a good job writing. It’s so entertaining. The subject can be so dismal, but it’s so readable, which is so important.
And then Charity, what CIS has done with giving us very practical data, and advisory from that data, and then a nice way to present it to executives, but someone’s gotta be able to pull it together. We hope the people on the call feel empowered to do that with CIS RAM, and if there are other things that you need in order to get done, there are applications out there, and there’s messaging here to help you find the Reasonable Risk team if you need.
I won’t have time to go into this, but the other thing is that that reasonableness that we’re talking about is being accepted by more and more state and federal regulators as a definition for reasonable. Here’s a partial list of those that we know are happening at this point. I’ve asked the one question that we had, and I know we’re at the very end. Charity and Phil, are there things that you wanted to let our audience know before they get back to their busy working days?
Not specifically. We have listed out several resources in the chat, and, hopefully, those will be of benefit. And we have given you some tools to have some good communications.
Yeah. I mean, absolutely kind of echoing everyone here. This is a collaborative effort. You know, there’s a lot of different organizations that are facing very similar issues, right, and very similar types of problems. And the more we can leverage each other’s resources and knowledge, whether it’s from Verizon or CIS or from HALOCK, you know, the goal is to really hopefully raise all ships. So, you know, it’s always a pleasure to be on calls and be on webinars with folks that share that similar value.
Great. Thank you all for joining. Again, if there’s anything you need, you know exactly where to get the Verizon material. You have the links to get to the CIS material.
It’s tremendously valuable. And you’ve got links to get to Reasonable Risk. If there’s anything you need in terms of automating what you’ve just seen, it’s not very easy to pull together. It’s possible, with help.
So thank you both for joining. Thank you all in the audience for joining. It’s been great having you all.
Take care.