Getting Security Remediation on the Boardroom Agenda

COMMENTARY

Security remediation, such as patching and configuration changes, is an important task. It is the difference between a threat actor penetrating a network or being stopped in their tracks. But it is not on the boardroom agenda. No CEO would say, "Profit and loss look great, but I am really losing sleep on how we are approaching CVE-2021-44228." For CEOs, a single issue like this is too specific.

But is it? Aside from this CVE for Apache Log4j remaining unpatched at many organizations and seeing at least 77 exploitations in 2023, security remediation is now on the agenda more broadly. Why? One chief information security officer (CISO) I spoke to had a mandate from their CEO to remediate all their outstanding issues within a three-month deadline. If the goal was not met, it would affect their business with a major client worth millions of dollars a year. 

This degree of support can be welcome, unblocking processes that are holding up performance and encouraging teams to work together. At the same time, just having this attention is not enough. 

What Holds Up Remediation Performance?

This CISO is not alone. More security leaders are getting asked to provide insight into how well they are managing risk from a business perspective, so that the board can understand what is being done. It will lead to tough questions, particularly around budgets and how they are being used. And it potentially will lead to some difficult discussions around what "good" or "great" security actually looks like.

In this situation, you can use information around your IT security — the number of issues stopped, updates deployed, critical issues fixed — but this is hard to put into context. Without comparison to other business risks and issues, it can be tough to keep attention and demonstrate that you are delivering. 

To overcome these issues, we have to use comparisons and context data to tell a story around risk. Providing base figures on the number of patches deployed does not describe the huge amounts of effort that went into fixing a critical issue that jeopardized a revenue-generating application. It also does not show how your team performs against others. Essentially, you want to demonstrate what good looks like to the board, and how you continue to deliver over time.

Along the way, you can use metrics to educate the board on some of the reasons why IT is not as simple as it might appear. Take asset management — every CISO will want to say, "We are secure." But without an accurate list of all IT assets and their status, you can't commit to this statement. At the same time, getting that accurate asset list and keeping it accurate is an onerous task. Being 100% accurate on all IT assets at all times is an almost impossible task for enterprise IT deployments, given the sheer scale of their networks, the variance in assets, and the increasing complexity and speed of change within modern applications.

Benchmarking Risk

The solution to this is ensuring the board knows that the answers to any questions cannot be summed up in binary responses. Looking at asset management, no CISO can say they have complete, 100% accuracy in their inventory lists. One security leader I interviewed said his organization thought they had around 8,000 servers, but they found they actually had 9,000 running. According to Gartner, 60% accuracy is the industry average. Equally, how many departments have signed up to software-as-a-service applications, or implemented more systems in the cloud outside of IT's purview? But that doesn't mean we shouldn't try.

However, improving accuracy to 85% or 90% visibility can be achieved fast with the right internal sponsorship and support. The challenge is keeping that visibility accurate, and then improving to 95% or 96% accuracy. Each percentage point improvement represents a huge amount of effort. Ensuring that the board understands that level of commitment depends on how you benchmark your security against others in your industry. 

Alongside this, getting a single view of risk across IT can make it easier to understand what issues are most important to deal with immediately, which ones are urgent, and which ones are lower priority. This can take place regardless of where those issues exist within IT, from data center to cloud deployment, and be used alongside other business risk information to provide a holistic view. By making it clear to the board what risks exist, what steps you are taking to fix them, and how you have a long-term vision in mind for risk in general, you can withstand the scrutiny.