ISO certificate does not protect against a security breach
It has been observed countless times. A CISO goes into a board meeting and broods over statistics that show the compliance status of the company. The company meets the requirements of ISO 27001 by 75 percent, but what does this say about the risk level? The truth is that CISOs can spend years implementing all 114 controls of ISO 27001, and a determined attacker could bypass the protective measures in a matter of hours. Since the attackers are constantly updating their TTPs (Tactics, Techniques, and Procedures) and tricking gullible employees, no amount of compliance can cover the entire base. Vectra AI therefore asks: So why do CISOs cling to compliance figures?
Boards tend to respond to clear signs of progress that are notoriously difficult to measure in the safety field. Therefore, it is necessary to change the discussion. In the classic risk management equation Risk = threat x vulnerability, there is no control over the motivation, skills or resources of the attacker. A CISO could put all his resources into a comprehensive compliance strategy and still not be successful.
What does threat-oriented mean?
Instead, the approaches must be “threat led”, i.e. threat-oriented, says Vectra AI. This means first identifying the most valuable assets and the opponents who are likely to be targeting the company, and setting priorities to mitigate the identified risks. CISOs should measure security by whether they are able to detect an intrusion into the network by using meaningful metrics such as the average time to penetration or the average time to detection of threats in security tests. Then the CISOs can work to reduce these figures to an agreed level.
According to Vectra AI’s experience, comprehensive red team exercises are essential to obtain this data. Red Teams test technology, people and processes. They are looking for blind spots and find unorthodox ways to break into the company. This is exactly how an experienced attacker would proceed. This provides valuable data on what has fallen through the cracks, so that CISOs can set appropriate priorities and reduce the average time to detect a violation. However, only a few companies are currently conducting Red Team exercises because they do not see themselves as mature enough to do so. This is music to the attackers’ ears, and they will not give CISOs the necessary time to gain these insights before they strike. Red team exercises should be performed when the level of maturity does not allow for better prioritization in containing real threats.
There is no other industry that invests so much without objectively measuring the result. Car owners would not drive a car that has not undergone a crash test, so why use a safety strategy without checking whether it can be bypassed? Even regulators are aware of this fact – with programs like TIBER-EU requiring banks to run Red Team tests to ensure they go beyond simple basic compliance.
Raising awareness at the next board meeting
At the next board meeting, the compliance figures should only be a footnote. Instead, it is important to encourage those involved to think about the business impact of a security breach and the likelihood that attackers will target the company. It is also advisable to address the probability of a successful attack. The CEO will be interested in whether he appears on the front page of the daily press if his company is affected by ransomware. The same applies to the CFO if he is not able to do business while the systems have failed.
Instead of trying to show that the regulations are being complied with and that projects are being carried out on schedule, CISOs should discuss the weak points in meetings, according to Vectra AI. They should present options to the Board to mitigate these vulnerabilities – and demand the necessary budget. In today’s dynamic threat situation, it may happen that plans have to be changed in the middle of the year. Therefore, it is crucial that the Board understands the risks it is taking if it decides not to invest.