Three Tips on Measuring and Communicating Risk in a Changing Threat Landscape

Amid the current economic and operational volatility, the need for properly measuring and communicating risk has increased. Security leaders are finding themselves in the spotlight more now than ever before, faced with questions and concerns about risk and the security of their organization.

What new security metrics can be used to demonstrate an organization is protected against the evolving risks – and how should these be communicated throughout the organization? In the final webinar in our series on securing remote workforces, ReliaQuest COO, Colin O’Connor, moderates a panel of security experts who share their experiences and success in measuring and communicating risk. The panel, consisting of Joe Burkard, Chief Security Officer at Alight Solutions; John Childers, Director of Information Security at Aqua America; and Mike Ortlieb, Director of IT Security & Privacy at Protiviti, offer the following tips:

1. Proactively prepare to answer these top-of-mind board questions.

While most security professionals are no stranger to facing challenging questions in board meetings, the priorities and concerns of business leaders have shifted over the past few weeks – and they’re asking questions to determine what is being done to keep their business operating at an optimal level and secure:

“How do we do more with maximum efficiency?”

Security leaders in organizations that been adversely impacted financially by the current climate, such as hospitality and retail, may be faced with the challenge of keeping their business secure with new resource constraints.  As priorities shift to ways to maintain business continuity, it’s important to proactively communicate what measures you’ve taken to both enable and secure your newly remote workforce – perhaps new collaboration tools, automation, or added technical infrastructure around endpoints or VPNs.

“How are we detecting and protecting against common attacks?”  “What’s different than normal in our environment?”

The security industry has reported recent increases in attacks such as authentication attacks, insider threats, and phishing attacks related to COVID-19.  As a result, boards want to know if your organization is also experiencing abnormal activity, and what is being done to protect against potential attacks.

By anticipating this question, you can be prepared with metrics around network and endpoint activity, user behavior, and suspicious or confirmed phishing emails to show you are aware of the uptick in these attacks and have solid controls in place to detect and protect against them.  Note that to measure increases in some attacks, such as malicious insider threats, you will likely need to reestablish your baselines to account for changing employee locations and login times to properly detect this.

2. Review and update your security metrics to account for what matters most to your business today.

For many organizations, an urgency to operate remotely has shifted business priorities. For example, many businesses have cut over to online-only business models and the new logistical considerations that accompany them, such as secure pickup and delivery. It’s therefore important to reassess your metrics in order to communicate what the greatest risks are to those new priorities, and what you’re doing to protect against those new risks.

For some, this could mean focusing on key operational metrics like VPN usage, to ensure the remote population is supported.  Your new daily security metrics may also focus on the monitoring and tracking of phishing attacks, user behavior, and home network risks.  It’s important to communicate that you’re treating home networks at the same level you would any other unknown networks.

3. Increase the frequency of your communications – to both your executive team and end users.

During times when your business is transitioning operating models and threats are evolving rapidly, occasional email updates or monthly meetings are no longer enough to communicate the state of your security posture back to your business. Security leaders should consider anything up to daily standups as a group and participation in ongoing business continuity discussions at the executive level to proactively manage the state of the business. Communications could even include preparing your executive team for the possibility that a cyber threat does occur – tabletop exercises are one way to test your incident response processes and ready your team.

Not only does a remote workforce result in increased risk from outside threat actors, but also from a user base that is unaware of threats and best practices to stay secure. That’s why it’s critical to first empower your user base with technology, instructions, and security awareness training – then, engage with your team and executive stakeholders early and often, on a regular basis.

For more on measuring and communicating risk, get the CISO’s Guide to Metrics that Matter.