How to assess security risks using the bow tie method

Bow tie risk diagrams are used in safety critical environments, like aviation, chemicals and oil and gas. They visualise potential causes and consequences of hazardous events and allow for preventative and recovery controls to be highlighted.

You don’t have to be a gas engineer or work for a rail operator to benefit from this tool, however. Cyber security professionals can use simplified bow tie diagrams to communicate security risks to non-technical audiences as they succinctly capture business consequences and their precursors on a single slide.

If you work for one of the safety critical industries already, using this technique to represent cyber risks has an added benefit of aligning to the risk assessment patterns your engineers likely already use, increasing the adoption and harmonising the terminology.

There are templates available online and, depending on the purpose of the exercise, they can vary in complexity. However, if you are new to the technique and want to focus on improving your business communication when talking about cyber risk, I suggest starting with a simple PowerPoint slide

Feel free to refer to my example diagram above where I walk through a sensitive data exposure scenario. For example, it can occur through either a phishing attempt or a credential stuffing attack (supply chain and web application/infrastructure exposure being another vector) leading to a variety of business consequences ranging from a loss of funds to reputational damage. The figure also incorporates potential preventative barriers and recovery controls that are applicable before and after the incident respectively. 

Business alignment framework for security

In my previous blogs on the role of the CISO, CISO’s first 100 days and developing security strategy and architecture, I described some of the points a security leader should consider initially while formulating an approach to supporting an organisation. I wanted to build on this and summarise some of the business parameters in a high-level framework that can be used as a guide to learn about the company in order to tailor a security strategy accordingly.

This framework can also be used as a due diligence cheat sheet while deciding on or prioritising potential opportunities – feel free to adapt it to your needs.

More

The role of a CISO

I’m often asked what the responsibilities of a CISO or Head of Information Security are. Regardless of the title, the remit of a security leadership role varies from organisation to organisation. At its core, however, they have one thing in common – they enable the businesses to operate securely. Protecting the company brand, managing risk and building customer trust through safeguarding the data they entrusted you with are key.

There are various frameworks out there that can help structure a security programme but it is a job of a security leader to understand the business context and prioritise activities accordingly. I put the below diagram together (inspired by Rafeeq Rehman) to give an idea of some of the key initiatives and responsibilities you could consider. Feel free to adapt and tailor to the needs of your organisation.

You might also find my previous blogs on the first 100 days as a CISO and developing an information security strategy useful.

More

How to select cyber insurance

I wrote previously about how cyber insurance can be a useful addition to your risk management program.

Unlike more established insurance products, cyber doesn’t have the same amount of historical data, so approaches to underwriting this risk can vary. Models to quantify it usually rely on a number of high-level factors (the industry your organisation is in, geography, applicable regulation, annual revenue, number of customers and employees, etc.) and questions aimed at evaluating your security capabilities.

You are usually asked to complete a self-assessment questionnaire to help the underwriter quantify the risk and come up with an appropriate policy. Make sure the responses you provide are accurate as discrepancies in the answers can invalidate the policy. It’s also a good idea to involve your Legal team to review the wording. 

While you can’t do much about the wider organisational factors, you could potentially reduce the premium, if you are able to demonstrate the level of security hygiene in your company that correlates with risk reduction.

To achieve this, consider implementing measures aimed at mitigating some of the more costly cyber risks. What can you do to prevent and recover from a ransomware attack, for example? Developing and testing business continuity and disaster recovery plans, enabling multi factor authentication, patching your systems and training your staff all make good sense from the security perspective. They can also save your business money when it comes to buying cyber insurance.

If possible, offer to take the underwriter through your security measures in more detail and play around with excess and deductibles. Additionally, higher cover limits will also mean higher premiums and these are not always necessary. Know what drives your business to get cyber cover in the first place. Perhaps, your organisation can’t afford to hire a full time incident response manager to coordinate the activities in the event of a breach or manage internal and external communication. These are often included in cyber insurance products, so taking advantage of them doesn’t necessarily mean you need to pay for a high limit. While it is tempting to seek insurance against theft of funds and compensation for business interruption, these can drive the premium up significantly. 

It’s worth balancing the cost of the insurance with the opportunity cost of investing this sum in improving cyber security posture. You might not be able to hire additional security staff but you may be able to formulate a crisis communication plan, including various notification templates and better prepare with an incident simulation exercise, if you haven’t already. These are not mutually exclusive, however, and best used in conjunction. 

Remember, risk ownership cannot be transferred: cyber insurance is not a substitute for security controls, so even the best cover should be treated as an emergency recovery measure.

The foundation of the Zero Trust architecture

Zero Trust is a relatively new term for a concept that’s been around for a while. The shift to remote working and wider adoption of cloud services has accelerated the transition away from the traditional well understood and controlled network perimeter.

Security professionals should help organisations balance the productivity of their employees with appropriate security measures to manage cyber security risks arising from the new ways of working.

When people talk about Zero Trust, however, they might refer to new technologies marketed by security vendors. But in my opinion, it is as much (if not more) about the communication and foundational IT controls. Effective implementation of the Zero Trust model depends on close cross departmental collaboration between IT, Security, Risk, HR and Procurement when it comes to access control, joiner-mover-leaver process, managing identities, detecting threats and more.

Device management is the foundation of an effective Zero Trust implementation. Asset inventory in this model is no longer just a compliance requirement but a prerequisite for managing access to corporate applications. Security professionals should work closely with procurement and IT teams to keep this inventory up-to-date. Controlling the lifecycle of the device from procuring and uniquely identifying it through tracking and managing changes, to decommissioning should be closely linked with user identities.

People change roles within the company, new employees join and some leave. Collaborating with HR to establish processes for maintaining the connection between device management and employee identities, roles and associated permissions is key to success.

As an example, check out Google’s implementation of the Zero Trust model in their BeyondCorp initiative.

Webinar: A CISO panel on weaving security into the business strategy

I had a lot of fun participating in a panel discussion with fellow CISOs exploring the link between cyber security and business strategy. It’s a subject that is very close to my heart and I don’t think it gets enough attention.

In the course of the debate we covered a number of topics, ranging from leveraging KPIs and metrics to aligning with the Board’s risk appetite. We didn’t always agree on everything but I believe that made the conversation more interesting.

As an added bonus, my book The Psychology of Information Security was highlighted as an example of things to consider while tackling this challenge and to improve communication.

You can watch the recording on BrightTalk.

Software and Security Engineering

Cambridge

The Software and Security Engineering course taught at the University of Cambridge is available for free online. It includes video lectures, slide decks, reading materials and more.

Whether you are new to information security or a seasoned professional, this course will help you build solid foundations.

Lecture 9 covering critical systems is my favourite. It bring together previous discussions on psychology, usability and software engineering in the context of safety. It adds to the array of the case studies from Lecture 6, focusing on software failures and what we can learn from them. It also offers a fascinating analysis of the Therac-25 accidents and Boeing 737 Max crashes.

Securing GSuite: a guide for startups

GSuite

GSuite is an excellent choice for any startup, especially early in the process of establishing your business. Its flexible cost structure allows you to pay per user while benefiting from range of services, including email (with a custom domain name), calendar, document collaboration and storage, videoconferencing and much more.

GSuite, being a Software-as-a-Service (SaaS), relieves you from the underlying infrastructure management in line with the shared responsibility model. This can be especially powerful for smaller companies trying out an idea, as it doesn’t require intensive capital expenditure to set up a datacentre or staff to maintain it. Startups, however, are still responsible for the data, permissions and overall configuration of GSuite if they want to keep their information secure.

Thankfully, Google made available a short checklist for small businesses, describing the necessary steps to safeguard company data. Similar guidance is available for larger (100+ users) organisations.

Settings 2

The plan you select will determine how many security features are available to you. Depending on the criticality of your data and the amount of control you require, it can be a good idea to upgrade to the Enterprise plan.

Hint: if you ask customer support to put you in touch with a sales representative and request a discount, it might just be given to you. Provided you are willing to commit to the subscription for a couple of years.

Security professionals will feel at home with the advanced features available after the upgrade. It includes encryption, data leakage prevention (DLP), granular access control and much more. Managing it is also going to become easier, as various reports and healthcheck dashboards are now at your fingertips.

Settings

Regardless of the plan you use, it won’t hurt to enable multi-factor authentication on all accounts, as it dramatically reduces the risk of account takeover. It might also be a good idea to backup your critical business data somewhere off GSuite for extra resiliency.

How to secure a tech startup

scrum_boardIf you work for or (even better) co-founded a tech startup, you are already busy. Hopefully not too busy to completely ignore security, but definitely busy enough to implement one of the industrial security frameworks, like the NIST Cybersecurity Framework (CSF). Although the CSF and other standards are useful, implementing them in a small company might be resource intensive.

I previously wrote about security for startups. In this blog, I would like to share some ideas for activities you might consider (in no particular order) instead of implementing a security standard straight away. The individual elements and priorities will, of course, vary depending on your business type and needs and this list is not exhaustive.

Product security

Information security underpins all products and services to offer customers an innovative and frictionless experience.

  • Improve product security, robustness and stability through secure software development process
  • Automate security tests and prevent secrets in code
  • Upgrade vulnerable dependencies
  • Secure the delivery pipeline

Cloud infrastructure security

To deliver resilient and secure service to build customer trust.

  • Harden cloud infrastructure configuration
  • Improve identity and access management practices
  • Develop logging and monitoring capability
  • Reduce attack surface and costs by decommissioning unused resources in the cloud
  • Secure communications and encrypt sensitive data at rest and in transit

Operations security

To prevent regulatory fines, potential litigation and loss of customer trust due to accidental mishandling, external system compromise or insider threat leading to exposure of customer personal data.

  • Enable device (phone and laptop) encryption and automatic software updates
  • Make a password manager available to your staff (and enforce a password policy)
  • Improve email security (including anti-phishing protections)
  • Implement mobile device management to enforce security policies
  • Invest in malware prevention capability
  • Segregate access and restrict permissions to critical assets
  • Conduct security awareness and training

Cyber resilience

To prepare for, respond to and recover from cyber attacks while delivering a consistent level of service to customers.

  • Identify and focus on protecting most important assets
  • Develop (and test) an incident response plan
  • Collect and analyse logs for fraud and attacks
  • Develop anomaly detection capability
  • Regular backups of critical data
  • Disaster recovery and business continuity planning

Compliance and data protection

To demonstrate to business partners, regulators, suppliers and customers the commitment to security and privacy and act as a brand differentiator. To prevent revenue loss and reputational damage due to fines and unwanted media attention as a result of GDPR non compliance.

  • Ensure lawfulness, fairness, transparency, data minimisation, security, accountability, purpose and storage limitation when processing personal data
  • Optimise subject access request process
  • Maintain data inventory and mapping
  • Conduct privacy impact assessments on new projects
  • Data classification and retention
  • Vendor risk management
  • Improve governance and risk management practices

Image by Lennon Shimokawa.