Following is the first in a series of excerpts from an extended interview with John Sapp, CISO of Texas Mutual Insurance, on his approach to cyber risk governance and how he built a platform with AppSOC to streamline processes, create greater visibility, and prioritize risks based on business context.
How has the role of the CISO changed recently?
When I think about the CISO position today, and how it’s changed over the last 15 to 20 years, we have transitioned from being mostly technical practitioners to becoming more business focused and understanding how technology decisions and strategies impact the business strategically.
We got here by being technical experts, capable of understanding architecture, strategy, engineering, and how security works in protecting and detecting. But today, we must be more business-minded and understand that now, we're more of a risk management function.
This requires transitioning from just understanding the technical side of information security, to being able to translate that into business risk context so that we can be on the same page and communicate to the C-suite and the board of directors.
When we are making our pitch for security budgets from a technical perspective, we’ve got to put that in a language that is relevant to those executives. They need to understand why we need to do these things. Today, it's about framing a story about the value of cybersecurity to the business and how it aligns to the business strategic goals and objectives.
Do you feel like you have enough visibility into your real business risk so you can then report it up properly?
This is a question that we've been trying to answer for more than a dozen years. If we look back to the GRC era, around 2007, when everybody was trying to establish enterprise governance, a whole domain in the security industry was born and it seemed like everybody had a product. There's still a place for those solutions, but they don't do everything I need today because they're really focused on a broader, more qualitative approach to GRC.
What we're trying to achieve today is cyber risk governance. We must deliver a different message to business stakeholders, executives and the Board, and provide supporting information that shows that we have effective cyber risk governance in place.
To do this, we have to fully understand all the different ways that a cyberattack could impact the business, and what types of risks they pose to the business. For example, a denial-of-service attack on my revenue-generating web portal could prevent customers from placing orders. After a couple of tries, they’ll probably go to a competitor.
So now, a technical cyber risk becomes an operational business risk and a financial risk, because you can't service existing customers, or take on new customers. Now there is direct financial impact because if the business isn’t growing, it’s shrinking, because customers won’t stick around when they can't get service from their current provider. This also presents strategic risk because the first rule of growth is you must prevent shrink. So, if I'm shrinking by losing customers, now I'm also impacting my corporate strategy for growth.
Now, let's say we have a ransomware attack - an intrusion and someone has exfiltrated data and now they're holding it for ransom. In addition to all the other risks, now you add legal and compliance risk. You can see that cyber risk is the one type of risk that can spawn and impact the business in every other risk category.
With all the available security tools, and noise they produce, how do you get the business context you need to understand the business risk?
I remember building an application security risk management program back in 2008 or 2009 with a large healthcare organization and trying to understand the risk as it related to vulnerabilities in applications. The challenge was to collect, aggregate, correlate, deduplicate, normalize, prioritize, and then visualize that data in a risk-based approach. We needed to look across all the vulnerabilities that came into our environment and understand if they were coming through an application, infrastructure, or any of the other layers. This goes beyond application security posture management, because we need to understand the security posture of applications, data, cloud infrastructure, and SaaS services.
There are often different security technologies for each part of our environments, and they all generate data, which all needs to be aggregated, correlated, deduplicated, normalized, and then finally prioritized. And I need to prioritize based on vulnerabilities that affect my environment, not what the industry is experiencing on a larger scale. Because frankly, what my executives and board want to know is how we are responding to what's happening in our environment. There may be a new zero-day vulnerability that's making headline news and everybody is running scared of it, but should we care?
So today, I've built a security risk management approach that takes all that data, brings it together and puts it in a visual representation that allows me to focus on what has the most significant potential impact to my environment. For example, with Log4j the question isn’t about global risks – it’s about how this will potentially impact our systems. I need to be able to provide a real-time and accurate answer in short order, and not say “oh, well let me do some analysis and I'll get back to you.” You’ve got to have a platform in place that gives you those answers in as near real time as possible.
How do you prioritize these needles in haystacks? The status quo has been to drop all this data in a spreadsheet or hire someone else to figure it all out.
I do have a different, and I think better approach than the spreadsheets. It does not involve accessing databases or any of that kind of stuff. I've seen solutions evolve in the industry that try to aggregate and correlate some of this data. But what I've done over the last few years is develop the concept of a cyber risk governance ecosystem. And I've coined and trademarked this term - turning the letters of GRC around to CRG - cyber risk governance.
It's a concept, methodology, and approach built around a threat and vulnerability management orchestration platform. I use the AppSOC platform to ingest all this data from any source, whether it's from my endpoint protection solution, my cloud security posture management solution, my SaaS security posture management solution - anything that has an API that allows me to collect the data to add to this funnel. Then I can run it through the algorithms and all the processes within that engine that prioritize the findings based on risk.
The platform can also bring in data from my application scanning tools, and my infrastructure scanning tools - pretty much every category of tool that I have in my environment. Now, instead of jumping from one dashboard to the next trying to figure out what to do, I have one dashboard where I can visualize and truly identify where the most risk exists. I can also take that data that's been aggregated for me and feed it into my risk quantification platform. That is powerful, having that engine in the middle that does all the heavy lifting and allows me to get the insights I need.
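The aggregate, deduplicate, normalize, and prioritize-by-business-context pipeline described in the two answers above, as an added example that is not part of the interview and is not AppSOC's code. The two tool schemas, the asset inventory, the severity mapping, and the risk formula (base score weighted by asset criticality and internet exposure) are all assumptions; the vulnerability identifiers are placeholders.

```python
# Constructed sample output from two hypothetical tools with different schemas
# (vulnerability identifiers are placeholders, not real CVE numbers).
APP_SCANNER = [
    {"app": "customer-portal", "cve": "CVE-0000-0001", "cvss": 10.0},
    {"app": "customer-portal", "cve": "CVE-0000-0001", "cvss": 9.8},  # rescan duplicate
    {"app": "intranet-wiki", "cve": "CVE-0000-0001", "cvss": 10.0},
]
CLOUD_POSTURE = [
    {"resource": "customer-portal", "finding_id": "CVE-0000-0001", "severity": "critical"},
    {"resource": "billing-batch", "finding_id": "CVE-0000-0002", "severity": "medium"},
]
# Assumed business context per asset (an inventory fed to the platform, not tool output).
ASSET_CONTEXT = {
    "customer-portal": {"criticality": 3.0, "internet_facing": True},  # revenue-generating
    "billing-batch": {"criticality": 2.0, "internet_facing": False},
    "intranet-wiki": {"criticality": 1.0, "internet_facing": False},
}
SEVERITY_TO_SCORE = {"critical": 9.5, "high": 8.0, "medium": 5.0, "low": 2.0}

def normalize(app_findings, cloud_findings):
    """Map each tool's schema onto one record shape: asset, vuln_id, base_score, source."""
    records = []
    for f in app_findings:
        records.append({"asset": f["app"], "vuln_id": f["cve"],
                        "base_score": float(f["cvss"]), "source": "app-scanner"})
    for f in cloud_findings:
        records.append({"asset": f["resource"], "vuln_id": f["finding_id"],
                        "base_score": SEVERITY_TO_SCORE[f["severity"]], "source": "cloud-posture"})
    return records

def deduplicate(records):
    """Collapse records naming the same vulnerability on the same asset; keep the highest score."""
    merged = {}
    for r in records:
        key = (r["asset"], r["vuln_id"])
        entry = merged.setdefault(key, {"asset": r["asset"], "vuln_id": r["vuln_id"],
                                        "base_score": 0.0, "sources": set()})
        entry["base_score"] = max(entry["base_score"], r["base_score"])
        entry["sources"].add(r["source"])
    return list(merged.values())

def prioritize(records, context=ASSET_CONTEXT):
    """Rank by business impact: base score weighted by asset criticality and exposure."""
    for r in records:
        ctx = context.get(r["asset"], {"criticality": 1.0, "internet_facing": False})
        r["risk"] = round(r["base_score"] * ctx["criticality"] * (1.5 if ctx["internet_facing"] else 1.0), 1)
    return sorted(records, key=lambda r: r["risk"], reverse=True)

def run_pipeline():
    return prioritize(deduplicate(normalize(APP_SCANNER, CLOUD_POSTURE)))
```

Note that the same placeholder vulnerability with the same CVSS 10.0 lands at the top for the revenue-generating portal but near the bottom for the internal wiki; that gap is the business context the spreadsheet approach loses.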
Stay tuned for further excerpts from our interview with John Sapp as well as viewpoints from other AppSOC customers and partners.