An Executive Brief from Cisco

Cybersecurity: A View from the Boardroom

“In the modern economy, every company runs on IT. That makes security the business of every person in the organization, from the chief executive to the newest hire, and not just personnel with “security” in their title or job description. Everyone should be accountable and learn how not to be a victim.”
– Cisco 2015 Annual Security Report

[Figure: “This is not an org chart of your company: it's a diagram of your security risks.” An org chart (CxO, VPs, Management, Company Employee #20134) with attackers shown outside it; callout: confidence level toward security processes, CISOs 59% vs. SecOps 46%.]

Security breaches are in the headlines and on your board members’ minds.

Cybercriminals are no longer fringe. They are an organized industry. High-profile breaches at well-known and respected government institutions and companies are becoming almost commonplace. Commonplace and highly damaging. Beyond the theft of customer information, cybercriminals are creating legal issues, inciting fraud, and making off with intellectual property. And with the rise of social media, news of a breach can be difficult to contain. It carries inevitable damage to a company and its reputation.

A Security Breach: Not If But When.

Although the tactics and methods of cybercriminals constantly morph, our 2015 Annual Security Report provides insights that will help you prepare your organization, speak to the nature of the threats more intelligently, and understand how senior stakeholders in your own organization might comprehend and prioritize threats differently.

Included in this executive brief:
• Page 2: How to prepare yourself for greater boardroom engagement
• Page 3: How leadership within your organization—chief information security officers (CISOs) and security operations managers (SecOps)—might disagree on the threat level and what to do about it
• Page 4: How users have become unwitting accomplices of cybercriminals

©2015 Cisco and/or its affiliates. All rights reserved.
Your board of directors: thinking about security like never before and coming with questions.

“The Information Systems Audit and Control Association (ISACA) revealed that 55 percent of corporate directors now must personally understand and manage cybersecurity as a risk area.”
– Cisco 2015 Annual Security Report

What’s Going On?
Recent data breaches of well-known companies, data security regulation, and shareholder expectations are all bringing cybersecurity into the boardroom. Yet for many companies, this hasn’t yet translated into action. How do you get out in front of your board’s questions, invigorate the dialogue with correct information, and address its concerns?

Why Should It Matter to Me?
Ultimately every board has a fiduciary responsibility to its shareholders. Security concerns that once seemed peripheral have now come into stark focus. Cybercrime is affecting:
• IP theft: From patents to trade secrets to entertainment properties, IP is at risk.
• Reputational damage: Breaches not only scare customers but also are costly to repair.
• Fraud: Breaches frequently have the twin effect of diminishing trust and causing monetary loss.
• Legal exposure: Breaches create opportunities for lawsuits and their ensuing damages.
• Financial losses: Cybercrime’s ripple effects damage a company’s bottom line for years into the future.

What Should I Do Now?
1. Bring security into the boardroom as an ongoing agenda item and make an executive responsible for it. Corporate boards of directors must know the cybersecurity risks to their business. To truly understand the scope of cybersecurity issues, boards should add members with technology and cybersecurity expertise.
2. Create a cyber-risk profile as part of the organization’s overall risk assessment. Cybersecurity is now directly tied to the health of an organization, affecting stock price. The board should determine avenues of cyber-risk, gather data, and evaluate probabilities. The resultant cyber-risk profile can inform the larger organizational risk assessment.
3. Get in front of questions from a newly engaged board by asking your security team the following questions:
   • What controls do we have in place?
   • How well have they been tested?
   • Do we have a reporting process?
   • How quickly can we detect and remediate the inevitable compromise?
   • What else should we know?
   Be prepared to answer questions from the board in terms that are meaningful and that also outline business implications.

Is Your Industry a High-Risk Vertical?
To determine an industry’s risk for malware encounters, Cisco Security Research examined eight types of attack methods. It found a perfect storm: the combination of targeted attack methods and careless user behavior online, with each having an impact on the level of risk. Review Cisco’s list of high-risk security verticals in the Cisco 2015 Annual Security Report.
CISOs and SecOps: disconnected opinions

[Figure: confidence level toward security processes, CISOs 59% vs. SecOps 46%.]

“Fifty-nine percent of chief information security officers (CISOs) view their security processes as optimized, compared to 46 percent of security operations (SecOps) managers.”
– Cisco 2015 Annual Security Report

What’s Going On?
Today’s cybercriminals don’t stand still. They constantly change tactics, probing the efficacy of each stratagem. Amid this constant barrage, alignment across security leadership is crucial. However, CISOs are more optimistic than SecOps: 59 percent of CISOs strongly agree that their security processes are clear and well understood, but only 46 percent of SecOps agree.

Standard security tools are not always used. While 75 percent of CISOs see their security tools as being very or extremely effective, fewer than 50 percent of the respondents use the following basic methods:
• Identity administration or user provisioning
• Patching and configuration
• Penetration testing
• Endpoint forensics
• Vulnerability scanning

Why Should It Matter to Me?
Trusting your security doesn’t change the numbers. Even if your organization blocks 99.999 percent of attacks, some will inevitably succeed. Focus on preparedness and put procedures in place to quickly respond when they do.

You might think your security is effective now, but it can soon be out of date. Attackers constantly change their strategies by:
• Disappearing from a network before they can be stopped
• Quickly choosing a different method to gain entry
• Using spam campaigns with hundreds of IP addresses
• Designing malware that relies on tools that users trust or view as benign
• Creating a hidden presence to blend in with your organization, sometimes taking weeks or months to establish multiple footholds

The disconnect between CISOs and SecOps in their opinions of threat levels and preparedness has consequences. For example, it can restrict resources to SecOps for what they believe is an urgent issue. If that issue becomes a confirmed crisis, it’s more costly to contain, exposing your company, customers, and partners.

Vigilance must be relentless. Your team should understand that it’s a constantly changing field of battle. The security practitioners you’ve hired should be held accountable to close the gaps.

What Should I Do Now?
Align your team on the nature and strength of the threat landscape so resources are brought to bear where they’re most needed. Here are practical ways to evaluate the disparity of opinion within your organization:
1. Align business initiatives and security realities.
2. Implement policies that are in keeping with business objectives.
3. At a minimum, follow baseline security practices and raise your level of security maturity.
4. Realistically evaluate the effectiveness of the processes you’re putting in place.
5. Revisit and optimize former and current processes.

The Cisco 2015 Annual Security Report can inspire a candid discussion around our insights on threat intelligence and help close any disconnect within your security team.
Your users: unwitting enablers or empowered assets?

[Figure: the org chart again (CxO, VPs, Management, Company Employee #20134), with attackers reaching an exposed user through personal devices.]

What’s Going On?
Users are now unwitting enablers of attacks. While enterprises are busy blocking known threats, cybercriminals might send a fake request for a password — and a new breach begins. Security challenges affect several aspects of user behavior:
• Failing to update browsers: This error of omission enables more malicious attacks than would occur with automatic updates.
• Clicking on spam: Seemingly benign emails might contain a dangerous link or download of a malicious attachment.
• Downloading from untrustworthy sites: Users install PDF tools or video players downloaded from untrusted sources.
• Trusting malvertising: Users interact with seemingly legitimate advertising that leads them to download malicious software.
• Using exploitable software: Unpatched or outdated software provides adversaries with an easy path to attack users.

Why Should It Matter to Me?
The IoT is growing and creating a greater surface area to defend. Today there are 10 billion connected devices, a number that’s expected to grow to 50 billion by 2020. The IoT enables business data to be passed back and forth in the cloud, creating a potential threat vector as users access company resources through personal devices.

Rogue applications are creating potential entry points for cybercrime. Malicious actors are using Web browser add-ons as a medium for distributing malware. This approach is proving successful because many users trust add-ons or view them as benign. In summary, increasing levels of access and resource demands on the network are the new reality — with ever-rising stakes.

What Should I Do Now?
With users increasingly becoming weak links in the security chain, you have choices to make:
• As software becomes easier to use, do you open new access policy loopholes, only to have cybercriminals exploit them?
• Should you assume users cannot be trusted, and install stricter security controls?
• Or do you take the time to educate your staff and clearly explain how they play a vital role in achieving dynamic safeguards that support the business?

The Cisco Security Manifesto suggests the last option. Forcing users to work around new protocols that get in the way of their workday only leaves the business less protected. Creating your own security manifesto can help your users own the big picture.

The following are some pragmatic steps to implement with your security staff:
1. Understand the limitations of a porous network.
2. Segment the network and prioritize sensitive assets.
3. Train users on security policies and best practices.