Questions C-suite Executives Should Ask CISOs About Corporate Security

Unacceptable Information Security Incidents: A Positive Technologies Case Study

Positive Technologies developed and built its defense strategy through the joint efforts of the Chief Information Security Officer and top management representatives. As the business evolved, the company successfully moved from a large number of abstract cyber risks to three key unacceptable information security incidents:

1. Introducing malicious code into the product. Supply chain attacks are a potential danger to all software developers. After injecting malicious code into an IT company's products, attackers can gain access to its customers' infrastructure, which damages the company's reputation.

2. Theft of funds from the current account. Losing any amount of money to a cyber attack is an unpleasant event. The very fact that money was stolen shows that the attackers have access to the company's accounts, which means they can steal larger sums in the future, funds that could otherwise have gone into launching new products. And if business-critical amounts are withdrawn, the company can no longer operate. Last year, Positive Technologies put one unacceptable event, the transfer of funds from a company account, to the test through a bug bounty.

3. Leakage of sensitive information. Each company decides for itself which data it considers sensitive. For Positive Technologies, protecting customer audit results was the priority.

Ideally, company management should be able to formulate its unacceptable events at any time. The role of the information security service is limited to providing technical expertise; it is by no means the one that decides what is unacceptable for the enterprise.

How to Establish the Right Communication with a CISO

On the road to building effective cybersecurity, Positive Technologies has prepared some advice in the form of questions and answers. Deputy CEOs can use these suggestions to better understand which questions to ask the CISO, and can rest assured if the CISO's answers resemble the ones in this article.

1. What are the CISO's responsibilities to the business?

The CISO's responsibility lies not in incident response reports and SLA metrics, but in maintaining an inventory of unacceptable incidents across the company, including the possible attack vectors, the calculated losses, and an action plan for hardening the protection of target and critical systems.

2. How does the information security service check that the company is protected from unacceptable incidents?

Certified information systems and compliance with regulatory requirements and international standards do not guarantee a high level of security. The information security service engages market experts to assess security in the form of cyber drills or bug bounties. These experts look for ways to bring about unacceptable events. If the experts fail to find such ways again and again, managers can be sure that the unacceptable events cannot happen.

3. Can information security keep the company safe now? What will change in a year?

Today, any company can be hacked, and unacceptable incidents can happen (rapid digitalization and growing connections with other organizations mean that attacks through partners are also possible). To change this, information security goals must be defined around preventing unacceptable incidents, and independent security assessments must be conducted on a regular basis. The CISO draws up a cybersecurity development plan and implements it so that no unacceptable incident can occur within a year (or another specified period).

4. How does the security of a company depend on financial investment? How effective is our team's investment in cybersecurity?

An organization's level of security does not always depend on the size of its information security investment. Ubiquitous automation and the growing capabilities of attackers mean that more cyber incidents will occur in the future. While there is no direct relationship between spending and effective cybersecurity, from a business perspective you should focus on what matters most: preventing unacceptable incidents. In that case, the effectiveness of the investment is measured by its ability to prevent disruption of the company's operational and strategic activities.

Successful communication between information security and senior management is an important component of effective cybersecurity, but it is not the only one. In an aggressive digital environment, you must also engage with the information security community. Cybercriminals can only be stopped if we work together, so it is important to use peer-reviewed checklists, best practices and current methodologies, and to be part of that community.

Source: blog.csdn.net/ptsecurity/article/details/131945969