Security Professionals Win When They Can Master Risk Communications

Demonstrating Effective Communication is a Foundation for Effective Security Operations

A lot of people are talking about security risk right now. A quick Google search reveals articles on risks associated with the Slack collaboration tool, out of date Windows software, 5G network equipment from Huawei, iPhone apps that have been communicating with a malicious server and organizations’ employees. And that’s just the first page! Of course, when these topics make the headlines, security teams inevitably get calls from management, but the nature of these calls is evolving.

Recent analysis by Forrester finds that Boards are maturing in their understanding of cybersecurity and are asking more detailed questions. They don’t just want to know if the latest threat matters to the organization, but how you know that. For Chief Information Security Officers (CISOs) and other security leaders, this means that your ability to communicate effectively about cybersecurity is just as important as your work doing cybersecurity, if not more important. Communication has become a critical component of security operations. 

Speaking about risk using terms like “red, yellow, green” based on factors from outside your organization simply isn’t going to cut it. You must be able to provide greater detail, while communicating in ways that resonate with management and are relevant to the organization. Your ability to do this begins with contextual awareness. In security operations, context comes from aggregating and augmenting internal threat and event data with external threat feeds. By correlating events and associated indicators from inside your environment (for example from sources including your security information and event management (SIEM) system, log management repository, case management systems and security infrastructure) with external data on indicators, adversaries and their methods, you gain the context to understand the who, what, where, when, why and how of an attack.

Now you can prioritize threats based on relevance to your environment which allows you to answer the first question: Is this threat important to our organization? But what is relevant to one company may not be relevant to another. Lots of threat intelligence providers publish “global” risk scores based on their own research, visibility and proprietary methods. Because these scores are not specific to an organization or even an industry, you can’t take them at face value. This easy-button approach generates a “red, yellow, green” or “high, medium, low” score, but it does so in a “black box”, making communications and understanding difficult. In fact, you can’t answer the first question with confidence, and you lack visibility to adequately address the next question: How do you know this? 

You need transparency into how scores are derived, and that comes with the ability to customize scores based on your own set of scoring parameters. These parameters are driven by multiple factors, including: indicator source, type and attributes or context, as well as adversary attributes.

The ability to customize threat intelligence scores allows you to prioritize threats to your organization and reevaluate and reprioritize as new data and context becomes available. It also provides the transparency you need to answer more detailed questions in a simple, clear and relevant way. For example: 

• “Internal data and events indicate some evidence of potential malicious activity. We have taken steps to contain it and are now remediating the affected systems.”  

• “This report will provide you with an overview of an adversary campaign that may be targeting our organization and the type of activity we are currently looking for.”

• “Multiple sources indicate that this particular threat is not currently targeting our industry, but we are continuing to monitor it and have patched the vulnerability it is taking advantage of to infiltrate networks.” 

• “This threat targets systems we have not deployed in our environments, so this isn’t a threat to be concerned about.”   

With a construct for effective communication, you can build trust and engage in a dialogue that offers ample opportunity to showcase the value you and your teams provide. What’s more, when it comes time for budget discussions, you’ll find those conversations go more smoothly as well, demonstrating that effective communication truly is a foundation for effective security operations. 

Original author: Marc Solomon