ISO certificates do not protect | Pentest7


ISO certificates are important for compliance audits and cyber insurance. However, companies should not lull themselves into a false sense of security, because the threat situation is constantly changing.

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continuously improving an information security management system within the organization. It also includes information security risk assessment and treatment requirements tailored to the needs of the organization.

It has been seen countless times. A chief information security officer (CISO) walks into a board meeting and pores over statistics showing the company’s compliance status. The company is 75 percent compliant with ISO 27001 requirements, but what does that say about the level of risk? The truth is, a CISO can spend years implementing all 114 Annex A controls of ISO 27001:2013, and a determined attacker can still bypass the protections in a matter of hours. With attackers constantly updating their TTPs (tactics, techniques and procedures) and tricking unsuspecting employees, no amount of compliance covers every base. Vectra AI therefore asks why CISOs cling to compliance numbers.

Boards tend to react to clear signs of progress, which are notoriously difficult to measure in security. It is therefore necessary to change the discussion. In the classic risk management equation risk = threat x vulnerability, the defender only controls the vulnerability term; the threat term, the attacker’s motivation, skills and resources, is outside its control. A CISO could put all of their resources into a comprehensive compliance strategy and still be breached.

What does threat-oriented mean?

Instead, the approach must be “threat led”, i.e. threat-oriented, says Vectra AI. This means first identifying the most valuable assets and the adversaries likely to target the company, and prioritizing mitigation of the risks identified from that pairing. CISOs should measure security by their ability to detect intrusions, using meaningful metrics gathered during security testing: the time an attacker needs to gain a foothold (mean time to intrusion) and the time the defenders need to notice it (mean time to detect). The CISO can then work those numbers toward agreed targets, with detection time going down and the effort an attacker needs to get in going up.

According to Vectra AI’s experience, comprehensive red team exercises are essential to obtain this data. Red teams test technology, people and processes. They look for blind spots and find unorthodox ways to break into the company, which is exactly what a skilled attacker would do. The result is valuable data on what fell through the cracks, allowing CISOs to prioritize accordingly and reduce the mean time to detection of a breach. However, only a few companies currently conduct red team exercises, because they do not feel mature enough to do so. This is music to attackers’ ears, and they will not give CISOs the time they need to gather these insights before they strike. Red team exercises should be conducted even at a low level of maturity, precisely because that is when the organization lacks any better basis for prioritizing the mitigation of real threats.

There is no other industry that invests so much without objectively measuring the result. Car buyers would not drive a car that had not been crash tested, so why run a security strategy without checking whether it can be circumvented? Even regulators are aware of this, with frameworks such as TIBER-EU setting out threat-intelligence-led red team testing for banks and other financial institutions so that they go beyond basic compliance.

Raise awareness at the next board meeting

At the next board meeting, the compliance numbers should only be a footnote. Instead, encourage stakeholders to think about the business impact of a security breach and the likelihood of attackers targeting the organization, and to address the likelihood of such an attack succeeding. The CEO will want to know whether the company ends up on the front page of the daily press when it is hit by ransomware, and the CFO will want to know for how long the business cannot transact while the systems are down.

Rather than attempting to demonstrate compliance and that projects are on track, Vectra AI believes CISOs should use these meetings to discuss weaknesses. They should present the board with options to mitigate those weaknesses and ask for the budget they require. In today’s dynamic threat environment, plans may need to change mid-year. It is therefore critical that the board understands the risks it is accepting if it chooses not to invest.
