Four Cybersecurity Essentials that Your Board of Directors Wants to Know
The insights to help you deliver what they need
www.cymulate.com

Table of Contents

01 | Explain Yourself. Here's How ..... 3
02 | Closing the Correlation Gap ..... 4
03 | Your Current Security Posture: Where the Company Stands ..... 5
04 | Defensibility: Vulnerability to the Latest Threats ..... 7
05 | Top Data Security Priority: Address Highest Risks First ..... 9
06 | Improving Performance Over Time ..... 11
07 | About Cymulate ..... 12

01 Explain Yourself. Here's How.

Explaining your organization's security strategy and controls to a nontechnical audience can be challenging. Aligning that strategy against ever-changing threats and cyberattack techniques is even more challenging. Translating the strategy, threat landscape, and daily impact into meaningful risk metrics has traditionally been nearly impossible.

Yet, executive teams and boards of directors are asking for exactly that. They increasingly demand data that describes the potential impact of a security threat to operations, brand reputation, market position—even stock value. This document provides a context for understanding what kinds of information a board needs, and why.

It will give you four insights based on quantifiable metrics to help you explain your current cybersecurity posture, defensibility, priorities, and ROI in ways that are most meaningful to your executive audience.

02 Closing the Correlation Gap

Every executive team—regardless of company size—cares about business risk. No one wants to make headlines for being the victim of a data breach. No longer "just an IT problem" or a minimum compliance requirement, cyberattacks have become a significant business risk. Leaders actively trying to manage risk have realized that cyber threats now represent the lion's share of potential harm, and they want timely risk metrics aligned with business priorities. In a 2019 survey by the Enterprise Strategy Group [1], executives and directors want the following:

39% want security status reports for cyber risk associated with end-to-end business processes

36% want to know the status and responses associated with IT audits

36% want correlated data for prioritizing mitigation activities

35% want better detail on the ROI of their security investments and planned purchases

For publicly traded companies, the stakes are especially high. In 2018, the US Securities and Exchange Commission [2] began requiring disclosure of data breaches and "material cybersecurity risks" in order to better protect investors. Part of effective disclosure is informing the organization's directors, officers, and other key individuals about risks that the company faces or is likely to face [3].

For the CISOs, IT, and security professionals who must prepare and deliver reports to the board, this can be a bit nerve-wracking. How much data? Which data? What is important or truly material to the company's operations, finances, and reputation? And how can you put that data in a form that's meaningful to your audience?

It helps to remember that executive team and board members care about the risk represented by cybersecurity vulnerabilities and attacks—not technical details. They want Key Performance Indicators (KPIs) and metrics, not reports detailing software patches across thousands of systems. The following four insights can guide you in preparing an effective presentation.

[1] Cyber risk management: There's a disconnect between business and security teams, CSO, February 27, 2019, https://www.csoonline.com/article/3338562/cyber-risk-management-theres-a-disconnect-between-business-and-security-teams.html
[2] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Securities and Exchange Commission, Feb. 26, 2018, https://www.sec.gov/rules/interp/2018/33-10459.pdf
[3] Five Things to Consider When Reporting to Your Board on Cybersecurity, Forbes, May 10, 2019, https://www.forbes.com/sites/forbestechcouncil/2019/05/10/five-things-to-consider-when-reporting-to-your-board-on-cybersecurity/#70dc328e7995

03 Your Current Security Posture: Where the Company Stands

Risk is always present. You need to know which risks, and how much risk, really matter to the company. Aligning your cybersecurity risks with the overall business strategy and key assets is a good start. Some questions to ask are:

What are the business goals critical to the company's ability to survive and thrive?

Which processes and functions support those goals?

What are the most critical assets required to support these processes—customer data? Intellectual property? Proprietary processes? Specialty or customized equipment? Consumer-facing applications?

Where do these assets reside in the organization?

Which IT systems, applications, policies, or other technologies store, transmit, and use data and/or execute actions based on these assets?

Knowing what is most critical to protect makes it easier to identify coverage gaps. A review of external and internal controls provides current data on what is in place. Measuring their actual effectiveness gives you accurate information for a real-time security posture metric, also known as an exposure score.

By testing security controls and challenging their effectiveness with simulations of cyber attacks, security teams can obtain quantifiable benchmarks for an immediate, objective understanding of vulnerabilities and risk levels.

Whether homegrown or outsourced, manual or automated, attack simulations can challenge the effectiveness of all your existing controls, across vectors, so you can test them from an attacker's perspective and assess how well they would perform under a genuine cyber attack.

Quantifiable benchmarks offer an immediate, objective understanding of exposure levels across your infrastructure.

Figure 1 provides an example of benchmark data that enables you to quickly and easily assess the organization's security posture, where a score of 100 represents a high probability of compromise, and the lower the score, the lower the risk and probability of compromise.

Figure 1. Benchmark data for assessing current security posture. Source: Cymulate 2019

Attack simulation results provide the foundation for knowing where you stand today. You will also want to consider other potential risk factors, based on your specific company. For example, experiencing a prior breach is a material risk factor. If you've been successfully breached once, you're much more likely to be targeted again [4].

[4] Mandiant M-Trends, 2019, https://content.fireeye.com/m-trends
[5] History Tends to Repeat Itself - Attackers Repurpose Tried and Tested Methods to Launch Attacks, SecurityWeek, March 21, 2019, https://www.securityweek.com/how-three-2018s-critical-threats-used-email-execute-attacks

04 Defensibility: Vulnerability to the Latest Threats

Risk is directly tied to your company's defensibility. "Are we vulnerable to that ransomware that hit Baltimore?" Reports of companies and cities falling victim to ransomware and other malware menaces have become a daily occurrence. Understandably, CISOs get called up by their CEOs or other executives seeking to know if they are vulnerable to the latest threats that made the headlines. By keeping tabs on the latest threat intelligence, and specifically their indicators of compromise (IoCs), security managers can quickly answer that question and convey to the board if the business is vulnerable or not.

Of course, there are signature-less attacks and zero-days (known unknowns) that require behavioral detection, but as far as knowing if you're at risk from an already-known threat, this is easy to do to reassure your board, or explain why you need to beef up resources for a particular area of security.

Checking that the latest threats' IoCs have been updated in relevant controls, be they your endpoint security solution, email gateway or web gateway, is a first step to assessing defensibility against the latest threats, including the latest strains of ransomware, worms, banking Trojans, phishing, cryptominers and other online threats. The process of verifying that active IoCs have in fact been updated in your organization's solutions can be automated using attack simulation tools.

Frequency Matters

As new threats are detected in the wild daily, the more frequently and continuously you test your defensibility, the faster you will be able to ramp up your security controls. Attackers change their tactics depending on their goals, and they continually evolve techniques to increase their functionality.

Figure 2: New threats are detected in the wild daily, enabling organizations to assess their defensibility against them

For example, the Emotet threat started out as a banking Trojan, using spam emails that looked like invoices or requests for payment and included malware as an attachment file or embedded as a link. Emotet has become a modular platform, capable of carrying out a variety of attacks via email. It offers tools for stealing email credentials, stealing user names and passwords stored in browsers, providing distributed denial-of-service (DDoS) capabilities, and distributing malware. Other attacker groups can use the Emotet platform to deliver their own Trojans and ransomware.

Other current threats include Ryuk ransomware, distributed through malicious spam attacks tailored specifically for the victim organization. Ryuk attempts to encrypt network resources, after which it removes shadow copies and backup files, and destroys the victim machine's copy of the encryption key to ensure victims won't be able to decrypt the files themselves.

In summary, by integrating threat intel feeds, or automated alternatives, into your security framework, you can optimize your controls faster, and easily convey the organization's resiliency to the newest attacks in the wild.

05 Top Data Security Priority: Address Highest Risks First

Quantifying your exposure level across any vector (email, phishing, web gateways, endpoints, lateral movement, data exfiltration, etc.) lets you convey security priorities in an objective manner. Figure 2 is an example of an executive-level report on email security exposure. It provides overall risk metrics, breaks them down by exposure to payloads that pose high, medium, and low risk, and further drills down to specific simulated payloads that were sent to a mailbox in an attempt to assess whether they would be blocked by the enterprise email gateway.

Preventive actions, taking the email gateway as an example, may include blocking specific file types, inspecting email attachments for multi-layer nested files, or considering integrating a sandbox or CDR to lower your exposure score.

Once you know where you are most vulnerable, you are able to deploy suggested preventive or detective measures—such as adjusting policies or configurations or even investing in additional technology.

Figure 3. Executive-level summary of exposure scores across all vectors of the kill chain

With detailed information in hand, you can begin to prioritize risks and decide what needs immediate remediation. As shown in Figure 3, a high number shows that the specific vector is more vulnerable to attack than a vector with a low exposure score.

However, results must be reviewed in light of specific business assets and goals. For example, in Figure 3, the Lateral Movement score of 100 indicates that the organization is extremely vulnerable to threats moving laterally in its network. A score of 30 for Web Application Firewall might be acceptable, unless the organization is a completely web-based business where its customer-facing web application is business-critical. Retail, online banking, e-trading and webmail sites would stand to lose a lot if their consumer-facing application were compromised. For that organization, reducing that score further could represent more significant risk mitigation than lowering the email score.

What's at Risk?

Prioritizing remediation efforts also requires knowing which assets are at most risk and their relative levels of importance. This relates to the SEC's interest in material risks. Which compromised assets and processes would result in serious operational, financial, or reputation damage to the company? Using overall business goals as a guideline, are external assets more critical than internal resources? If your customer-facing web portal is breached, would that be more important than if DevOps systems testing your next generation of software were compromised?

How Likely are Specific Threats?

Another aspect of determining material risk is the likelihood of specific threats occurring. Who would want to attack your company's assets and why? Keeping up with cybercrime trends can help answer this question. Malicious insiders continue to be among the top perpetrators. In the US, malicious insiders cost organizations an average of US$1.6 million each [6]. Financial criminals have created virtual empires—cyber-criminal revenue worldwide is estimated conservatively to be US$1.5 trillion—equal to Russia's entire GDP [7]. Data is a huge target for theft; according to a study by Accenture and Ponemon [8], simply copying and stealing data is giving way to destroying or changing data so that it cannot be trusted. Increasingly, core systems and industrial controls are attacked with the goal of disruption or destruction.

What is the Potential Impact?

Finally, what would be the impact of different attack types if they did occur? Impact includes operational, financial, and brand damage. Operational disruption, inability to meet SLAs or other customer agreements, and resulting lost customer goodwill are examples of operational impact. Financial impact not only includes lost revenue, lost opportunity, recovery costs, and possible legal costs, it also includes the cost of investment needed to strengthen defenses and mitigate future risk.

Focus on the Material Risks

It's important to identify material risks. If potential loss is high but the likelihood of an incident is very low, it's probably not worth including in your presentation as a significant risk.

Knowing where the organization's vulnerabilities lie from a simulation will help you identify what is needed to remedy the gaps. Must current controls be updated and subsequently validated via simulation? Do you need additional or newer technology? Additional staff or expertise, either internal or outsourced?

If you need additional budget, you should be able to support specific investments based on the risks they mitigate. Simulation also enables you to quantify how much you can improve the security posture with additional investments.

[6] What's the financial cost of cyberattacks to business?, TechHQ, March 7, 2019, https://techhq.com/2019/03/whats-the-financial-cost-of-cyberattacks-to-business/
[7] Decoding the global economy of cybercrime, The Economist, May 28, 2019, https://eiuperspectives.economist.com/technology-innovation/decoding-global-economy-cybercrime
[8] Ninth Annual Cost of Cybercrime Study, March 6, 2019, https://www.accenture.com/us-en/insights/security/cost-cybercrime-study

06 ROI on Security Investments: Proving Effective Spending Over Time

Your board likely wants to know: What is the ROI on the company's security investments? Is the IT or security team actually putting its money where its risk is? By sharing with your board where your company is most and least vulnerable, you will be better positioned to prove that you are putting budget and manpower where the company needs it most.

A good place to start to prove effective spending to the board would be to share where your team is seeing the most vulnerability or threat exposure. And in light of that exposure, what resources are being allocated to address it? Maybe the company is seeing high risk with regards to attempted attacks on its consumer-facing application? This may require allocating some effort or budget to harden your WAF (web application firewall), or to compare its performance against an alternative one.

It could be that your controls are working impeccably, but too many employees are clicking on faux-phishing emails and it's time to invest in additional training. Alternatively, there are concerns about access by third parties to your network or cloud resources, and stronger access controls are required. In any event, the ROI on technical or human control improvements should be demonstrated.

To demonstrate the ROI on spending allocated to digital security, it is imperative to continually record your exposure score over time. This will enable you to demonstrate how your budget prioritization has led to improvement in security effectiveness, or alternatively, help you explain dips in defensibility arising from employee turnover or inadequate resources.

Over time, you can create a clear picture of how the company's security investments (or lack thereof) have impacted your exposure levels and security posture. If specific areas do not show improvement, you can demonstrate why—a lack of resources, outdated controls, or other factors.

Figure 4. Executive-level risk summary for the email vector

Valuable benchmarks to report on to your board include changes to your predefined baseline of what you deem to be an acceptable level of exposure. To facilitate this from an operational perspective, any deviation above an acceptable level of risk can trigger an alert so you are notified of security posture changes immediately. For example, an exposure score of 20 out of 100, which presents low risk, may be set as your baseline. Any deviation above that score could trigger a notification to you or your board.

No less important, an executive report can provide your board with a comparison of how your company measures up against other companies in the same industry across the different vectors of the kill chain.
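As an added example (not Cymulate's code or anything from the paper itself), the following Python puts the prioritization rule from section 05 (exposure score weighted by business criticality, with the paper's Lateral Movement 100 versus Web Application Firewall 30) next to the baseline alert of 20 out of 100 and the exposure-score trend described above. The vector names, criticality weights and quarterly history are constructed for illustration.

```python
"""Exposure-score bookkeeping for a board report (added example, not Cymulate's code).

Conventions follow the paper: each attack vector gets a score from 0 to 100, where
100 means a high probability of compromise. Vector names, weights and the history
below are constructed for illustration.
"""

# Constructed per-vector exposure scores. Lateral Movement 100 and Web Application
# Firewall 30 are the two figures the paper discusses; the rest are illustrative.
EXPOSURE = {
    "lateral_movement": 100,
    "web_application_firewall": 30,
    "email_gateway": 55,
    "web_gateway": 40,
    "data_exfiltration": 15,
}

# Constructed business-criticality weights. 1.0 is neutral; a web-based business
# whose customer-facing application is business-critical raises the WAF weight.
GENERIC_BUSINESS = {}
WEB_BASED_BUSINESS = {"web_application_firewall": 4.0}


def prioritize(scores, weights):
    """Rank vectors by exposure score times business criticality, highest first.

    Returns a list of (vector, weighted_score) tuples, so the top entry is the
    vector whose remediation buys the most risk reduction for this business.
    """
    weighted = {v: s * weights.get(v, 1.0) for v, s in scores.items()}
    return sorted(weighted.items(), key=lambda item: (-item[1], item[0]))


def baseline_alerts(scores, baseline=20):
    """Return the vectors whose exposure has drifted above the accepted baseline.

    The paper's example baseline is 20 out of 100; anything above it would trigger
    a notification to the security team or the board.
    """
    return {v: s for v, s in scores.items() if s > baseline}


def trend(history):
    """Turn a [(period, score)] history into per-period deltas for an ROI narrative.

    A negative delta is an improvement (exposure fell); a positive delta is a dip
    in defensibility that the presenter should be ready to explain.
    """
    rows = []
    previous = None
    for period, score in history:
        delta = None if previous is None else score - previous
        rows.append((period, score, delta))
        previous = score
    return rows


if __name__ == "__main__":
    for label, weights in (("generic", GENERIC_BUSINESS), ("web-based", WEB_BASED_BUSINESS)):
        print(label, "priority order:", [v for v, _ in prioritize(EXPOSURE, weights)])
    print("above baseline:", baseline_alerts(EXPOSURE))
    # Constructed quarterly history of the overall exposure score.
    for row in trend([("2019-Q1", 62), ("2019-Q2", 41), ("2019-Q3", 47), ("2019-Q4", 28)]):
        print(row)
```

With the neutral weights Lateral Movement tops the list; with the web-based weighting the WAF vector moves ahead of it, which is the paper's point that the same scores prioritize differently depending on the business.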


07 About Cymulate

With a Research Lab that keeps abreast of the very latest threats, Cymulate proactively challenges security controls against the full attack kill chain, allowing hyper-connected organizations to avert damage and stay safe.

Cymulate's SaaS-based breach and attack simulation platform makes it simple to test, measure and optimize the effectiveness of your security controls any time, all the time.

By mimicking the myriad of strategies and tools attackers deploy, businesses can assess their true preparedness to handle cybersecurity threats effectively.

Cymulate is trusted by companies worldwide, from small businesses to large enterprises, including leading banks and financial services. They share our vision—to make it easy for anyone to protect their company with the highest levels of security. Because the easier cybersecurity is, the more secure your company—and every company—will be.

Learn More
Receive a demo, read our blog, or visit us at www.cymulate.com