Blog — May 05, 2020

Cybersecurity Strategy IS Risk Management:
Cementing the Relationship Between the Board and the CISO

6 min read

Part 2 of 3 in a series on risk management (Part 1 and Part 3 are published separately).

In our continuing blog series on risk management, part two explores the changing role of the chief security officer, the growing interest in cybersecurity at the board level and how cybersecurity must be a risk management factor.

Governing risk

It has long been said that the Chief Security Officer is the least interesting person to the board until they become the most interesting person—usually after a major security incident. The reality is that risk management has always been in the shadows when it comes to cybersecurity.

But given the increase in cyberattacks, massive data breaches and expensive penalties, the board of directors and officers of the company more than ever must pay attention because cyber risk now contributes to the overall mix of fiduciary responsibilities assigned to them, regardless of the company’s size.

In particular, cybersecurity ROI has become less about return on investment and more about risk of incarceration. Perhaps a stretch, but the sentiment sticks. Boards and senior executives are being held accountable for cyberattacks and damaging data breaches in the form of lawsuits, toppled stock values, financial losses and terminations.

Board members must familiarize themselves with the risks associated with growing cybercrime, emerging technologies and regulatory obligations, and privacy laws that span multiple jurisdictions and even levels of government. Once armed with at least enough knowledge to be dangerous, boards must afford their executive team the budget, resources and people to protect the longevity of the business and its clients. Perhaps the most difficult issue is finding a common language in which they can communicate with their security teams to determine whether resources are allocated appropriately and security initiatives are aligned to risk goals.

In our FutureWatch study of 1,250 global security and business leaders, CEOs, board members and technical executives unanimously predicted a major cyberattack in the next two to five years. Over 60 percent of respondents assume a major event will occur. Interestingly, 77 percent of CEO and board respondents consider their organization prepared for such an event. As expected, technical leaders are approximately 20 percent more likely to predict an attack and are 10 percent less optimistic than their business peers in their organization’s preparedness.

Frankly, business leaders now fear the consequences of a major cyberattack more so than regulatory retaliation. Operation disruption and reputational damage are of greater concern than potential financial losses and regulatory penalties. This trend reflects a shift from a compliance-centric security approach (avoiding punishment) to a more self-actualized mindset determined to reduce the risk of business-altering outcomes to protect the organization, its investors and clients.

It is also imperative that boards align business objectives and risk tolerances with security and information technology programs. A firm’s risk comes down to a finite set of factors, including industry participation (think finance and healthcare), adoption of emerging technologies that bring competitive gain but introduce new and sometimes undetermined risk, and the maturity of the security programs designed to mitigate such risk. Not surprisingly, 64 percent of respondents in the same study predict a year-over-year increase in security budgets, while only five percent predict a reduction.

Recently, the National Association of Corporate Directors (NACD) and the UK National Cyber Security Centre published toolkits that boards can use to govern cyber risk. These resources provide differing levels of information; however, there are five common pillars:

AWARENESS: Understanding the impact of cyber risks and trends, experiencing the business impact of a breach and exposing personal risks

RISK: Identifying non-public assets and protected data and documenting regulatory and contractual obligations

PROGRAM: Establishing budget, staffing and programs that align to overall business risk priorities

REPORTING: Annual planning, quarterly reporting, dashboards and peer/industry comparisons of performance

INCIDENTS: Understanding incident response, board roles, critical business decisions, reporting to authorities and crisis communications

Perhaps the greatest challenge boards face is communicating with the CISO and other technology leaders in the company. In the FutureWatch study, respondents struggled to assign risk tolerance, understand resource requirements, and measure and report security progress. Only a third of respondents are confident that their security teams have access to the appropriate resources and that the organization is spending adequately on security. Similar confidence rates are associated with an organization’s ability to monitor and report on cybersecurity programs (34 percent), confidence that cybersecurity programs align to business objectives (33 percent), and confidence that high-profile assets are adequately secured (33 percent). In fact, a meager 29 percent of respondents indicated that their high-value or high-profile information is not adequately protected.

Risk in cybersecurity management

Let’s be really clear: cybersecurity professionals are in the business of managing risk. Firewalls and anti-virus are not valuable in themselves, and companies don’t buy them just for the sake of having them. They are used to avoid data breaches and business-disrupting cyberattacks.

Today, security leaders must align their security tech stack to risk tolerances and build out programs to mitigate unwanted risk. That makes cybersecurity part of the direct business equation and of board and officer accountability. It is now a risk management issue that can be quantified and reported in the same way finance reports sales, costs and profit.

Our business mindset must shift from security as an IT problem to solve (and cost to minimize) to that of business risk management. It’s about building a communication chain that links the top of the organization with everyone participating in the ecosystem. This full stack alignment is critical to establishing a corporate culture that understands risk mitigation and doesn’t view cybersecurity as an inconvenience or necessary evil.

It’s not about unpatched VPNs, as in the case of Travelex, or Apache servers, as in the Equifax breach. Let me repeat myself … it’s a business issue! And, even more than that, it’s a people issue. Creating a data recovery plan is only a first step in the process. We know that cybersecurity risks are highest when little care is given to how people communicate, connect and process information. It is foolhardy to commit to changing the status quo on cybersecurity without taking a hard look at team members’ internal and external interactions at all levels. If your cybersecurity incident response plan is out of date, this helpful Pragmatic Security Event Management Playbook can help identify possible gaps and ensure the crucial steps in the communications and damage control chain are covered.

In part three of this blog series on risk management, we look beyond Covid-19 to consider whether we are experiencing a seasonal migration, in which we return to a cyber world that resembles the pre-quarantine world, or a climatic shift in the way we do business and view cybersecurity priorities going forward.

Mark Sangster, Vice President and Industry Security Strategist

Mark is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations.