Hidden C/S: Oversight
This post is part of a series about aspects of cybersecurity which are not obvious, especially to newcomers.
This post is about the cybersecurity aspects of oversight by leadership, specifically oversight of cybersecurity.
What does cybersecurity have to do with oversight? To answer that question, let us go down the cybersecurity chain from start to finish.
(1) Senior management signs off on a cyber asset as critical, which means that the asset is to be protected from at least one specific risk. This is Identify in the NIST CSF.
(2) Someone in the cybersecurity program (CSP) assigns a "control" to that risk for that asset. This is Protect in the NIST CSF. This step includes agreeing on what constitutes proof that the control is effective.
(3) Monitoring that control becomes part of someone's job. This is Detect in the NIST CSF.
(4) Sharing the results of that monitoring with a supervisor becomes part of the same someone's job, on which their performance is judged. These results are the evidence that makes your CSP evidence-based.
(5) Summaries of that evidence join all the other management reporting used to keep senior management in the loop.
Oversight comes into play in item (5) above. In order to do their jobs, leadership has to oversee the major functions of the organization. In order to oversee these functions, leadership has to understand the inputs, the process and the outputs. Specifically, leadership has to be able to comprehend the evidence that the CSP generates, at least at the summary level.
This ability to comprehend does not come from training your leadership as engineers, or teaching them how to read logs, or any other kind of technical expertise. This ability comes from item (2) above: agreeing beforehand on how to present the evidence in ways that are both accurate and legible to leadership.
Oversight is the mirror image of management reporting. To achieve oversight means that your CSP assumes and requires that your front line people can effectively describe and convey the evidence they use to prove that they are not only complying with their job requirements, but actually protecting the organization's assets from threats and vulnerabilities. And that leadership, all the way up to the top, is comfortable interpreting that evidence.
Don't assume that your leadership team knows how to effectively consume technical information. Make sure that they can understand what you are telling them, and adapt to them if they cannot. Evidence-based security only exists where the evidence is gathered, correctly analyzed and effectively communicated.
Pythia Cyber can help you on both ends: producing evidence that makes sense and making sense of the evidence you produce.