Top 3 Questions from the CISO’s Guide to Communicating Risk Webinar
- May 09, 2022
- Tyler Farrar
- 3 minutes to read
We recently held a webinar called “A CISO’s Guide to Communicating Risk” based on our white paper of the same title. In it, I spoke with Exabeam Senior Product Marketing Manager, Mike Moreno, about the importance of CISOs being prepared for worst-case scenarios while driving the appropriate forms of communication with C-level executives.
Unfortunately, we didn’t have enough time to answer questions during the live session, so in this article, I’d like to take the opportunity to address the three most pressing questions we received.
1. How would you request funding in the situation where a technical lead or senior IT management doesn’t support the need to mitigate the cyber risk you are addressing?
Focus on the metrics and translate those metrics to tell your “cyber risk story.” You should tie this story to the major root causes of breaches:
- Software vulnerabilities
- Malware
- Inadvertent employee mistakes
- Third-party compromise or abuse
- Unencrypted data
- Phishing
Come prepared to discuss your plan of action to remediate the risk (thus reducing the probability of a breach) and the amount of funding you are requesting. Be able to provide KPIs (your metrics!) that will show the positive effects of risk reduction once your plan of action is implemented.
What happens when you still cannot receive funding?
- Are there mitigating controls that can be put in place to reduce the risk to a tolerable level, e.g., network containment?
- Gain formal risk acceptance. You gain more traction by providing written correspondence that has already been vetted by your GRC team/Security Champions, i.e., you have done your homework and there are data and people to back it up. Request acceptance of the risk in writing from the appropriate senior manager, who is then assigned as the Risk Owner.
2. Is it considered an insider threat if an employee isn’t offboarded properly?
The key here is intent:
- Intentional insiders — Targeted data is usually high-value and highly sensitive. They typically take data before moving to a new company. They work to intentionally mask their actions to avoid detection.
- Unintentional insiders — “Accidental insiders” are often unaware that they have done anything wrong, e.g., Shadow IT exposes large amounts of corporate data to public cloud storage.
Exabeam classifies insider threats into three key areas:
- Compromised insider — Victim of an external actor who has gained access to their device and/or user credentials via phishing, malware, or other common threats.
- Negligent insider — An individual who does not follow proper IT procedures.
- Malicious/deliberate insider — An individual who knowingly looks to steal information or disrupt operations.
To answer the question: There is an unsanctioned active account on your network. Whether intentional or not, I would consider this an insider threat.
Next, classify the insider threat:
- Is the account compromised?
- Or, is the individual being negligent or malicious/deliberate in nature?
This will enable you to classify the insider threat and take appropriate risk remediation actions.
3. Can you discuss your approach for a third-party security review program, i.e., scoping risk assessments, critical vendors versus non-critical, risk attestation, and getting comfortable with their risk posture?
Exabeam executes its third-party risk program across three key areas:
- Vendor risk assessments
- Security questionnaires
- Contractual terms & conditions
All Exabeam third parties and vendors are inventoried and cataloged based on criticality/priority to the business. At a high level, this prioritization exercise consists of several different risk calibration techniques, including input from the business owner, data classification, how data will be handled, etc., all analyzed against Exabeam’s Adverse Impact Table and enterprise risk calibration.
Exabeam takes a risk-based, data-centric approach to third-party risk management. Higher criticality/priority third parties and vendors go through deeper risk assessments and more robust security questionnaires, and their contracts may be negotiated with tighter terms and conditions.
Should a team member within Exabeam GRC not feel comfortable with the third party’s risk posture after the three key areas above have been completed, the risk can be escalated through the Exabeam Cyber Risk Management Program. The risk is then calibrated across Exabeam Information Security, the business owner, and the Security Champion for the business owner’s functional area. Should the calibrated risk fall outside the established company risk tolerance, the appropriate/applicable Exabeam leadership makes a risk handling determination, e.g., accept the risk in writing and proceed with contract execution.
I hope you’ll take the time to watch the webinar on demand at your convenience to learn:
- What executives need to understand about the threat landscape
- How to educate leaders on the business consequences of breaches
- Essential elements of an executive security incident response
- How CISOs can introduce the “assume breach” mindset to their C-suite peers
Tyler Farrar
Chief Information Security Officer | Exabeam | Tyler Farrar is the Chief Information Security Officer (CISO) at Exabeam. In this role, he is responsible for protecting Exabeam – its employees, customers, and data assets – against present and future digital threats. Tyler also leads efforts in supporting current and prospective customers’ move to the Exabeam cloud security operations platform by helping them to address cloud security compliance barriers. With over 15 years of broad and diversified technical experience, Tyler is recognized as a business-focused and results-oriented leader with a proven track record of advancing organizational security programs. Prior to Exabeam, Tyler was responsible for the strategy and execution of the information security program at Maxar Technologies, which included security operations, infrastructure governance, cyber assurance, and USG program protection functions. As a former Naval Officer, he managed multiple projects and cyber operations for a multimillion-dollar Department of Defense program. He earned an MBA from the University of Maryland and a Bachelor of Science in Aerospace Engineering from the United States Naval Academy. He also holds a variety of technical and professional certifications, including the Certified Information Systems Security Professional (CISSP) certification.