Security leaders need better visibility of risk before the board asks

Kevin Cunningham, president and co-founder of SailPoint, steps up for a Security Slap Shot on why the board's need for information demands better visibility of risk.


Is your environment more or less complex than it was last year? And what about the changing threat landscape?

When we blend them together, we get increasing complexity with evolving threats. And now that security is a top area of concern in the executive suite and boardroom, the pressure mounts.

If asked, can you quickly help visualize the risks for a member of the executive team? If they share a specific concern, how quickly can you identify the real risks that require attention?

It’s something Kevin Cunningham (LinkedIn), president and co-founder of SailPoint, is focused on.

In his role as president of SailPoint, Cunningham oversees product development, marketing, sales, operations and services. That means a lot of interaction with security leaders and working to help them prepare for the challenges they face.

Here’s Kevin’s Security Slap Shot:

Lack of visibility is so bad that if the CEO’s identity were compromised, many security leaders wouldn’t be able to immediately answer how and where they were at risk.

Cybersecurity is now a board-level concern. With widespread attacks such as WannaCry and NotPetya achieving new levels of destruction and disruption, we’re seeing material impact on corporate earnings. For example, pharmaceutical company Merck is still recovering from June’s NotPetya attack that halted production of some drugs. While the full magnitude of the impact of the disruption remains unclear, the company has cut its profit forecast for next year.

While many CEOs are beginning to understand the effects that cyberattacks can have on reputation and the bottom line, many are still struggling with a lack of visibility of the risk. They often look to the security leaders within their organization for answers. One statistic from our annual SailPoint Market Pulse Survey would likely shock many executives:

"Given the hypothetical situation of the CEO’s identity being compromised, the majority of respondents – 73 percent – admitted they wouldn’t immediately know how and where their data was at risk."

This lack of visibility is concerning. In our last conversation, we talked about the ever-growing complexity of today’s IT environments. New exposure points are emerging every day, due to everything from the proliferation of applications, user types and unstructured data to trends such as Shadow IT and BYOD. And still, very few organizations have visibility into who their users are — employees, contractors and business partners — and what those users have access to (and more importantly, if that access is appropriate). In fact, our survey shows that only 33 percent of organizations could produce a company-wide report within 24 hours on who has access to what resources and what can be done with that access.

Identity governance is the key here and should be at the center of an organization’s security program. Having an identity governance program in place helps an organization take inventory, analyze and understand the access privileges granted to employees, contractors, and partners. It helps answer the question “Who has access to what?”

But, like we discussed last time, this goes well beyond just technology. True visibility and control can only be achieved with the right combination of people, process and technology. Gaining internal support, building governance frameworks and implementing automation all need to happen in tandem. With all of this in place, and with the ability to finally answer that question of “Who has access to what,” everyone within the organization will be able to breathe easier knowing that when the next WannaCry or NotPetya hits, they may be able to stop it — or at least catch it sooner and minimize the damage.
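Kevin's two data points, that most respondents could not immediately say what is exposed if the CEO's identity were compromised, and that only a third could produce a who-has-access-to-what report within a day, both come down to having an access inventory that resolves group and role grants to individual people. The script below is an added example and is not SailPoint's code or anything from the column; the identities, groups, grants and resource names are a constructed, hypothetical dataset. It answers the three questions a governance review asks: who holds access to a resource, what one identity could reach if compromised, and which access looks inappropriate (a terminated account that still has access, a non-employee holding admin rights).

```python
"""Access inventory over a constructed dataset: resolves nested group grants and
answers "who has access to what" and "what is exposed if this identity is compromised".
Added example, not SailPoint's or the column's own code."""
from collections import defaultdict

# Constructed sample data (hypothetical; not from any real organization).
IDENTITIES = {
    "ceo":   {"type": "employee",   "status": "active"},
    "alice": {"type": "employee",   "status": "active"},
    "bob":   {"type": "contractor", "status": "active"},
    "carol": {"type": "partner",    "status": "terminated"},
}

# Group membership; a member may itself be a group (nested groups).
GROUPS = {
    "exec":      ["ceo"],
    "finance":   ["alice", "exec"],
    "it-admins": ["bob"],
    "all-staff": ["finance", "it-admins", "carol"],
}

# Grants as (subject, resource, permission); subject is an identity or a group.
GRANTS = [
    ("exec",      "board-minutes", "read"),
    ("finance",   "erp",           "read"),
    ("finance",   "erp",           "write"),
    ("it-admins", "erp",           "admin"),
    ("it-admins", "ad-domain",     "admin"),
    ("all-staff", "intranet",      "read"),
    ("ceo",       "email-archive", "read"),
]


def expand_group(group, groups):
    """Return every identity that is a (transitive) member of `group`.
    Iterative walk with a visited set so cyclic group definitions terminate."""
    members, stack, visited = set(), [group], {group}
    while stack:
        for member in groups.get(stack.pop(), []):
            if member in groups:
                if member not in visited:
                    visited.add(member)
                    stack.append(member)
            else:
                members.add(member)
    return members


def build_inventory(identities, groups, grants):
    """Map identity -> resource -> set(permissions), resolving group grants to people.
    Subjects that are neither a known identity nor a group are ignored."""
    inv = defaultdict(lambda: defaultdict(set))
    for subject, resource, perm in grants:
        subjects = expand_group(subject, groups) if subject in groups else {subject}
        for ident in subjects:
            if ident in identities:
                inv[ident][resource].add(perm)
    return {ident: dict(res) for ident, res in inv.items()}


def who_has_access(inv, resource, permission=None):
    """Identities holding `permission` (or any permission) on `resource`."""
    return sorted(ident for ident, res in inv.items()
                  if resource in res and (permission is None or permission in res[resource]))


def exposure_if_compromised(inv, identity):
    """Resources and permissions an attacker holding this identity could use."""
    return {res: sorted(perms) for res, perms in inv.get(identity, {}).items()}


def inappropriate_access(inv, identities):
    """Findings a governance review would raise: terminated identities with any
    remaining access, and non-employees holding admin rights."""
    findings = []
    for ident, res in inv.items():
        meta = identities[ident]
        if meta["status"] != "active":
            findings.append((ident, "terminated identity still has access", sorted(res)))
        if meta["type"] != "employee":
            admin = sorted(r for r, perms in res.items() if "admin" in perms)
            if admin:
                findings.append((ident, "non-employee with admin rights", admin))
    return findings


if __name__ == "__main__":
    inventory = build_inventory(IDENTITIES, GROUPS, GRANTS)
    print("erp admins:", who_has_access(inventory, "erp", "admin"))
    print("exposure if 'ceo' is compromised:", exposure_if_compromised(inventory, "ceo"))
    for finding in inappropriate_access(inventory, IDENTITIES):
        print("finding:", finding)
```

The point of resolving grants down to individual identities rather than reporting at the group level is that it makes the compromised-identity question answerable in seconds: `exposure_if_compromised` is a dictionary lookup once the inventory exists. In a real program the identity and grant data would be pulled from the directory, HR system and application entitlement stores, and the inappropriate-access rules would be the organization's own policy rather than the two illustrative ones here.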

My Analysis (color commentary)

The key to success is matching your available resources to the top priorities in the organization. If you don’t know what matters, how can you protect it? This extends to having an accurate understanding of who has access to what and how your organization works. Without this insight, how can you create value?

Your turn – react

How are you working to create visibility into what matters in your organization?

Share your thoughts on our Facebook page or engage with me on Twitter (@catalyst).

What do you think? Ready, set, react!
