The penetration test at the power station was an eye-opener. Testers found administrative passwords printed out and taped onto equipment, among many other security weaknesses. A hacker could easily bring the power station down, or even cause it to blow up. With the pen test report in hand, the utility’s CISO briefed senior management, requesting resources to remediate the security problems with improved Privileged Access Management (PAM). They turned him down.
Why? Why would the senior leadership of a power utility decline the opportunity to support greater control and accountability over administrative access? Instead of accepting the rejection, though, the CISO asked for feedback on why they had not been interested in his proposal.
What the CISO heard surprised him, but also motivated him to try again. The issue was one of communication. In this case, he had not been able to convey the seriousness of the problem to his leadership team. According to Joseph Carson, Chief Security Scientist at Thycotic, who related this story to me, the problem was that the CISO’s presentation had made no particular impression on the C-suite. They’d seen the problem as largely internal and not much of a threat to the business. Passwords were publicly known internally. So what? In their view, the power plant control systems were air-gapped, so what was the big deal?
The CISO asked to present a second time. The revised presentation pointed out the depth of vulnerability the company had to external threats. It offered hard dollar estimates of financial exposure, combined with the likelihood of attack. The CISO laid out indirect costs, brand impacts of an attack, loss of productivity, negative effects on personnel, and so forth. This time, the management said yes. They approved a project to move ahead with more advanced PAM to protect the power station.
This kind of anecdote has informed Thycotic’s approach to PAM. Their assumption is that cybersecurity solutions have to help the CISO in his or her dialogues with the board and C-suite. Several requirements emerge from this insight. One is that CISOs need to establish quantitative business and financial parameters for defining cybersecurity success. Those will form the basis for any meaningful discussion of security with senior leadership.
The role of the CISO itself is part of the formula for successful communication with the C-suite. “Is the CISO an enabler of success or an enforcer?” Carson asked. “It’s okay to be an enforcer, but then that’s your role and you’ll have to live with the consequences. An enabler of success is usually more welcome in a business leadership conversation.”
Then, the solution has to be simple enough to generate the desired quantitative success metrics. “No one has time for complexity,” Carson explained. “This is an idea we all pay lip service to, but unfortunately there is still a great deal of complexity in the security field.”
The solution must empower the CISO to communicate clearly with leadership about the business issues that arise in cyber risk mitigation—and follow through with a solution that’s simple enough to avoid the business impact of complexity. “With anything we create, we always ask ourselves, ‘Will it enable the CISO to quantify value to the business?’ We ask, ‘Will the solution create a negative or positive impact on employees who are trying to do their jobs and deal with alert fatigue?’”
For example, Carson added, if a company wants to comply with most NIST frameworks, they will need a PAM solution. Privileged account access controls are essential for NIST, both directly and indirectly. “You need PAM,” Carson explained. “But what kind of PAM? To get approved for an investment in PAM, you have to present a solution that allows the CISO to show the board how it will save time and money, driving ROI. Everything else is technical analysis and will likely not grab the board’s attention.”