The technical breakdown of a cyberthreat's origin is dense with detail, outlining maneuvers in technical jargon the C-suite does not need to know. Executives don't want to hear what they can't understand.
It's tempting for CISOs to present a detailed cyberthreat intelligence (CTI) report to their non-technical counterparts, but that's no longer the role of the CISO. When communicating with the C-suite or shareholders, CISOs have to speak equal parts security and bottom line.
If CISOs are going to break down a specific threat, they have to be prepared to show that it involves deeper targeting of the organization, as the SolarWinds hack did, said Colin Connor, analyst for global threat intelligence at IBM, during the SANS Institute Cyber Threat Intelligence Summit in January. At that level, stakeholders can grasp the ongoing remediation and its costs.
By 2025, Gartner expects 40% of boards to have a dedicated cybersecurity committee with oversight from a "qualified board member." Fewer than 10% of boards have a cyber-specific committee today.
Until boards have cybersecurity expertise in their ranks, CISOs and risk management teams will make up the difference. Security experts will have to speak the language of the business and avoid getting caught up in the nuances of cyberthreats.
The most successful CISOs are the ones who regularly meet with IT and non-IT stakeholders, according to Gartner. Researchers expect 60% of CISOs to have established partnerships with their counterparts in sales, finance and marketing by 2024, compared to less than 20% of CISOs today.
Security experts can derive business value from risk- and threat-based analysis by using the "three P's": prediction, prevention and proaction, said Connor. In doing so, security leaders are able to unpack a business risk for their C-suite and board.
Connor recommends two ways CISOs can cut to the chase:
- In a quarterly report, reserve a single slide for a graphic of the business risks accumulated during that period. The graphic should summarize the period's risk analyses, detailing how much monitoring each threat needs. Then translate those results into the language of the business: continuity or incident mitigation, improved reputation, or decreased costs, he said.
- Choose relevant information to share. A CTI briefing is likely interesting to other security practitioners, but what the business needs to know is whether it will be an ongoing threat (read: expense).
Threat intel reports for all
CTI reports inform security professionals and stakeholders of the risks in the threat landscape, while also providing research into how to defend against specific threats or advanced persistent threat (APT) groups.
"You need to have the facts to justify what you're sharing and otherwise summarizing," said Connor. Different companies and industries deal with unique risks; there is not a one-size-fits-all solution to risk management.
What they have in common is what results when risk assessment is neglected: consequences.
Risk is understood by its likelihood and impact, while a threat is determined by an actor's capability and intent, measured against the controls on an asset. Intent alone does not make a threat; it needs capabilities, including attack methods and resources.
"In nature, you could say that Mother Nature is a threat at times with storms from an operations standpoint. It may not have the technical capability, but it has the ability to use that capability," said Connor. It's the difference between merely intending to cause harm and having that intent backed by the resources to do it successfully.
When capability and intent are understood, security teams can better predict the likelihood of something occurring. The Factor Analysis of Information Risk (FAIR) model is an industry-standard framework for quantifying risk, which divides risk into two areas of quantitative analysis:
- Loss event frequency combines how often a threat acts against an asset (threat event frequency) with the probability that the action actually results in loss (vulnerability, i.e. the actor's capability exceeding the strength of the controls).
- Loss magnitude groups the primary loss of an event with the secondary losses (fines, churn, legal cost) that follow from it.
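To make the two halves of the FAIR decomposition concrete, the following is an added example (my own code, not IBM's, Connor's or the FAIR Institute's) that turns calibrated min/most-likely/max estimates into an annualized-loss distribution by Monte Carlo. It simplifies FAIR: loss event frequency is modeled as threat event frequency times the chance that a sampled threat capability beats a sampled control strength (both on an assumed 0-100 percentile scale), loss magnitude as a primary loss plus an optional secondary loss, and ranges are sampled with a triangular distribution rather than the PERT curves FAIR analysts usually use. The two scenarios and every dollar figure and frequency in them are constructed, hypothetical inputs for illustration only.

```python
"""FAIR-style Monte Carlo estimate of annualized loss (added, simplified example).

Risk = loss event frequency (LEF) x loss magnitude (LM), where
  LEF = threat event frequency (TEF) x vulnerability,
  vulnerability = P(threat capability > resistance strength of the controls),
  LM  = primary loss + secondary loss (when the event triggers one).
All scenario inputs below are constructed, hypothetical estimates, not real data.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated min / most-likely / max range, sampled as a triangular distribution."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high <= self.low:  # degenerate range: treat as a point estimate
            return self.low
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate                  # threat events per year against the asset
    threat_capability: Estimate    # actor skill/resources as a 0-100 percentile (assumption)
    resistance_strength: Estimate  # control strength as a 0-100 percentile (assumption)
    primary_loss: Estimate         # direct cost per loss event, in dollars
    secondary_probability: float   # chance a loss event also causes secondary loss
    secondary_loss: Estimate       # fines, churn, legal cost per such event, in dollars


def poisson(rate: float, rng: random.Random) -> int:
    """Number of threat events in a year for an expected yearly rate (Knuth's method)."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def vulnerability(s: Scenario, rng: random.Random, trials: int = 10_000) -> float:
    """FAIR 'vulnerability': fraction of contacts in which capability beats the controls."""
    wins = sum(s.threat_capability.sample(rng) > s.resistance_strength.sample(rng)
               for _ in range(trials))
    return wins / trials


def simulate_year(s: Scenario, rng: random.Random) -> float:
    """One simulated year: each threat event either is stopped by the controls or costs money."""
    total = 0.0
    for _ in range(poisson(s.tef.sample(rng), rng)):
        if s.threat_capability.sample(rng) <= s.resistance_strength.sample(rng):
            continue  # the controls held: a threat event, but not a loss event
        total += s.primary_loss.sample(rng)
        if rng.random() < s.secondary_probability:
            total += s.secondary_loss.sample(rng)
    return total


def annualized_loss(s: Scenario, years: int = 10_000, seed: int = 1) -> dict:
    """Summarize the simulated annual-loss distribution in the numbers a board slide needs."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(s, rng) for _ in range(years))
    return {
        "scenario": s.name,
        "vulnerability": vulnerability(s, rng),
        "expected_annual_loss": statistics.fmean(losses),
        "median": losses[len(losses) // 2],
        "p90": losses[int(0.9 * (len(losses) - 1))],
        "max": losses[-1],
    }


# Constructed scenarios: a rare, highly capable actor versus a frequent, less capable one.
STATE_ORDERED = Scenario(
    "state-ordered espionage group", tef=Estimate(0.05, 0.2, 0.5),
    threat_capability=Estimate(90, 97, 99), resistance_strength=Estimate(60, 75, 85),
    primary_loss=Estimate(500_000, 2_000_000, 8_000_000),
    secondary_probability=0.6, secondary_loss=Estimate(1_000_000, 5_000_000, 20_000_000))

RANSOMWARE_CREW = Scenario(
    "state-prohibited-but-inadequate ransomware crew", tef=Estimate(2, 6, 15),
    threat_capability=Estimate(50, 70, 90), resistance_strength=Estimate(60, 75, 85),
    primary_loss=Estimate(100_000, 400_000, 1_500_000),
    secondary_probability=0.3, secondary_loss=Estimate(200_000, 800_000, 3_000_000))

if __name__ == "__main__":
    for scenario in (STATE_ORDERED, RANSOMWARE_CREW):
        r = annualized_loss(scenario)
        print(f"{r['scenario']}: vulnerability={r['vulnerability']:.2f} "
              f"EAL=${r['expected_annual_loss']:,.0f} p90=${r['p90']:,.0f} max=${r['max']:,.0f}")
```

The point of running both scenarios side by side is the comparison itself: the expected annual loss and the 90th-percentile year are the figures that survive translation into "continuity, reputation, cost", and they let the less glamorous high-frequency actor be ranked against the headline APT on the same scale.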
"How can we think from a loss event frequency from a threat perspective? That's the challenge," said Connor. Frequency aids in prioritizing risks operationally, yet "from an intelligence standpoint, we're definitely disconnected there."
Quantifying intent and capability depends on how sophisticated a threat actor is, and their motivation depends on the type of company and industry.
There are subtle differences in motivation between threat actors, however. Making a blanket reference to "nation states" could dilute a more detailed understanding of the threat, said Joshua Miller, senior intelligence analyst at Proofpoint, during the summit.
"It's possible that you'll use these terms in your writing. It's also possible that you'll come up with different terms that you feel make more sense with what you're seeing in your telemetry," he said. Identifiers include, but are not limited to, state-prohibited, state-rogue and state-ordered.
Executives care about nation-state actors to a certain degree, but they'll lose interest if specific groups are named. Instead, what CISOs can do is associate a specific APT with a loss event, such as e-commerce skimming or ransomware.
From there, threat researchers should be able to quantify an APT's number of attack methods and overall capability based on intelligence gathering, campaign analysis or simulated attacks. Intent can be derived from an APT's former targets: Did they target a competitor? What kind of data did they steal?
"I know that there are a lot of people who chase after APTs because the state-ordered APTs are super fun and sexy," said Miller. But depending on the industry, "it may be those 'state prohibited but inadequate' ransomware groups that pose more of a risk to your organization."