As you move further and further out—our secondary and tertiary relationships—you obviously have greater vulnerability. We have a very robust third-party service policy and network for monitoring and maintaining those relationships. In fact, that’s one of the areas that I’m responsible for myself. We have an entire department dedicated to that. We have questionnaires. We have different third parties that will then do audits and examinations of some of our more critical third-party service providers to make sure that they are maintaining appropriate levels of security. We require certain third-party audits of their data security that must be done every year. It’s pretty robust.
CFO, Financial Services Company
If you’re a CFO for an enterprise, chances are you have something in common with most hackers: You have a healthy profit motive. Many adversaries would agree with a philosophy you likely hold dear: Cash is king.
The cybersecurity industry has done itself no favors with the stereotypical hacker trope of a bad guy in a hoodie lurking behind a green DOS screen that appears to be from the 1980s (coincidentally, the decade when Hollywood gave a face to the hacker community). The shadowy figure of a lone wolf behind a keyboard is no representation for the extensively sophisticated cybercrime syndicates that have very healthy profit motives indeed.
Jonathan Lusthaus never envisioned a career studying cybercriminals. His passion was in researching religious violence. But when his dissertation topic didn’t conform to the research areas of the Oxford faculty, he needed to find a new interest.
Quite by accident, he became inspired by a well-known author on cybercrime who was lecturing on the topic at Oxford just as Lusthaus’s deadline for choosing a new subject loomed. Almost 250 interviews with law enforcement agents, security professionals, and former cybercriminals later, Lusthaus is an authority on the topic. In his book Industry of Anonymity: Inside the Business of Cybercrime, he exposes the real underbelly of this $600 billion industry[1] to the rest of us.
He found that the underground market shares quite a lot in common with the financial markets that underpin healthy—and legitimate—business and industry. Lusthaus points to specialization among cybercriminals. There are very few jacks-of-all-trade in cybercrime. Instead, as Lusthaus uncovered, there are more economic benefits to investing in a “trade” and relying on others to perform specialized functions. Some are more technical, so they design the online scourge. Others are natural at selling, so they take to the underground commerce markets to promote the value proposition. Still others are strong at implementation. They provide the post-sales support to buyers who need help in getting the weapon to its intended target(s).
The division of labor that propels the world’s most sophisticated companies serves the needs of the Dark Web as well. How do cybercriminals with such specializations trust one another to make good on payment when services are rendered? In much the same way online shoppers have learned to trust legitimate online companies seeking their business. They rely on numerical rating scales of other cybercriminals evaluating their experience. They use feedback forums to exchange information about the ne’er-do-wells among them (apparently, there really is honor among thieves).
These feedback mechanisms scale the business of cybercrime. Each criminal can spend less time validating the expertise and trustworthiness of potential partners in the chain and more time executing on his craft to commit crime.
Beyond mimicking the services of online exchanges, the cybercrime market imitates rules of legitimate governance as well. Lusthaus found cybercriminals using escrow to entrust a third party with holding payment, if not goods, until everything had been verified. There’s even arbitration, where each side can argue its dispute in front of a senior member of the community, appointed to make a ruling. In certain cases, the “judge” may ban the offending party from the marketplace.
We at McAfee have done our own research[2] on the vast cybercrime market that lurks beneath the surface of the web. Thanks to law enforcement takedowns of some prominent Dark Web marketplaces, cybercriminals are exercising their entrepreneurial chops. Several individual sellers are trading established marketplaces (which tend to be targets for law enforcement officials) for their own websites to peddle their goods and/or services on the Dark Web. Defiant website designers are accomplices in the pursuit, designing hidden marketplaces for aspiring vendors. Yes, even the Dark Web has layers that allow its participants to fly lower still beneath the radar.
Regardless of a bad actor’s intent to open her own click-and-mortar equivalent, there are plenty of helpful underground forums dedicated to the topic of cybercrime to help these criminals hone their craft. The more popular discussions entail leaked user credentials, common vulnerabilities and exposures, and “dump sites” to offer plenty of stolen credit cards, fresh for the taking.
This is the face of cybercrime. This complex labyrinth of entangled services, buyers, sellers and “regulators” is what your company is up against. And your company has the deck stacked against it. This isn’t a fair match-up. There are no Sarbanes-Oxley (SOX) requirements on the Dark Web. No GDPR governing privacy and the use of data. No compliance standards dictated by hosts of governing bodies. Hackers can code at 2:00 a.m. and exploit their victims by 4:00 a.m. There’s also no need for onerous testing windows to ensure that quality controls are met.
Unlike your competitors, which are governed by the same rules, regulations, and general business ideals as your company, adversaries respect no laws (except those of their established communities). Unlike competitors seeking to take market share, bad actors want to take you for everything they can.
You may be very familiar with the fact that you’re dealing with a highly coordinated enemy. But consider how Finance typically doles out budgets to organizations to understand the rub for cybersecurity. Budgets might be allocated based on benchmarking data. While you can find such benchmarks for cybersecurity spend, they’re a bit misleading. That’s because the real benchmarks for cybersecurity must come from adversaries. If you don’t know what adversaries are spending in research and development to create their “products,” how can you accurately assess the cybersecurity budget required to match it?
If not benchmarking data, budgets are allocated by return on investment (ROI). Again, that’s a tricky measure for cybersecurity professionals to prove. Because how can CISOs prove a negative? Even if they tried, wouldn’t smart CFOs challenge the argument at face value? Imagine a conversation between a CFO and CISO that goes something like this:
You can see how the circular argument could go on for a while. Short of attempting to shock and awe finance people with convoluted cybersecurity metrics, there’s no clever way for a CISO to answer the “What’s your ROI?” question.
It’s not that CISOs are evading the question—or that they don’t comprehend the concept of ROI. To understand why this is such an impossible question to answer, let’s look at a few adversarial attacks that put a finer point on it.
In May of 2017, cybersecurity made its way to the front page of practically every media website and the first segment of virtually every news broadcast worldwide. Those who didn’t know about ransomware before would learn it by one name, WannaCry. Unprecedented in scale and velocity, the attack infected more than 200,000 computers worldwide within its first few days—shutting down hospitals, universities, and banks.[3] WannaCry held each victim’s computer files for ransom to the tune of up to $300 in bitcoin. The estimated damage of WannaCry’s wrath? Well into the billions of dollars globally.
But it would be unfair to call WannaCry merely ransomware. Sure, ransomware was the part of the attack visible to victims threatened with unrecoverable file loss. But what made WannaCry so stealthy is the way in which it propagated, using the properties of a worm to contaminate new systems. Without taking a technical detour into the weeds here, the key difference between “traditional” ransomware and WannaCry is that the latter didn’t require human intervention to spread. That’s how it proliferated so quickly. It didn’t rely on unsuspecting humans taking its bait. Instead, it exploited a vulnerability already present in a popular operating system.
McAfee’s own analysis of WannaCry revealed that it barely qualified as ransomware at all. Its authors left it with rather crude monetization capabilities. They didn’t connect a victim’s unique identification to his bitcoin payment, making decryption of files extremely difficult. So what was WannaCry really? Ransomware? Worm? Both.
In 2018, hacker ingenuity was again on full display with the release of Zyklon. Zyklon was a fully featured package of threats for enterprising criminals to exploit—it could steal passwords, launch DDoS attacks, mine cryptocurrency, and more. What really was Zyklon? Cryptojacking? DDoS? Keylogging? All of the above.
As WannaCry and Zyklon show, hackers not only cooperate in specialty, but they collaborate to create new concoctions of converged threats. They’re mixing old varieties (like worms) with new ones (like ransomware). In McAfee’s analysis of underground forums, we see cybercriminals discussing vulnerabilities, both old and new. The results are sophisticated threats capable of contagion much faster than ever before.
Back to our conversation between the CFO and CISO. When the CISO approaches the CFO for more money, it’s usually because of this reality. Even mid-cycle, long after budgets have been allocated, the CISO may need more. WannaCry didn’t wait for a convenient fiscal period end to wreak its havoc. Bad actors don’t care about your budget cycle.
If ROI isn’t the right metric for cybersecurity, then what is? Risk management. Cybersecurity professionals are in the risk management business. Sure, they have technical expertise and scores of products in use to defend their companies against highly organized crime syndicates. But take that technical jargon out of the field and it really comes down to one clear business objective—mitigate the company’s risk.
As CFOs know, risk management and its associated metrics fundamentally differ from the more traditional finance measure of ROI. I live in North Texas, part of a region of the country that has earned the unfortunate colloquialism “Tornado Alley.” To this day, I have a healthy fear of tornadoes. Blame it on the tornado sirens that are tested the first Wednesday of every month at noon. The chilling sound is straight from a war movie. Or chalk it up to Dorothy and her trip to Oz by conveyance of a tornado, the thought of which freaked me out as a child. Either way, I fear tornadoes. But every spring in North Texas, they are a persistent threat to me and my otherwise peaceful existence.
Until I was educated on just how unfounded my fears are. McAfee’s chief technical officer (CTO) relocated to the Dallas area last year. He immediately was schooled on tornadoes by nervous colleagues and long-time Texans like me. However, unlike me, he decided to do his own research rather than succumb to the hype. He discovered that, in 69 years of tracking, there has been only one F3 or higher tornado in my county (this is a tornado capable of causing severe to incredible damage).
Now, let’s go back to our risk management discussion. Does your finance team inspect the ROI of tornado shelter signs posted clearly on your company’s campus, particularly one like mine that happens to reside in “Tornado Alley”? Likely not. Even if you examined the risk of losing these signs altogether, you might find the data supports such reckless abandon (the tracking our CTO found for my county would suggest a deadly tornado is a very unlikely event indeed).
Even if there is only one catastrophic tornado in 69 years, there’s still a risk. Should that risk materialize, foregoing visible and sensible signage to save a few dollars may prove to be a costly decision.
Cybersecurity is in the same boat. While CISOs must address volumes of threats each day (which likely won’t cause cataclysmic damage but may disrupt the business nonetheless), they must also consider the catastrophic (albeit far less likely) risk inherent in a major-scale attack that could incapacitate their company for some time. They’re walking the risk tightrope every minute of every day.
If CFOs can begin the discourse a bit differently with CISOs, they can help build the bridge from cybersecurity to risk management. Imagine that earlier conversation a bit differently:
Simply by framing the conversation differently, CFOs can assist their CISO partners in translating cybersecurity investments into business outcomes—all while losing the technical jargon and eye charts of cybersecurity metrics that most CFOs likely won’t miss. It starts with asking the right questions.
Those same questions prove fruitful for other business decisions governed by Finance’s tried-and-true ROI metric. Most profit-seeking companies are in the business of growth. Because of this, there are pressures to enter new markets, expand with new products, enhance productivity with new technologies, and the like. Many of these business cases hold up to the ROI litmus test. But how often are they scrutinized for their impact on the company’s risk profile, particularly by expanding the attack surface for adversaries to exploit?
CFOs can help their organizations ask these risk-related questions whenever a new business case crosses their desks:
By asking these questions of their non-cybersecurity counterparts, CFOs and their teams can ensure cybersecurity is not an aftermarket afterthought of the strategic growth initiatives for their companies.
They hide during the day to feed at night. They look for a blood meal to survive, snacking on their victim while he sleeps, since they abhor movement. They are fast movers, generally covering three to four feet per minute—when scaled, the equivalent of an average adult’s sprinting pace. Yes, bed bugs are having quite the resurgence around the world.[4]
These miniscule predators were all but vanquished following World War II, thanks to fastidious household hygiene and aggressive pesticides that banished them into virtual extinction. In recent years, they’ve been making a comeback. It turns out a strain of bed bugs, highly resistant to those initial harsh pesticides, has entered the insect kingdom. Couple that with an influx of global travelers who serve as unwitting carriers for these repulsive hitchhikers and you have a bed-bug epidemic once again sweeping the world.
Here’s what makes bed bugs so difficult to eradicate. You can have the cleanest house in the world. You could disinfect your bedding religiously. You could do the same for pajamas or any other clothing that should touch your place of slumber. But if you happen to travel to a hotel or in an airplane that is infested, it takes just one pesky bed bug to hitch its wagon to your star (in this case, your luggage or what’s packed inside) and make its way to your domicile.
The problem is even worse if you happen to live in an apartment building or other multi-dwelling unit. Now, it just takes the neighbor with whom you happen to share a wall to be a bit laxer than you are in his standards, and you may find yourself with unwelcome inhabitants in your home (yes, these determined parasites can move along and through wall voids, using plumbing and electrical chaseways as their routes).
If that isn’t bad enough, because there is such a stigma associated with bed bugs, most people are loath to admit they cohabitate with these bloodsuckers. By the time they concede they have a problem and seek help, they may be facing an all-out infestation. If you happen to spend the night (as in a hotel) or share a wall (as in a neighbor)—you get the idea. . . .
Bed bugs are an unfortunate reminder of how dependent we are on one another. It isn’t a matter of leaning on our neighbors for help. It’s about trusting them to know their environment (nearly 50 percent of people with bed bugs in one study didn’t even know they had them[5]) and to seek professional help to eliminate them.
What a fascinating allegory to cybersecurity. Companies do not operate on islands unto themselves but do so in highly complex, interconnected ecosystems. While a company may practice sound cybersecurity hygiene, it must rely on its neighbors—any third party with whom it does business and has some connection to its systems—to do the same. Otherwise, it leaves itself open to insidious predators using side doors and back doors to infiltrate. (By the way, the “systems” connected in this case need not necessarily be through extensive networks. Think back to the cybersecurity hygiene practices covered in Chapter 3. All it takes is a careless partner leaving a USB or laptop with your company’s sensitive files unattended and unencrypted, and your company is exposed.)
For all the decades we enjoyed living a relatively bed-bug-free existence, we’re reminded that what is old can be new again. And the more things change, the more they stay the same. We’re once again lamenting bed bugs in spite of all the progress once made against them.
While change is the only constant in business, many CFOs can still rest in one certainty: They manage procurement for their companies. Since this largely remains a finance function, the CFO’s kinship with the CISO is about to get a lot closer.
Just as bed bugs remind us of how reliant we are on one another to be vigilant against infiltrators, third-party relationships serve as additional points of exposure adversaries can exploit to inflict harm on our companies. Consider the following points from Ponemon[6] that reflect the sobering reality:
On the positive side, there’s plenty of room for improvement in these metrics. Third-party security management is relatively new for many organizations. It’s also critically important, as the above numbers show. CFOs carry the flag for their organizations in ensuring the procurement process sufficiently vets third parties’ cybersecurity posture. Here’s an area where your CISO will help you ask the right questions.
Of course, the ultimate trusted third-party relationship is one in which a company outsources a function, or part of it, entirely. Deloitte conducted a global study in 2016 examining the outsourcing lifecycle and key trends. The top function reported as outsourced? IT, with a whopping 72 percent of organizations outsourcing at least a part of the function and 31 percent planning to increase the same.[7]
It was once absurd to consider outsourcing one’s cybersecurity environment. But it appears cybersecurity is following in the footsteps of its IT ancestors, as it’s becoming more acceptable to let third parties protect an organization’s most prized digital assets. Of course, the global cybersecurity talent shortage just adds more fuel to the fire. Rather than compete vociferously for cybersecurity talent that just isn’t in the market, companies are opting to hire third parties with this expertise to at least augment internal staffing capabilities.
In particular, the areas of the security operations center (SOC) most likely to be outsourced include penetration testing (75 percent of organizations outsource), threat intelligence collection and feeds (54 percent), and digital and malware forensics (51 percent).[8]
There are several pros to outsourcing one or more areas of the cybersecurity function. As is the case with most outsourcing, companies stand to save money and minimize upfront capital expenditures by hiring third parties with comparable cybersecurity infrastructure. Companies may also mitigate the risk of obsolescence by negotiating service level agreements with these managed security service providers (MSSPs) to dictate terms of technology refresh. Finally, MSSPs specialize in cybersecurity. They can focus on this core competency, leaving more time for their customers to focus on theirs.
As with most topics in this book, this one is imbued with several shades of gray. While outsourcing a portion of one’s cybersecurity program is perfectly suitable for many companies (particularly those with harsher staffing constraints), cybersecurity is somewhat like charity—it starts at home. Abdicating complete responsibility of one’s cybersecurity posture to a third party is risky business indeed. What an MSSP makes up for in cybersecurity experience, it lacks in understanding of your company’s unique environment. Because of this, it may miss anomalies in your environment that a dedicated internal team would readily spot. Because an MSSP supports multiple customers (on one hand, a positive benefit since it has perspective on trends across broader markets), you may find less time dedicated to your company’s needs—all of which can result in a sub-optimized cybersecurity posture should your company toss the keys over completely to an MSSP.
This is yet another area in which CFOs and their teams should exert considerable influence. Outsourcing is not bad, per se, but the terms of a relationship with a trusted MSSP must be carefully crafted to generate positive outcomes. No company cares more about your organization’s cybersecurity posture than you do. This is not a case for complete abdication of cybersecurity. It’s an opportunity for mutual partnership to leverage core competencies and additional staffing for maximum gain.
As the organization’s key allocators of resources and budget, finance professionals have much to offer a culture of cybersecurity, specifically by helping CISOs and their teams speak the language of the business. This requires losing language that doesn’t fit cybersecurity—in particular, “return on investment.” Once CFOs relieve CISOs of the burden to answer an impossible question, the teams can work together in earnest to define the value of cybersecurity investments to the business.
The goal is mitigating risk as efficiently as possible. There are plenty of questions to get CISOs and CFOs communicating at a different level, such as:
To ensure cybersecurity is not an aftermarket afterthought, CFOs should ask the following for business cases submitted by other leaders:
By way of ensuring resources are spent as efficiently as possible, it’s very fair to ask the CISO for her metrics in the following areas:
Next, as the leaders of procurement, finance professionals lead their organizations in mitigating breach-by-association through third-party exposure. Start with a comprehensive inventory of all third parties (something only 34 percent of organizations say they have, per Ponemon[9]). From there, conduct an audit of cybersecurity defenses and practices. The bad news is this could take significant time and effort. The good news is that the same auditing questions can be used to qualify any new third party interested in becoming a vendor.
The questions will focus on multiple areas to assess the aspiring partner’s cybersecurity posture, including:
For your most strategic suppliers, consider hiring a third party to audit their security practices once a year. Vetting suppliers is a great first step. But ensuring their security practices don’t become lax once they’ve landed you as their customer requires even greater diligence.
Finally, be careful what you allow third parties to promote about your company. It’s common practice for partners to issue press releases announcing their business arrangements. It’s also normal to see companies splash the logos of all their customers, suppliers, and/or partners across their websites. I’m a marketer, so I get it. Using the power of the ecosystem to increase brand value for all parties is generally a good thing.
But use caution. Any third party that promotes its relationship with your company alerts hackers to the side doors and back doors through which they may penetrate your company. It shows these parasites of the cyber kingdom how to infiltrate your company, once they know the neighbors that share one of your walls. If there is the slightest concern that a third party wanting to promote its relationship with your company does not hold itself to the cybersecurity standards you require, don’t allow it to promote that relationship.
This is just a subset of an extensive checklist to ensure your third parties are as disciplined about securing your organization from threats as you are. If they’re serious about earning your business, shouldn’t they be just as inclined to protect it?
* * *
The worlds of finance and cybersecurity may not seem to fit together on the surface. But a deeper look reveals there’s more in common than initially meets the eye. At its core, cybercrime is big business—something that a CFO can understand. In turn, cybersecurity is about risk management—another concept very familiar to finance types. CFOs can help CISOs speak the language of the boardroom (risk management) more fluently. In turn, CISOs can help those in procurement speak the language of cybersecurity when vetting third parties. When the two functions come together to admire their similarities and put aside their differences, both emerge stronger from the collaboration. After all, bad actors already know the value of collaborating. Isn’t it time CFOs and CISOs realized the same?