With digital transformation rapidly multiplying attack vectors across the cloud, remote work environments, and Shadow IT endpoints, mapping your digital footprint, let alone implementing an effective attack surface management strategy, is not as easy as it once was. As a result, communicating the value and progress of Attack Surface Management (ASM) to the board is becoming a considerable challenge that must be addressed before threat landscapes evolve beyond the reach of mitigation capabilities.
Whether you’re a C-Suite executive or a board committee member, this post will help you communicate Attack Surface Management to the board, clearly and effectively.
Ensure Board Members Have a Minimal Level of Cyber Risk Understanding
A common mistake made when communicating ASM, or any other aspect of cybersecurity, is assuming board members are already familiar with the topic. With the exception of the CISO, most board meeting participants will have very little knowledge of cyber concepts, especially one as broad as Attack Surface Management.
To ensure your ASM discussions are received well, you may need to open with a quick summary that brings all board members up to speed. The following definitions of key terms establish a minimum baseline of understanding. All of them have been intentionally simplified so that they can be followed by people who are not technically adept.
- Attack Vector - A pathway an attacker can use to gain unauthorized access to your systems or data, potentially ending in a data breach. In board discussions, attack vectors are often lumped together with security risks and cyber threats, although strictly the threat is the actor or event and the vector is the route it takes.
An example of an attack vector is outdated server software with a known vulnerability for which a security patch exists but has not been applied. Another common example is a security misconfiguration in a SaaS platform, such as the one behind the Microsoft Power Apps data leak.
- Attack Surface - An organization's attack surface is the sum of all attack vectors across its digital solutions and IT ecosystem. This includes the vendor landscape, because every third-party relationship effectively merges part of the vendor's attack surface with that of the organization it serves. The inclusion of this third-party network is what makes attack surface management such a complex cybersecurity strategy.
- Attack Surface Management (ASM) - ASM is an ongoing cycle of security risk discovery, remediation, and monitoring across an organization's attack surface. One of its primary objectives is to keep the attack surface as small as possible, reducing the number of routes a threat actor could use to breach the network.
For a concise overview of Attack Surface Management, watch the video below.
Be Prepared to Provide an Accurate Breakdown of the Company's Digital Footprint
After ensuring all board members are grounded in the basic concepts of ASM, a logical follow-up question will likely arise: how big is our attack surface?
With modern attack surfaces spanning integrations, multi-cloud solutions, on-premise software, mobile apps, and even service providers, manual methods of mapping IT assets from a static asset inventory are no longer accurate.
Manual mapping methods are predicated on the assumption that asset inventories are always kept up-to-date and that Shadow IT practices are non-existent - notions that only exist in a CISO’s Utopia.
Accurately mapping an organization's attack surface, including all of its subsidiaries and IP addresses, requires modern asset discovery methods found in advanced Attack Surface Management solutions.
Using UpGuard as an example for illustrative purposes, an ASM solution can automatically discover all the web-facing assets making up your external attack surfaces. These assets are linked to your organization using indicators such as active and passive DNS, web archives, and other fingerprinting techniques.
Registering your organization's domains, subdomains, and IP address ranges with the platform ensures that new assets appearing under those names or within those ranges are discovered and monitored as soon as they become active, keeping your calculated digital footprint up to date without relying on anyone remembering to update a spreadsheet.
Such ASM platforms usually offer the option of exporting all discovered asset inventory items, either as a PDF or as an Excel document. While export settings could provide options for shortlisting assets likely to be a liability, such as only exporting inactive domains, the resultant inventory list will still likely be too comprehensive and overwhelming for a board meeting context.
Remember, the most important metric by which successful board meetings are measured is value.
To keep the board's attention when discussing a topic as detailed as ASM, always favor value over volume. Presenting a list of over 500 domains to demonstrate your mapped attack surface tells board members very little.
It’s more meaningful to generate a report outlining all of the security risks discovered in your attack surface, thereby demonstrating both your digital footprint mapping efforts and the vulnerability management efforts of your security teams.
To further support the communication of only relevant information, with UpGuard’s reporting feature, you can choose which report aspects are generated based on varying information requirements. Board reports can be customized to reflect only crucial factors influencing your security posture, including company risk rating, industry average, and risk severity distribution.
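The discovery, attribution, and shortlisting steps described above, plus the severity roll-up that a board report needs, can be illustrated in a few dozen lines. The script below is an added example written for this post, not UpGuard's code: the passive-DNS records, owned IP ranges, domains, previous inventory, and findings are all constructed, and the attribution labels (`domain+ip`, `domain`, `ip`, `inactive`) are a hypothetical scheme chosen for the illustration.

```python
"""Toy external attack-surface inventory (added example, not UpGuard code).

Attributes discovered hosts to the organization, flags assets that are new or
gone since the last run, shortlists likely liabilities, and rolls findings up
into a severity distribution suitable for a board slide.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: the IP ranges and apex domains the organization has declared as its own.
OWNED_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]
OWNED_DOMAINS = {"example.com", "example-cloud.net"}

# Constructed passive-DNS style observations: (hostname, record type, value).
PASSIVE_DNS = [
    ("www.example.com", "A", "203.0.113.10"),
    ("api.example.com", "A", "203.0.113.20"),
    ("old-cms.example.com", "A", "198.51.100.7"),
    ("staging.example-cloud.net", "A", "192.0.2.44"),   # ours, but hosted outside declared ranges
    ("legacy.example.com", "A", ""),                    # no longer resolves: inactive
    ("cdn.example.com", "CNAME", "d111.cloudfront.example"),
    ("notours.example.org", "A", "203.0.113.99"),       # foreign name inside our IP range
    ("example.com.evil.test", "A", "192.0.2.9"),        # lookalike, must not be attributed to us
]

# Constructed: hosts that were in the inventory at the previous run.
PREVIOUS_HOSTS = ["www.example.com", "api.example.com", "legacy.example.com", "retired.example.com"]

# Constructed: (host, severity) findings produced by the scanning stage.
FINDINGS = [
    ("old-cms.example.com", "critical"),
    ("old-cms.example.com", "high"),
    ("staging.example-cloud.net", "high"),
    ("www.example.com", "medium"),
    ("api.example.com", "low"),
]
SEVERITY_ORDER = ("critical", "high", "medium", "low")


@dataclass(frozen=True)
class Asset:
    host: str
    ip: Optional[str]
    attribution: str  # hypothetical labels: domain+ip, domain, ip, inactive


def is_owned_domain(host: str) -> bool:
    # Match the apex or a true subdomain; a suffix check without the dot would
    # also accept lookalikes such as "example.com.evil.test".
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)


def is_owned_ip(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in OWNED_CIDRS)


def attribute(host: str, rtype: str, value: str) -> Optional[Asset]:
    """Decide whether one DNS observation belongs to our attack surface, and why."""
    owned_dom = is_owned_domain(host)
    if rtype == "A" and value == "":
        # A name we own that no longer resolves is still inventory: dangling DNS is a liability.
        return Asset(host, None, "inactive") if owned_dom else None
    ip = value if rtype == "A" else None
    owned_ip = ip is not None and is_owned_ip(ip)
    if owned_dom and owned_ip:
        return Asset(host, ip, "domain+ip")
    if owned_dom:
        return Asset(host, ip, "domain")  # cloud hosting or shadow IT outside declared ranges
    if owned_ip:
        return Asset(host, ip, "ip")      # sits in our range under a foreign name: needs a human check
    return None


def discover(records) -> List[Asset]:
    assets = [a for a in (attribute(*r) for r in records) if a is not None]
    return sorted(set(assets), key=lambda a: a.host)


def shortlist(assets: List[Asset], attribution: str) -> List[Asset]:
    """The export filter from the text, e.g. only inactive domains."""
    return [a for a in assets if a.attribution == attribution]


def diff_inventory(previous_hosts, assets: List[Asset]) -> Tuple[List[str], List[str]]:
    current = {a.host for a in assets}
    return sorted(current - set(previous_hosts)), sorted(set(previous_hosts) - current)


def board_summary(assets: List[Asset], findings, previous_hosts) -> dict:
    """Counts, not host lists: the level of detail a board slide should carry."""
    new, gone = diff_inventory(previous_hosts, assets)
    sev = Counter(s for _, s in findings)
    return {
        "assets_total": len(assets),
        "assets_by_attribution": dict(Counter(a.attribution for a in assets)),
        "new_assets": new,
        "removed_assets": gone,
        "findings_by_severity": {s: sev.get(s, 0) for s in SEVERITY_ORDER},
        "assets_with_critical": sorted({h for h, s in findings if s == "critical"}),
    }


if __name__ == "__main__":
    inventory = discover(PASSIVE_DNS)
    for a in inventory:
        print(f"{a.attribution:10} {a.host} {a.ip or '-'}")
    print(board_summary(inventory, FINDINGS, PREVIOUS_HOSTS))
```

The two cases worth pointing out to a board are the `domain` and `ip` rows: the first is an asset you own that lives outside the ranges you declared (the classic Shadow IT signal), the second is a foreign hostname pointing into your address space, which may be a partner, a stale record, or a misattribution, and should be reviewed rather than silently counted. The lookalike hostname is dropped entirely, which is why the domain check insists on a dot before the apex.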
Provide Proof of the Efficacy of your Attack Surface Management Program
At the end of the day, your board's primary concern will be whether its ASM investment is paying off. That is, whether all of the components of your ASM program (asset discovery automation, risk assessments, risk management, and the implementation of security controls) work together to improve your overall security posture.
The stronger your security posture, the more likely your organization is to withstand common attacks such as phishing and ransomware, and the less likely those attacks are to end in a data breach.
This is most efficiently communicated by showing evidence of your organization's security rating improving over time. Security ratings are the cybersecurity equivalent of credit scores in the finance sector: quantitative measurements of an organization's security posture, derived from externally observable signals across a set of common attack vector categories rather than from self-assessment.
Security ratings don't just track the security posture shaped by your overarching cybersecurity program. They can also measure the efficacy of specific cybersecurity branches, such as Vendor Risk Management and ASM, by scoring the performance of their sub-processes, including risk assessments, vendor due diligence, and general cyber hygiene, as they change.
According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships.
Attack Surface Management solutions, such as UpGuard, can generate Board Reports summarising the overall performance of an ASM program. These reports are intentionally designed to represent the critical features of an ASM program that matter most to board members, including:
- Security rating changes over time - Security ratings are an unbiased indication of whether your security posture is improving due to your ASM program.
- Vendor risk matrix - A vendor risk matrix distributes vendors by business impact, proving your ability to prioritize high-risk vendors.
- Vendor security rating changes over time - This feature demonstrates that your ASM program also secures your third-party attack surface, an effort to reduce your organization’s risk of suffering third-party breaches.
Some samples of the above ASM summary features included in UpGuard’s board reports are shown below.