CISO Message to the Board

Andy Harris

Communicating Privileged Access Risks at Board Level

By Andy Harris


It's very clear to us just how hard CISOs work and how their influence is often limited in the face of perceived business requirements. This has given rise to CISOs re-branding themselves as 'business enablers' or 'corporate risk assessment specialists'.

However the raw facts remain that 90% of large and 74% of smaller organisations recorded breaches in 2014. In reality the situation is likely worse because not all breaches are detected.

This gives rise to the 'prevention versus detection' debate. The nature of the problem means the debate gets very technical very quickly and therefore beyond the board's appetite to digest. We've put this article together to help Infosec professionals find the right messages to delivery at board level.

Its simple really

All the arguments follow a similar form: "The hackers use this complex attack or Social engineering technique to find a chink in the armour".

At this point the board have switched off - they don't understand the low level technology and they don't understand why the millions spent on firewalls are failing.

However they have already tuned out before the most important part that comes next: "After finding the chink the hackers search for a privileged account to hijack".

That's it, right there, an attack has no teeth until it has control of a privileged account! The 2014 statistics show that 98.8% of all breaches used a privileged account. 86% of the passwords to those accounts were simply stolen from desktop systems or network drives, 10% were obtained through social engineering (Phishing) and just 4% were guessed using a brute force process.

The curious board member would ask why is this happening now? What's changed? Well it has it's roots gradual shift towards the cloud and outsourcing. There are a number of cost advantages gained but also many security opportunities lost.


Cloud and Outsource On Premise Data Centre and own IT Team
Hardware and OS management costs are reduced Lack of clarity as to who has access to system and root accounts
Day to day Malware management reduced Likely to be outsourced by the outsourcer, now you have third and fourth parties with system level access to your applications
No need for secure facilities to house servers Lack of clarity as to who has console access to your servers
No need for highly paid IT generalists The lowest paid people now have the highest privileges to your servers and data


Simply put, you don't get to keep all the savings of outsourcing, some of it needs to be redirected into increased security.

The absolutely obvious

We've established that any attacker, internal or external needs to get access to a privileged account. Therefore it makes complete sense to protect these accounts. We've further established that if we allow people to manage their passwords they'll store them on their desktop or chose simple passwords or give them away to a phishing attack. Our approach, separate the people from the passwords - It's that simple. No passwords to store, choose or give away to phishing site.

Messages to the Board

We can break these down into functional areas:

  • Firewalls control traffic across network boundaries and hide systems from direct sight of the Internet
  • Content security blocks the flow of known and likely malware from traversing the network
  • Intrusion Detection lets you know the probability that a system or application has been breached
  • Privileged Account Management controls who can do what where and when on your systems, applications and data

All sensible security policies will have a blend of all of these, Osirium does Privileged Account and Privileged User Management very well.