EXECUTIVE SERIES

Reporting to the Board

A Toolkit for
CISOs
Table of Contents
03 Introduction

05 Embrace the Opportunity

06 Lay the Right Foundation to Improve Receptivity

09 Align Your Message with the Business

11 Prepare Your Presentation with the Right

Agenda and Dashboard

14 Conclusion

17 Appendix: Sample Board Reporting Dashboards

2 ©2018 SecureWorks, Inc. All rights reserved.

Introduction
Cybersecurity, once relegated to the back
office of the business, is now a front and
center priority for boards of directors. As
businesses become more digitally empowered,
cyber threats find more ways to breach defenses,
increasing the risk to business operations and
bottom line. From loss of revenue and intellectual
property to legal liability and reputational
damage, plus the cost to resolve, boards of
directors bear the responsibility for appropriate
oversight of the risks associated with a breach.
To execute their due diligence, they rely on their
organization’s cybersecurity leader to help them
understand two things: What are the risks to the
business, and how well is the company
managing those risks?
You’ll know you’ve met your cybersecurity reporting
goals when your board can say the following:
• We understand risk in the context of our unique
business and its objectives.
• We have confidence that risk is being managed
effectively and that there is a process in place to
continually test those assumptions.
3 ©2018 SecureWorks, Inc. All rights reserved.
In this toolkit, you’ll find steps for building a
foundational relationship with your board,
techniques for implementing a successful
reporting process, and tips for creating a board
presentation agenda that will help you establish
your role as a trusted and credible leader. The
appendix contains sample dashboards and other
reporting tools.
Informed by client input as well as our
observations across 4,400 client organizations
in more than 55 countries, this guide comprises
leading practices of Chief Information Security
Officers (CISOs) from all types of industries
who have established strong C-suite and board
reporting relationships. Secureworks® believes
these practices will better position CISOs to not
just survive a crisis, but lead through a breach,
should one occur.
• We have confidence that our security investment is
appropriate to both known and anticipated risk.
• We have a high degree of confidence that we are
crisis-ready.
Seven Objectives for Your
Board Reporting Relationship

1  rovide practical knowledge of the

P
threat environment.
5 Establish benchmarks based on the
results of testing and assessments.

2 Identify your company’s top risks.

6  evelop a dashboard to monitor
D
cybersecurity risk over time and
against relevant benchmarks.

3 Demonstrate that your security

strategy is aligned with your
company’s risks, tolerance, and goals.
7  stablish and agree on a roadmap to
E
demonstrate progress.

4 Adopt a company-wide cybersecurity

risk management framework.

Why Boards Care About Cybersecurity

Boards have a responsibility to protect shareholder value. And now the assets on which corporate value
depends are largely digital and intangible, putting them at risk from cyber threats.

In 1975, 17% of S&P 500 firms’ market value was tied to intangible assets.

In 2015, that number was 87%.

Source: Intangible Asset Market Value Study (2017), Ocean Tomo, LLC

4 ©2018 SecureWorks, Inc. All rights reserved.

Embrace the Opportunity
As the Chief Information Security Officer (CISO) role continues to evolve from security
expert to business leader, more security leaders are answering the call to provide their board
of directors with a better understanding of how, and how well, the organization is managing the
business risks inherent in a cybersecurity breach.

This is not a simple task. Even CISOs with a
well-established board reporting relationship must adapt
their tactics as board members grapple with new and
unfamiliar risk issues, such as global data protection
regulations or digital transformation.
It’s difficult for board members, too. The linkages between
cybersecurity risk and business risk aren’t always intuitive
to business leaders who don’t have an IT or security
background. Your boardroom audience has very little insight
into the complexity of your operations or the persistence
of your cyber adversaries. It’s up to you to share enough
information to ensure they are confident the risks are
well-managed, without overloading them with details.
Legal, risk, and security advisors encourage board
members to focus on the big picture issues, such as
those shown in Figure 1.
To avoid making conversations with your board feel
more like an inquisition than a briefing, be proactive in
your approach and pre-align your primary talking points
with the board’s priorities. Board members are conditioned
to test assumptions. Careful preparation to ensure you
understand the board’s expectations before you walk
into the room is key.
As challenging as it can be to establish the right reporting
framework with your board, there are rewards. When
you present to the board and executive team, you have
an opportunity to educate, align priorities, and ask for
leadership support in the areas where you need it most,
such as holding other functional areas accountable or
gaining a seat at the table in strategy initiatives.

01 02 03 04
Governance & Responsibility & Awareness & Goal Setting &
Leadership Accountability Communication Board Reporting

05 06 07 08
Cyber Risk Legal & Security Tools & Incident Preparation
Management Compliance Operations & Management

Figure 1: Eight Areas of Board Oversight for Cybersecurity Risk (Source: Board Cyber Risk Oversight Framework, Secureworks)

5 ©2018 SecureWorks, Inc. All rights reserved.

Lay the Right Foundation
to Improve Receptivity
Board meeting agendas are tightly packed, and directors can be quick to deprioritize what they
are hearing if they don’t relate to the content. To significantly improve receptivity, be proactive
about two things: 1. foster one-on-one interaction with board members outside of the formal
meeting context; and 2. lay an educational foundation about the cyber threat environment,
including the threat actors and their motives.

Do Your Research
Understanding perspectives and motivations in the
boardroom is a good way to establish trust and gain
confidence. Research the backgrounds of your board
members to determine what they bring to the table. Are they
former CEOs or CFOs? Have they led corporate mergers or
digital transformations previously? Each one brings a unique
leadership perspective to the table that may predispose
them to interpret your reports and proposals differently than
you expect. What’s more, directors often serve on more
than one board, particularly in public companies, and may
bring expectations about cybersecurity shaped by their
experience with those other businesses. A little homework
will tell you if one of your board members has been through
the trial of a public breach.
Some CISOs have found it useful to find a sponsor among
the executive team, often the CFO or General Counsel, who
is willing to share information about the company’s strategic
goals and facilitate an introduction to board members.
If possible, engage with the chair of the board committee
with primary responsibility for cybersecurity risk, whether
that be the Audit or Risk committee, or a special committee
dedicated to IT, information security, or data protection.
Discuss the top potential business impacts and risks that
can win consensus with the broader board as the focus for
your agenda. Ask them what they want to hear more about.
Remember: from their perspective, cybersecurity is a means
to a business outcome.

Make It Personal
An Opportunity to
No matter how much research you do, meeting
Improve Receptivity
directors for the first time in a formal presentation is not
ideal. It’s helpful to have a few well-placed advocates According to the Marsh-Microsoft Global
for cybersecurity before wading in. Forming individual Cyber Risk Perception Survey, February 2018:
relationships with select members of the board and
53% of Chief Information Security Officers
executive leadership team ahead of time is even better. Start
said they provide reports to board members
by identifying those with the strongest interest in the subject
on cyber investment initiatives. Yet only 18% of
matter. Discuss the organization’s strategic initiatives and
directors said they receive such information.
gain an understanding of what keeps them up a night.

6 ©2018 SecureWorks, Inc. All rights reserved.

Take Every Opportunity
to Educate
Many CISOs tout the value of coming
to the boardroom prepared to discuss
breaches making headline news. When a
major news story breaks, board members
will likely reach out and ask for assurances.
Instead of succumbing to a cycle of
reactionary fire-drills, use that opportunity
to educate proactively. One leading
practice is to offer up a simple, informative
“anatomy of a breach” story.
Most board members like to improve
their knowledge of cybersecurity risk by
learning how a breach happened, including
the result of forensic investigations, threat
actor motivations, and a layman’s overview
of the techniques, tools, and procedures
used. Effective storytelling will enable you to
successfully demonstrate how the breached
company became vulnerable to the threat
and what your organization does differently
— or could do differently — to avoid
becoming a victim.
Your anatomy of a breach story should
be simple. Describe the event in terms
of business vulnerabilities and business
impact, including reputational damage and
loss of revenue, market share, or business
continuity. Then discuss the potential
impact of a similar breach on your own
organization and how you may or may not
be managing that same risk.
You have limited time
to convey ideas in the
boardroom. Acronyms
and complex cyber speak
will erode the board’s
receptivity to your ideas.
7 ©2018 SecureWorks, Inc. All rights reserved.
The more you educate your board about Reporting Tip
cybersecurity risks, the better positioned FUD is Not
you will be to dispel myths such as, ‘‘we Your Friend
can’t be breached” or “cybercriminals
don’t want anything we have.” Instead, Ensure that the tenor of
board members will begin to understand your security discussions
that security is a process of continuous is balanced between
improvement, not a one-and-done program pessimism and positivity.
that simply needs ongoing maintenance.
The threat environment is
justifiably scary. Rather than
Establish a Common sowing fear, uncertainty,
Language (Hint: The and doubt (FUD), use your
seat at the table to build
Language of Business) confidence in your strategy
to protect critical assets
As part of their risk oversight responsibility
and accelerate revenue
to stakeholders, corporate directors must
opportunities in the face
quickly identify risk and progress trends.
of threats.
Establishing a common language with your
board—defined as using the same specific
terms and definitions for cybersecurity
metrics every time you meet—makes the
board’s job much easier, and will help you
win the board’s confidence and trust.
Dialect is also important. The language of
business is numbers, including revenue and
margins. The language of cybersecurity
operations—e.g., signatures, cryptography,
and exploits—has no place in board
reporting. You may have success pulling
a few select operational terms into your
board dashboard, but only if they are
well-defined and reinforced quarter after
quarter as part of your common language
with the board.
In the boardroom, time is limited, so
eliminate acronyms from your vocabulary.
Acronyms, without definition, will erode
the board’s receptivity to your ideas. And
pausing to define a term like IPS will rob
you of time that might be more wisely
spent on making a case for your budget or
establishing your credibility.
Join Peer Exchanges to
Share Best Practices
Secureworks clients consistently cite three types of
knowledge essential to doing their job:
• Insights gained through their own experiences and
security tools
• Insights their vendors bring from working across
thousands of clients
• Insights gained from other security leaders who share
their lessons learned and best practices
The Dos and Don’ts of Board Reporting
What Not to Report
Acronyms
Technical and security jargon
Tactical plans that tell how
security works
A problem with no solution
Metrics without measurement
Data without business relevance
Too much data
8 ©2018 SecureWorks, Inc. All rights reserved.
Consider joining a peer networking group to discuss
board challenges and learn what has and hasn’t worked
for other security leaders. And ask your vendors for
support in developing better metrics and risk assessment
conversations.
Once you’ve laid foundational relationships with directors
and established common language, you can build
confidence and trust with practical reporting.
Consider This Instead
Full names and descriptions
Business terms and a common language
for every meeting
Strategic plans that demonstrate why security
is a means to a business outcome
A realistic roadmap for improvement
Replicable metrics that track trends
Financial, operational, reputational, and regulatory
concerns that align with board oversight responsibilities
Confidence-building stories about
proactive plans
Align Your Message with the Business
Too often, CISOs find that their first board presentation devolves into a contentious
discussion about a single metric that the board doesn’t understand. You may be tempted to
pad your report with extra data in an attempt to highlight the risk, but that won’t address the
root cause of the disconnect. To increase board receptivity and build confidence that the risk
is being managed effectively, offer enough context to make the data relevant to likely business
risks and strategic goals.

Avoid the Tactical Components
of Your Program
Useful board reports address business risk, not
cybersecurity risk. Your message should be practical and not
overly-dependent on all the details of your day-to-day battle
against the adversaries. Boards expect that the organization’s
security program has put the appropriate IT support, controls,
and processes in place to prevent what it can, detect what it
can’t prevent, and respond quickly to mitigate risk. They don’t
need to know how cybersecurity works, nor do they need
to learn your whole security dashboard. What they do need
to know to exercise their fiduciary duties with confidence
is that the risk is being managed. That means they care
deeply about the impact a breach could have on innovation,
productivity, revenue, reputation, and shareholder value.
Breaches have an obvious link to business impact, causing
many board members to focus only on crisis readiness
and response plans. When tackling the difficult task of
demonstrating how the rest of your program is connected
to business outcomes, it may be helpful to highlight
cybersecurity’s role in organizational resilience. For example:
• What IT systems will have the most impact on business
availability if they experience an outage due to
cybersecurity breach or remediation? By addressing the
risk of losing business availability, you have an opportunity to
discuss where to prioritize resources and enforce security
policies.
• Of all the products we deploy, which would have the
most impact on revenue or reputation if it put consumer
safety at risk and had to be pulled? Help boards imagine

Use a Revenue and
Margin Lens
For cybersecurity, proving a return on investment (ROI)
can be a mythical goal. While some security initiatives
will improve efficiencies and squeeze more value out of
existing investments, it is difficult to measure a return on risk
prevention. This underscores the importance of delivering
your cybersecurity risk report in terms of business outcomes
that impact current or future revenue and margin.
how threat actors could use the company’s unique
vulnerabilities to harm customers, partners, or consumers,
and then describe what protections are necessary to
mitigate those risks.
• Where is the workflow of mission-critical intellectual
property that could weaken our competitive position
if it were stolen or made public? Is that system behind a
firewall or in the cloud? Who has access to the information
and on what devices? Discussing the flow and storage of
digital assets will lead to a conversation about administrative

Lead with Anticipated access controls and authentication initiatives.

Business Impact
Clearly articulating the alignment between cybersecurity
practices and business outcomes will help manage budget
expectations and avoid misaligned priorities.

9 ©2018 SecureWorks, Inc. All rights reserved.

These questions will help directors think about the
consequences of not taking security actions, and also lead
to a discussion about how to prioritize and apply limited
resources in a way that has the greatest impact on risk
mitigation. To ensure early alignment with the company’s
strategic initiatives, you’ll also want to emphasize positive
business outcomes. Link security dollars spent to outcomes
such as risk reduction, productivity achievements, and new
strategic undertakings.
Put a Different Twist on Risk
Tolerance and Investment
CISOs seem to universally agree on one thing: the
biggest driver behind a company’s level of tolerance for
cybersecurity risk is whether or not they’ve been breached
before. Low-tolerance strategies can cost more. To help
board members understand the options and trade-offs:
• Start with a snapshot of the current state of risk,
end to end
• Review the desired outcomes
• Present several investment options at varying levels (use
a threat effectiveness lens to highlight how hard it would
be for a threat to succeed and the price point to stop it)
• Articulate the tradeoffs at each level (what you will gain
and what will need to be deprioritized)
In addition to assembling the data, consider interviewing
C-suite leaders in advance and including their perspectives
on what risks they’re willing to accept. While it requires
some rigor, this exercise may help you land on an agreed
tolerance more quickly.
10 ©2018 SecureWorks, Inc. All rights reserved.
Explain the Limitations of Industry
Boards naturally want to benchmark cyber risk
and investment against industry baselines and standards.
Industry context—including threat trends for the type of
data you handle—is an essential component of your risk
assessment. It also informs regulator expectations of
your company’s level of cybersecurity rigor. Your
challenge is, however, to expand the lens through
which your board assesses risk to include the uniqueness
of your company’s threat landscape, including poorly-
enforced policies and processes, insufficient resources for
patching, poorly-architected IT infrastructure, and lack of
third party oversight.
Reporting Tip
Boards should understand that if you’re breached
because your environment presents the path of least
resistance for an adversary, it will be of little consolation
that you had the same controls and investment level as your
industry peer group.
Room for Improvement
85% of board members believe that IT and
security executives need to improve the
way they report to the board. 54% of board
members say the information reported is
too technical.
Osterman Research: How Boards of Directors Really Feel
About Cybersecurity Reports, 2016
Prepare Your Presentation with the
Right Agenda and Dashboard
Security is a fairly new discipline in the boardroom, creating
an undefined playing field for CISOs. Cyentia Institute’s
Cyber Balance Sheet Report 2017 finds that board members
prefer for CISOs to express risk in one of two ways:
• Tell a story: describe the problems and how you are
solving them (or not)
• Give a sign: prove you are reducing exposure via various
Key Performance Indicators and Key Results Indicators
Questions Boards Are Asking (or Should Be)
• Is cybersecurity being managed appropriately and
effectively across our organization?
• Have we tested those assumptions with
independent third parties?
• Have we established an appropriate cyber risk
escalation framework that includes our risk appetite
and KPI/KRI reporting thresholds?
• Do we have adequate data governance policies and
controls to protect critical assets?
• How do we manage risk from our third parties
and suppliers, including Cloud and critical
business suppliers?
• Are we able to rapidly contain damages and
mobilize response resources when a cyber
incident occurs?
11 ©2018 SecureWorks, Inc. All rights reserved.
Universal cybersecurity risk management frameworks, such
as the NIST Framework for Improving Critical Infrastructure
Cybersecurity, are essential for guiding that conversation.
Practical board reporting also demonstrates that the
security program is consistently delivering on projections
and promises. Your agenda, and any dashboards you
present, should include adequate evidence to give the
board confidence that you know the current level of risk,
what vulnerabilities are a priority, and what progress is being
made to address them.
• Do we have a tested incident response
plan for the whole business?
• How are we staying current on the
threat landscape?
• Do we have adequate organizational
talent to govern, own, and execute the
cybersecurity agenda?
• How does our program align with
industry standards, those of our peers,
and regulatory requirements?
• Is our organization cyber-focused and culturally
cyber-conscious?
• Are we focused on, and investing in, the
right things from a people, process, and
technology perspective?
Tips For Agenda Planning:
Three Board Meeting Scenarios
Chances are that your next board presentation will fall into one of the following three
categories. Here are some tips shared by Secureworks clients for leading a productive
conversation in each scenario:

Reporting Tip

01
Board Members
Suffer from Slide
Fatigue

Slideware is rarely your

First-time Appearance,
Onboarding New Board Members
If you’ve done your foundational ground work, then you have a good idea of what’s
important to your audience. Address their needs first, then swiftly move to your
concerns about the top risks and threats and how they relate to business operations
and objectives.
Plan for interruptions and discussion
A two-way dialog will help you identify
what’s most useful to the board.
Link your program to the organization’s
top business risks
• What data and IP are mission critical?
• Where is that data and how is
it accessed?
• What are the top threats that may
go after them?
• What are the top cybersecurity
risks to the business and how likely is
each one?
• Which risks are most important
to avoid?
• Can any risks be mitigating or
transferred through insurance?
friend in the boardroom.
Keep your live presentation
materials to no more than
five slides (sometimes
1-3 will do), and focus
on the quality of your
narrative. Always have
Consider including a quantifiable information
third-party risk assessment available as backup, or
Third-party assessments establish an in the board book, but
un-biased baseline of risks and exposures. don’t rely on the slides do
They can lend credibility to your security the talking for you.
roadmap and may help reinforce your
concerns about strategic initiatives that are
increasing security risk.
Reporting Tip
Establish cornerstone issues
Use an introductory meeting or annual A Picture is Worth
update to suggest a couple of issues a Thousand Words
that relate to the long-term value of the
enterprise and should stay on the board’s Sharing a high-level view
radar. Over time, the board will become of the organization’s IT
your advocate for change on these issues infrastructure configuration
by setting a tone-at-the-top expectation and where the crown jewels
for the whole company. are located can be an
effective risk management
discussion tool.

• What is the plan for the remaining risk?

12 ©2018 SecureWorks, Inc. All rights reserved.

 02
Quarterly Reporting with Dashboard Review
To help board members fulfill their risk oversight responsibility, establish a reliable and
consistent set of metrics that acts as a gauge against your baseline. The numbers you
report should be replicable and communicate trends over time.
• Less is more on your dashboard.
The business relevance and quality
of your metrics are more important
than volume. Rather than presenting
the number of unpatched systems, for
example, provide a month-over-month
update on patch latency, specifically for
mission-critical systems.
• Help the board revisit known risks to
ensure that controls are in place and
assess their effectiveness.
• Explain the timeline to resolve specific
exposures and describe the mitigating
controls you’ve put in place.
03
Annual Report
This is your chance to roll up the year’s prior presentations to demonstrate the strategic
value of the investments made to date—and present future concerns that may warrant
budget adjustments. Aligning progress with the agreed-upon roadmap will help make the
case for renewed support from the board.
• Always start with your “ask.” What do
you want from the board or what do you
want them to agree to?
• Provide a narrative about progress
against desired outcomes: business
execution, security controls, and risk
position. Keep it high level.
• Leverage a rollup of your quarterly
metrics to provide risk and vulnerability
trends, as well as the current state of
risk exposure.
13 ©2018 SecureWorks, Inc. All rights reserved.
• Demonstrate your readiness for
“the big incident” by highlighting
established protocols.
• Show that steady progress is being made
against the roadmap.
• Use insights from the metrics to
highlight how security is supporting the
organization’s key strategic initiatives.
• Finally, plant the seeds for future
investment in response to changes in the
threat landscape.
• For public companies, this may also
be a time to prepare annual business
risk disclosures. Be prepared to review
incident and breach impact metrics.
• Illustrate how improved security has
reduced business risks or helped achieve
goals such as digital transformation.
• Paint a picture for what’s next given
emerging known threats.
• Clarify your action plan and reiterate
your asks for resources or support.
Reporting Tip
Dashboard
Components
to Consider
• Emerging threat trends
• Incident or breach trends
• Time to respond
• Time to detect
• Vulnerability management
• Compliance and control
• Data loss prevention,
integrity, and availability
• Third party vendor risk
• Employee awareness
• Status of key initiatives
• Assessment results
Dashboards
Are a Supporting
Prop, Not the
Presentation
A useful board report tells
a story about how well risk
is being managed at the
business level. Within that
report, your dashboard plays
a supporting role, while the
narrative you use to explain
the risk is essential.
Within the dashboard,
key metrics should be
replicable—appearing
consistently in each report
over time—to help board
members assess risk
trends over time.
Conclusion
As CISOs take a business leadership position, it is important to
do so with thought and purpose. Building relationships with your
executive team and members of the board is critical to earning
the support that will help you lead confidently through a breach
should one occur.

Consistency in board reporting will pay off as you establish

metrics and narratives the board comes to rely on for assessing
the organization’s response to cybersecurity risk. To maintain
that confidence, stay focused on business outcomes. A lapse
into tactics that describe “how the security program works”
will distract attention from the more valuable “why security is
important” story, pulling the discussion off track and threatening
to erode the board’s perception of your leadership role.

Finally, continue to test the effectiveness of your security program

and help the board benchmark better management of the
risk over time. Together, these factors will support a reporting
framework that helps you answer your board’s most burning
question: “How secure are we?”

14 ©2018 SecureWorks, Inc. All rights reserved.

 Join the
Conversation
Do you have board reporting strategies or useful templates
to share with your CISO peers? Secureworks will continue
to update this Toolkit appendix with redacted templates for
reporting visuals, dashboards, and assessment results.
Our goal is to foster an ongoing exchange of leading
practices among security leaders from companies of all sizes
and industries. We look forward to hearing from you at
thoughtleadership@secureworks.com.

15 ©2018 SecureWorks, Inc. All rights reserved.

About
Secureworks
Secureworks® (NASDAQ: SCWX) is a leading global cybersecurity company that
protects organizations in the digitally connected world. We combine visibility from
thousands of clients, aggregate and analyze data from any source, anywhere, to
prevent security breaches, detect malicious activity in real time, respond rapidly,
and predict emerging threats. We offer our clients a cyber-defense that is
Collectively Smarter. Exponentially Safer.™

Corporate Headquarters Europe & Middle East

1 Concourse Pkwy NE #500 FRANCE
Atlanta, GA 30328 8 avenue du Stade de France
1.877.838.7947 93218 Saint Denis Cedex
secureworks.com +33 1 80 60 20 00
secureworks.fr

GERMANY
Asia Pacific
Main Airport Center,
AUSTRALIA Unterschweinstiege 10
Building 3, 14 Aquatic Drive 60549 Frankfurt am Main
Frenchs Forest, Sydney NSW 069/9792-0
Australia 2086 secureworks.de
1800 737 817
secureworks.com.au NETHERLANDS
Transformatorweg 38-72, 1014
JAPAN AK Amsterdam,
Solid Square East Tower 20F +31 20 674 5500
580 Horikawa-cho, Saiwai-ku
Kawasaki, 212-8589 UNITED KINGDOM
81-(44)556-4300 UK House, 180 Oxford St
secureworks.jp London W1D 1NN
+44(0)203 907 6280
secureworks.co.uk

1 Tanfield
Canonmills
Edinburgh EH3 5DA
United Kingdom
+44(0)131 260 3040
secureworks.co.uk

UNITED ARAB EMIRATES

Building 15, Dubai Internet City
Dubai, UAE PO Box 500111
00971 4 420 7000
EXECUTIVE SERIES

Appendix

Sample Board
Reporting
Dashboards

17 ©2018 SecureWorks, Inc. All rights reserved.

 Office of the CISO ------ April 2017 ------ IS Managed Devices

Compliance Operations Endpoints..............................................................14,974

Desktops.............................................................9,194
Total Thin Clients........................................................1,888
Hardware Laptops............................................................. 3,588
Assets*** Unknown Windows (AD)................................224
Virtual Desktops...................................................80
PCI HIPPA Projects Budget Audit SLA Strategy Servers....................................................................1,080
Network......................................................................656

Threat Landscape

External Internal Network Server Client Confidentiality Integrity Availability

Infrastructure Infrastructure Infrastructure

Client Security Stack

Win 2000
0 Left
80% 73% 98% 81% 84% 91% 83%

Anti-Virus Desktop Laptop Application Patch Software AETD Firewall

Encryption Encryption Whitelisting Management Vulnerability Advanced Endpoint Default XP Systems
Software Monitoring Threat Detection Rules 39 Left

Server Security Stack

Server 2000
93% 0% 59% 91% 66% 2 Left

Anti-Virus Application Software Patch AETD SIEM Firewall

Secureworks purchased; Server 2003
Whitelisting Vulnerability Management Advanced Endpoint implementation started
Default
Monitoring Software Threat Detection October 2016. Rules 59 Left

Network Security Stack

3% 84%

OS Patching Authentication SIEM IPS Firewall Router/Switch Wi-Fi Security PKI/Certificate

% of Network Devices with % of Network Devices in Secureworks purchased; Secureworks purchased; Security Configuration 2012 Expired Cert on Infrastructure
non-Vulnerable OS (LiveOnly) ACS - Central Auth implementation started implementation started Prod Network (Validation
October 2016. October 2016. Disabled)

Gauge Legend
Good (85%-100%) Warning (65%-84%) Bad (0%-64%) Unknown
***Calculations below this point are based on the entire network not just the AD/Domain. Items such as PSO Networks/Non-IS Managed Systems/Medical Systems that are plugged into the Production Network are included.

Security Projects Vulnerabilities Within SLA

Internal: Critical Vulnerabilities: 12% Actual; Target 85%
Secureworks - Managed Security Service Provider
Internal: Non-Critical Vulnerabilities: 32% Actual; Target 85%
External: Critical Vulnerabilities: 0% Actual; Target 85%
External: Non-Critical Vulnerabilities: 37% Actual; Target 85%

External Vulnerabilities Internal Vulnerabilities

Marketing Vulnerabilities - 15 14,531 Systems with CVSS of 10
Research Vulnerabilities - 1 14,421 Systems that have Vulnerabilities that have
TLS/SSL Related - 70% Adobe - 34%
Discovered since last report - 35 publicly available exploits
IIS - 17% Java - 23%
167 Information Disclosure - 4% Microsoft - 29%
Misc. - 9% 7,404,464 7,244,830 Misc. - 14%
146 6,588,793 6,804,076 6,817,588

111 113 5,085,915

99 102 99 100 102 4,723,940 4,900,115 5,867,915
4,130,714
79 82 5,238,762 5,437,305 4,929,117
166 70 66 76 75 4,576,551
66 5,137,565
145 3,416,982
2,761,477

98 102 99 111 113 100 100

3,341,360
2,998,737
82 76 73 2,743,755
78 69
65 66
2,165,702 1,807,525 1,888,471 1,382,580 2,138,638
2,012,242 1,666,510 1,668,933 1,386,959 1,869,178

Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr

Vulnerability Legend

Critical CVSS 7-10 Non-Critical CVSS 0-6.9 Total/Trend *Critical / Non-Critical Findings based on Standard ISS / 01 Time to Remediate 30 Days Critical /
90 Days Non-Critical
Dashboard
Threat Landscape LOWERED TO GUARDED Wednesday, June 29, 2017 09:00:00
CTU researchers continue to analyze the NotPetya malware. Clients should block
MeDoc accounting software updates, verify backup and restore processes, and HISTORY
Guarded Cybersecurity Index segment networks for different business functions.

RECON INCIDENTS ATTACKS Threat Intel

Security Stack

Physical
NETWORK WORKSTATIONS SERVER CLOUD SaaS CLOUD IaaS Security

Compliance Operations

SSAE16

SSAE16
ISO (SOC2/
FFIEC 27001 GDPR HIPPA NERC/CIP PCI Audit BCP Projects RISK Strategy
Type 2)

Classification: Confidential - Limited External Distribution

Vulnerabilities

Criticality Within SLA> Outside SLA Outside SLA Trend

Critical 79 21%

High 93 7%

Medium 98 2%

Low 98 2%

Total 93 7%

External Vulnerabilities Internal Vulnerabilities

900 ???
800
700
600
500
400
300
200
100
0
Feb Mar Apr May Jun July Feb Mar Apr May Jun July

Non-Critical Critical ???? Non-Critical Critical ????

External Vuln Details Internal Vuln Details

Vuln Count Criticality Vuln Count Criticality

SSL Certificate Expired 18 critical Microsoft CVE-2017-84?3: Windows Explorer 2571 critical
Remote Code Execution Vulnerability
SSL Certificate Supports Weak Encryption 3 critical
Microsoft CVE-2017-????: 2571 critical
World Readable and Writable 1 critical Win32k Elevation of Privilege Vulnerability
Directory on Anonymous FTS
Microsoft CVE-2017-????: 2571 critical
Birthday attacks against TLS ciphers with 97 non-critical WordPad Remote Code Execution Vulnerability
64bit block size vulnerability (Sweet32)
CIFS Account Lockout Policy 4433 non-critical
SSL Certificate - Signature Verification Failed 60 non-critical Allows Password Brute Forcing
Vulnerability
Microsoft CVE-2017-0170: Windows Performance 2639 non-critical
CMP Timestamp Request 69 non-critical Monitor Information Disclosure Vulnerability

Microsoft CVE-2017-????: Microsoft Browser Security ???? 2639 non-critical

Threat Landscape Detail
LOWERED TO GUARDED Wednesday, June 29, 2017 09:00:00
CTU researchers continue to analyze the NotPetya malware. Clients should block
MeDoc accounting software updates, verify backup and restore processes, and HISTORY
Guarded Cyber Security Index
segment networks for different business functions.

• CTU researchers identified 15 possible breaches. Most of these unconfirmed breaches affected government organizations or containing government identification
• Most threat actor activity and interest focused on financial organizations, specifically targeting credentials. CTU researchers also identified a significant increase in activity
affecting hotels, business services and technology
• North America and the combination of Europe and Russia (Europe + Russia) were the most targeted geographical locations although CTU researchers observed an
increase in advertised data from China, Australia and South America. UK financial e-crime also continued to rise.

Reconnaissance Reconnaissance is measured via standard deviance over weeks for seen events on our network as reconnaissance
MOST RECENT CHANGE

Timestamp Value Comments

2017 07-09 ??:24:46 49.218.60 49218 is outside of the standard deviation. There is still a good bit of apache struts scanning occurring

Number of Reconnaissance events by month

Top Events Count
70000
60000 Apache Struts wildcard ?? OGNL remote code execution attempt 34167
50000 Netcore UDP Backdoor Exploration Attempt inbound 8487
40000
Bash CGI environment variable injection attempt 1663
30000
20000 SQL Injection Attack SQL Tautology Detected 369
10000
TEST TEST TEST 99
0
Jan Feb Mar Apr May Jun July

Threat Landscape Detail - Incidents

???????
Incidents
MOST RECENT CHANGE

Timestamp Value Comments

2017 07-09 11:24:46 ?? ??

CAT 0 ?? Network Defense Testing CAT 5 Non-Compliance Activity

CAT 1 Root Level Intrusion CAT 6 Reconnaissance
CAT 2 User Level Intrusion CAT 7 Malicious Logic
CAT 3 Unsuccessful Activity / Attempt CAT 8 Investigating
CAT 4 Denial of Service CAT 9 ??

Incidents Opened (6/1-6/30) CAT 5 Incidents By Business Unit (6/1-6/30)

200
8
175
7
150
6
125
5
100
4
75
3
50
2
25
1
0
CAT 1 CAT 2 CAT 3 CAT 4 CAT 5 CAT 6 0

Team 1 Team 8
Team 2 Team 9
Team 3 Team 10
Team 4 Team 11 Team 1 Team 5
Team 5 Team 12 Team 2 Team 6
Team 6 Team 13 Team 3 Team 7
Team 7 Team 4 Team 8

??

Unsafe malware research 12

Cross Client Data Publication 5

?? 10

Other 7

TEST 99
Threat Landscape Detail - Attacks
Attacks Unsuccessful events are actual threats against Secureworks that were not turned into compromises. This is measured via standard deviation over
weeks for unsuccessful events against our networks
MOST RECENT CHANGE

Timestamp Value Comments

These events 2017-07-10 11:45:45 17.00 17 unsuccessful attack incidents created from 6/1-6/30. This is within standard deviation.
generally are http
attacks, but include
phishing, brute This graph represents the number of unsuccessful attempts to compromise secureworks divided by week for the last 4 months.
force attacks and
other events as CAT 3 Incident Trending
well.
30

25

20

15

10
5

0
Jan 2017 Feb 2017 Mar 2017 April 2017 May 2017 June 2017 July 2017

Team 1 Team 5 Team 8

Team 2 Team 6 Team 9
Team 3 Team 7 Team 10
Team 4

Threat Landscape - Threat Intel.

Threat Intelligence The threat intelligence score is taken from the portal. The scores are translated into stop lights from the Cyber Security Index maintained by our
Counter Threat Unit
MOST RECENT CHANGE

Timestamp Value Comments

2017-07-10 11:45:43 100.00 LOWERED TO GUARDED Wednesday, June 29, 2017 09:00:00
CTU researchers continue to analyze the NotPetya malware. Clients should block MeDoc accounting software updates,
verify backup and restore processes, and segment networks for different business functions.

The Secureworks® Counter Threat UnitTM (CTU) research team welcomes you to the Open Sources Intelligence Update for July 10, 2017. This update
provides a brief daily highlight of CTUTM activities, major issues, and trends affecting Secureworks clients.

CTU Research

Nothing to report

Vulnerabilities and Threats

LeakerLocker Ransomware Found in Two Apps on the Google Play Store

???

Unmasking Android Malware: A Deep Dive into a New ?? Variant

http://blog.fortiner.com/2017/07/09/unmasking-android-malware:-a-deep-dive-into-a-new-??-variant-part-??
http://blog.fortiner.com/2017/07/09/unmasking-android-malware:-a-deep-dive-into-a-new-??-variant-part-??
http://blog.fortiner.com/2017/07/09/unmasking-android-malware:-a-deep-dive-into-a-new-??-variant-part-??

OSX ?? Malware Linked to Operations ?? Hijacks User Network Traffic

???

Petya’s ?? Boot Record Infection

http://blog.fortiner.com/2017/07/08/petya-s-??-boot-record-infection
Security Stack Detail - Network (abbreviated)
OVERALL STATUS - DEGRADED OPERATION

The Firewall metric is determined by the deployment of firewalls on all production networks. It is determined by taking the total number of
production networks that have no firewall or allow for ?? and dividing by the total number of networks.
Firewall MOST RECENT CHANGE

Timestamp Value Comments

2017-07-?? 500.?? At this time, all production networks have firewalls enabled.

More information >> More History >>>

App Firewall is determined by coverage of application firewalls that host internet facing services. This traditionally only applies to web
traffic today. Application firewalls in blocking get one point. Applications in read only get 5. Applications with 0 application firewall get 0.
The score is an average.
MOST RECENT CHANGE
App Firewall
Timestamp Value Comments
2017-07-?? ?? We currently have a Web Application Firewall blocking ?? of IDP secureworks.com and
secureworks.com. Redcloak, the mobile portal, T ICE have a ?? that is non blocking, but being
monitored. Cloud Guardian, ??, ??, and CTU ?? ?? source code is stored have no ??. Currently,
we’re working on deploying the ?? ?

More information >> More History >>>

Security Stack Detail - Workstations (abbreviated)

OVERALL STATUS - OPERATIONAL

Encryption is determined by the percentage of workstations with no errors running full disk encryption. This ?? which use AES-256 local-
ly. Checkpoint and BitLocker (Windows 10)
Full Disk MOST RECENT CHANGE
Encryption
Timestamp Value Comments
2017-07-12 12:42:32 87.00 87% of devices are utilizing Full Disk Encryption (??)

More information >>

Network Access Control is determined by the percentage of workstations with a valid certificate and AnyConnect that can
connect to the corporate network.
Network MOST RECENT CHANGE
Access
Control Timestamp Value Comments
2017-07-12 12:49:01 100.00 100% of devices are part of the domain and configured as part of GPO with network control
access. This is ensured by the ability to join our network.

More information >>

Security Stack Detail - Servers (abbreviated)
OVERALL STATUS - DEGRADED OPERATION

Forensics is calculated by a percentage of workstations that have EnCase installed. EnCase is the tool we use to perform data forensic investigations.
MOST RECENT CHANGE
Forensics
Timestamp Value Comments
2017-07-10 15:10:15 0.00 Working with IT on deployment, CSO is building an encase install package that ProdOps can test deploy-
ment on sample machines.

More information >>

File Integrity Monitoring is a host intrusion detection system that watches for unauthorized file changes indicating a potential compromise.
File Integrity MOST RECENT CHANGE
Monitoring
Timestamp Value Comments
2017-07-10 15:10:36 75.00 ?? software deployed and configured, monitoring process/procedures currently in development. We’re
having regular meetings where we ?? and respond to events.

More information >>

Advanced AETD is calculated by the percentage of workstations running Red Cloak.

Endpoint MOST RECENT CHANGE
Threat
Detection Timestamp Value Comments
2017-07-10 19:08:51 75.00 The Linux agent for Red Cloak is built, but in beta. We’re working on installing the Windows agent now.
Plan to have it fully deployed by 8/15

More information >>

Security Stack Detail - Cloud SaaS (abbreviated)

OVERALL STATUS - DEGRADED OPERATION

Adaptive Planning is a budgeting and planning tool. Calculation is a metric determined by the vetting done by Security Architecture and Vendor Risk Manage-
ment as well as the number of exceptions to standards.
MOST RECENT CHANGE
Planning
Timestamp Value Comments
2017-05-02 20:24:28 0.00 This legacy service from Dell has not been reviewed by CSO and therefore gets a default total score of ??

More information >>

Box is a hosted application that is used to store files and documents in a secure manner for collaboration. Calculation is a metric
determined by the vetting done by Security Architecture and Vendor Risk Management as well as the number of exceptions to standards.
Box com MOST RECENT CHANGE

Timestamp Value Comments

2017-05-02 20:30:32 90.00 Architecture and Vendor Management Review with flying colors. It also has one exceptions currently

More information >>

Concur is a Dell hosted application used by SCWX for travel and expense related activities. Calculation is a metric determined by the vetting done
by Security Architecture and Vendor Risk Management as well as the number of exceptions to standards.
Concur
MOST RECENT CHANGE

Timestamp Value Comments

2017-05-04 17:03:42 70.00 This legacy service from Dell has ?? been reviewed by CSO, some controls in place.
Security Stack Detail - Cloud IaaS (abbreviated)
OVERALL STATUS - DEGRADED OPERATION

Backup is calculated as a percentage of machines that are backed up in some form

MOST RECENT CHANGE
Forensics
Timestamp Value Comments
2017-05-18 19:54:15 100.00 CloudOps reports that all needed backups are successful

More information >>

Vulnerability Management is calculated by the number of devices without known vulnerabilities.

Vulnerability
Management MOST RECENT CHANGE

Timestamp Value Comments

2017-05-18 19:22:03 95.00 95 of the hosts have vulnerability management in AWS

More information >>

Whitelisting is determined by the percentage of security groups per device that allow all connectivity inbound or outbound.
Whitelisting
MOST RECENT CHANGE

Timestamp Value Comments

2017-05-18 19:24:15 95.00 95 of the hosts have a complete lockdown of outbound traffic in AWS. The remaining 5% need to
be investigated as they could potentially have access.

More information >>

Security Stack Detail - Physical Security (abbreviated)

OVERALL STATUS - OPERATIONAL

All doors in SCWX controlled spaces that have the specific purpose of controlling access and reporting anomalies to our monitoring system.
This excludes Dell Controlled and Monitored points of entry. There are 195 SCWX doors globally. To be considered fully operational, the door must:
Only open when prompted by associated badge reader
Close without assistance from person accessing it.
Doors Alarm ?? when forced open, or held open beyond its alloted time.

MOST RECENT CHANGE

Timestamp Value Comments

2017-05-02 ??:04:28 100.00 All doors are currently operational.

More information >>

All cameras in SCWX controlled spaces that have the specific purpose recording activity in the vicinity of key areas. SCWX cameras are UNMOUNTED and
therefore only usable for investigative purposes after an incident has occurred. This excludes Dell Controlled and Monitored cameras. While we do have the
ability to petition Dell for a summary of activity from a given camera and time window, we do not currently possess the agreements to receive raw footage
for investigative purposes. There are 148 SCWX cameras. To be considered fully operational, the camera must:
Cameras Possess a recording resolution of 1280x720
Perimeter, SOC, IT Storage, and Data Center Cameras will record full time motion video.
All other cameras will be prompted by motion sensor.

MOST RECENT CHANGE

Timestamp Value Comments

2017-07-12 16:15:11 96.00 More legacy low resolution cameras have been replaced with high resolution cameras.

More information >>

Operations (abbreviated)
OVERALL STATUS - OPERATIONAL

Audit Audit - Remediation status for security impacting audit findings.

MOST RECENT CHANGE

Timestamp Value Comments

2017-07-28 14:02:23 90.00 1. Control standard ??? is ??? in a manner to allow the data custodian subjectivity to determine require-
ments around encryptions ??? - Recommend closure. Submitted to Internal Audit for Review. Due
8-1-2017.
2. The current ??? policies, procedures and standards do not sufficiently address or include the vendor
management compliance items. - ???
3. The Vendor Risk Management Program does not identify ???

BCP BCP - Readiness of Business Continuity Plan testing and ??? analysis.

MOST RECENT CHANGE

Timestamp Value Comments

2017-07-28 08:40:28 100.00 ???
???
???
Legal ??? Compliance - Approved
IT Operations BCP - Approved
Finance BCP - Approved
???
???
Sales BCP - Approved
CTO BCP - Approved
HR BCP - Approved
Security BCP - Approved
???
Service Directory BCP - Approved
Marketing BCP - Approved
CTU BCP - Approved