[BreachExchange] A Proposed Model for Permanent Change in Cybersecurity

Destry Winant destry at riskbasedsecurity.com
Thu Oct 4 20:04:15 EDT 2018


Why do we keep doing the same things in security year after year and
expect a different result? For decades we have bought and installed
security tools to “fix” our security issues around patch management,
privileged access, application vulnerabilities and the like. And yet
those same issues still sit at the top of the list today.

If the goal is to actually fix security issues and keep them fixed,
how should we change our approach? Most CISOs are now held accountable
for measurable and sustainable risk reduction, not for the number of
security flaws fixed. That can mean reporting the risk reduction
achieved every month. Such KPIs could include the month-over-month
percentage reduction in sensitive data leaving the network, or the
percentage of enterprise data covered by a DLP (data loss prevention)
solution.

For a “permanent change” model to work, we should only take on a new
security initiative when we are confident that it fixes a security
issue (measured as risk reduction) and that the fix will be sustained
in an automated manner. In other words, we fix the problem with not
only the tools, but also the processes and controls.

The first step is usually identifying the area of security where we
want to invest in improvement. Ideally, the area(s) chosen for
investment will be the security domain where the greatest risk
reduction can be achieved for the dollars spent. A second criterion is
that, once implemented, the solution (the tool and its related
processes) will keep the remediated risk under control and keep it from
growing again over time.

For example, we may want to focus on firewalls and home in on the
hygiene of the firewall rules across the environment. We might hire a
consultant to clean up all the rules: eliminating those that are out of
date, consolidating those that are redundant, and so on. The problem
with stopping there is that the rule base will quickly grow and become
stale again. What is missing are the control processes and tools to
manage future changes to the firewall rules, and the tools to monitor
those changes.
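As an added example (not part of the original post), the following Python script shows what the missing monitoring piece for the firewall case above could look like: it takes the approved rule set left behind by the clean-up as a baseline and, on every later export of the rule base, flags rules that were added without approval, have passed their expiry, have not matched traffic for 90 days, are shadowed by an earlier rule, or are overly broad. The rule fields, the ticket convention and the sample rules are constructed for illustration and do not come from any real firewall product.

```python
"""Firewall rule hygiene check: detect drift after a one-time clean-up.

Added example for this post, not code from the original article. It assumes a
simplified, hypothetical rule export: each rule is a dict with src/dst CIDRs,
an inclusive port range, protocol, action, a change ticket, the date the rule
last matched traffic and an optional expiry date. Rules are listed in
evaluation order (first match wins).
"""
from datetime import date, timedelta
from ipaddress import ip_network

# Constructed sample data for the demo; not from any real environment.
TODAY = date(2018, 10, 4)

# The approved rule set as left by the consultant's clean-up.
BASELINE = [
    {"id": "R1", "src": "10.0.0.0/8", "dst": "192.0.2.10/32", "proto": "tcp",
     "ports": (443, 443), "action": "allow", "ticket": "CHG-100",
     "last_hit": "2018-10-03", "expires": None},
    {"id": "R2", "src": "10.1.0.0/16", "dst": "192.0.2.20/32", "proto": "tcp",
     "ports": (22, 22), "action": "allow", "ticket": "CHG-101",
     "last_hit": "2018-05-01", "expires": "2018-09-30"},
]

# A later export of the same firewall: two rules have crept back in.
CURRENT_RULES = BASELINE + [
    # Approved via ticket, but fully covered by R1, so it never matches.
    {"id": "R3", "src": "10.2.0.0/16", "dst": "192.0.2.10/32", "proto": "tcp",
     "ports": (443, 443), "action": "allow", "ticket": "CHG-150",
     "last_hit": "2018-10-01", "expires": None},
    # No change ticket and any-source / all-ports: unapproved, broad drift.
    {"id": "R4", "src": "0.0.0.0/0", "dst": "192.0.2.30/32", "proto": "tcp",
     "ports": (1, 65535), "action": "allow", "ticket": "",
     "last_hit": "2018-10-02", "expires": None},
]


def _key(rule):
    """Identity of a rule by what it permits, independent of its id."""
    return (rule["src"], rule["dst"], rule["proto"], rule["ports"], rule["action"])


def new_rules(baseline, current):
    """Rules present now that were not in the approved baseline."""
    approved = {_key(r) for r in baseline}
    return [r["id"] for r in current if _key(r) not in approved]


def unapproved_rules(rules):
    """Rules with no change ticket attached (process control bypassed)."""
    return [r["id"] for r in rules if not r["ticket"]]


def expired_rules(rules, today=TODAY):
    """Rules whose agreed expiry date has passed but are still deployed."""
    return [r["id"] for r in rules
            if r["expires"] and date.fromisoformat(r["expires"]) < today]


def unused_rules(rules, today=TODAY, max_idle_days=90):
    """Rules that have not matched any traffic within the idle window."""
    cutoff = today - timedelta(days=max_idle_days)
    return [r["id"] for r in rules
            if r["last_hit"] is None or date.fromisoformat(r["last_hit"]) < cutoff]


def _covers(a, b):
    """True if rule a matches every packet rule b matches."""
    return (a["action"] == b["action"]
            and a["proto"] in (b["proto"], "any")
            and ip_network(b["src"]).subnet_of(ip_network(a["src"]))
            and ip_network(b["dst"]).subnet_of(ip_network(a["dst"]))
            and a["ports"][0] <= b["ports"][0] and b["ports"][1] <= a["ports"][1])


def shadowed_rules(rules):
    """Rules fully covered by an earlier rule in evaluation order: redundant."""
    return [later["id"] for i, later in enumerate(rules)
            if any(_covers(earlier, later) for earlier in rules[:i])]


def broad_rules(rules):
    """Allow rules with an unrestricted source and the full port range."""
    return [r["id"] for r in rules if r["action"] == "allow"
            and ip_network(r["src"]).prefixlen == 0 and r["ports"] == (1, 65535)]


def audit(baseline, current, today=TODAY):
    """One report a scheduled job can run on every export and alert on."""
    return {
        "new": new_rules(baseline, current),
        "unapproved": unapproved_rules(current),
        "expired": expired_rules(current, today),
        "unused": unused_rules(current, today),
        "shadowed": shadowed_rules(current),
        "broad": broad_rules(current),
    }


if __name__ == "__main__":
    for finding, ids in audit(BASELINE, CURRENT_RULES).items():
        print(f"{finding:>10}: {', '.join(ids) or '-'}")
```

Run on the constructed export, the report names R3 and R4 as new, R4 as unapproved and overly broad, R2 as expired and unused, and R3 as shadowed by R1. The point is that the baseline is re-checked on a schedule rather than once: a non-empty "new" or "unapproved" list is the signal that the clean-up is being undone, and it is raised the month it happens rather than at the next budget request.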

Once we have decided which security areas to invest in, we need to
consider what processes must be implemented to remediate the risk.
Only after the end-to-end solution is designed should we determine the
“tools” that will help enable it. While building the solution(s) to
reduce security risk, we should consider several factors, including
coverage, remediation of the risks and automated monitoring of
controls.

Typically, when we take on a large initiative to reduce risk in a
particular security area, we put together a plan to remediate, and
then we put forth a major effort to fix the issues. From a risk
perspective, this represents a reduction in risk. However, it is
equally important to take steps to ensure the risk does not rise

We need to build into our remediation program/security initiative the
processes and tools to monitor this control in the future. We all know
that over time, vulnerabilities/risks/issues tend to grow and come
back unless there is a focused effort to ensure they don’t. There have
been several occasions where I spent a large sum of money to “fix” a
security area, reported the results to the board, and then had to go
back to the board some time later to request budget to fix again.

CISOs cannot wait for someone else to solve this problem of
permanently fixing security risks and keeping them fixed. While tools
may help, the problem will ultimately be solved by CISOs thinking of
an end-to-end process that will not only remediate risks, but
continuously watch over the controls, ensuring they continue to manage
the risks.

More information about the BreachExchange mailing list