[BreachExchange] Missing the Forest for the Trees: Top 5 CISO Pitfalls in Cybersecurity

[Destry Winant]

https://securityboulevard.com/2019/06/missing-the-forest-for-the-trees-top-5-ciso-pitfalls-in-cybersecurity/

There is a lack of focus in cyber security.  This rarely stems from
lack of hard work, desire, technical ability or aspiration.  Many
cybersecurity leaders and teams voice concern around lack of funding,
minimal executive support and share all too common stories of burnout
at all levels of the organization (including the CISO).  However,
these are often symptoms rather than root causes.  Without
understanding the root causes, cyber security leaders can miss the
forest for the trees — with the company’s true security risk reduction
suffering for it.

Following are recommended actions CISOs can take to avoid five common
pitfalls.  Subsequent articles will get into more depth on each.

1. Prioritize business risk

Many cybersecurity programs are attempting to boil the ocean rather
than focusing on or starting with what’s most important for business.
If you knew that 20% of the information, business processes, and
operations were what mattered most to your business, wouldn’t you put
more effort into protecting that 20%?

There are some legacy methodologies companies use to attempt this.
Some companies have focused on traditional information classification
frameworks to identify the most critical data and assets to protect,
which is not a bad place to start. However, it tends to be heavily
weighted on data theft (confidentiality), leaving integrity and
availability concerns disconnected. Business continuity and IT
disaster recovery programs and plans traditionally work to ensure that
they are able to react to availability issues from any type of outage.
That said, in many cases, these efforts are disjointed and data
integrity risks are largely left to be managed by a quality or
compliance department.

What to do: CISOs can help their companies connect deeply with their
business and understand worst-case scenarios for information theft,
manipulation or operational disruption, not limiting thinking to IT
systems.  If you narrow your focus to securing the elements most
critical to your business, you can build speed and depth to protect
what matters most for your company’s livelihood.

Think about it this way: If your company has 1,000 IT systems and 10
different functional areas, comprising 500 business processes, then
where do you start?  How far do you go?  Is everything critical?  I’ve
seen companies fail to answer this question and stall or significantly
slow their efforts on a critical control or focus only on one risk
dimension (e.g. compliance, or data theft).

You can identify your most critical business risks by imagining what a
CEO would be most concerned about if a cyber attack hit at 3 a.m. on a
Saturday. The CEO won’t be thinking about the technical details or
what strain of malware is the most likely: The focus will be on
business risk and operational impact.  Keep this in mind when you
choose where to focus your information security program.

2. Avoid getting caught up in the media’s fascination with reporting on breaches

Media distractions are on the rise.  Due to mostly privacy-driven data
breach reporting laws, media attention tends to focus on customer
breaches and exposed personal information.  This reporting bias
doesn’t account for all of the internal and external attack types and
the companies’ true risk impact profile. When you’re inundated with
stories of cybersecurity breaches, it’s easy for your company’s
executives to get into a reactive mindset or to start exhibiting
confirmation bias that may or may not be applicable or top risks
within an organization’s sector.  This kind of thinking can point you
away from your company’s biggest risks.

What to do: While you can’t control the articles your company
executives read, there is a strategy to avoid whipsaw reactions to
specific vulnerability and breach-related news.  You can leverage news
media in a way that provides isolated value instead of distraction by
getting deeply involved in threat intelligence and sharing with other
companies (especially within the same industry or sector). Evaluate
the input from the media against your business-driven risk management
processes so that you can rationalize what you should react to and act
upon.

3. Be strategic about your cyber tool plays

Judging from the social media backlash about the “vendor circus” at
major security conferences and events, there is some recognition and
reflection about the cyber tool sprawl.  When it comes to AI, machine
learning and blockchain, we are often promised silver bullets – and
told that we’re going to need them.  This creates a sense that, if you
don’t deploy a vendor’s magical new solution, then you face an
imminent failure to protect your company.

I recently learned of a smaller organization’s security leader who was
proud to have acquired seven marquee threat detection tools, but when
asked about how he had the ability to leverage them all effectively,
he responded with, “I focus on the one that is giving me the most
actionable data.” In other words, he was only actually using one
threat detection tool at a time. The other six were still running and
producing logs and alerts, but no one was looking at them.

What to do: Don’t expect your strategic architecture practices to
start out fully mature.  Bring a deeply experienced, big picture
security architect on board to develop an ecosystem of cyber security
tools that work together and are appropriately scalable.  CISOs need
to look past initial funding for “cool” tools toward more
comprehensive total cost of ownership (for both internal and external
resources), linkages to business scope, ability to drive down risk and
plans for appropriate scale.

4. Solidify the basics

The basics matter.  It is difficult to achieve comprehensive risk
reduction if you don’t have the fundamental concepts nailed down.  The
Center for Internet Security Critical Security Controls (CIS CSC)
lists inventory and control of hardware, inventory and control of
software, continuous vulnerability management and controlled use of
administrative privileges as the top four basic controls. However,
many companies report incomplete or ineffective efforts in all four of
these fundamental efforts.  Meanwhile, investments may be focused more
on the “sexy” tools and controls that are popular in the market.

 What to do:  The solution is not to completely stop everything to
catch up on the basics, but it does call for some ruthless
prioritization and the rekindling of core efforts to ensure you team
isn’t spread so thin working on shiny new tools that it obstructs
progress on critical building blocks.

The CIS CSC provides a robust and periodically updated playbook.  They
even recently segmented the first six controls into a grouping of
Basic CIS Controls.  They include hardware and software inventory,
vulnerability management, controlling admin privileges, secure
configuration (hardware/software) and maintenance and monitoring of
logs.  While they all seem essential for any security program, far too
many companies do not have solid progress and maturity towards these.

Connecting the dots between prioritizing business risk and solidifying
the basics, does your company leverage business risk to drive
privileged access security programs?  Are the biggest risks being
dealt with first or are you using a first come, first serve model that
may not be most effective for your organization?

5. Get tools and capabilities to the appropriate scale

Buying a tool and not implementing it at scale to protect your
business information assets does not drive risk reduction.  Far too
often, a company will buy a tool (or 10), have some wins implementing
some of the features and then either move on to the next thing or
realize they don’t have resources to execute to scale or to support
the tool after the initial investment money runs out.

What to do: Getting to the appropriate scale with these efforts is the
only way to fully achieve the risk reduction efforts that your money,
time and effort will have costed you.

Scaling is hard.  It can be grueling at times.  However, it is where
the magic happens with risk reduction.  Remember, “scale” doesn’t have
to mean “turn it on everywhere.”  In fact, “appropriate scale”
connects directly back for the business risks you are intending to
reduce.

Companies that achieve appropriate scale leverage solid and consistent
project management and measurement methodologies. They think
proactively about total cost to achieve desired risk reduction and
they don’t cut and run when they see the next shiny object or tool
their peer company decided to implement.  Since many CISOs only have a
17-24-month CISO tenure, they may not be focusing on long-haul
solutions at scale.

The flip-side precaution is that proven leaders (if they are using
measurement tools) know when something is not working or performing to
the desired outcomes.  In this case, cutting a project or capability
may be warranted.  However, if this is the case, cut the entire
capability and solution; don’t leave it running with a skeleton team
keeping it alive.  This will cost in more ways than one in the long
run.