[BreachExchange] Winning the security fight: Tips for organizations and CISOs

[Destry Winant]

https://www.helpnetsecurity.com/2019/10/09/winning-the-security-fight/

If you ask Matthew Rosenquist, a former Cybersecurity Strategist for
Intel (now independent), overcoming denial of risk, employing the
right cybersecurity leader, and defining clear goals are the three
most critical objectives for avoiding a negative outcome.

Getting things right

“Every organization, large and small, begins with a belief they are
not at significant risk. This denial is dangerous and can persist even
when attacks occur,” he told Help Net Security.

This denial must be addressed with facts and critical thinking and,
once leadership accepts the need for cybersecurity and the
responsibility for addressing related risks, they must find and employ
a good cybersecurity leader.

Rosenquist warns against employing experts from unrelated domains.

“Far too often organizations believe cybersecurity leadership is a
simple project management or technical role and that, therefore, just
about anyone could be successful in it. I have seen excellent human
resources, marketing, engineering, and finance managers be given the
role which eventually resulted in calamity,” he shared.

Even worse: they might bring in staff they trust but are not
competent, creating a closed group of novices that will flounder
without even knowing they are failing.

“Being successful in cybersecurity is not accomplished by luck or by
mistake,” he remarked. “It takes contextual knowledge, special skills,
experience, passion, and the relentless pursuit of understanding and
mitigating risks in order to build the right foundations for success.
A leader must use all of their proficiencies to be able to communicate
risks, develop plans, articulate value, motivate team members, drive
operation excellence, and to foster goodwill across the organization.
In cybersecurity, the absence of quality leadership guarantees
crises.”

(The good news is that most large companies have overcome denial of
risk and many are including cybersecurity skill sets into the C-suite
and even the board of directors.)

Finally, it is essential that every security organization has clear
strategic goals to satisfy stakeholders’ expectations. Only with clear
goals that the top organizational rung agreed upon can a long-term
plan be developed – one that will be resistant to distractions and
deliver sustainable value.

“Without clear goals there is also no way to gauge, justify, or
prioritize security, therefore expectations will never be met and the
program will eventually be viewed as a failure,” he pointed out.

CISOs’ challenges

Chief Information Security Officers (CISOs) have their work cut out for them.

In order to be effective, they must:

- Understand, manage, and communicate the complex set of shifting
cyber risks that exert pressure on the enterprise
- Garner support from the C-Suite and the board levels as well as
middle management, and influence the actions of every employee and
vendor
- Address and stay in lockstep with the technology and process shifts
implemented across the organization to secure potential
vulnerabilities.

“Unlike the straightforward operational challenges of Information
Technology, cybersecurity is forced to constantly change in order to
meet and counter the persistence and innovation of the attackers,”
Rosenquist noted.

“It is not just about addressing the weaknesses of yesterday or the
issues of today, but also the new attacks that tomorrow will bring.
The CISO’s goal is to continually achieve optimal balance between the
risks, costs, and usability factors for cybersecurity.”

Constantly managing cyber risk

Eliminating all risks an organization may face would be astronomically
expensive and extremely burdensome – the CISO’s role is, therefore, to
manage cyber risk through prioritization. To decide what is most
important to a risk management initiative, the goals must be defined,
exposures identified, and possible avenues for control explored.

“The organization’s risk appetite is defined through an
executives-and-board discussion. It should be expressed in both
qualitative and quantitative terms for clarity and metrics tracking,”
he explained.

“For example, it may include conditions like ‘no data breaches
involving sensitive customer information’, compliance to all
regulatory requirements, and less-than 4 hours downtime per quarter
due to cyber-attacks. The list can be as extensive as desired but must
also accompany estimations for costs, friction to system usability,
and impacts on employee productivity.”

Once defined, these targets become the overall goal for the
cybersecurity program, and based on those goals the CISO can identify
what is most important to secure, what technology constitutes the
digital ecosystem, what controls are already in place and what
controls should be put in place.

The answer to the questions of what is most important to secure and
how should also be influenced by the CISO’s understanding the
opposition.

“If you know the goals, methods, and capabilities of the attacker
archetypes that constitute the primary threat to the security goals,
it is possible to identify the most valuable avenues for investment to
intercept the likely attacks,” he concluded.

Garnering support from the board and the C-Suite

It’s important for CISOs to realize what the board is there to do and
tie cybersecurity to their objectives.

“Be clear and speak in plain terms, don’t try to overwhelm them with
technical or security terminology, don’t use FUD, be open and
pragmatic,” he advised.

“Use industry data as benchmarks and always frame challenges in
respect to the overall goals. Be as clear as possible and consistent
with the framework of your metrics over time. Give your insights and
recommendations and back it up with logical reasoning. You are their
expert. Be ready to help them understand when asked.”

Boards, he explained, are about strategic positioning and success.
They do not focus on minutia, even if it is interesting to the CISO.

Most boards want to hear the high-level issues, have an opportunity to
ask questions, want to understand if compliance is being met, and how
the security posture compares to peers. If issues are being worked,
they want progress reports and to know if anything else is needed.

At the same time, the CISO must be able to communicate the value
proposition in terms of the executive management’s business goals.
Here it’s less about strategy and more about the goals of the
individual executives.

“All the profit centers want to know how security can be a competitive
advantage or protect the reputation with their accounts. For example,
Sales and Marketing may be most interested in keeping their customer
lists and revenue targets confidential. Legal may be most concerned
with regulatory compliance and data breaches. IT is always concerned
with downtime and malware cleanup. The CISO must understand the
requirements, be a team player, and convey the benefit to foster
necessary support,” he noted.

Integrating new tech

For every new technology that is implemented in the organization, it’s
important to evaluate the unintended risk consequences and adapt as
necessary.

Hacking tools and methods are constantly developed and security teams
must be vigilant in maintaining awareness and proactively land risk
mitigation capabilities across the prevention, detection, and response
cycles.

New security security tools represent both an opportunity and a risk,
Rosenquist pointed out. “In many cases, better tools can reduce the
risks, costs, or friction of usability and productivity. These may be
worthwhile to consider adopting. Alternatively, if peer organizations
shift to better tools ahead of you, this makes you a comparatively
easier target which may earn the attention of attackers seeking an
easy victim.”

Of course, not all security products are worth the money.

“The security industry is cutthroat and still full of misdirection,
fear-mongering, snake oil peddling, and immature products. It really
is a ‘buyer beware’ market,” he added, and advised CISOs to look
beyond the marketing noise when evaluating the latest offerings.

They should:

- Listen to promotional materials with a high degree of skepticism
- Dive into the methodology behind metrics
- Verify claims
- Tap industry experts for opinions
- Reach out to peers who have firsthand knowledge of the product’s
effectiveness.

Finally, he noted, for those solutions that look promising, CISOs
should evaluate the products in-house to prove real usefulness and
align results to the organization’s risk goals to determine the value.

His prediction for the coming years is that more and more security
solutions will be embracing AI to better manage risks.

“Specifically, AI will be leveraged to handle the scale of more
threats in autonomous ways, provide adaptive controls based upon
unscripted ‘learned’ criteria, allow for faster detection of malicious
activities across silos, self-develop customized responses, and
provide better prediction insights all at a lower cost.”