Winning the security fight: Tips for organizations and CISOs
For large organizations looking to build a robust cybersecurity strategy, failure to get the fundamentals in place practically guarantees a disaster.
If you ask Matthew Rosenquist, a former Cybersecurity Strategist for Intel (now independent), overcoming denial of risk, employing the right cybersecurity leader and defining clear goals are the three most critical objectives for avoiding a negative outcome.
Getting things right
“Every organization, large and small, begins with a belief they are not at significant risk. This denial is dangerous and can persist even when attacks occur,” he told Help Net Security.
This denial must be addressed with facts and critical thinking and, once leadership accepts the need for cybersecurity and the responsibility for addressing related risks, they must find and employ a good cybersecurity leader.
Rosenquist warns against employing experts from unrelated domains.
“Far too often organizations believe cybersecurity leadership is a simple project management or technical role and that just about anyone could be successful in it. I have seen excellent human resources, marketing, engineering, and finance managers be given the role, which eventually resulted in calamity,” he shared.
Even worse: they might bring in staff they trust who are not competent, creating a closed group of novices that will flounder without even knowing they are failing.
“Being successful in cybersecurity is not accomplished by luck or by mistake,” he remarked. “It takes contextual knowledge, special skills, experience, passion, and the relentless pursuit of understanding and mitigating risks in order to build the right foundations for success. A leader must use all of their proficiencies to be able to communicate risks, develop plans, articulate value, motivate team members, drive operation excellence, and to foster goodwill across the organization. In cybersecurity, the absence of quality leadership guarantees crises.”
(The good news is that most large companies have overcome denial of risk and many are including cybersecurity skill sets into the C-suite and even the board of directors.)
Finally, it is essential that every security organization has clear strategic goals to satisfy stakeholders’ expectations. Only with clear goals agreed upon by the top organizational rung can a long-term plan be developed – one that will be resistant to distractions and deliver sustainable value.
“Without clear goals there is also no way to gauge, justify, or prioritize security, therefore expectations will never be met and the program will eventually be viewed as a failure,” he pointed out.
CISOs’ challenges
Chief Information Security Officers (CISOs) have their work cut out for them.
In order to be effective, they must:
- Understand, manage, and communicate the complex set of shifting cyber risks that exert pressure on the enterprise
- Garner support from the C-suite and the board levels as well as middle management, and influence the actions of every employee and vendor
- Address and stay in lockstep with the technology and process shifts implemented across the organization, securing the potential vulnerabilities they introduce.
“Unlike the straightforward operational challenges of information technology (IT), cybersecurity is forced to constantly change in order to meet and counter the persistence and innovation of the attackers,” Rosenquist noted.
“It is not just about addressing the weaknesses of yesterday or the issues of today, but also the new attacks that tomorrow will bring. The CISO’s goal is to continually achieve optimal balance between the risks, costs, and usability factors for cybersecurity.”
Constantly managing cyber risk
Eliminating every risk an organization may face would be astronomically expensive and extremely burdensome – the CISO’s role is, therefore, to manage cyber risk through prioritization. To decide what matters most to a risk management initiative, the goals must be defined, exposures identified, and possible avenues for control explored.
The organization’s risk appetite is defined through a discussion between the executives and the board. It should be expressed in both qualitative and quantitative terms, for clarity and for metrics tracking, he notes.
“For example, it may include conditions like ‘no data breaches involving sensitive customer information’, compliance with all regulatory requirements, and less than 4 hours of downtime per quarter due to cyber-attacks. The list can be as extensive as desired but must also be accompanied by estimations for costs, friction to system usability, and impacts on employee productivity.”
Once defined, these targets become the overall goal for the cybersecurity program. Based on those goals, the CISO can identify what is most important to secure, what technology constitutes the digital ecosystem, what controls are already in place, and what controls should be put in place.
The answers to the questions of what is most important to secure, and how, should also be informed by the CISO’s understanding of the opposition.
“If you know the goals, methods, and capabilities of the attacker archetypes that constitute the primary threat to the security goals, it is possible to identify the most valuable avenues for investment to intercept the likely attacks,” he concluded.
Garnering support from the board and the C-Suite
It’s important for CISOs to realize what the board is there to do and tie cybersecurity to their objectives.
“Be clear and speak in plain terms, don’t try to overwhelm them with technical or security terminology, don’t use FUD, be open and pragmatic,” he advised.
“Use industry data as benchmarks and always frame challenges in respect to the overall goals. Be as clear as possible and consistent with the framework of your metrics over time. Give your insights and recommendations and back it up with logical reasoning. You are their expert. Be ready to help them understand when asked.”
Boards, he explained, are about strategic positioning and success. They do not focus on minutiae, even if they are interesting to the CISO.
Most boards want to hear the high-level issues, have an opportunity to ask questions, understand whether compliance is being met, and learn how the security posture compares to that of peers. If issues are being solved, they want progress reports and to know whether anything else is needed.
At the same time, the CISO must be able to communicate the value proposition in terms of the executive management’s business goals. Here it’s less about strategy and more about the goals of the individual executives.
“All the profit centers want to know how security can be a competitive advantage or protect the reputation with their accounts. For example, Sales and Marketing may be most interested in keeping their customer lists and revenue targets confidential. Legal may be most concerned with regulatory compliance and data breaches. IT is always concerned with downtime and malware cleanup. The CISO must understand the requirements, be a team player, and convey the benefit to foster necessary support,” he noted.
Integrating new tech
For every new technology that is implemented in the organization, it’s important to evaluate the unintended risk consequences and adapt as necessary.
Hacking tools and methods are constantly being developed, and security teams must be vigilant in maintaining awareness and proactively deploying risk mitigation capabilities across the prevention, detection, and response cycles.
New security tools represent both an opportunity and a risk, Rosenquist pointed out. “In many cases, better tools can reduce the risks, costs, or friction of usability and productivity. These may be worthwhile to consider adopting. Alternatively, if peer organizations shift to better tools ahead of you, this makes you a comparatively easier target, which may earn the attention of attackers seeking an easy victim.”
Of course, not all security products are worth the money.
“The security industry is cutthroat and still full of misdirection, fear-mongering, snake oil peddling, and immature products. It really is a ‘buyer beware’ market,” he added, and advised CISOs to look beyond the marketing noise when evaluating the latest offerings.
They should:
- Listen to promotional materials with a high degree of skepticism
- Dive into the methodology behind metrics
- Verify claims
- Tap industry experts for opinions
- Reach out to peers who have firsthand knowledge of the product’s effectiveness.
Finally, he noted, for those solutions that look promising, CISOs should evaluate the products in-house to prove real usefulness and align the results with the organization’s risk goals to determine the value.
His prediction for the coming years is that more and more security solutions will be embracing AI to better manage risks.
“Specifically, AI will be leveraged to handle the scale of more threats in autonomous ways, provide adaptive controls based upon unscripted ‘learned’ criteria, allow for faster detection of malicious activities across silos, self-develop customized responses, and provide better prediction insights, all at a lower cost.”