Today’s dynamic IT environment is fraught with buzzwords, business clichés, and new technologies whose security implications are not yet well understood. As senior business leaders hear the phrases “advanced persistent threat”, “move to the cloud” or “security to better enable the business” they struggle with determining the responsibilities that the Chief Information Security Officer (CISO) position will hold, as well as where the role will fit within the business hierarchy.
One of the predominant issues is that the CISO position has evolved (or devolved) into an enigmatic post, one in which the occupant often has limited authority, an inadequate or shared budget, reports to multiple executives such as the CEO or CIO, and presides over a decentralized labor force that is far too often not organized as a distinct function and frequently comprised of individuals who do not report to them directly. These issues are for business leaders to sort out through the functionalization of IT security and the empowerment of the CISO. However, the role the CISO plays within the organization must itself be examined. To that end, there are several common pitfalls that can inhibit the success of IT security leaders; below are several recommendations that, if heeded, can help the CISO become more effective by fostering an environment that maximizes information security capabilities while minimizing the impact security has on the business.
CISOs should not directly select or purchase information security controls.
Milton Friedman, a notable economist, famously said that there are four ways to spend money, the ideal being when people spend their own money on themselves: when this happens they not only economize, they also seek out the best products and services. All other forms of spending fall short, a pattern that holds true in the budgeting for and selection of information security solutions. The problem is twofold and maps directly onto Friedman’s theory. First, when CISOs select security controls for use by other people, they are far more likely to seek out solutions that provide security theatre, a term coined by Bruce Schneier to describe measures that do not actually improve security but are likely to give casual observers a “warm and fuzzy” feeling. This is, quite simply, because the people evaluating the CISO’s performance often have very little operational information security knowledge. Second, if the CISO has a budget and allows security operations personnel to select solutions, they will put forth a best effort to select effective controls, but they will not be cost-conscious in doing so, as the money being spent is not theirs. The fix is a combination of resource provisioning and operational empowerment: the CISO should allocate a budget to security operations personnel and allow them to select controls. As a result, they will be both paying for and using the chosen solutions, which is the ideal scenario under Friedman’s theory. Where does the CISO fit into this process? Before the fact, he or she uses risk assessments to determine the total amount of money that should be spent on information security controls. Then, after operations personnel select their controls, the CISO retains veto power to determine whether the selected controls serve their intended purpose and whether they impede business functions to an unacceptable degree. The CISO may then close the gaps as necessary or make the case for additional funding.
Don’t assume (or try to make the case) that all info security technology can enable the business.
As we walk into a facility, we see physical security mechanisms such as fire extinguishers and perimeter fences. These controls are implemented in order to protect the organization from fire and intruders, respectively. They may also serve to achieve compliance with a regulatory or legal requirement. The bottom line is that no one tries to convince management that these safety measures are business enablers, and certain information security technologies should be no different. Rather than making the hard sell that every security technology is capable of improving business processes, take a three-pronged approach to evaluating solutions on behalf of the business. First, make certain that you have put together a strategy to ensure that information security solutions impact critical business functions as little as possible. This might mean occasionally recommending that plans be scrapped altogether for the sake of critical business functions, a step that will undoubtedly win over business leadership. Second, formulate plans to better secure (and make available) the technologies and processes that actually do enable the business to achieve its strategic goals. It is critical to demonstrate the value of security, and no matter how imperfect the measure, CISOs need to ensure there is a quantifiable return on security investment (ROSI). To demonstrate value, CISOs need to make certain they are effectively speaking the native business language of their executives. They also need to demonstrate a detailed understanding of how the business operates, of its goals and strategies, and of the worth of the organization’s information resources, which is the ultimate justification for why it is so vital to protect them.
Third, quantify in dollars the costs that could be incurred from an adverse incident should a specific control not be implemented. There is no way to impede every cyber attack, nor do your stakeholders expect you to. Instead, your stakeholders, stockholders, and observers expect the CISO to take all reasonable measures to prevent a security breach or incident from taking place in the first place. When an incident does occur, those with skin in the game expect the team to respond quickly and appropriately to protect their investments.
Recuse yourself from security healthcheck or self-assessment activities.
Big-name auditing firms and other security vendors are vigorously pushing to sell all sorts of information security “healthcheck” solutions based on standards such as ISO 27000. These often consist of elaborate spreadsheets that ask security professionals to rate their organization’s maturity against predefined information security control objectives, a practice that can be very effective at identifying areas of weakness. The problem lies in determining who will provide input for these assessments and in accounting for how differently individuals measure progress. Security operations people, or “those on the front line”, tend to measure security simply: how effectively and predictably they are able to prevent, detect, and respond to attacks. As a result, the input given by these individuals tends to reflect the true security posture of their organizations, or “ground truth” to borrow a military term. On the other hand, higher-level management has an inherent bias to measure progress by way of the number of projects completed, pages of documentation written, and man-hours burned in the course of closing identified security gaps. As such, CISOs should avoid contributing input to these assessments. They have plenty of responsibility in interpreting the results, reporting them to senior leadership, and developing plans for improvement.
Want an accurate and cost effective asset/data criticality analysis? Get it from your adversaries.
Identifying and valuing assets is one of the most overlooked components of information security planning, primarily because it is so challenging to garner participation and assign quantitative values to data and certain intangible assets. Further, choosing a methodology for assigning values can be daunting: managers must determine whether to use the cost of acquisition or development of the asset, the cost of replacement, maintenance costs, or the monetary value of any competitive advantage derived from the asset. Even when formal valuation strategies are successfully developed, these efforts can be thwarted by the significant costs and level of effort they demand, or simply fail due to organizational politics, personal biases, and lack of expertise on the part of participants.
The solution is to look to adversarial targeting as an alternative asset valuation method. Managers should leverage existing, known attack metrics to determine which systems, networks, and technical data are most sought after by highly sophisticated cyber attackers. The output of these metrics suggests courses of action to help detect, deter, and respond to previously unidentified threats, and the ability to distinguish automated botnet scans from single, one-off (APT) attacks on individuals or systems can go a long way in determining not only which assets are targeted, but whether the targeting is broad or focused. The result is an effective, unbiased, and relatively inexpensive valuation.
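One way to turn the targeting data described above into a ranked asset list, as an added illustration that is not part of the original article: sources that touch many distinct assets are treated as broad, scan-like activity, while sources that hit only a few assets repeatedly are treated as focused, and assets are then ranked by how much focused attention they attract. The event records, asset names and the breadth threshold are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample of (source, destination asset) records, e.g. from firewall
# or IDS alerts. These values are invented for illustration, not real telemetry.
SAMPLE_EVENTS = [
    ("198.51.100.7", "web-01"), ("198.51.100.7", "web-02"), ("198.51.100.7", "mail-01"),
    ("198.51.100.7", "vpn-01"), ("198.51.100.7", "db-01"), ("198.51.100.7", "fileshare-01"),
    ("203.0.113.44", "eng-fileshare"), ("203.0.113.44", "eng-fileshare"),
    ("203.0.113.44", "eng-fileshare"), ("203.0.113.44", "cad-license"),
    ("192.0.2.19", "eng-fileshare"), ("192.0.2.19", "eng-fileshare"),
    ("192.0.2.19", "hr-portal"),
]


def classify_sources(events, breadth_threshold=5):
    """Label each source 'broad' (scan-like) when it touched at least
    breadth_threshold distinct assets, otherwise 'focused'. The threshold is
    an assumed tuning parameter, not a value from the article."""
    targets = defaultdict(set)
    for src, dst in events:
        targets[src].add(dst)
    return {src: ("broad" if len(dsts) >= breadth_threshold else "focused")
            for src, dsts in targets.items()}


def rank_assets_by_focused_targeting(events, breadth_threshold=5):
    """Return (asset, focused_sources, focused_events, broad_events) tuples,
    most focused-targeted asset first. Broad-scan hits are counted separately
    so they do not inflate an asset's apparent value."""
    labels = classify_sources(events, breadth_threshold)
    score = defaultdict(lambda: {"srcs": set(), "focused": 0, "broad": 0})
    for src, dst in events:
        if labels[src] == "focused":
            score[dst]["srcs"].add(src)
            score[dst]["focused"] += 1
        else:
            score[dst]["broad"] += 1
    ranked = sorted(score.items(),
                    key=lambda kv: (len(kv[1]["srcs"]), kv[1]["focused"]),
                    reverse=True)
    return [(asset, len(s["srcs"]), s["focused"], s["broad"]) for asset, s in ranked]


if __name__ == "__main__":
    for asset, srcs, focused, broad in rank_assets_by_focused_targeting(SAMPLE_EVENTS):
        print(f"{asset:15} focused_sources={srcs} focused_events={focused} broad_events={broad}")
```

In the constructed sample, eng-fileshare ranks first because two separate focused sources returned to it repeatedly, while the six assets touched once each by the scanning source score zero on focused targeting.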
Reshape the way you interpret security metrics.
We all know the degree to which unintended consequences can change security metrics. For instance, as more sophisticated, host-based malware attacks become increasingly undetectable, it may falsely give the appearance that anti-virus software is successfully protecting the corporate network because the number of alerts is trending downward. One response to minimize the misconceptions created by statistical anomalies is to account for unintended consequences prior to implementing security controls and to decide how metrics will be used thereafter. One approach may be to disregard metrics for a predefined period after a major change is made. Another may be to quantify the adjustments that will be made based on the change and build those estimates into your metrics. Next, make certain to avoid implementing mechanisms that result in the collection of more data unless you are taking action on all of the data currently being collected. Doing so can reduce the value of metrics, make it difficult to focus on the most significant pieces of information, and disenchant those responsible for sifting through and compiling large quantities of data. Lastly, as threats and risks adapt over time, it is important that the defenses change and adapt along with them. The CISO must spend time making sure they really understand their business environment and the array of data being provided to them, and adopt a risk-based approach that prioritizes the security controls, methodologies, and metrics that will provide the greatest level of support for the organization’s business objectives. This shift of focus is not simple, and may sometimes require taking on more risk than previously accepted.
Leverage collateral security efforts and industry specific partnerships.
Whether you are in the defense business, banking, health care, or e-commerce, odds are that your organization already has people charged with maintaining compliance with an array of legal or regulatory requirements. Unfortunately, many CISOs launch information security programs that run entirely independently of these efforts, resulting in overlap, waste, and an inability to achieve economies of scale when procuring services. This may be particularly problematic in conglomerates that operate in multiple sectors. A more effective alternative is to take a “collateral security inventory” in order to measure the scope and effectiveness of existing programs. The result may be the elimination of redundancies and a more streamlined organization. Further, participate in industry-specific partnerships whenever possible. One example is the Defense Industrial Base Collaborative Information Sharing Environment (DCISE), a mechanism for sharing threat data among military contractors. Such groups can provide a more comprehensive and holistic understanding of the current threat landscape and can also serve as a means of verifying and validating the threats you know to be material to your organization, thereby boosting your credibility in the eyes of those evaluating your performance.
About the Authors
Salvatore C. Paladino is a Cyber Security Analyst and Project Manager with a large defense contractor in support of the Department of Homeland Security and the Department of Defense. His areas of expertise include technology evaluation, transition, and deployment, information security policy development, information assurance training and awareness, and the identification of emerging cyberthreats. He has authored numerous technical papers and has testified before the New York State Commission of Investigation as an expert witness specializing in cybersecurity.
Mr. Paladino holds a BS with a concentration in Computer Security from Utica College of Syracuse University and an MBA in Technology Management from the State University of New York. In addition to being certified in Risk and Information Systems Control (CRISC) and a Certified Information Systems Security Professional (CISSP), he is a CompTIA Network+, Security+, A+ and CTT+ Certified Professional. He is also an Adjunct Instructor of Cybersecurity in the School of Business and Justice Studies at Utica College. Sal can be reached for comment at firstname.lastname@example.org.
David Sarmanian is a Director with a large defense contractor who supports the United States Intelligence Community and the United States Army. He is a former cyber intelligence analyst and computer network defender. He is responsible for directing cyber go-to-market solutions, strategies and business planning across six vertical markets, serving as the cross-functional business lead for the Cyber Security practice. His areas of expertise include cyber operations, information assurance and information systems security. He has extensive experience in risk and compliance management for national security solutions for U.S. Government and commercial customers.
Mr. Sarmanian holds a BS from the University of Rhode Island and is currently completing his Master’s in Cyber Intelligence from Utica College. He is a Certified Information Systems Security Professional (CISSP), Certified Incident Handler (GCIH), Certified Intrusion Analyst (GCIA) and is IT Infrastructure Library (ITIL) v3 certified. David can be reached for comment at email@example.com.