AusCERT 2013: Visibility critical when selling IT security to execs, says Foxtel CSO

Hard-to-find security skills and the rapid pace of malware evolution make a strong relationship with a managed security services (MSS) provider as important as maintaining the internal tools to keep business executives apprised of IT-security risk, Foxtel information security manager Kevin Shaw has advised.

“Whether it’s talking with executives or with the MSS provider, the more you put into a relationship the more you get out of it,” the 18-year IT-security veteran told attendees at the AusCERT 2013 security conference. “The results of doing that pay for themselves ten-fold.”

Properly informing those relationships, however, remains one of the security executive’s biggest ongoing challenges: different expectations, changing technologies, malleable business objectives – and the constant dread of being the one confessing a security breach to a risk and audit committee or angry CEO – all force security executives to be as proactive as possible when it comes to managing risk.

“Nothing is standing still, and even the IT environment you’re trying to protect is evolving quickly itself,” he said. “With third parties such as suppliers and contractors coming through, the size of the organisation can fluctuate quite dramatically depending on what projects are on the go. So, it’s a very nebulous environment that you’re trying to build some structure in.”

“It’s like trying to bake a cake on the back of a running horse.”

Data gathering for the big picture

Shaw, who manages the information-security posture for the pay-TV broadcaster, long ago recognised the importance to of knowing exactly what’s installed in an organisation’s IT environment.

“It’s amazing how many organisations don’t really understand how many devices they have on the network, who’s connecting, and where the servers are,” he said. “These days with virtual machine environments, we have people spinning up instances all over the shop without necessarily coming through the IT or security department.”

Regular discovery scans, even those conducted outside of change management database (CMDB) systems, are crucial to keeping track of the ever-changing configuration. Once devices have been located and identified, they should be verified and approved, then tied to their owners long-term so there is a clear line of responsibility.

“I want to know that if someone adds a new server, that I can come back through my actionable intelligence and confirm that box has the right agents, has been hardened for the criteria we’ve mandated,” Shaw said. “Through repeated scans that touch the boxes on a regular basis, we can later understand whether they are in the same kind of configured state as when they were was deployed.”

Under Shaw’s guidance, Foxtel has maintained a long-term MSS relationship with Symantec, which provides extra skilled staff that not only keep apprised of new threats, but monitor the company’s infrastructure 24/7 for signs of malicious activity. The MSS staff are also given data on device ownership so they can quickly tie a specific issue back to the business impact it might have.

“It really helps to be able to take all that back to the MSS provider, because they are the people with the global vision, the honeypots, and the intelligence coming back from other clients. They can start joining the dots and giving you actionable intelligence from all the data we’ve fed through.”

A few years ago, Shaw said, a potential security incident was detected only because the MSS was able to correlate the many sources of data and raise the alarm.

“The only reason it was picked up was because it went through the MSS provider, was picked up and married together with other information and sent back to us to deal with,” he said. “Had we relied on our own resources to respond to it, we would not have picked up the signal because we didn’t have all the information that they had going through the MSS.”

Everybody owns [infrastructure] when they don’t want you to touch it, but nobody owns it when it’s their bum on the line if things go wrong

The executive sell

Building on the MSS relationship not only allows Foxtel to be more proactive in maintaining its security posture, but supports interactions with executives who are less concerned with technical minutiae but think of IT security in terms of business risk.

Analysis of internal cost-recovery claims is a great way to marry IT-security activity to potential business change: once the IT staff know which business units are paying for what systems and services, it’s much easier to know how any potential security issue will affect which parts of the business.

Using this information to drive change, however, can be tricky because it can upset tightly managed perceptions of control over infrastructure. “I’ve had to learn to sell in different ways to different audiences,” Shaw said.

“Your IT operations person wants to know that your systems aren’t going to be bringing down his infrastructure; otherwise, he’s absolutely not going to let you come near anything he’s got. Everybody owns it when they don’t want you to touch it, but nobody owns it when it’s their bum on the line if things go wrong.”

Security data from regular device scans often reveals configuration changes that might have otherwise gone unnoticed, and which could potentially affect compliance with requirements such as the PCI DSS payment-cards security requirement.

Shaw has often found it’s easier for an internal security organisation to get leverage with other business units by handballing the bad news to the MSS: “it’s always effective bringing in external parties to talk to your executives,” he laughed. “People come in externally and say the same things that you would say, and it has much more cachet if it’s coming from an external expert.”

Strong relationships, backed by justifiable assertions about the integrity of IT-security efforts, can pay off when it comes time for arguing for IT-security budgets.

“Every year we find ourselves having to fight pretty hard to protect what we’ve already been allocated in terms of the budgets; those constraints are no different than anywhere else in IT,” Shaw said. “I’m constantly having to sell security and compliance, and the threat the organisation is facing, on a daily basis.”

“Your executives are not going to give you budget unless you can marry together the value from MSS, actionable intelligence – unless you can demonstrate the value to the business and where the business is trying to go. But it is a lot easier for me to get budget and funding around using an MSS than it is to buy technology and get the head count to run it internally.”

Follow @CSO_Australia and sign up to the CSO Australia newsletter.