2023-07-24

Trust is and always will be a two-way street, and verification is how trust is earned and maintained. The old proverb "trust but verify" drives home the point that one should verify everything before accepting or committing to a course of action.

Every enterprise, regardless of sector, has engagements which require trust, be they with colleagues, employees, suppliers, or vendors. CISOs know this better than most, as they are often bringing tools into their security mix to help protect assets and are trusting that these will work as advertised. Yet anyone familiar with 30 years of Silicon Valley marketing hype has become very familiar with the term "vaporware" — clearly, trust can never be absolute.

Verify that third-party tools will function as advertised

I am by nature a skeptic, and even my own family has long labeled me a doubting Thomas. I am a big fan of verification, and that makes me a big fan of Horizon3 CEO Snehal Antani, whose use of the proverb is front and center in his company's marketing efforts, but with the words "trust but" crossed out — leaving only "verify."

In a conversation at RSAC 2023 on the huge merits of red teaming, Antani reiterated his contention that there should be "no trust," that his advice to CISOs is always "don't trust," and that the only secure policy is to "just verify."

More recently, I had the occasion to revisit the discussion and ask Antani to expand on his remarks, specifically for the CISO community. He offered that: "As an industry, we have a security effectiveness problem, in that the many vendor tools and processes within the SOC require significant effort to configure and tune correctly. Attackers know this and are able to attack at the seams of these tools."

That means that even though a company might spend millions of dollars on the latest security offerings such as SIEM, UDA, EDR, and the like, it shouldn't simply trust that these tools will successfully fend off attackers — it must verify their effectiveness early and continuously.

"Don't tell me we're secure through PowerPoint, show me we can effectively stifle attacks today," Antani says. "Then show me again tomorrow. Then again next week, because our environment is constantly changing, and the enemy is quickly evolving."

Verify your team and their abilities

Few would argue with Antani's observation that the CISO's adversaries are well-resourced and able to evolve and iterate quickly. They too have personnel who went to the best schools and regularly exhibit no shortage of creativity.

While many cybersecurity leaders tend to focus their efforts on verifying the tech stack, technology is only one part of the equation, according to Immersive Labs founder and CEO James Hadley. "Your people are your real differentiator," Hadley says. "No matter how confident your team feels about their own capabilities, until you have metrics, how do you really know they're prepared for the next attack? Until you have proof, confidence is meaningless."

Hadley minces no words in his admonishment to CISOs to "ditch their old mindsets and infrequent check-the-box approach to cybersecurity training and instead regularly battle-test their teams — but more importantly, gain concrete proof, and verification, that they're equipped to face emerging threats."

"Let's face it — today's approach isn't working if nearly half of the security leaders say their employees would not know what to do if they received a phishing email, despite years of security awareness training and phishing tests."

Teams should have regular training and assessment

Hadley is quite correct in his blunt assertion that, like tools, people should also be verified and not simply trusted. Just because a team member has the right credentials doesn't mean they will always have the latest information or tech at their disposal.

"It's naive to trust that just because there are employees who have a university degree in cybersecurity, got a professional certification, or even worked in the field for a decade, they're truly cyber resilient," Hadley says. "There are likely areas that need improvement as your team works together, and those need to be identified and addressed by assessing, exercising, upskilling, and proving capabilities. From techs to execs, everyone should be benchmarked and upskilled to sharpen their skills."

Steve Benton, vice president of threat research at Anomali, spoke to me at RSAC 2023 and shared a most useful and entertaining analogy. He spoke to the need for threat intelligence to be considered another factor, likening it to a DJ and his "music in the mix."

Playlists represent the organization's policies and procedures. Just as the DJ carefully selects songs to ensure flow, the organization must "carefully select the controls that will be implemented to mitigate cybersecurity risks. Genres of music are as plentiful as the different types of cyber risks. The DJ mixes the genres to ensure a seamless and enjoyable experience, while the CISO needs to ensure their implementation doesn't disrupt business."

Then there's the final step: performance. "The DJ needs to be able to monitor the audience's reaction to the music and make adjustments as needed," Benton says. "In the same way, an organization needs to be able to monitor its cybersecurity posture and make adjustments as needed."

Test, plan, and test some more

In sum, as Antani noted, don't trust, just verify with respect to tools. Chaim Mazal, chief security officer at Gigamon, notes that focusing on achieving zero trust won't be enough. One must go beyond the recommendations being proffered by CISA and others.

"Traditional certifications don't prove cyber resilience," Hadley says. "To gauge true preparedness for the next attack, CISOs can put their teams through simulations and real-life scenarios." CISOs can also identify where their team's strengths and weaknesses exist, which is the point Benton was making when he noted that when it came time to perform, an organization must be ready to adjust.

As one who has worked within many a high-stress environment, all of which included a myriad of personality types with different levels of experience and education, one really doesn't know how the team is going to function until the day of reckoning arrives and the rubber hits the road. Testing and more testing is how the team stays between the white lines and on the road to success.

Ensure deep observability across your organization

"Cybersecurity leaders are being fed a range of recommendations and guidelines for architecting a zero-trust framework," Mazal says. "My recommendation to them is to make sure they have deep observability across their organization's hybrid cloud infrastructure. This will address hybrid cloud security requirements beyond zero trust. Strengthening the capabilities of log-based security tools with real-time, network-derived intelligence and insights will enable them to detect previously unseen threats and better secure their hybrid cloud infrastructure."

For CISOs to continue to have their voice heard, verification is a must, and it is achievable, but not without steadfast effort. If either technology or personnel are found lacking, the gaps will be exacerbated, and things will go south in a hurry.

Therefore, test, and test often, both your personnel and the tools they use to do the job. As Mazal says, "taking a zero-trust approach to workforce cyber resilience and backing it up with regular exercise, proof, and measurable improvement will ultimately lead to stronger cyber postures for organizations, which should be a bottom-line priority for boards and business leaders alike."