Monday, October 24, 2016

Challenges Facing CISOs

I was recently asked to comment on what I believe are the biggest challenges facing the CISO or CSO as we venture closer to 2017. This past year was one where ransomware clearly dominated the early headlines, followed by email security and the ramifications of personal emails being leaked publicly. The ransomware issue affected multiple health care institutions in high-profile ways that caused disruptions in the medical industry, highlighting apparent gaps and vulnerabilities in that critical infrastructure. Still, the affected organizations proved highly resilient as they executed their business continuity plans. The leaking of private and protected information via email has also had wide impacts on legal issues within the US, as well as potentially affecting the pending Presidential election. That issue uprooted deep social, political, and legal debates across the country. Even more recently, news regarding the US releasing control of core Internet infrastructure and governance to international bodies, followed by a massive DDoS against a core DNS provider accomplished via a botnet comprised of IoT devices, revealed how dependent we are upon the Internet for everyday life, and how vulnerable our interconnectedness remains.

From this 2016 experience, we might be tempted to run to the critical infrastructure debate again as the next pressing issue for corporate Security Officers. We might also run to the topic of regulation and government oversight, or proactive government protections through means like intelligence sharing, as the pressing issue that must be addressed in 2017. We may also be tempted to run to the topic of securing email and protecting our executives from being publicly embarrassed as the next big noble cause. Or, we might sound the alarm regarding the risks of interconnectedness and personal devices known as the Internet of Things (IoT), calling for new solutions and standards to be adopted by providers in that sphere as yet another layer of regulation. Any such move would also likely stir the hornet's nest with regard to the personal privacy debate. Any or all of these topics might land on the various lists of predictions for security concerns in 2017 that are likely being drafted by marketing teams now.

However, in my opinion, these issues have already had their time in the spotlight. We've already identified them, debated them, regulated them, and industry has already provided solutions. Those solutions have had adequate bake-in time and are well matured. We already know how to prevent malware from installing onto our endpoints, regardless of the type. We have numerous layers of technology that can satisfy that mission for us. We have countless threat intelligence communities who regularly pass malware samples and identifiable attributes among each other. We know how to operate under disasters should our critical systems come under attack or be rendered otherwise inoperable. Business continuity and disaster recovery plans were all the rage in 2004, so we know how to operate if our protections fail us on a grand scale. We know how to secure email, both in terms of preventing unauthorized access and in terms of preventing email from being used as a means for weaponization, delivery, and infiltration. The dynamic sandbox and file analysis book has been written, the solutions darn near perfected, complete with open source options. We also know how to mitigate DDoS, and we as both consumers and professionals expect life disruptions from that. The Hacktivist community beat that into our subconscious years ago with round after round of attacks against financial institutions that led to broad consumer awareness of the state of cyber security. You see, this is all old news. The impacts that permeated through 2016 weren't for a lack of technology or available preventative solutions.

The problem that 2016 highlighted is that we don't do what we know we should do. The real problem is that people in general are becoming increasingly aware of the cybersecurity issues and potential impacts of our interconnected world, but they don't understand what it takes in terms of resources and conformity to implement the right solutions, and we lack the discipline to adapt our lives to operating within those boundaries of propriety and security. What we lack is understanding and willingness to change or adapt our culture for the sake of security, and that is what I believe is the main challenge facing the modern CISO/CSO as we approach 2017: awareness without understanding, and corporate culture that refuses to change.

Executive leaders are inundated with a message of doom from the media and a message of defeatism from prior victims, which is exacerbated by the stream of new ideas elevated by the security industry. Executives and the public are being told, "security is broken," and they are drawn to the sales pitch that claims the latest approach to addressing problem x is finally the approach that we've been waiting for. The claim is that past attempts didn't work because we didn't have big data or automation or machine learning or whatever. These new solutions are ready off the shelf, and sales teams market existing vendor partnerships to demonstrate the ease of integration with existing solutions. The fear of the cloud has subsided and now represents a marketing opportunity to re-tell the same old story under a new name. I recently heard the argument that said, "if we had already solved cyber security problems, why does the vendor floor at the RSA Security Conference keep growing?" That's an argument used by sales teams or businesses seeking investors, trying to convince you that something new is needed and they have just the thing. I can count off the top of my head five new start-ups in the past two years that I was asked to evaluate, each of which claimed they had finally solved a problem that no one else could figure out, but each of which represented a practical example of an old idea that lacked maturity and the wisdom from the lessons learned over the past decades. None of them were new or unique, but they claimed to be, and were attractive to executives because they represented the latest start-up that was just waiting to bloom into the next huge Silicon Valley success story. If it used cloud or machine learning or AI, then surely it works, right?

You see, there's this lie out there that claims we can't and haven't solved the cyber security challenges with technology. This message for some reason permeates the executive levels of many companies. They assume they can't solve the security problem, so they invest heavily in efforts to help them quickly remediate the pain. They assume that since solutions of the past didn't work (as exemplified by the constant stream of breaches), practitioners from the past are irrelevant. Executives hear buzz words like "APT" and "nation state" and "threat actors" and assume those individuals or organizations are too sophisticated to defend against, and require something new. They hear the message of doom and gloom and succumb; meanwhile, they hire CISOs or CSOs and divert the responsibility to them, seeking the minimally viable solutions that enable them to operate as a business while satisfying regulatory and customer expectations. It's this mixed message of assured doom, unpreventable threats, the need to think of new and innovative methods, and a constant stream of start-ups that has us all confused.

The reality is, we have the solutions already. We've had them for a while now. What we lack is common understanding of the root problems and what it takes to solve them, and we lack the discipline to see those solutions through implementation and to adhere to the boundaries we must live in once they are established. You see, the solutions are often expensive, intrusive, and will define structure around your day-to-day. They will define how your business can function. They will create friction above other, easier options. They will take time to implement, during which your window of risk will remain unmitigated. In the end, they will be effective, but companies and organizations have to understand what they are doing, they have to count the costs, and they have to accept what comes based on that decision. We have to learn to stay true to our decisions, not stray from them, and see our commitments through to the end. What remains in our way isn't a lack of technology; it's ourselves.

There's another factor that further complicates the CISO's effectiveness. Many companies today pride themselves in their culture, and they are adamantly against anything that challenges or causes that culture to change. I've even heard it from CISOs themselves:

"We have an open culture here and we want our employees to have open and free access to the Internet - to choose for themselves what they need to do to be the most productive at their jobs. We aren't going to get into the business of restricting access to websites based on the appropriateness of content or their hosted subject matter because who are we to decide that? Employees and their managers get to decide what is appropriate for themselves. We are going to focus on transparent security."

Corporations surrendered to employee culture in another highly visible way known throughout the industry as Bring Your Own Device or BYOD.

Herein lies the core problem. We, the security practitioners who do understand the problem, aren't willing to define and enforce safe boundaries, and we aren't willing to hold our employees accountable to operating within them, because that constricts "culture" or the "user experience" in a way that creates friction for the employee or consumer. Sometimes we are willing, but our executive or HR teams aren't. Culture to many companies is what defines them, and is the tool by which they attract new talent and retain who they have. How many times have you heard, "we don't do that here, because that's against our culture"? I've even heard the phrase "we need to create frictionless solutions" so we don't disrupt the employee work experience. Ok, as long as that is your goal, you can't adopt the readily available and effective solutions that provide you the capabilities that will defend your organization against the outcomes your executive team is afraid of. In fact, I have observed debates within Information Security teams over whether implementing a protection should be paused because, if it creates friction for the user, that's a "bad experience" that will have a negative impact on the Information Security team's reputation. That comes from yet another danger to the modern CISO/CSO: the temptation to be liked and viewed as a great leader, over the mission of being effective at your role. Now, I'm not advocating extremes here, and I'm not saying the modern CISO has to be a bulldozer. There is a balance to be found, and I think we're currently leaning toward the extreme of likability over security.

If you are a security practitioner, you've probably experienced this first hand. You've probably prepared to implement a solution that provides optimal security for your constituents, only to be told you have to pull back layers of protection to accommodate culture and reduce user friction. Those layers of reduced capability and accommodation create vulnerabilities and complexity in implementation. Complexity increases risk, cost, and time to implement, and reduces the ability to maintain the solution effectively. That increases overall program cost, and corporate boards and executives already view Information Security as a cost of doing business that must be tightly controlled lest it outpace revenue generation. A valid concern no doubt, but one to temper with an effective CISO. A lack of understanding and balance can lead to reduced budgets and minimal capacity, which becomes the root cause for why implementations of security capabilities fail or are so burdened with problems and friction. When the InfoSec program creates problems and friction, its reputation is damaged and its voice in future affairs is diminished, as are the career opportunities for the CISO. And so we become afraid of doing what is right because, for some reason, we aren't willing to accept what it takes to do this right.

This is the core problem, and it's one that extends beyond the realm of Information Security.

The modern CISO or CSO isn't faced with a technology gap, but rather with an education and culture war, not unlike the battle we are seeing played out on a social scale throughout the United States. The modern CISO and CSO need to work diligently to understand the real problems and to educate up, out, and down - to ensure those making decisions and those affected by the decisions truly understand end-to-end the cybersecurity challenge. The CISO and CSO need to learn boldness but also humility: to be able to insert themselves into conversations and challenge their peers, but at the same time be willing to learn and grow with them. The CISO and CSO need to influence company culture and highlight the boundaries that culture can develop within, not be dictated to by a culture that creates the vulnerabilities they are trying to mitigate. Then, once the problems are understood and defined, CISOs and CSOs can have effective and real conversations about what can be done and what it will take to be successful at information security. That conversation needs to be met with cultural flexibility on the part of the other executive staff members. Once resourced appropriately, the CISO still needs to deliver the goods, which takes diplomacy, patience, and wisdom. The quarterly business review and updates to the board of directors might be the same or may represent minimal incremental updates over time, but this is essential, and we need to learn to be proud of that work and to see it through with patience and diligence. We also need other executives to embrace the boundaries and culture impact these new effective solutions will have, and we need them to enforce adoption and compliance within their organizations.

We need leaders who will use corporate email and all the security solutions that surround it, and who will be careful and diligent not only with what they click or open, but also, and more importantly, with what they write and send.

Corporate leaders, including CEOs and boards, need to seek CISOs and CSOs who have a long-standing and successful career at effectively practicing information security. These leaders will have the experience that can lead their executive peers to understanding, to help them navigate the challenges facing their organization, and to help shape culture. In the end, there will be boundaries, and these should be carefully crafted collectively, but also upheld and protected as staunchly as the culture itself. Executives need to allow their security officers to uphold and enforce those boundaries. To help ensure the boundaries and methods are appropriate, today's CISOs and CSOs need to come from the field, where they actually experienced the realization of the risks companies face today. The well-practiced CISO will know which voices from industry to listen to, and they will know what works and what doesn't, and CEOs and business executives can trust in that. When the voice in the conversation has lived it, and survived it, they bring maturity and perspective that you cannot fabricate and that cannot be passed down from mentors. Executive peers need to recognize and respect that. These new CISOs and CSOs need to be diplomats and mentors; the type of people who get to know the company, its culture, its needs, and then present, with unwavering determination backed by personal conviction, the solutions and steps that must be taken to reach the common goal of information security. They need to lead to a better state, even if that involves friction along the way. They can't be easily swept away by the company culture or the celebrity shock of executives (even those who are celebrities). They also need to be granted the authority they deserve, and they need to be right there at the table, engaged in business growth conversations, so they can understand and help craft company culture and strategy moving forward. They need to be veterans from the cyber battles that have been raging for almost 2 decades. Practitioners who have been there, done that.

Pick your analogy: the gold medal athlete returning from the Olympic games to open a gym; the retiring veteran returning from decades of war to open an outdoors gear store; the former CEO who led a successful business and is now looking for a seat on a board; the sea captain calling this his final season and looking forward to joining the industry that designed the ships he has spent his life on. This is who you need to find as a CISO or CSO: the practitioner who was successful, who has been there, who knows where you are headed, and who has the wisdom born from experience to show you how. If you are an aspiring or existing security officer who doesn't fit this mold, you may not be up for the challenges you are facing in the coming years.

If you are a security executive, solving the challenges facing you in 2017 starts with building the right relationships with your peers to reach a place where you can be heard and your voice respected. You need to become part of the team, and you need to demonstrate the wisdom and experience that will establish the trust you seek. You need to surround yourself with successful security practitioners, and you need to elevate their experiences and wisdom into the executive conversation to enable common understanding. You need to educate up and influence down. You need to bring truth into the confusing cyber security debate and influence company culture, not be dictated to by it and tossed around by the shifting current caused by the latest craze. You need to diplomatically find your seat at the table with the business leadership to help define the path forward together, serving as the point of reference that the business and corporation can use to maintain true north. You need to stand by your experiences and appropriately challenge your peers when necessary. Finally, you need patience and endurance to stay true to accomplishing what you set out to accomplish without diverting to entertain the latest new product or tool. You need to establish yourself, humbly, as the authority and subject matter expert, and you need to hold your executive peers accountable to the charter of information security.

You need to do what you know is the right thing to do, but doing follows understanding, and you can't do this alone. You need to help your peers understand, and let that understanding, together, define what you do and how you do it.

I am not advocating in any way a CISO or CSO who has a "my way or the highway" style, nor one who builds and executes through pride and subversion. I'm advocating for the seasoned security practitioners who can speak confidence, truth, and wisdom into the executive teams, and who have the maturity to stay true to what they believe and to hold their peers accountable to what they need, not necessarily what they want.

Otherwise, we will have employees building email servers in their basement, or leveraging Gmail without basic MFA enabled to conduct official company business, and when they are exposed, the finger pointing will come back on the CISO and the CISO will point to a lack of solutions from industry, and the cycle will continue.
