Sometimes ambiguity has power — the power to capture the zeitgeist of a movement, culture, or vision without getting dragged into the weeds about what really is or isn’t included; it provides time for an idea to crystallize, become defined, or reach critical mass.
That (somewhat arcane opening paragraph) sums up where I feel we are with regard to the term "cyber." We all know that it has crept into the security and risk (S&R) lexicon over the past few years, but, by managing to avoid clear definition, it’s become all things to all men — a declaration that “information security is different now” but not quite saying how. Think about it: If the US Department of Defence and the standards body NIST aren't aligned on their definitions of cybersecurity, how can we expect CISOs and business execs to be?
I have spoken to numerous S&R leaders recently, and, although there was a fair amount of discord, the CISO of one global financial services organization best summarized the prevailing perception:
"’Cyber’ is something coming from the Internet attacking our infrastructure assets. We're not classifying internal incidents as cyber, otherwise it makes no sense for us to have another word for something that is a classical security incident. It's about the external and internal distinction."
Cartoon included by kind permission of http://www.kaltoons.com/
Communication is an essential part of the CISO's role, but too often we get it horribly wrong. That was the message laid out by communications expert David Porter at the RSA Conference in Europe recently.
We know that a large part of the CISO’s role is to influence, cajole and encourage our business leaders to make the right choices, enabling our firms to manage risk and move forward safely. Creating compelling communications is a differentiator, but too few CISOs excel in this area and this is holding back their credibility, their career and the risk posture of their employers.
David Porter proposed spending a great deal more time than most of us would be used to, refining the introduction to any piece of communication, and actively crafting it to flow from ‘Situation’ (“Once upon a time there was a beautiful princess..”) to ‘Complication’ (“..who was imprisoned in a tall tower by her wicked step-mother”). That sounds pretty standard, but it was interesting how David then analysed different RSAC submissions and showed how even the professionally written ones deviated from this model, and how much clearer they were once the rule had been applied.
This simple setup opens up the readers/listener's mind and plants questions that seek to understand how the story can be resolved, and stories are powerful communication tools.
For years we have talked about the requirement to make the top security and risk (S&R) role increasingly business-facing, and this is now turning into a reality. Surprisingly, however, we see an increasing number of non-IT security folk stepping up to take the CISO role, often ahead of experienced IT professionals.
These "next-gen" CISOs are commonly savvy business professionals, experienced at implementing change and evolving processes, and adept at dealing with strategies, resource plans and board-level discussions. Their placement into these S&R roles often comes as an unwelcome surprise to those that have been working within the IT security teams; however, we have to recognise that this new breed are simply filling a gap. Unfortunately, although we have talked about the professionalization of the role and the need for greater business engagement, many S&R professionals are still not ready for the leap, and this opens up an opportunity for others to steal their way in.
Make no mistake; this is a significant change in the traditional S&R professional career path.
I recently went for coffee with a very interesting gentleman who had previously been responsible for threat and vulnerability management in a global bank – our conversation roamed far and wide but kept on circling back to one or two core messages – the real fundamental principles of information security. One of these principles was “know your assets.”
Asset management is something that many CISO tend to skip over, often in the belief that information assets are managed by the business owners and hardware assets are closely managed by IT. Unfortunately, I’m not convinced that either of these beliefs is true to any great extent.
Take, for example, Anonymous’ recent hack of a forgotten VM server within AAPT’s outsourced infrastructure. VM "sprawl" is one of the key risks that Forrester discusses, and this appears to be a classic example – a virtual server created in haste and soon forgotten about. Commonly, as these devices fall off asset lists, they get neglected – malware and patching updates are skipped and backups are overlooked – yet they still exist on the network. It’s the perfect place for an attacker to sit unnoticed and, if the device exists in a hosted environment, it can also have the negative economic impact of monthly cost and license fees. One anecdote I heard was of a system administrator who, very cautiously and very successfully, disabled around 200 orphaned virtual servers in his organisation – with no negative business impact whatsoever.
It’s common knowledge that the security landscape has shifted over the past few years and the once-strong perimeters that CISOs relied upon have become stretched, fragmented, and overrun by increasingly mature attackers. There are many reasons for this change — from the increasing value of intellectual property and ideas to the business’ desire for agility and flexibility— but it comes down to the fact that the technology controls that CISOs are so used to deploying simply can’t stay ahead of the threats.
Increasingly, Security & Risk (S&R) Professionals are being asked not only to protect the organization from hackers but also to protect their organization’s brand and competitive advantage whilst enabling efficient and agile business processes. In this environment, we need to realize that technology is just one piece of an increasingly complex puzzle, and it’s a puzzle we have to solve without ever saying “no.” As one security expert Forrester interviewed put it, the right question is “How do I make sure this boat doesn’t crash?”; it isn’t, “How do I make sure this boat doesn’t even reach the ocean?”
It’s essential that CISOs shift their focus beyond technology to the wider spectrum of responsibilities that comprise an effective security practice. By redefining the situation and evolving their role, S&R professionals can:
The legendary British Prime Minister Benjamin Disraeli is said to have noted that “There are lies, damn lies, and statistics.” Much of the technology world is focused on statistics and metrics. You’ve often heard it said, “If I can’t measure it, it doesn’t exist.” Known as the McNamara fallacy — named after the business tycoon turned Vietnam-era Secretary of Defense — this famous idea failed miserably as a strategy. While it sounds good to the CEO’s ears, there is a corollary bubbling up below him that implicitly states that “If my boss wants to measure something that doesn’t exist, then I’ll invent it!”