The threat landscape hasn’t really changed except for a few minor adjustments. We are still seeing nation-state threat actors, financial crime groups, hacktivism (though that has been receiving less press lately), terrorist organizations (e.g. ISIS) and commodity threats (e.g. CryptoLocker). The majority of these groups are just using variations of the same tactics they’ve always used to infiltrate organizations. As a society, we have a newfound knowledge, visibility and awareness of these threats, but they are not new.
Unveiling the Dangers of Security Intrusion in Control Systems
I think the media has done a phenomenal job at helping information security professionals send the message about what a successful intrusion could mean for a company and a brand. It took a few companies to be the example for other companies and industries to help them realize that the threat is actually real, they can be targeted, and they don’t want it to happen to them.
I also believe that it takes a business-savvy security professional to interpret what the executives and the board hear in the news or other media into how that could impact the business. Any security professional who makes an assumption that executives fully understand information security, and all of its jargon and technical terms, is foolish. The universal language of business is about dollars and cents; it’s about risk and risk mitigation. A security professional can raise awareness about the dangers of a successful intrusion and translate an event into direct business impact.
The first step in building security for the enterprise is to develop a strategy. The information security strategy should be fundamentally built on the risks, threats, and impact to a core business. If you haven’t done a business impact analysis, you should. You need to understand how the business operates from a people, process, and technology perspective and map your strategy to that. By understanding what’s important to your business and aligning your strategy to that, not only will you know what to protect and how, but you will also gain support from the executives for directly addressing what’s important to them. In the end, that is what should be important to you.
Once you understand the risks, threats, and impacts to the business, then you can map the people, process, and technology strategy to it. Once you have the complete strategy built, then it’s all about execution, which is the hardest part.
Role of the Government in Augmenting Network Security Practices
The negligence comment reminded me about what the insurance industry is doing as it relates to cyber security. Insurance providers are looking at negligence and reasonable care (similar to that of the auto industry) as it relates to a company’s cyber security policy and whether they provide a payout. I’ve seen some insurers also look at a company’s overall maturity as it relates to cyber security, and offer discounts or lower premiums based on a higher level of maturity, which is similar to health insurance or life insurance. I think this will have a larger impact than some might think if the insurance companies are no longer paying the millions of dollars associated with breaches. Ponemon’s report stated the average cost of a single U.S. breach was in excess of $7 million. That can start to rack up quickly if a company suffers multiple breaches a year.
I also see a number of companies being considered “critical infrastructure” now. The Department of Homeland Security (DHS) defines critical infrastructure as "the backbone of our nation's economy, security, and health.” Healthcare was only added a couple of years ago, and today we’re seeing companies like Google and Facebook included, or they will likely be included very soon. When tagged as "critical infrastructure", the government enforces a higher standard as it relates to cyber security but also invests heavily in helping the company meet that standard.
The above items are in addition to more stringent controls being added to PCI, HIPAA, NERC-CIP and other regulations that are already out there. Failure to comply with a regulation can have a direct and negative impact on a company’s bottom line. For example, if a company can’t process credit cards due to failure to comply with PCI, that would have a direct business impact.
Takeaways from Cloud Security Strategies
Moving to the cloud can be an effective and secure strategy. Oftentimes, the right cloud provider can protect your data better than you can. However, don’t always make that assumption. When moving to the cloud it is even more important that you understand your business and the business impact. The grueling work you put in up front with contract negotiations will pay dividends on the back end. Bake security requirements and controls into the contract, establish security baselines and security service level agreements, ensure the company is SSAE16 SOC1 and SOC2 compliant, and make sure they can meet your specific regulatory requirements. The front end due diligence in evaluating a cloud provider is critical for long-term success.
Decoding the Duties of CISOs and CSOs
My role and the general CSO role has changed exponentially in the past four or five years. From an organizational perspective, security is at the forefront and no longer takes a back seat to IT or other administrative positions. The CSO presents to the board and can impact the overall direction of the business. If an organization is looking to go international or acquire another firm, security is now included in that decision.
From a technology perspective, the CSO is still charged with protecting the entire organization – people and technology. As the rate of technology advancement increases, the landscape of what must be protected increases. It’s no longer just protecting IT resources. As we are now seeing in the new world of the Internet of Things (IoT), the blend of consumer and corporate technology within an organization is an interconnected web. The CSO must work with facilities units on their Internet-accessible HVAC systems and thermostats, for example. And they must be aware of medical devices that roll around on carts with one end attached to a patient and the other end attached to the network.
All of the consumer devices that people now use are integral parts of their day-to-day job. Companies are introducing smart devices one after the other without thinking about the unintended consequences, and the CSO is responsible for it all.