EXECUTIVE SUMMARY:
What People have helped you create a leapfrog effect:
Sr. Engineers & Architects are really the ones seeing what technologies are available. CISO’s do not have the bandwidth to do the evaluation of what is needed next. They need to have a vison for what might be needed 5 years down the road. Understand your future state is critical.
For example, today the perimeter has changed to the endpoint, but 5 years from now it may be just the data. So, are you considering what this means to the organization? Should you be looking at zero trust?
2/3 of the leaders will retire in a few years. Who are you bringing along to fill that gap? Security must be part of innovation. The CISO is the last one to know that vulnerable code has been deployed but gets all the blame or even fired.
Many architects/Engineers do not have the aspiration to sit in the leadership chair. Leadership cannot be all about tools. The next security leaders may not be the engineers or architects. It may be people directly from the business.
Developing People for Cyber:
- Bringing young people into security operations first to give them a good baseline.
- Catching people before they leave and helping them understand the big picture and opportunity within security.
- Bringing people in through the business to teach them and then convert them to security.
- Career Development plan – letting others in the business participate in cyber (i.e. 10% of their job)
- Roadmap –
- Mentoring to help younger or other business people will see this as a career path.
- Mentoring veterans in cyber labs. Cybersecurity didn’t exist so looking at how to bring in a wide variety of people.
- Good tools for training and suggested career paths and the training and knowledge needed:
What Process have made a difference?
Processes are developed by people, Clayton Christensen at Harvard, Research on People and Processes:
https://hbr.org/video/2688242135001/the-explainer-disruptive-innovation
Digital transformations fail because of processes not because of the people.
Architects define that process. The devil is certainly in the details at the process level.
It is how we manage risk and realizing there may be a higher tolerance for some risks. Bringing the Enterprise Risk team into what is being done can be an advantage, so they do not slow down the progress. You may even have to teach auditors/risk how to understand your risks or even how to audit what you are doing.
Define what is important and what is not instead of chasing the latest and hottest new threat.
At times, what we hear in the news is not what is important. A good example is the death rate. We do not hear about the top issues, but more often the news channels are reporting what they think will bring about the most attention.
Part of the CISO role is to be looking toward the future and seeing past the current hot news or operational health dashboard. Solving today’s issues will not help you a year from now. That is the challenging aspect of the CISO role. You must be very good at solving today’s reactive challenges along with taking the time to prepare and predict for what is coming in the future.
When an issue such as SolarWinds arises, are we looking at the big picture to see if there are other similar exposure points across other vendors.
On 3rd parties, we all tend to let them slide. Do we check on them routinely and validate compliance or even visit them personally?
The business puts the pressure on the security team to approve vendors with or without full certification. “When all the other banks use them why can’t we?”
It may be helpful to leverage industry collaboration to monitor vendors. Share the risk with the business if they are applying the pressure to approve.
When a threat like SolarWinds arises, there should be some diligence to scope out what the actual threat is within your specific environment and then use a risk model to determine the priority level of that risk. Back it with actual statistics if available.
Sometimes new patches can introduce new vulnerabilities, therefore, doing your own threat hunting to determine if implementing the new patches right away is necessary.
Threat hunting can be more defensive and less intrusive than preventative technologies which can cause friction.
Using Process to elicit Change:
There is no standard that will control people. It needs to be a slow steady education process continuing raising the bar.
Standards that do provide a framework:
- CIAQ cloud security assessment. https://searchcloudsecurity.techtarget.com/definition/CAIQ-Consensus-Assessments-Initiative-Questionnaire
- NIST provides the framework to communicate the status of a program
- Free Level 1 NIST Risk Assessment – https://securitystudio.com/fortify-experts-gateway/
- NIST provides a “tool bucket” to assist both individuals and organization move in the right direction. (s2me.io – Free Assessment for individuals)
- ISO based standards especially for those overseas who follow ISO more closely can be great resources to provide a framework.
Technologies & Vendors who moved your security program forward
- Partnering with Vendors because mutual success is more important than individual success.
- Outside consulting firms such as PWC, EY & Hybrid Technologies
- Help set strategy. They can be a good sounding board for direction and have the resources to complete the work.
- They can help provide the process to come up with a better solution.
- However, you don’t get a choice on who is assigned to your project so can be hit or miss at times.
- Spending time really understand your cloud providers
- Studying AWS and using their tools to become more analytic & security focused.
- Begin driving security through their metrics “How good at are you at managing your data?”
- Leveraging Cloud Services from bigger providers who can advance your Email & Data Security such as AWS & Azure.
- Being agile and recognizing vendors and priorities change from year to year. Who’s current roadmap aligns with your roapmap or current needs.
- AV Vendor – Malware Bites – Has reduced stress knowing they have removed endpoint risks.
- Implementing EDR for better visibility and faster stoppage when needed.
What Technologies/Vendors have made a difference?
Moving towards a fusion center can be helpful when using tools such as Splunk and Sentinel side by side, but it needs to be done so that business participants can digest it well.
Trinity Threat hunting (https://www.trinity-ds.com/advanced-threat-protection/) – acting as a man in the middle.
SecureCircle (https://www.securecircle.com/) – Encryption to enable zero trust. Access is pushed down to the data level. Reducing perimeter to the data level.
Economy solutions include:
- Teramind (https://www.teramind.co/) – Threat hunting and DLP.
- Red Canary (https://redcanary.com/) for threat hunting, honeypot.
- ZeroFox (https://www.zerofox.com/) for threat hunting service.
- ManageEngine (https://www.manageengine.com/) – Browser security – 22 malware apps in extensions. Configuration manager and blocker of extensions.
- SecurityOnion (https://securityonionsolutions.com/) – good for on prem – not cloud.
- HTOC – Black Hills Security (https://www.blackhillsinfosec.com/services/htoc/) – Analyzing logs.
When evaluating your default firewall posture, should it be “allow all out, deny all in” or maybe it is “deny all out and deny all in and open up what is truly needed.” It would be helpful to understand what others are doing and how they are approaching this.
With such a vast threat landscape, vendor reduction will help reduce the threat landscape.
Agent consolidation can help reduce the complexity.
Using Microsoft E5 can reduce complexity – “Sufficient” might be better than “best-of-breed”.
Maybe taking ownership of your destiny and becoming more of a security development shop is a better approach especially around IAM. It removes the limitations from the vendors and allows you build your own widgets & automations for different product areas without relying on a vendor.
Some of the larger security companies do not react to the market fast enough. A Best-of-Breed approach is easier when you are all on-premises. When going to the cloud, it requires extensive integrations which is exponentially more difficult. Therefore, the move from a best-of-breed approach back to fewer big providers may make more sense.
Microsoft has come an exceptionally long way in the last 18 months.
Windows Defender ATP (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is now at the top right corner of Gartner.
Access Security Broker (https://www.microsoft.com/security/blog/2019/10/29/gartner-microsoft-leader-2019-cloud-access-security-broker-casb-magic-quadrant/) for Cloud has also come a long way as well.
Microsoft helped reduce some companies from 20 vendors/products down to one vendor.
Manual IAM provisioning and processes still exist across many companies so there are still many opportunities to streamline IAM processes.
In Summary:
Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice to on how to improve your security program.
If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.
About Tim Howard
Tim Howard is the founder of 4 technology firms including Fortify Experts which helps companies hire the Best Cyber Talent on the Planet as well as provides expert consulting and NIST based security assessments.
In addition, he has a passion for helping CISO’s develop Higher Performing Teams through coaching, by creating interactive CISO Forums and by helping them create highly-effective team cultures.
With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.
He also teamed up with Lyndrel Downs to launch Cybersecurity DIVAS to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.
Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University.
Invite Tim to connect: www.linkedin.com/in/timhoward