Being a chief information security officer (CISO) is not unlike being in a war zone. Professionally and politically, your survival is dependent upon being “left of boom”—to borrow a term the US Pentagon uses when dealing with improvised explosive devices (IEDs). In other words, having your defensive measures in place before the “boom” can occur is the most prudent course of action. When I was a CISO in the US federal government about 10 to 12 years ago, the job was to protect and defend, because at that time we were most concerned with the basic security hygiene of the enterprise and viruses in the wild, so we tried to do basic preventive maintenance. We were not yet facing sophisticated, targeted attacks. We were trying to keep our configurations up to date, and then we thought we would be okay. CISOs’ perspectives have evolved because the advanced persistent threat (APT) has become a larger problem in the past few years. We have gone from protect and defend to early detection and rapid incident response with immediate recovery, so that businesses can continue to operate in a compromised environment. Essentially, we have gone from risk management to risk tolerance.
Threat Intelligence and Analytics
The enterprise now must have an active capability to gather and analyze threat intelligence, to learn which threats and threat actors are looking at and targeting the enterprise. This requires a thorough understanding of your business lines and the types of business processes your enterprise is involved in, so as to better understand who is targeting your business and how they conduct their operations. If you know which threats you face, you can determine what type of technology to put in place, such as behavior-based rather than signature-based technology.
Today, more than ever, CISOs and their staff have to be agile enough to get ahead of the problem as opposed to letting the problem—or the “boom”—happen and cleaning up afterwards. The “right of boom” approach is quite costly and ends up consuming most of a security program’s resources. “Right of boom” enterprises include all of those who have made headlines because of their publicized breaches over the past couple of years.
Looking forward, there are encouraging developments in big data analytics, where helpful proactive information can be derived from the terabytes of data produced by companies’ deployed security devices. In the past, security staff did not have the tools to analyze this data in a cost-effective fashion, so the data was often lost due to storage limitations. Today, with advanced analytics, a company can take that information and develop pattern and behavior analysis to see whether something is actually getting into the enterprise or, worse, whether data is being exfiltrated. Additionally, the operating realities of cloud and mobile computing may weaken security over the next 5-10 years as adversaries’ targeted capabilities grow stronger. Keeping up with these developments is a constant challenge for CISOs.
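The behavior-based analysis described above, as an added illustration that is not part of the original column: each host's outbound volume is compared against its own baseline rather than against a fixed signature, so a sudden exfiltration-sized spike stands out while normal variation does not. The host names, volumes and thresholds are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000

# Constructed daily per-host outbound volumes (day, host, bytes_out),
# as a SIEM might summarise them from firewall or proxy flow logs.
DAILY_OUT = [
    (1, "ws-101", 48 * MB), (2, "ws-101", 52 * MB), (3, "ws-101", 50 * MB),
    (4, "ws-101", 47 * MB), (5, "ws-101", 53 * MB), (6, "ws-101", 2_400 * MB),
    (1, "ws-102", 60 * MB), (2, "ws-102", 58 * MB), (3, "ws-102", 61 * MB),
    (4, "ws-102", 59 * MB), (5, "ws-102", 62 * MB), (6, "ws-102", 64 * MB),
    (6, "ws-999", 90 * MB),  # first day this host appears: no baseline yet
]

def baseline_per_host(records, baseline_days):
    """Mean and population stdev of daily outbound bytes per host over the baseline window."""
    per_host = defaultdict(list)
    for day, host, bytes_out in records:
        if day in baseline_days:
            per_host[host].append(bytes_out)
    return {h: (mean(v), pstdev(v)) for h, v in per_host.items()}

def flag_exfil_candidates(records, baseline_days, eval_day, min_sigma=3.0, min_ratio=5.0):
    """Flag hosts whose eval_day volume is both min_sigma standard deviations and
    min_ratio times above their own baseline (the ratio test stops a nearly flat
    baseline from turning a small increase into a huge z-score). Hosts with no
    usable baseline are reported separately instead of being scored."""
    baseline = baseline_per_host(records, baseline_days)
    flagged, unscored = [], []
    for day, host, bytes_out in records:
        if day != eval_day:
            continue
        mu, sigma = baseline.get(host, (0, 0))
        if mu == 0:                      # unseen host or silent baseline: cannot score
            unscored.append(host)
            continue
        sigma = max(sigma, 0.05 * mu)    # floor the stdev so a flat baseline cannot divide by ~0
        z = (bytes_out - mu) / sigma
        ratio = bytes_out / mu
        if z >= min_sigma and ratio >= min_ratio:
            flagged.append((host, round(ratio, 1)))
    return flagged, unscored

if __name__ == "__main__":
    print(flag_exfil_candidates(DAILY_OUT, range(1, 6), eval_day=6))
```

In a real deployment the baseline window would be longer and the thresholds tuned per host class, but the structure is the same: model normal behavior first, then alert on departures from it.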
Legislatively, the US Congress has not approached the cyber security problem from a holistic, enterprise-wide perspective. Rather, US legislation has focused on compliance with requirements of questionable security relevance. Most legislative efforts have not emphasized the rapid and continuous changes to the IT environment that are necessary to meet the challenges of securing today’s enterprises. Legislation is generally about putting controls in place, making sure they are implemented effectively and doing risk management—an approach that did not work well in the past and is even more misguided in the present. In today’s environment, an organization needs to be more proactive, changing rapidly to meet attacks with rapid responses that are difficult to legislate. The US Federal Information Security Modernization Act of 2014, which is more attuned to continuous monitoring of technical controls, may be a step in the right direction, but legislative solutions generally tend to stifle the ability of enterprises to meet security challenges with swiftness and agility.
The demand for critical cyber security skills is growing, and enterprises are having a difficult time meeting it. Companies seem to want cybersecurity staff with the wisdom of experienced executives, but at the pay scale of college graduates. The problem that the Fortune 1000 has yet to solve is that the experienced subject-matter expert understands how to apply security across an enterprise, while the recent college graduate may only know how to put controls in place.
Professional certifications are also important, but they are becoming more and more targeted at specific roles. For example, incident responders, forensics staff or governance and compliance professionals should have the relevant certification that attests to their knowledge of that particular skill set. But the big concern is—as businesses cut costs and move experienced staff into retirement—who will mentor the next generation on how to effectively manage risk across large heterogeneous enterprises?
Bruce A. Brody
Chief Information Security Officer, Cubic Global Defense
Chief Cyber Security Strategist, Cubic