The CISO’s Guide to Managing Insider Threats

Critical digital and physical assets are becoming increasingly vulnerable due to accelerated connectivity, differing global regulatory requirements, joint ventures and business partnerships, and security weaknesses within complex multinational supply chains. These factors have led to a rise in insider threats for enterprises across all industries.

An insider threat is an employee or third-party vendor that has access to a company’s network. While some insiders seek to compromise sensitive corporate data for monetary gain or out of spite, others do so accidentally due to negligence or lack of awareness.

According to the “2016 Insider Threat Report” by Crowd Research Partners, 75 percent of survey respondents estimated insider threats cost their companies at least $500,000 in 2016, while 25 percent reported costs could exceed that amount. The study also found that 74 percent of organizations are vulnerable to insider threats. Of that number, 7 percent reported that they were “extremely vulnerable.”

Common Behavioral Indicators

The most common indicator of an insider threat is lack of awareness. For instance, employees with savvy IT skills often create workarounds to technology challenges. When employees use their own personal devices to access work emails, they often create new vulnerabilities within the organization’s physical security processes and IT systems.

The chief information security officer (CISO) must be aware of these patterns to detect suspicious motives, which requires a holistic and layered approach to user behavior analytics (UBA). The following are examples of behavioral indicators:

  1. Downloading substantial amounts of data to external drives;
  2. Accessing confidential data that is not relevant to a user’s role;
  3. Emailing sensitive information to a personal account;
  4. Attempts to bypass security controls;
  5. Requests for clearance or higher-level access without need;
  6. Frequently accessing the workspace outside of normal working hours;
  7. Irresponsible social media behaviors;
  8. Maintaining access to sensitive data after termination;
  9. Using unauthorized external storage devices;
  10. Visible disgruntlement toward employers or co-workers;
  11. Chronic violation of organization policies;
  12. Decline in work performance;
  13. Use of mobile devices to photograph or otherwise record computer screens, common work areas or data centers;
  14. Excessive use of printers and scanners;
  15. Electronic communications containing excessive use of negative language;
  16. Installing unapproved software;
  17. Communication with high-risk current or former employees;
  18. Traveling to countries known for intellectual property (IP) theft or hosting competitors;
  19. Violation of corporate policies;
  20. Network crawling, data hoarding or copying from internal repositories;
  21. Anomalies in work hours;
  22. Attempts to access restricted areas;
  23. Indications of living beyond one’s means;
  24. Discussions of resigning or new business ventures; and
  25. Complaints of hostile, abnormal, unethical or illegal behaviors.

Remediation Pain Points

Insider threats are costly to remediate because they are very difficult to detect. A thorough investigation often requires companies to hire forensic specialists to determine the extent of a breach. It is also challenging to distinguish malicious activity from regular day-to-day work. For example, users who have elevated access privileges interact with sensitive data as part of their normal jobs, so it can be virtually impossible to determine whether their actions are malicious or benign.

Users who have elevated access privileges often cover their tracks by deleting or editing logs, impersonating another user or using a system, group or application account. Proving guilt is yet another pain point, since offending users may claim ignorance or human error.

Steps to Combat Insider Threats

Most organizations lack procedures to deal with internal threats. Moreover, security architecture models have no room for insider threats. Security infrastructures primarily prevent outside attackers from gaining entrance to the network undetected, operating under the false assumption that those who are granted internal access in the first place are trustworthy.

To properly account for and remediate insider threats, organizations must establish a comprehensive, risk-based security strategy that includes the following four elements:

1. Information Governance

It is of paramount importance to protect critical data assets from insider threats. Information governance provides business intelligence that drives security policies and controls. This improves risk management and coordination of information management activities. A solid information governance foundation enables organizations to adopt a risk-based approach to protecting their most valuable assets and installing sound data management procedures.

2. Advanced Forensic Data Analytics

User-based analytics are indispensable tools that provide detection and predictive measures to thwart insider threats. These solutions incorporate artificial intelligence and machine learning technologies that objectively analyze insider behaviors and generate risk rankings within the user population.
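The behavioral indicators listed earlier and the risk rankings described in this section can be illustrated with a small scoring routine. The following is an added example written for this page, not code from the original article or from any vendor's UBA product. The audit log, role model, personal-mail domains and indicator weights are all constructed placeholders; it shows how individual events map to indicators (bulk copies to external drives, use of external storage, email to personal accounts, off-hours access, confidential data outside the user's role) and how those indicators aggregate into a per-user ranking.

```python
"""Toy user-behaviour scoring over constructed audit events.

Each JSON line is one audit event. The indicators mirror the behavioural
indicators listed in the article; the weights are illustrative only.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data); one JSON object per line.
SAMPLE_LOG = """
{"user": "alice", "time": "2016-03-01T10:15:00", "action": "file_read", "resource": "finance/q1_report.xlsx", "label": "confidential", "bytes": 2000000}
{"user": "alice", "time": "2016-03-01T11:02:00", "action": "email_send", "recipient": "bob@corp.example", "bytes": 50000}
{"user": "bob", "time": "2016-03-01T23:40:00", "action": "usb_write", "resource": "hr/salaries.csv", "label": "confidential", "bytes": 800000000}
{"user": "bob", "time": "2016-03-02T02:10:00", "action": "email_send", "recipient": "bob.smith@gmail.example", "bytes": 30000000}
{"user": "bob", "time": "2016-03-02T02:15:00", "action": "file_read", "resource": "engineering/src/core.zip", "label": "confidential", "bytes": 100000000}
{"user": "carol", "time": "2016-03-01T09:00:00", "action": "file_read", "resource": "engineering/src/core.zip", "label": "confidential", "bytes": 100000000}
"""

# Hypothetical role model: top-level data areas each user is expected to use.
ROLE_SCOPE = {"alice": {"finance"}, "bob": {"hr"}, "carol": {"engineering"}}
# Placeholder personal-mail domains; a real deployment would use a maintained list.
PERSONAL_MAIL_DOMAINS = {"gmail.example", "yahoo.example"}
BULK_THRESHOLD_BYTES = 500_000_000   # assumed "substantial amount" cut-off
WORK_HOURS = range(7, 20)            # 07:00-19:59 counts as normal hours

# Illustrative weights; tune them against your own user baseline.
WEIGHTS = {
    "off_hours_access": 1,
    "external_storage_device": 2,
    "bulk_external_copy": 4,
    "personal_email": 3,
    "out_of_scope_confidential": 3,
}


def parse_log(text):
    """Parse JSON-lines audit text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def indicators_for(event):
    """Return the set of behavioural indicators a single event triggers."""
    hits = set()
    hour = datetime.fromisoformat(event["time"]).hour
    if hour not in WORK_HOURS:
        hits.add("off_hours_access")
    if event["action"] == "usb_write":
        hits.add("external_storage_device")
        if event.get("bytes", 0) >= BULK_THRESHOLD_BYTES:
            hits.add("bulk_external_copy")
    if event["action"] == "email_send":
        domain = event["recipient"].rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_MAIL_DOMAINS:
            hits.add("personal_email")
    if event.get("label") == "confidential":
        # Compare the data area against the user's expected role scope.
        area = event["resource"].split("/", 1)[0]
        if area not in ROLE_SCOPE.get(event["user"], set()):
            hits.add("out_of_scope_confidential")
    return hits


def rank_users(events):
    """Aggregate weighted indicator hits per user; highest risk first."""
    scores = defaultdict(int)
    seen = defaultdict(set)
    for ev in events:
        for ind in indicators_for(ev):
            scores[ev["user"]] += WEIGHTS[ind]
            seen[ev["user"]].add(ind)
    users = {ev["user"] for ev in events}
    ranked = [{"user": u, "score": scores[u], "indicators": sorted(seen[u])}
              for u in users]
    ranked.sort(key=lambda r: (-r["score"], r["user"]))
    return ranked


if __name__ == "__main__":
    for row in rank_users(parse_log(SAMPLE_LOG)):
        print(row)
```

Running it ranks the constructed user "bob" at the top with all five indicators triggered, while the two users whose activity stays inside working hours and their role scope score zero. The point of the example is the structure, not the numbers: each indicator is a cheap, explainable test, and the ranking only becomes meaningful once the thresholds and role scope are derived from the organization's own baseline rather than guessed.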

3. Incident Response and Recovery

External and insider breaches have their own nuances, but their impacts are similar, so the same response program should cover both in anticipation of a major breach. Organizations must strive to build as strong an insider threat program as possible. It’s also important to develop an incident response program that considers both internal and external breaches.

4. Legal Considerations

An insider threat program cannot be successful without careful legal and regulatory considerations. For example, privacy laws pertaining to employee monitoring vary across national boundaries. In the U.S., the Electronic Communications Privacy Act (ECPA) allows employers, under certain provisions, to monitor their employees’ emails and other electronic communications. Meanwhile, the member states of the European Union (EU), in compliance with the European Convention on Human Rights, adhere to privacy laws under the Data Protection Directive, which regulates how organizations within the EU process personal information.

A Cross-Organizational Challenge

Combating insider threats is an organizational issue that crosses people, processes and technology and requires a detailed understanding of the organization’s assets and security posture. It also demands a clear separation of duties, continuous monitoring of employee behaviors and a formal insider threat program that includes IT, human resources, legal and all other business groups. With the proper resources in place, a CISO can gather the actionable intelligence needed to thwart internal attacks and gain visibility into the highest-risk users.

George Moraetes

Source: https://securityintelligence.com/the-cisos-guide-to-managing-insider-threats/

Need a CISO? Then Have Good Answers to These Four Questions

Demand for top-level security professionals continues to exceed supply. Recent data from the job site Indeed shows that “severe cyber security skills shortages persist in every country.” In fact, in only two countries—the U.S. and Canada—does the supply of job seekers exceed even 50% of employer demand.

In this environment, the best security professionals can be selective in choosing where to apply their talents. It is, therefore, important for corporate management and board members to get inside the heads of these leaders and understand what factors make them satisfied and successful in their jobs.

To help, we have identified four overarching questions CISO candidates typically ask when evaluating an opportunity. As you look at the questions below, it is worth thinking about how your organization stacks up—and what actions you might be able to take to make improvements.

  • “Who is my sponsor and how much influence does he or she have?”

This is likely to be the first question on the CISO candidate’s mind, and he or she is thinking about this issue in at least two specific ways. First, while the CISO is likely to have some interaction with the board and C-suite, there will still be many conversations that affect the information-security function to which the CISO will not be privy. As a result, the CISO will have to rely on his or her supervisor to act as an effective intermediary in advocating for resources and policy initiatives and in educating the board and CEO on information security issues as they unfold. Second, when the CISO needs to take an unpopular position to strengthen an organization’s information security profile, he or she must be confident that there will be support in high places.

  • “How deep is the organization’s commitment to information security?”

This is more than a question of staff and budget allocation, although those elements are certainly important. The CISO wants to know that the C-suite and the board appreciate the complexity and uncertainty at the core of the information-security function and the need to make everyone in the organization—top to bottom—responsible for security. For the CISO to be successful, he or she must be empowered to act and be armed with the necessary resources to deploy, both in times of normalcy and crisis. Although the CISO expects organizations to have high standards, he or she will avoid enterprises that reflexively cycle through security teams.

  • “What key performance indicators will I be measured against?”

Given that every large organization must assume that it is continually under cyberattack, it follows that security breaches are a matter of not “if,” but “when.” Therefore, it is not realistic for a company to hold its CISO to a “one strike and you’re out” performance benchmark. The conversation about expectations is just as important as those about resources, reporting lines, and compensation.

  • “Where will I be in five years?”

Those who lead the information-security function are like other functional leaders in their range of career ambitions. For some, the opportunity to lead the function at a quality organization is the goal; others, however, are looking ahead to a CIO role or even a broader position in organizational leadership. It is important to understand each candidate’s desires vis-à-vis what the organization can offer. Remember that the CISO’s reporting relationship will be one factor that frames this issue in his or her mind.

Conclusion

In today’s environment, board members cannot afford to be complacent in their oversight of cybersecurity issues and, in particular in helping the organization hire the right people for the most critical positions. A big step is to understand the issues that are of the most importance to today’s CISOs.

Source: https://www.securityroundtable.org/need-ciso-good-answers-four-questions/

The Emerging Role of the Chief Information Security Officer in the C-Suite

Today, no business executive would disagree with the statement that cybersecurity is a business issue, not just a technology issue. An increasing number of businesses and governments experience cyber incidents, and the way they handle such incidents can have a significant effect on their reputation.

A cyber incident can cause a number of damages for companies. One is damage to business continuity. If a company’s IT system or operation system is compromised, the company may need to make a judgment to stop operations of those systems. The second type is loss of stakeholder trust. Today, business transactions are conducted under the assumption that information provided by companies is accurate and reliable. If a company’s IT system or operation system is compromised and information is manipulated, and the company cannot guarantee the integrity of the information it provides, then the company is unqualified as a trusted business partner.

Along with this, digital innovation is emerging as a new reason why cybersecurity is a business issue. Many innovations are taking place in all parts of the world in the form of AI, big data, robotics, fin-tech, biometrics, etc. Unless a company is digitally secure, it cannot internalize digital innovations into its business system and leverage them for value creation. In the age of digital innovations, cybersecurity is becoming an imperative for business growth, presenting a new challenge for the C-suite.

Cybersecurity has traditionally been a topic that only a few executives are expected to understand. However, as additional security concerns spread across a business, cybersecurity is now a topic that concerns all members of the C-suite. For example:

  • A Chief Financial Officer needs to ensure secure transactions between financial institutions or business partners.
  • A Chief Marketing Officer needs to master how to ensure cybersecurity in marketing activities via digital and social media, and
  • A Chief Human Resources Officer needs to ensure that digital recruiting processes are secure in a competitive market.

A New Opportunity for the CISO

How cybersecurity is addressed with regard to each managing function needs to be harmonized under company-wide priorities and principles. This presents a new opportunity for Chief Information Security Officers (CISOs). Traditionally, a CISO has been a supporting role for the Chief Information Officer or the Chief Risk Officer. However, a CISO now needs to interact directly with all C-suite members. The C-suite needs to agree on what the company wants to protect from a holistic perspective, and the CISO needs to facilitate these discussions.

To facilitate these discussions, a CISO should ask the C-suite the following questions:

  • “What are our crown jewels that we want to protect with top priority?”
  • “What are business consequences if those crown jewels were damaged?”
  • “How much investment are we willing to make to mitigate those risks?”

Across an organization, there are many solutions to ensure cyber resilience. As a technology solution there are Managed Security Services. As a financial solution there is cyber insurance. An operational solution may be a Computer Security Incident Response Team (CSIRT) or employee training. A legal solution may be fiduciary actions based on a lawyer’s advice. The key is to integrate these solutions into a cybersecurity strategy that supports the business priorities of the company. Who leads this effort is not defined in many companies. This is a new space in corporate business management and a new opportunity for the CISO. By taking on such a role, a CISO can provide company-wide impact and contribution, because if the CISO plays such a role, cybersecurity strategy becomes a comprehensive and integrated package rather than an aggregation of independent tactics. It is owned by the entire C-suite and woven into company-wide business strategy.

Source: https://www.securityroundtable.org/the-emerging-role-of-the-chief-information-security-officer-in-the-c-suite/

From Cyber Czar to Risk Officer: The CISO’s Next Evolution

Over the last several years, the role of the chief information security officer (CISO) has undergone a critical transformation from technical guru to core member of an organization’s senior leadership team. But in highly regulated, complex industries such as financial services and healthcare that harbor large amounts of personal information, the role is undergoing a further evolution as sensitive data takes on an increasingly central role in all parts of the business.

This more information-centric environment, which is still taking shape, calls for a different way of thinking about and managing risks within the organization (see Figure 1). This change in thinking includes:

  • A move away from the traditional cybersecurity focus on tactical elements like email hygiene and firewalls to a more strategic view centered on the data itself.
  • Less emphasis on responding to threats and more on instilling appropriate behaviors and managing perceptions of risk.
  • A shift from building higher walls and deeper moats that prevent intrusion to ensuring customized value-based risk management that protects each information asset.

A new profile for a more strategic role

The CISO thus will evolve from the unsustainable “cyber czar” position to become responsible for managing the organization’s information risks, supporting and sustaining the appropriate risk management culture and engaging with the C-suite regarding the use of new technologies and the information-risk implications of entering new businesses. Indeed, we can see the beginning of this shift as some sophisticated organizations (especially in financial services) adopt titles such as “Chief Information Risk Management Officer.” This is a welcome development, given that making cybersecurity everyone’s responsibility has been a longstanding goal of the information security community.

In the years ahead, the new breed of information security leaders will need to focus on:

  • Establishing uniform perspectives and behaviors that can crystallize into social norms regarding the use and handling of information at work – even when those norms are different than those governing how people handle personal information at home.
  • Managing the uncertainty and ambiguity that comes from the shift to a front-line, decentralized approach to information security.
  • Having exceptional strategic orientation and the ability to communicate and influence outside of one’s chain of command.
  • Technical savviness and broader business understanding, as the role expands from just addressing cybersecurity threats to the broader mandate of managing information risk.

These changes will only take place, however, after the necessary perception and behavior regarding information risk and security becomes broadly ingrained throughout the organization. Until then, information security leaders will have their hands full creating that consensus and nudging us to a more secure future.

Source: https://www.securityroundtable.org/from-cyber-czar-to-risk-officer-the-cisos-next-evolution/

What To Expect and Consider When Hiring A CISO

The market for top-tier CISOs is now highly competitive. Information cybersecurity has become a high-profile corporate concern, and the bar has been raised on the pool of qualified candidates. By one estimate there were 2,700 CISO job openings in the United States in June 2015. So even if organizations are able to effectively evaluate candidates against current and future requirements, they must also be prepared from the start to actively sell the opportunity to an audience that is naturally skeptical.

In our experience, every CISO candidate asks four overarching questions when evaluating an opportunity:

1. “Who is my sponsor and how much influence does he or she have?”

This is likely to be the first question on the CISO candidate’s mind, and he or she is thinking about this issue in at least two specific ways. First, although the CISO is likely to have some interaction with the board and C-suite, there will still be many conversations that affect the information security function to which the CISO will not be privy. As a result, the CISO will have to rely on his or her supervisor to act as an effective intermediary in advocating for resources and policy initiatives and in educating the board and CEO on information security issues as they unfold. Second, when the CISO needs to take an unpopular position to strengthen an organization’s information security profile, he or she has to know there will be support in high places.

2. “How deep is the organization’s commitment to information security?”

This is more than a question of staff and budget allocation, although those elements are certainly important. The CISO wants to know that the C-suite and the board appreciate the complexity and uncertainty at the core of the information security function and the need for making everyone in the organization, top to bottom, responsible for security. For the CISO to be successful, he or she must be empowered to act and be armed with the necessary resources to deploy both in times of normalcy and crisis. Although the CISO expects organizations to have high standards, he or she will avoid enterprises that reflexively cycle through security teams.

3. “What key performance indicators will I be measured against?”

Given that every large organization must assume that it is continually under cyberattack, it follows that security breaches are a matter of not “if” but “when.” Therefore, it is not realistic for a company to hold its CISO to a “one strike and you’re out” performance benchmark. The conversation about expectations is just as important as the ones about resources, reporting lines, and compensation.

4. “Where will I be in five years?”

Those who lead the information security function are like other functional leaders in their range of career ambitions. For some, the opportunity to lead the function at a quality organization is the goal; others, however, are looking ahead to a CIO role or even a broader role in organizational leadership. It is important to understand each candidate’s desires against what the organization can offer. Remember that the CISO’s reporting relationship will be one factor that frames this issue in his or her mind.

For more information on what to expect and consider while hiring a CISO, download your copy of Navigating the Digital Age.

Source: https://www.securityroundtable.org/what-to-expect-and-consider-when-hiring-a-ciso/
