Are you doing enough to address your risk? Here are a seasoned CISO’s fundamentals
Several years ago, I received an early-morning phone call at home from one of my security staff. Our security operations center had just contacted us, reporting anomalous data traffic. They believed we had several assets that were infected with malware. As I listened to the incident response team triage the event, I thought to myself, "What can I do as a CISO to better protect my organization?"
I had numerous networks and legacy assets under my purview, and even though I had a solid security program, I didn’t feel we were doing enough to address our risk. What fundamentals could I incorporate to better prepare my teams and my security organization?
I started to review and document how I could continuously analyze and upgrade my security systems and deployed security controls. I eventually settled on seven steps I call my CISO Fundamentals. These are processes I use to view my security program, understand its dependencies and continuously review for improvement. They have become my template to measure the maturity of my security systems and my overall security program.
Here are the first four of my CISO Fundamentals
Enumerate. As a CISO I find it crucial that I understand what is on my company’s networks, where the devices are located, and what applications and data they require. Enumeration provides that information – and it’s fundamental to cyber hygiene.
Enumeration is the discovery of hosts and devices on a network, typically using standard industry discovery protocols such as ICMP and SNMP. It can also document well-known services and the operating systems on the scanned devices. Security teams can then use much of the information collected to create a configuration management data base (CMDB). This foundational step feeds not just my cybersecurity and risk management programs, but it is also required for IT, Change Management and Governance-Risk Management-Compliance. Without an accurate inventory, it is extremely hard to manage risk and protect corporate digital assets.
Consolidate. With an updated inventory, we can identify what could be consolidated. For example, can an organization reduce its servers and server locations to more efficiently use space and resources? Can servers be virtualized or upgraded to new hardware to occupy less rack space and consume less power?
I look at consolidation as another fundamental control. I continuously review my security suites hardware and software tools to see if there is anything I can consolidate or decommission -- keeping business needs in mind. If I can reduce my costs and consolidate the assets my team must manage without impacting the services we provide to the business, I believe it’s required of me to investigate the possibility.
Mitigate. I then review the potential impact of identified risks on the organization's business operations. This process is continuous. As we add new technologies to the company’s portfolio or change deployed applications, we need to reassess security risks. If risks are identified, then we employ appropriate and cost-effective controls to mitigate the risk to an acceptable level.
CISOs and their team need to manage this process continuously and report to executive staff on an ongoing basis. I recommend CISOs use their company’s business objectives as guidelines to prioritize any identified risks that must be mitigated.
Integrate. I don’t want my organization’s security platform to be a do-it-yourself dashboard of multiple islands of isolated technology held together by duct tape. Security teams need to continually assess the integration of security components. Where appropriate, integration provides operating efficiencies and more visibility into deployed security assets, networks and risks.
I would rather have my selected solutions connected via a technology like API, providing me an overall view of risk in one platform. I know many organizations have legacy systems that are critical, and companies don’t want to touch them because they work. I understand, as I have been in that situation multiple times. However, every time I have upgraded and integrated my technologies, the new capabilities and efficiencies paid dividends.
I am aware that integrating security systems is not an easy process. Security vendors often force organizations to purchase all the platform’s components to get full functionality. Or they provide minimal customer service, instead opting to charge assistance as professional services. But if you can make a business case for integration -- it will result in reduced labor required to triage an incident or in greater visibility to strategic threats facing the organization, for instance -- then I believe CISOs need to seriously consider integration.
How I advance my security programs into innovation
Over the past 10 years, I have watched the CISO role evolve a strategic partnership, at least when executive leadership champions it. I have also witnessed a changing environment that seems to open more doorways to attackers than security professionals can close -- from new malware types to previously unknown vulnerabilities.
But even with the rise in cybercrime, I’ve learned to focus on security and risk management frameworks to create strategic roadmaps for my teams. These roadmaps provide a foundation for my organization, enabling my security and risk management programs to mature and better protect the company.
As I began to incorporate these roadmaps, I started to view cybersecurity-and-risk management as a continuous life cycle of dynamic processes. These processes I envisioned as interconnected workflows that incorporated my deployed security controls.
But even then, I continue to ask myself, "In today’s dynamic threat environment, what can I improve?"
Today’s unique threats have forced me to consider new approaches to managing my organization’s risk. In crafting my CISO Fundamentals, I learned to accept the fact security and risk management programs are not made to be static, but need to be flexible and adjust to new threats, new technologies and resource constraints. As a CISO, I know I must be innovative and willing to make changes to provide focused cybersecurity and risk management services to the business.
Here are the final three of my seven CISO Fundamentals
Innovate. As technology advances, cyber criminals are continually innovating and deploying new capabilities, thereby increasing the threats companies face. CISOs, in turn, need to be comfortable with the evolution of new defensive security technologies.
The cyber hygiene basics -- configuration management, access control, network segmentation, patch management and network monitoring -- can remove most of the cyber risk facing companies and allow a CISO to work with cybersecurity startups to identify technologies that provide value to the business.
Obviously, there are risks associated with being innovative. Exactly why I believe it is imperative to have your security basics done first. You then gain the freedom to try new technologies and processes with reduced risk.
Automate. The days of having a security analyst manually review logs and then manually investigating an anomalous finding are over. As cyber criminals use automation to quickly deploy new threats, CISOs must look at automation to improve the capabilities of their deployed security assets and risk management controls. That’s the only way to defend against today’s fast-moving threats.
I regularly review my security program’ technologies to identify where I can add automation to data-intensive services, such as threat-intelligence analysis, security-rules enforcement, and the review of logs for anomalous behavior. I believe automated analysis allows for a more effective use of resources.
Orchestrate. Orchestrating is about connecting security tools and integrating different types of security systems. In today’s security programs, the sheer volume of data and logs generated can be massive, and quickly lead to alert fatigue and human error. With security orchestration, a security program can coordinate the flow of data and tasks (e.g. monitoring IPS alerts) by integrating existing tools and processes into repeatable workflows.
I look at security orchestration as a security platform to connect my various assets, tools and processes, allowing my team to leverage automation efficiently. CISOs gain more value from their limited resources and replace slow processes with contextual decision making.
I believe orchestration is a security-program necessity because of the complexity of current security platforms and the propensity of human error. But I have found orchestration requires that I complete these other steps first.
I have found these CISO Fundamentals lead to a stable security program. Once implemented, these building blocks must be continuously monitored, tuned, tested and used by security staff to make security operations more manageable and effective.
Over the last 10 years, in multiple CISO roles, I have had to build and/or upgrade numerous security programs -- and I know my colleagues have, too. I would like to hear about other CISOs’ guiding principles. Feel free to comment here or Tweet me at @ghayslip.
Gary Hayslip, chief information security officer, Webroot. He is responsible for the development and implementation of all information security strategies, including Webroot’s security standards, procedures, and internal controls. Gary also contributes to product strategy to guide the efficacy of the Webroot security portfolio. Previously, he was CISO of the City of San Diego, and held various infosec roles with the U.S. Navy (Active Duty) and U.S. Federal Government. In these positions, Gary founded security programs, audited large disparate networks, and consolidated legacy infrastructure into converged virtualized data centers. He co-authored "CISO Desk Reference Guide: A Practical Guide for CISOs" focused on enabling CISOs to expand their expertise.
Image Credit: Creativa Images / Shutterstock