How an IT asset checklist can set up CISOs for success [Q&A]
The Great Resignation and tech layoffs have pushed staff turnover to an all-time high. And with every personnel change, years of institutional knowledge are lost in the transition. That information can be critically important for security executives, like CISOs, who must be the ultimate stewards of organizational security across an ever-changing attack surface.
Organizational environments today are increasingly complex and constantly evolving, making it challenging to understand exactly what is at risk at any given moment. For CISOs joining an organization, it is vital to understand exactly what is in their environment in order to secure it effectively.
We spoke with Brian Contos, chief strategy officer at Sevco Security, about how CISOs and similar leaders starting a new role can quickly get acclimated and set up for success at their organization.
BN: So, what is the first thing to know when you start at a new company as a CISO?
BC: Ask yourself, 'What assets are you responsible for?'
Though outlined in the NIST framework and Gartner best practices, because of the volume and variety of their responsibilities, even the most experienced CISOs may not prioritize enough resources, or be given the recourse, to address the first step -- identify. Identification is an intuitive first step: you need to know what devices you have on your local network or in the cloud, what applications they are running, who has access to them, and how they are secured.
With any job handoff, an organization can stand to lose years of crucial institutional knowledge, including information on asset inventory, the environments that the organization owns (cloud, remote, global footprint, etc.), and the solutions it has access to. That task can seem impossible for someone just stepping into a role without the right tools, integrations, and actionable intelligence. Legacy scanning solutions and outdated inventory management solutions only create a myopic snapshot that lacks substance and real-time awareness of known operational changes and unknown environmental drift. Those approaches are cumbersome and ineffective without proper context on the organization’s environment, including devices, security controls, users, applications, SaaS solutions, IoT, etc. across roles, geographies, and business units.
CISOs stepping into the role may need to lean on tools that will enable them to consolidate all the information on an organization's IT assets. In order to effectively protect an enterprise, you need to know the assets that make up the attack surface. At Sevco, we recently released a report, State of the Cybersecurity Attack Surface, which found that nearly 20 percent of IT assets are invisible to security teams. This gap opens the door to bad actors looking to evade detection, maintain persistence, steal sensitive data, deploy ransomware, and conduct other nefarious acts.
Like the parable of the blind men and the elephant -- each coming to a conclusion predicated on limited information -- if you don't know what you have it doesn’t really matter what you do.
BN: How do you evaluate coverage for your critical assets? What do you look for?
BC: Once CISOs have a list of their company's IT assets, they need to look at each area they are responsible for and evaluate its coverage -- the NIST framework's second phase, protect. One seemingly simple yet complex task in hybrid environments is ensuring compliance with regulatory mandates that specify that endpoint controls must be deployed on all endpoints. If you have siloed asset intelligence, this process becomes complicated once you have more than one solution deployed, and many organizations operate with six or more endpoint controls on each device.
A major issue that new CISOs will deal with is understanding how their security posture changes over time. Traditionally, every IT asset inventory -- the attack surface -- has been a static snapshot. Inventory snapshots lack the clarity to support incident response processes confidently. When conducting any investigation, it is critical to know the historical linkages between MAC addresses, IP addresses, device types, users, applications, versions, geolocations, etc., and how they change over time.
BN: How do you determine if you're overpaying for devices and assets?
BC: Another way to look at asset inventory is resource management, including managing budgets. Making the best use of a limited resource and getting the most ROI on that investment is a priority of every C-suite. In our State of the Cybersecurity Attack Surface report that I mentioned earlier, we uncovered some surprising findings related to over-licensed enterprises. In a time of cost-cutting, enterprises are paying for a surprising number of unused, stale software licenses. The report found that 17 percent of endpoint protection software is licensed but not in use, and six percent of patch and configuration management software is licensed but not in use.
With companies facing economic headwinds and budgets under strict scrutiny from the top down, ensuring you're getting the most out of your security investment is critical. We’ve seen companies struggling to identify the assets their dollars are at work protecting, at a time when optimizing security ROI is an imperative.
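The two answers above describe the same underlying exercise from different angles: correlate every inventory source you have on a common key, then ask which endpoints lack a control, which licensed agents are no longer doing anything, and what changed since the last snapshot. The script below is an added illustration of that reconciliation and is not code from Sevco or from the interview. The three inventories (a network scan, an EDR console, a patch-management console), the MAC addresses, hostnames, dates and the 30-day idle threshold are all constructed sample values chosen to exercise each case.

```python
"""Cross-source IT asset reconciliation (added example, constructed data).

Correlates three hypothetical inventories on MAC address and reports:
  * coverage gaps   - managed device types seen on the network with no EDR record
  * stale licenses  - seats whose agent stopped checking in or whose device is gone
  * inventory drift - MACs added, removed, or re-addressed between two scans
"""
from collections import defaultdict
from datetime import date

# Device types that are expected to carry endpoint controls (assumption).
MANAGED_TYPES = {"workstation", "server"}
TODAY = date(2024, 3, 5)  # fixed "now" so the example is reproducible

# --- Constructed sample inventories, not real data ---------------------------
NETWORK_SCAN = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.1.10", "hostname": "fin-lt-01", "type": "workstation"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.1.11", "hostname": "fin-lt-02", "type": "workstation"},
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.0.2.20", "hostname": "eng-ws-07", "type": "workstation"},
    {"mac": "aa:bb:cc:00:00:04", "ip": "10.0.3.5",  "hostname": "printer-3f", "type": "printer"},
]
EDR_CONSOLE = [  # one licensed seat per record
    {"mac": "aa:bb:cc:00:00:01", "last_seen": date(2024, 3, 4)},
    {"mac": "aa:bb:cc:00:00:03", "last_seen": date(2024, 3, 4)},
    {"mac": "aa:bb:cc:00:00:09", "last_seen": date(2023, 11, 2)},  # laptop retired, seat never released
]
PATCH_CONSOLE = [
    {"mac": "aa:bb:cc:00:00:01", "last_seen": date(2024, 3, 3)},
    {"mac": "aa:bb:cc:00:00:02", "last_seen": date(2024, 3, 4)},
    {"mac": "aa:bb:cc:00:00:03", "last_seen": date(2024, 1, 10)},  # agent installed but silent
]
SOURCES = {"network": NETWORK_SCAN, "edr": EDR_CONSOLE, "patch": PATCH_CONSOLE}

# A later scan of the same network: fin-lt-02 changed subnet, a new MAC appeared.
LATER_SCAN = [dict(r) for r in NETWORK_SCAN]
LATER_SCAN[1]["ip"] = "10.0.1.99"
LATER_SCAN.append({"mac": "aa:bb:cc:00:00:05", "ip": "10.0.2.21", "hostname": "unknown", "type": "workstation"})


def merge_inventories(sources):
    """Correlate per-source records into one view: mac -> {source_name: record}."""
    merged = defaultdict(dict)
    for name, records in sources.items():
        for rec in records:
            merged[rec["mac"].lower()][name] = rec
    return dict(merged)


def coverage_gaps(merged, control):
    """Managed devices seen on the network that have no record in `control`."""
    return sorted(
        mac for mac, view in merged.items()
        if "network" in view
        and view["network"]["type"] in MANAGED_TYPES
        and control not in view
    )


def coverage_percent(merged, control):
    """Share of managed network devices that `control` knows about."""
    managed = [v for v in merged.values()
               if "network" in v and v["network"]["type"] in MANAGED_TYPES]
    if not managed:
        return 100.0
    return round(100.0 * sum(1 for v in managed if control in v) / len(managed), 1)


def stale_licenses(merged, control, today=TODAY, max_idle_days=30):
    """Seats in `control` that are licensed but not in use: the agent has not
    checked in within max_idle_days, or its device no longer appears on the network."""
    stale = []
    for mac, view in merged.items():
        rec = view.get(control)
        if rec is None:
            continue
        if (today - rec["last_seen"]).days > max_idle_days or "network" not in view:
            stale.append(mac)
    return sorted(stale)


def inventory_drift(old_scan, new_scan):
    """Diff two network snapshots: new MACs, vanished MACs, and MACs whose IP moved."""
    old = {r["mac"]: r for r in old_scan}
    new = {r["mac"]: r for r in new_scan}
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "ip_changed": sorted(
            (mac, old[mac]["ip"], new[mac]["ip"])
            for mac in set(old) & set(new) if old[mac]["ip"] != new[mac]["ip"]
        ),
    }


if __name__ == "__main__":
    merged = merge_inventories(SOURCES)
    print("EDR coverage: %.1f%%" % coverage_percent(merged, "edr"))
    print("no EDR agent:", coverage_gaps(merged, "edr"))
    print("stale EDR seats:", stale_licenses(merged, "edr"))
    print("stale patch seats:", stale_licenses(merged, "patch"))
    print("drift since last scan:", inventory_drift(NETWORK_SCAN, LATER_SCAN))
```

The join key matters more than the reporting: MAC addresses are stable enough for this toy, but in a real estate a device may present different MACs across VPN, Wi-Fi and docking stations, so production tooling usually correlates on several attributes (serial number, hostname, agent ID) and keeps the history the answer above describes. Note also that the printer is deliberately not counted as a gap, so the list of device types expected to carry controls is itself a decision the CISO has to make explicitly.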
BN: What is the big takeaway for CISOs starting at a new company?
BC: CISOs have a lot on their plate, from cybercriminals and nation-state actors to managing resources effectively and enabling the business. Gaining situational awareness across critical assets from an IT operations, security, and compliance perspective can seem daunting, but a technology defense that integrates into business processes and enhances the effectiveness of IT, security, and related teams is the best solution to these technology woes. The NIST framework -- identify, protect, detect, respond, and recover -- is a great guidepost for CISOs. But on a practical level, you have to make sure that you're starting with an understanding of what your attack surface looks like and how it's constantly in a state of change. An attack surface intelligence solution is foundational for every major cybersecurity framework, and it has to be the first step that security leaders take. Without this step, CISOs may be experiencing security hubris and not adequately mitigating risk.