Discover Performance | HP Software's community for IT leaders // January 2014
Staying ahead of the cybercriminals
In a world where breaches are inevitable, organizations will have to get on the same page about what assets to keep under heavy guard.
Enterprise security is more challenging than ever. Attacks are up and defense costs are rising. Criminals are organized and well-trained. Our defenses are less successful. What’s a CISO to do?
Q: If you’re a CISO running a decent operation, trying to keep a half-step ahead of the enemy and monitor tech trends—what should be most on your radar for 2014?
Art Gilliland: As a CISO, the first thing I’d be worried about is that there’s an adversary out there that is financed like a profit center. That means they can invest in growing their capabilities in a way that far outpaces mine, because I’m a cost center.
I’m also concerned with the fact that my company is rushing to adopt new ways of delivering services and implementing processes. This includes greater adoption of mobile devices, outsourcing to SaaS providers or cloud providers, and use of consultants and outsourcing as a way to stay focused on key differentiators.
So, as a CISO, I’m dealing with this highly sophisticated, market-based adversary that can invest in a way that far outpaces me, and my company is rapidly changing the infrastructure I’m supposed to protect. I am not as well-funded as I need to be. I’m under increased scrutiny from the board of directors and the senior people of my company. There’s a shortfall of manpower and expertise that I need internally.
In short, I’m making do with less money, less expertise, and the scrutiny on my performance is way higher.
Q: Those are a lot of challenges. How are you supposed to respond?
AG: You have to redefine what your job is. Your job is not just to implement security technologies and keep them up all the time. You should be spending a lot more time trying to understand the business risk, as well as working with business leaders to help them understand how the choices they make impact risk. When you talk to them, you have to tie security directly to the business outcome they’re trying to deliver.
That requires a pretty different kind of skill set. Traditionally, CISOs are technologists or network security people. You still need tech savvy, but you also need a much more business-centric perspective.
Q: Is the line of business now taking a more active role in protecting the enterprise?
AG: The line of business doesn’t think it’s their job. And part of our challenge is to change that thinking. Business people make really fast decisions about where to put data and adoption of technology. They assume it’s just going to get protected, and security is still bolted on at the end.
As a CISO, I’ve got to figure out how to make security an enabler to business results. I’ve got to help them understand why it’s important; I’ve got to be a lot more collaborative, and that requires me to have business acumen and credibility. The skills gap isn’t just the lack of trained security people—there’s a pretty significant skill gap to be an effective CISO, too.
Q: We’re hearing more and more that it’s not just a matter of whether systems will be breached, but it’s a matter of when. How do you talk to the business about risk when risk is so pervasive?
AG: Telling stories that business people understand is absolutely critical. We often use the wrong data to communicate. It’s not effective to cite the number of viruses or number of blocked IPs. It’s far more effective to help them understand what is actually happening on the other side of the equation and who the adversary is. Stories that leverage the kill chain methodology help business people internalize the challenge.
The kill chain is a way to explain the ecosystem of the adversary and how it makes them so effective. The folks that we’re competing against are literally the best in the world. They innovate the same way our businesses innovate, and they only need to be right once. So, it’s inevitable that there will be a failure to stop them.
That’s a message they can understand: The adversary has a business process. They’re a competitor. At some point, they’re going to win, too. So let’s figure out which things matter the most and be more focused on protecting those, and less focused on protecting other things.
Q: Do we need to change our vocabulary as well as our communication tactic?
AG: Security people need to talk like business people. Talking about policy control frameworks is like speaking in tongues. If I show up and talk about the impact on a business process and how and why the bad guy competes against us, we can now have a more rational conversation. We need to talk in business terms, versus flogging them with policy frameworks.
Q: You’ve said before that one of the reasons criminals are becoming more successful is because IT is so predictable. Are there ways of decreasing predictability?
AG: I think the predictability part of it is something we’re stuck with. We’re never going to have unlimited funds, and we’re going to have to be compliant with standards and regulations. Those things are set in stone.
However, where we spend our budget does not have to be predictable. It does not have to focus on the latest technologies. It can actually focus on things we think are going to be disruptive to the adversary’s process.
Most people just follow ISO 27001. They check the boxes, and they’re done. If we are actively trying to evolve our capabilities to specifically target the adversary’s process, we can be less predictable and potentially less vulnerable.
Q: Despite the fact that successful attacks are on the rise and security costs are rising as well, a recent survey on the global state of information security found that most C-level executives have a high level of confidence in their security program. Are they unaware that we are losing ground to the adversary?
AG: I think they’re blissfully naïve. I also don’t know how you would say anything different. They have to trust their people, they have to feel like they’re executing in the way they want. The biggest problem is that we in the security world have educated them to aspire to the low bar. We have trained them that compliance to policy or framework is the same as being secure. ISO, check … PCI, check … Guess what: the bad guys are a lot better than that. Honestly, that is our fault: we taught them to think this way because we have been using these frameworks to describe our security programs. They don’t understand security—they expect us to understand security.
An interesting anecdote that highlights this comes from some research we did recently that found that there’s a disconnect between the CEO and the CIO in terms of what they worry about most in cyber security. The CEO is most worried about nation-state attacks; for the CIO, that is way down in their list of threats to the business. Often, the CEO reads about a new threat in the newspaper and the first question for the CIO is: “Are we safe from this?”
Q: That gets us back to the beginning of our conversation, where part of the CISO’s job is to educate the business as to why something is a high priority or a low priority.
AG: Yes. We need to help the executive understand that the real mission is not the one-off, it’s the ongoing capability-building. Could there have been a bad guy who figured out how to get around our protections? Sure, but educating the business about the processes that are in place to make it more complicated for this ephemeral adversary is what the CISO needs to be doing. “Yes, we’re vulnerable to that, but we’re doing the best we can, and the assets we care most about are protected.”
In our next issue (Feb. 27), Art Gilliland discusses network security, shared intelligence, and more. For more on the business conversation about securing your enterprise, visit HP Enterprise Security, and take our free HP/IDG IT security assessment.