As a CISO, you constantly worry if today is the day you’ll have a security incident. It’s a common problem. There are huge expectations on you and your team, but the support from the business is not always in line with those expectations.
For today’s post, we interviewed cyber risk expert Michael Lines. Over the course of his 20-plus-year career focused on information security, Michael was the first global CISO at both FICO and TransUnion. Additionally, he served as global CISO for PricewaterhouseCoopers and D+H Ltd. Michael is currently a cyber advisor helping boards of directors and management teams address cyber risk. He took some time to talk to us and share his perspective on why organizations continue to fall victim to significant and damaging data breaches and fraud.
GroupSense: What are the biggest issues CISOs are facing today?
Michael Lines: The biggest challenge for CISOs and for the management of information security in general is the pace of change. The job of a CISO continues to evolve at an ever-advancing pace, and many CISOs are unprepared for all the responsibilities that the job today demands.
Fifteen years ago the security leader was a primarily technical position which grew out of network and systems administration. The role has evolved. Now the stakeholders the CISO is responsible for include the board, senior management, internal audit, legal, compliance, the business division and the IT organization. Add to that all the third parties the CISO has to interact with, negotiate with, report to and police for compliance.
To be a successful security leader today, a CISO must possess political savvy and prowess in addition to hard technology skills. A CISO must have the ability to communicate and educate the leadership team around a seemingly endless stream of issues, while at the same time, prioritizing those issues such that they do not come across as Chicken Little, constantly crying that the sky is falling. At the end of the day, the business exists to make money, and the CISO’s role is to educate the business on how this can be done while balancing the risks that could cause it to lose a significant amount of money due to fines, lawsuits and lost business.
GS: With all the advances in security technology, why do we continue to see so many successful breaches?
ML: For all the advances in security technology, business technology is advancing just as fast. IT budgets are exploding in major organizations as they pursue digital transformation - basically a wholesale shift in how companies acquire, service and monetize their customer relationships by embracing digital means to do so.
This in turn has been accompanied by a shift from the old school, in-house data center environment to the cloud, combined with new methods for creating and deploying business applications, including agile methods, virtualization, containerization, microservices, mobile enablement, and so on. The result is a mind-numbing mix of technologies scattered across the world. Where there used to be a few mainframe systems at the core running a handful of business applications, now there can be thousands of applications fragmented into a myriad of component parts, all of which have to be tuned and configured in order to work at all, let alone securely.
Businesses have enough trouble just keeping track of what they are running in production. Creating documentation has gone by the wayside - now the imperative is to see how quickly code can be released and evolved (the “throw it against the wall and see what sticks” model). However, in that rush to release, again what the CISO wants in terms of proper threat modeling often is done haphazardly if it’s done at all. I think we can see the devolution of this all in the increasing service outages plaguing major corporations.
GS: What is your advice on how CISOs can or should counter these trends?
ML: You have to start with risk. What are your real threats? How are they most likely to attack you? How vulnerable are you?
Don’t boil the ocean - the myriad demands on CISOs to meet all the business, management, third party and regulator requirements are prohibitive. To succeed, you have to pick and choose your battles and make the case for the investments you need to execute successfully.
Two decades ago, there were probably a hundred security vendors selling hardware and software to secure the enterprise. Today, there are thousands, with more popping up every day. This is another cause of stress for CISOs, as all of these vendors are pounding on their doors shouting that they have the silver bullet to solve all their issues. Here’s a news flash from someone in the trenches: THEY DON’T!
The end result is millions of dollars are wasted in partially deployed implementations of technology that not only slow down the business, but also erode the credibility of the CISO when risk reduction promises are not met and the clamor to “fix the problem” goes unanswered. The result is that after an average of 18 months, that CISO is out and a new one comes in with a new silver bullet solution or suite of solutions. Then it’s off to the races again with more delays, more cost, more impact and no measurable reduction in reducing risk to the enterprise.
The worst thing a starting CISO can do is to say, we’re going to adopt Framework X - whether it’s NIST, ISO, ISF, take your pick - and fully implement it, saying, “Then we will be secure.” While these frameworks are useful, they need to be used in the context of what risk they are trying to reduce. To just implement them all is the IT equivalent of boiling the ocean. You will expend an enormous amount of energy - and money - for very little return. Instead, the CISO needs to focus on control efforts to address the most likely risks and means. You will spend far less and have a far easier story to sell to leadership on what you are doing and why.
GS: What can a CISO do today to achieve these goals and secure the enterprise against breaches, hackers and other threats?
ML: Maintaining customer trust when cyber fraud can happen without anyone ever entering your network is a tall order. Working in today’s open and collaborative environments, allowing third parties to access your networks, shadow IT, and employees as a threat vector means that you must sometimes knowingly allow sensitive data to leave the safety of your network. Additionally, you have to allow access to an increasing number of third parties. No technology on the planet can fully protect this data or know when it has been compromised.
To get a handle on what’s happening with data outside of the network, you need to get smart about using cyber intelligence to identify when that data is being misused and to get proactive about brand abuse.
GS: That sounds like a big job for anybody. Could you give us a basic breakdown of how a CISO would get started?
ML: Definitely! Start by identifying the threats that are most relevant to the business. What can you learn about the motives of the attackers that may target you? What means might they use to inflict harm? What gaps exist in the organization that are most likely to cause these means to be realized? What can you do from a people, process and technology perspective to address these gaps and the associated risks?
Any CISO needs to get ahead of threats and attacks by looking for evidence of them outside of their own network. A security team needs to be able to monitor for data already exposed and compromised credentials at a basic level. Add to that third-party breaches, especially supply chain breaches, and shadow IT and you’re starting to get a fuller picture. Wrap it up with knowing that any big company’s execs could be targeted at any time. Doxing and swatting have become shockingly popular and effective techniques for individuals looking to intimidate or otherwise inconvenience executives, celebrities and elected officials.
GS: Michael, thank you so much for your time. We appreciate your help in understanding more about better approaches to risk management. Where can people get more of your perspective on this issue?
ML: Thank you, it’s been fun. People can check out my blog at heuristicsecurity.com.
Reach out to GroupSense to find out more about how cyber intelligence can help you better understand, prioritize and communicate about the threats to your organization.