Hongke Sharing | Security Ratings | Breaches Can Make You Stronger

There are two kinds of CISOs: pre-breach and post-breach. Pre-breach CISOs are overly focused on tools and think in terms of investing in preventive technologies. In doing so, they give little thought to the problem of recovering and restoring service in a timely manner when something bad happens. Bad things do happen; it's not a matter of if, but when (and how often, so "breach cadence" seems a better KPI than breach likelihood).

How Security Breaches Empower CISOs

Now more than ever, the mantra of "not if, but when" needs to be ingrained in our risk management thinking. Post-breach CISOs, on the other hand, understand, through what is often called "hard-won experience", that people and process matter far more than tools. In an incident response situation, "all hands on deck" is more of a liability than a benefit. Someone trying to help evict the intruder may in fact be destroying evidence or breaking the chain of custody, should the case later go to criminal prosecution.

This simple dichotomy of pre- and post-breach CISOs reveals important differences in the perspective, prioritization, and preparedness of security programs across industries and companies of all shapes and sizes. Breaches make your business stronger.

Mike Wilkes was fortunate enough to speak at Black Hat and the accompanying Black Hat CISO Summit 2021 in Las Vegas. The session, titled "Executing (dis)orders: Cognitive and Systemic Risks in the Conference Room", was well attended and well received, and many attendees later requested a copy of the presentation.

While a recording of that session isn't currently available, ActualTech Media published a recording of the presentation last December. That presentation contains the seed of this post, as it revolves around identifying the cognitive risks that affect the governance of security programs. It also includes a section on systemic risk as an emergent property of complex systems.

Systemic risk deserves more attention, especially as "security chaos engineering" begins to enter the CISO community's discussion of risk management.

Black Hat was the first in-person event since the COVID-19 lockdown. There, CISO Bob Lord gave a very insightful talk, "How to Add Breaches to Your Resume and Live to Tell the Story", which greatly contributed to our thinking about the nature of resilience and how we should embrace failure instead of fearing it.

Why CIOs Should Embrace Cyber Breaches

Bob Lord knows a thing or two about breaches: not only was he the DNC's first security officer, he also became CISO of Yahoo! in November 2015 and was involved in disclosing some of the largest breaches in history, which took place in 2013 and 2014.

Part of his presentation was an incident response timeline that includes a phase of the incident response lifecycle that is rarely documented or formally acknowledged: the moment when regulators, cyber insurers, boards of directors, and just about every armchair critic pass judgment on the CISO and the work they did prior to the event or intrusion.

There is the first "attack", when a malicious actor breaches or compromises your infrastructure in some way. But there is a second "attack" from which CISOs are often not immune. It is very frustrating to work in a profession that is excluded from most D&O (Directors and Officers) liability insurance, where the default mode of operation is to throw the CISO under the bus regardless of the strength of their security program. It is dangerous to allow this pattern to continue.

Each breach is an extremely valuable experience. A "battle-tested" CISO should be cherished and valued more. Instead, there is ample evidence that the successor of the breached CISO is the one who gets the raise (whether deserved or not).

At an information security conference in New York a few years ago, a CISO told a story about someone (not them) who earned $800,000 a year at a large company but spent a paltry $100,000 on the security program itself. Then a ransomware incident happened.

"Boom!" as they say in the military. "Left of boom" is the period leading up to the incident or breach, while "right of boom" is the part of the timeline that follows the event or milestone.

The result was that the CISO was fired and the new CISO was paid $1.2 million. The security program budget was then "aligned" with industry benchmarks, approximately 5 percent of total IT spending. It would have been cheaper to protect the organization with a reasonably budgeted security program than to pay the ransom, increase the security budget, and raise the CISO's compensation to market rates for such an organization.

Taking an “anti-fragile” approach to cybersecurity

A friend who studies martial arts mentioned the book Antifragile by Nassim Nicholas Taleb. One of its themes is that fragile systems and fragile things tend to break when stressed and shocked, whereas antifragile things actually improve. Bones, for example, are strengthened and hardened by applying pressure and external force; they are made to withstand stress and shock.

Antifragility is therefore a property we may want to understand better in order to build reliable and robust systems. Such a system can actually benefit from volatility and random attacks. Of course, antifragile systems are built from antifragile components. Robust and antifragile systems are those that exhibit resilience in the educational and psychological sense, rather than in the mechanical-engineering sense of ductility and tensile strength.

When cloud infrastructure is attacked, we don't just want to restore it to its previous shape and recover pre-existing functionality and features. Instead, we want the infrastructure to be improved and transformed by the ordeal, and to come out better. In this sense, cyber resilience means adapting. It implies a modular system whose elements we can recombine in new ways without much additional work or expense. A well-designed cloud infrastructure should embody design principles that help it fail gracefully, rather than fall over completely when something breaks. This is just one aspect of the adage "what doesn't kill you only makes you stronger".

Here are some design principles that belong in a modern information security program:

  • Fault tolerant, robust, adaptable
  • Scalable, resilient, self-healing
  • Segmented/isolated environments
  • Manage and reduce complexity
  • Degrade gracefully instead of failing completely
  • Atomic, simple, modular components
  • Tight integration and loose coupling
  • Defense in depth
  • Adhere to the principle of least privilege
  • Trusted by design, not just certified or accredited

How CISOs Move Forward After a Breach

In conclusion, allow me to encourage you and your peers to find strength in failure. When you have lived through a security incident or breach, your mettle has been tested. Don't be shy about telling the story; use it to claim the respect you deserve. Others won't give it to you; you have to take it for yourself. Through this breach, you have actually raised your profile by joining the "post-breach" community.

Take John Scimone, for example, currently the chief security officer at Dell Technologies, with 60 CIOs reporting to him. In 2019, he spoke about the challenges of finding information security talent across the many organizations Dell owns and operates, including RSA. He also mentioned that when Sony was hacked by North Korea in November 2014, he was Sony's global chief information technology officer (notably, he had held the position for only two months). So there is life after a breach, and you should figure out how best to put it on your resume and write an authentic narrative around why the incident made you stronger.

SecurityScorecard can help you move forward from a cybersecurity incident

If you're interested in understanding how you and your business can better prepare for and respond to cyberattacks, SecurityScorecard's Incident Response solutions enable CISOs to take immediate action to remediate incidents and reduce risk when an attack occurs.

Source: blog.csdn.net/HongkeTraining/article/details/129426440