The threat landscape continues to evolve on a seemingly minute-by-minute basis. With cyber criminals looking to breach organizations both from the outside-in and from the inside-out, companies and their employees need to keep raising their game on two fronts: the technical controls used to prevent and detect compromise, and the awareness methods used to ensure that the people within the company know what a potential threat looks and acts like. Threats such as Business Email Compromise (BEC), phishing, and ransomware continue to evolve and become more sinister, leaving companies scrambling to figure out how they are going to protect their employees, network, intellectual property, and bank accounts. Given the ongoing success of these threat vectors and the staggering numbers accumulated by these attacks, both in victims and in monetary losses measured in the billions, they will not be going away anytime soon. It is too large a market for cyber criminals to ignore.
Significance of Cyber Security Awareness among Employees
It is important to maintain a delicate balance between the technical controls used to prevent and detect cyber intrusion and carefully targeted awareness campaigns that explain how intrusions occur within the organization and how they manifest themselves in various parts of the business. For example: ensuring software developers understand the importance of a secure software development lifecycle, educating finance and treasury workers on BEC, and teaching people throughout the organization about the dangers and potential damages that can result from phishing and malware. Ultimately, everyone wants to do the right thing, and nobody wants to be Patient Zero of a malware infection or system compromise that costs the organization potentially thousands of hours of unproductive time or millions of dollars in fines. To that end, your employee population needs to be able to recognize when a threat is in front of them and know how to react and respond. This must be backed by strong technical controls that support employees if they make a mistake, or better yet, prevent the threat from ever reaching the employee and giving them the opportunity to make an incorrect decision in the first place.
Understanding the Requirements of a Reliable Network
One of the most important things to remember is that your network is everywhere. You can no longer focus on the perimeter and believe that you will be protected enough, because your network is borderless. You also cannot just focus on the endpoint, because the company data that you are responsible for protecting also lives out in the cloud. Your network is wherever your employees are. This means that your network is in an office, in a hotel, on an airplane, in a taxi, on a boat, or anywhere in between. This makes the job of the cyber security professional more complex and more difficult to control on a daily basis. One of the most important aspects of building a successful cyber security program is to ensure that it can incorporate itself into the business and protect the company’s assets while not introducing too many barriers for the employee population to do their jobs. Overly restrictive security can produce the opposite of the visibility that the security team needs to be effective. If the security organization introduces too many obstacles to basic productivity, users will look for and invent ways to establish work-arounds, and the security team may lose visibility into how data is traveling into, out of, and across the network. This situation makes it nearly impossible for the security team to be effective, but it is an avoidable situation that they ultimately brought upon themselves. Security and productivity must maintain a balance. Skew too heavily towards one or the other and the results can be disastrous.
More regulation isn’t the answer. In fact, as the government races to design and pass new regulations, if it does so without enough consultation with the private sector, the wrong regulations could actually hinder innovation. Such a result would be counterproductive to continued advancement in the space as cyber criminals and their tactics continue to evolve.
The issue that many companies struggle with is that they equate compliance with security, or assume that compliance is a sufficient baseline for security. This couldn’t be further from the truth. While there may be some sound security practices within the various regulatory frameworks that our companies are beholden to, compliance is a point-in-time snapshot of specific controls and represents neither ongoing operational nor organizational practice or maturity. Compliance should be a validation that controls are already in place and inherent in how the company operates, not a task list of items that are addressed in an ad hoc fashion when it is time for the annual audit.
Compliance in the Cloud
One thing that I have found myself repeating more times than I can count to folks who are more infrastructure or operations minded is that you cannot buy your way to security or compliance. All too often, executives see terms like “FISMA Compliant” or “PCI Compliant” when looking to purchase solutions from IaaS providers and believe that by partnering with these companies they are magically compliant, or that all they need to do is throw a few logical controls around the environment to separate it from the rest of their infrastructure and the job is done. While cloud computing may give you the ability to quickly and easily scale the infrastructure up and down as the needs of your business expand and contract, it merely provides the capability to make it easier to meet your control objectives; it is not a fast track to compliance.
Another area that companies are currently struggling with as they migrate to the cloud is how to protect and control data once it is off the network. Traditional DLP solutions do a good job of tracking data around the network, on servers, and on endpoints. Where the existing paradigm falls short is in doing the same when that data is stored in Google Drive, Microsoft OneDrive, Dropbox, Box.com, or the myriad of other online file storage and collaboration tools available. How do you track who that data is being shared with? How do you know who is copying, downloading, or printing those documents? How do you track when that data might be moving from cloud to cloud? How do you control that data once it is accessible on a mobile device? While there are some burgeoning solutions in the space looking to tackle this problem, it is still something that many security teams are trying to wrap their arms around, particularly since many organizations, whether they know it or endorse it or not, are using multiple file sharing applications today, even if most of them fall into the Shadow IT bucket.
A Word for CIOs
The role of the CISO has changed dramatically over the past few years. When I was in my first senior security role, the job was primarily technical. While there may have been exposure to executive management, the most successful security leaders were the ones who were less known. In other words, if executives weren’t breathing down your neck, nothing was wrong and you were doing your job well.
Fast forward to today and the landscape has significantly changed. Today’s cyber security leader is not only expected to have executive presence, but is a regular attendee in Board meetings, controls a budget to run their program, and has a strong knowledge of both security and enterprise risk management. The job has moved from one that is primarily technical to one where the person in the role must have a good balance of technical savvy, business expertise, and the ability to build effective cross-functional relationships while making reasonable and balanced risk/security decisions.
New technologies and a constantly evolving threat landscape continue to make the CISO role both challenging and extremely rewarding. Together with ever-evolving regulatory and privacy standards, they make the CISO role one where you are constantly learning and updating your vision and priorities around the types of problems you need to consider to keep your company, its users, and its clients safe. I wouldn’t want it any other way!