C-Suite Network™

Categories
Best Practices Growth Management Personal Development Technology

Cybersecurity Resources That Your Organization Must Have

This article is part of a series where we are discussing your role as an organizational leader in the cyberwar that has been all over the news on a regular basis lately. I started with a frank discussion on whose side you might actually be on when you don’t protect your organization’s network. In the second article we discussed creating a culture of security and the third article was all about strategy. This is the fourth and final article in this series and we are discussing resources for your security team and organization.

In order for your security team to be on the front line of this cyberwar, defending your network and your data, they need to have the best resources available in order to defend against the many threat actors attacking organizations like yours every day.

One of the biggest challenges in this war we defend against in cyberspace is that it is always changing. The adversaries continue to get better and change their strategies, and if we don’t arm our people with knowledge and skills we will continue to be on the losing side. Depending on your industry that could result in a loss of data, intellectual property, or national security secrets, and could literally be a question of life or death for those in the healthcare industry.

New technologies emerge at lightning speed, which provides hackers new ways to launch their cyber attacks that we need to keep up with. Every time a new application is deployed, a new line of code is written, or a new Internet of Things (IoT) device is connected to the network, we invite the bad guy in. Not because we are asking to be attacked, but because they know how to use our technologies against us for their gain.

Let’s look at the three categories of resources and the key factors they address to win this never-ending cyberfight waged against us on a daily basis.

People

Have you created your cyber team with the best offensive and defensive players? Like sports and traditional war, you have to have the best players or soldiers to win in a cyberwar. Not only does that mean that you have the right people in the right roles; it also means you have trained them and continue to train them. This applies to your internal employees and any third parties that work on-site or off-site to help secure your organization’s cyberspace and data.

Security personnel are in a constant state of adversity, trying to keep up with new technologies and threat actors. They almost never hear “job well done.” Often your security team is only recognized when something goes wrong, but not for the success of stopping a breach, which is their job every day. Other employees are recognized for doing their job well, but the security team is often overlooked since their success is typically invisible.

People want to be recognized for what they do, and often the security professional goes without such recognition for most of their career. If you want to help your team avoid burnout and apathy, this is going to be one of the key ways you can do that.

Time

Time is most definitely a resource, and if you have ever said “I don’t have time for that” you know what I’m talking about. I’ve seen it myself too many times: good people leave because they are overwhelmed and exhausted.

This is a team of highly specialized people where you can’t afford high turnover. Not only because turnover is expensive in and of itself, but because these individuals have such specific knowledge that when they leave, the time it takes a new employee to catch up is dangerous. In the time spent ramping up, they can easily miss what their predecessor would have seen. While you can’t avoid all turnover (it will happen), you can reduce the amount of turnover by understanding how much your team can actually do and providing additional resources like contractors, third parties, and tools where needed.

Whether you hire more staff or outsource, you must remember that time is a resource that cannot be changed and security is a role that cannot be given to just anyone or ignored due to budget constraints.

Tools

Every good mechanic needs a set of tools and the same is true for your security team. The problem often becomes which tools to use within your security team, since there are so many and the tools can be very noisy. By noisy I mean all the alerts they can generate if not configured (or tuned) properly.

The best way to ensure you are getting the right tools for your team is to include your frontline defenders in the vetting process for new tools. Who knows better what you need: the person doing the work day in and day out, or their manager or the executive team? You want what’s best for your security team, so ensure the users are part of the decision-making process.

It is often good to include a vendor-neutral security consultant who can ask questions of the vendor that you and your team may not have thought about and do it with complete objectivity.

  • What is the tool truly capable of?
  • Does your team already have a tool that can do something similar they are not fully utilizing?
  • Does the new tool integrate with the current infrastructure?
  • What alerts will it generate?
  • How hard is it to configure?
  • And often missed but extremely important, will you need a support contract or consulting contract from the vendor just to make it work?

With the right team doing the amount of work that makes sense with the right tools, you are setting your organization up for success in the fight against cyber attacks. If you have not given this issue much thought, or deep thought, before, that’s okay; you’re not alone in that. It’s time to get started, and the sooner the better, because as we continue to see there are more breaches, attacks, and threat actors in cyberspace than ever before. As we continue to put more in the cloud, connect more devices, and have a larger remote workforce, this becomes more and more part of your everyday operational concern, just like keeping the lights on and the water running.

If you want to discuss any of these resource concerns with a vendor-neutral consultant, email sharon@c-suiteresults.com to start discussing the resource questions you have now. Sharon provides virtual Chief Information Security Officer (vCISO) and advisory services, consults with clients on security strategies, writes policies, and helps organizations of all sizes become and remain secure and compliant.

Cybersecurity Strategy – Do You Have One?

Do you have a security strategy? I don’t mean locks and guards; I am asking if you have a cybersecurity strategy. Until recently there has been no shortage of frameworks for cybersecurity best practice and more regulations than most organizations know what to do with. But even with all of that, there have been minimal requirements to have a security program and even less enforcement on the issue.

That is, until now. The New York Department of Financial Services (DFS) has established its Cyber Security Requirements for Financial Companies (23 NYCRR 500). The new DFS regulation holds an institution’s senior leadership accountable by requiring an annual compliance certificate signed by a senior officer or board member. This is the first state legislation of its kind, and I am sure, with all the breaches we continue to see, that it will not be the last, whether or not you live in New York.

One of the big differentiators in 23 NYCRR is the requirement for covered entities to develop a Cybersecurity Program. Other regulations require risk assessments and information security policies, but I am not familiar with any that specifically require a cybersecurity program.

You can think of your cybersecurity program as your security strategy, which is important for the same reasons a business plan, a map, or an architectural blueprint is important. Without any of these you don’t know where you are going or how you are going to get there.

I’m here to let you in on a little secret. It’s not that a security strategy is difficult to create; it’s just that you, the organizational executive, have never had to create one before. Everyone you talk to about cyber keeps throwing acronyms and technical terms around that you don’t understand, and that has kept you largely at arm’s length from this topic. Because I don’t think you should be responsible for becoming a security expert, I want to break down the mystery of a security strategy so that you can see it is doable and necessary.

Policies and Procedures

It all starts with policies and procedures. You already have these for so many areas of your business; it’s a matter of adding those applicable to security and then training your employees and continuing to make them aware. ComputerWeekly reported that a recent survey conducted at the Black Hat Security Conference in Las Vegas revealed that 84% of respondents whose company has suffered a cyber attack attribute it, at least in part, to human error. Policies and procedures could have helped stop a large number of those. Sometimes people just don’t know what to do and, with a lack of guidance, will do what they think is best.

Risk Assessment

You have to know what your risks are to know what to protect and how to protect it, and you do this through a risk assessment. This is required in every best practice framework and regulation I have ever seen.

A risk assessment asks a lot of questions to identify risks, severity, and likelihood. Questions like: What sensitive data do we have? How is the data transmitted and stored? What systems are used to host the data? How are those systems accessible inside and outside your network? Do those systems have all critical security patches applied? Who are the third parties that access your data? How well are your employees and vendors trained? Who are your adversaries?

Most of this can be assessed through interviews with the people who interact with the data or manage your systems and through automated tools like vulnerability scanners. There is also a professional service called penetration testing where ethical hackers mimic what malicious hackers would do so that you truly understand your security posture and risks from the outside and inside of your network.

Risk Management

Prioritize, prioritize, prioritize: this will become your new mantra. Once you have completed your risk assessment you will be left with a list of low, medium, high, and critical items to remediate and manage. That can be overwhelming, and you can’t fix it all at once, so don’t try; the answer is the same whether you are trying to remediate your vulnerabilities or eat an elephant – one bite at a time. It’s a matter of understanding which risks are the highest, which are the easiest to fix first, and which are less important or longer-term to solve. This is where your security team and security executive are there to help. If you don’t have this team or person in place to run security, then bring in a third party to help with remediation and retesting.

Food for thought – The same ComputerWorld article said “Nearly 55% of more than 130 attendees of the 2017 Black Hat security conference in Las Vegas admitted their organizations had been hit by cyber attacks.” The reason I mention that is that it is very common to hear “it won’t happen to me.” Risk management is how you help ensure that it won’t happen to you.

Continuous Monitoring

Continuous monitoring, regular control testing, and at least annual risk assessments are how you keep this going. It is not a one-and-done project. This becomes an operational part of your business, just like keeping the lights on. Whether it’s your internal team or third party consultants that help you achieve this, it must become part of your daily culture of security.

This includes implementing and maintaining technologies that can prevent a cybersecurity event and the processes and technologies for detecting cybersecurity events, responding to events and mitigating risks, and recovery from events.

If you are still wondering “how will I accomplish all this?”, don’t worry; I understand that is a real question and concern. In my next article in this series I will discuss resources with you and how you will do this. I want to make this as simple as possible because your organization, people, and customers need to be protected from malicious individuals and from costly errors. Please note I said simple, not easy; with the right people, creating the strategy is simple, but it will take time and resources along with a culture of security to make it happen.

***

If you don’t want to wait for the next article, email sharon@c-suiteresults.com to start discussing the resource or strategy questions you have now. Sharon provides virtual Chief Information Security Officer (vCISO) services, consults with clients on security strategies, writes policies, and helps organizations of all sizes become and remain secure and compliant.

Culture of Security

After a decade as an information security (a.k.a. cybersecurity) consultant, I had seen too many people who were just hanging in there or counting down the days till Friday. I started to take a great interest in company culture and employee engagement and I wanted to figure out how to solve this problem, especially as it related to the security professional.

Just like company culture and employee engagement can make or break an organization (are employees happy to come to work and engaged, or are they looking for their next opportunity?), the culture of security, or lack thereof, can make or break an organization in terms of whether they stay in business or lose everything to a hacker, security breach, or internal error.

One unpatched desktop or one phishing email is all it takes for the hacker to get started in successfully breaching an organization. How easy or difficult this is has to do with the culture of security. The intent of this article is not a scare tactic, it is purely a reminder or maybe a new way to think about the importance of having a culture of security.

There is an old Chinese proverb that I believe really says a lot about culture (of any kind), “the fish rots from the head.” If the top leaders in an organization are not serious about security or do not understand its importance, how can anyone else in the organization take it seriously?

Here are three questions you can start with to determine whether you have a culture of security. If you can answer yes, you have started the process towards creating a culture of security; if you say no, well, then you know where to start if you want to create this culture.

  1. Have you set, and do you regularly communicate, clear expectations that security is a priority and non-negotiable?
  2. Do you expect your executives to stop projects, even the important ones, if security is not implemented?
  3. Do your employees at all levels know what to do in different scenarios, such as how to recognize a possible breach, attack, or error and how to report it?

I have seen projects implemented without security because the project was a high priority initiative from the C-Suite or the board. I’ve seen the business side win over the security side again and again where the security side had to compromise because the business was not going to budge. The fact that I’m even putting these two groups on sides shows that in many organizations there is no culture of security, because if there were, they would be working together to ensure that the business had what it needed while at the same time doing it in a way that is secure.

Part of a culture of security is having the best team possible, showing the organization that this is important by bringing in the best and not understaffing the department. It is also having a Chief Information Security Officer (CISO) or Chief Security Officer (CSO) that reports to the CEO and not to the Chief Information Officer (CIO). Too many organizations still have the CISO reporting to the CIO, and if the CISO does not have the same importance as the CIO, what message is that sending? Plus, if the CIO does not like what the CISO is saying because it could negatively impact a project, how easy is it to stop the security concern from going further up the chain of command?

The culture also includes a way to report security incidents or suspicions without repercussion. If someone thinks there is an insider threat, they need to have a way to communicate that for follow-up. If someone clicked on the wrong link and thinks they are the victim of a phishing attack, they need to be able to report that without fear of reprisal.

Does the CISO have the team he or she needs to offensively and defensively protect the network? How about the team outside of security; are the developers trained in secure coding and do project managers have enough information to know when to get help from security and who to talk to? Are there enough resources for the security team to do their job properly? This is an ever changing landscape and the hackers have unlimited resources while organizations do not. However, there has to be some budget for the security team to stay sharp and up on the latest trends.

Hiring great security people is a challenge because there are more security positions than qualified people right now, and it is a field filled with adversity. Security professionals only get recognized when there is a problem, and that recognition is not positive. When the security team does its job well, which means there has been no security violation or breach, no one notices; it seems like “business as usual” to everyone else. As a result, security professionals often don’t get any praise or recognition for what they are doing well and only get the spotlight when something has gone wrong.

That is not a great frame of mind for most people to work in, and over time, after putting out fires, racing against the clock, and doing everything to protect the network, there is still no recognition. Security professionals are getting burned out and they are ready to move on when they do not feel that there is a strong culture of security. That, combined with the current gap between qualified professionals and the number of positions available, makes it even harder for organizations to maintain security.

Culture, any type of culture, starts at the top. If you are responsible at any level for the success of your organization and have not given the culture of security much thought before that’s OK, it’s not too late. And if you need help or want to discuss your specific situation or you are looking for additional resources email sharon@c-suiteresults.com.

Whose Side Are You On? The Cyberwar Question

In every war there are two sides, whether we are talking about military action, a football game, or the fight against cybercrime. What all these scenarios have in common is that some people are on defense and others are on the offensive side of the line. You are either the predator or the prey.

Since I am not writing for the Army generals or the New England Patriots, let’s talk about cyber attacks and which side you are on.

You are probably thinking I’m on the good side, the side that is defensively protecting my network, the side that is always under attack even though I never did anything to provoke it. And I’m here to say that might only be partially true.

If you are not fully committed to doing everything possible to stop the cyber attackers, you might actually be unwittingly helping them more than you realize.

If you are not keeping your network secure, you are inviting hackers to use your network as a playground. A place where they can find vulnerabilities and practice exploiting them. A place where they can see what works and what doesn’t, what goes undetected and what gets noticed. If you are not creating secure websites and applications, you are giving the hackers more to learn from so they can then use it against other organizations.

Once inside your network, you are also giving them a place from which they can launch their next attack. If the breach goes undetected in your network, as breaches most often do, they can launch an attack on someone else and make it appear to investigators that you are the perpetrator, not them. And if you are connected to another organization’s network, you might have just opened the doors for the attacker to gain access to them, as we saw happen with the Target breach.

The attackers are fully invested in finding new ways to attack and get what they want, and if you are not equally invested in a security program, you are letting them win without putting up much of a fight. Just as you wouldn’t expect the US military to show up without a battle plan, or your favorite football team to show up without a game plan, it makes as little sense for a company or organization to show up without a security plan solidly in place.

If you are the CEO of an organization, you are responsible for what happens under your care. That means you are responsible for security and any breach that might occur. I’m not saying you personally have to be the one to figure out how to protect your network and the data that has been entrusted to you. You don’t personally have to monitor the network and know exactly what is happening at all times, but what I am saying is that you are responsible for ensuring you have the right people to do this, that they have the resources they need, the best strategy, and that a culture of security is in place.

Stay tuned for the next three articles in this series that will discuss culture of security, ensuring you have a security strategy, and having the right security resources.

As a 12-year veteran of the information security and compliance space, I invite you to send me an email at sharon@c-suiteresults.com or reach out via LinkedIn https://www.linkedin.com/in/smithsharonj/ to ask any questions you might have on this topic or other security topics that might (or should!) be keeping you up at night.

Right of Boom – Planning for Post Breach

At this year’s (2017) International Information System Security Certification Consortium (ISC2) Security Congress, we heard a keynote from Juliette Kayyem. She is the former Assistant Secretary for Intergovernmental Affairs at the Department of Homeland Security under the Obama administration. She not only talked about the importance of being prepared in order to stop attacks, but also about being prepared for what she called “Right of Boom.”

Right of Boom is what you do after an event (attack or mistake) has occurred, whether it be a bombing like the Boston Marathon, a mass casualty event caused by system malfunction like the BP oil spill, or a cyber incident. The event is the Boom and what comes next is Right of Boom (picture a timeline).

This article is focused on Right of Boom planning for cybersecurity. Whether you are an executive responsible for security and/or IT or an executive outside of this area (CEO, COO, CFO, CMO, etc.), this matters to you because at the end of the day it could mean the survival of your business.

You can plan all day long to stop a cyber attack or incident through vulnerability and risk management, good secure coding practices, and security awareness training, but you can’t stop it all. There will always be an attacker one step ahead at some point in your journey, whether because they just have more resources and time than you do, or one of your employees simply makes a really big mistake.

Since you can’t stop it all, you must plan for Right of Boom, what you do after the attack, which will be the difference between staying in business and maintaining a good business reputation, or going out of business. Even if you don’t go out of business, the way you handle Right of Boom could be the difference between a few million dollars spent in recovery and notifications and a few billion dollars spent.

Planning for Right of Boom means that you don’t just focus on a defensive approach to stopping attacks, misuse, and errors, all of which can have a catastrophic effect. You also ensure that there is proactive planning, testing, and more planning on what you do after something goes wrong. It’s not a matter of if something goes wrong; it is a matter of when.

Too many organizations are notified of a breach by a third party and oftentimes months after the breach happened. That means months have gone by with an attacker in your network doing what they want, collecting the data, and using it for their own benefit. It’s never good news when you are told by a third party that you have been hacked and that you have been leaking company and customer data for months. And with the average cost per stolen record of $141 based on the 2017 IBM Cost of Data Breach Study, imagine how much that can cost your organization not to mention the loss of customers and reputational trust.

The cost of that cleanup is much less for an organization that can detect a breach in near real time, especially if they know what to do upon identification of the incident, i.e. if they have a Right of Boom plan. It means less data loss (if any) and more time to properly clean up the incident, as in getting the servers working again with the vulnerability fixed and the bad guy out of the network, with minimal disruption to the business.

The only way that proper Right of Boom planning and response is possible is if your organization takes it seriously. Do you have a security team that is empowered to create Right of Boom response scenarios and test them? Do you have a security team that has the resources to identify a suspicious event, whether it be malicious or accidental? Do you provide training for your IT and user community to understand their role in Right of Boom? Do you have third parties on retainer or whom you can call that are specifically trained to help you contain and investigate an incident?

These are just a few critical questions to ask your security team. If you have a Chief Information Security Officer (CISO) or Chief Security Officer (CSO) they should be part of the C-Suite discussion on Right of Boom. They should have the resources they need and be tasked with and empowered to help ensure a Boom does not put your organization at great risk… or even worse, out of business.

If you do not have a CISO or CSO it’s time to either hire one or find a virtual resource that can help you on an as-needed basis with strategy planning around topics like Right of Boom. If you have questions about this or about finding a resource email sharon@c-suiteresults.com to discuss your specific situation and needs because security is what I do and I want to see your organization prepared.

The Escape Artist – How to Stop the Data Thief

When you watch Ocean’s Eleven you know that breaking in is only half the battle; you also have to get out unnoticed or undetected. The same thing that is true for bank robbers and cat burglars also holds true for hackers.

If you are a business owner or executive responsible for keeping your customers or your corporate data secure and you think it’s all about stopping the bad guys (and gals) from accessing your data, you are missing what might be the biggest point of failure: their escape.

Over the years we have seen that many breaches are not noticed or identified for months and sometimes even years, which means not only did the bad guy get away with it, he (or she) was then able to unload their loot or start using the data without worry that they would be noticed. That’s good news for them, but not so good for you.

In order to fully discuss the escape portion of the breach, the part that most people forget to talk about or protect against, let’s look at the three main players or threat actors in this scenario. Going forward I will use the common term “hacker” to mean any of these threat actors.

  1. The external hacker with no authorized access to your network: These are the people who sit behind their computers anywhere in the world and try to find networks that are open or system vulnerabilities just waiting to be exploited. Open networks are typically those that do not have good firewall rules, have publicly facing systems that should not be publicly accessible, or have exploitable web application vulnerabilities. It only takes one bad line of code, one misconfigured firewall rule, or one forgotten system on the perimeter to leave your organization exposed. Once you are exposed and they are in your network, that is where their fun begins.
  2. The third party vendor or partner who has direct access to your network (usually via VPN): These are the organizations outside of yours that you do business with and that need access to your network. They might provide you data or receive data from you, they might monitor another system that you manage, or do a number of legitimate activities. However, if you don’t know how secure their networks are, which you never truly will, or you don’t know who they employ, you have opened up your network to their network and their people. If they are hacked and that hacker finds the access to your network – boom, they are in.
  3. The trusted employee: Your employees are not going to harm you, right? Most of them will not, and even the ones that do are often not trying to harm you. But even those employees who mean no harm cause errors or misuse their credentials, which lead to breaches and data loss.

Once the data has been gathered by the hacker they need to get it out of your network and into their control, the escape. Allowing the escape is where many organizations fail by making this too easy or allowing the hacker to get out undetected. You must know all your outbound connections, they must all have a legitimate business need, they must be reviewed on a regular frequency to ensure they are still needed, and they must be monitored.

You may think this sounds like a lot of work, but if set up properly with the right tools and processes it does not have to be cumbersome going forward. If not built right the first time, it can take some time to put in place, but honestly the pain of discipline in this scenario is going to be much better than the pain of regret later.

If you are reading this and thinking, “I have no idea if data can get out of my network unnoticed,” start asking the people who work for you and manage your infrastructure these questions. For each one, here is the question you can ask, the answer you want to hear, and the next step if the answer is not what you are looking for. The Next Steps are high level and might require outside assistance or third party tools and vendors.

Question: Do we have all our outbound firewall rules documented with business justifications?
Answer you want: Yes.
Next step: Implement a plan to have the network team spend the next few months documenting all firewall rules. This will mean working with business owners to understand what traffic is necessary and where it has to go.

Question: How often do we review the rules to ensure they are still needed?
Answer you want: At least every six months.
Next step: Implement a plan, either manually or with automated tools, to start reviewing rule sets at least every six months to ensure they are still needed, still use secure protocols, and are going to the correct destination outside your network.

Question: What are we doing to monitor outbound traffic?
Answer you want: Someone should be able to give you specifics and have incident response plans that explain what they do if they see malicious or anomalous traffic.
Next step: Document an incident response plan, determine what third party resources might be needed in the event of an incident, and put processes in place to monitor traffic for anomalies or suspicious behavior.

Question: How would we know if sensitive data left the network?
Answer you want: A specific answer, which should be easy to find if it’s being done.
Next step: Research data loss prevention solutions or other network detection tools.

Question: Do we allow encrypted data out of the network?
Answer you want: No – we only send encrypted data to organizations that we have vetted and only to specific IP addresses they have given us.

This is important because malicious users and hackers will actually steal your data and encrypt it with their own encryption keys, so that it is undetectable by Data Loss Prevention (DLP) software and so that no one can steal it from them. Yes, they are often more aware of security than you are.
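As an added illustration of the checks behind the questions above (documented justification, a review at least every six months, secure protocols, and encrypted egress only to specific vetted addresses), here is a small Python audit over a constructed rule set, plus a reconciliation of a constructed outbound flow sample against it. This is example code, not anything from the article; the field names, rule ids and addresses are invented.

```python
"""Added example, not from the article: audit a constructed outbound
firewall rule set against the questions above and flag outbound flows
that no documented rule explains. Field names, rule ids and addresses
are invented for illustration."""
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

REVIEW_INTERVAL = timedelta(days=182)            # "at least every six months"
CLEARTEXT_PROTOCOLS = {"ftp", "telnet", "http"}  # not "secure protocols"
REPORT_DATE = date(2024, 6, 1)                   # constructed audit date

# Constructed rule set: one field per question the article says to ask.
RULES = [
    {"id": "OUT-1", "dst": "203.0.113.10/32", "port": 443, "proto": "https",
     "justification": "Vetted payroll provider API", "owner": "Finance",
     "last_review": date(2024, 1, 15)},
    {"id": "OUT-2", "dst": "0.0.0.0/0", "port": 443, "proto": "https",
     "justification": "", "owner": "", "last_review": date(2023, 2, 1)},
    {"id": "OUT-3", "dst": "198.51.100.0/24", "port": 21, "proto": "ftp",
     "justification": "Legacy vendor file drop", "owner": "Ops",
     "last_review": date(2024, 5, 1)},
]

def audit_rules(rules, today):
    """Return {rule_id: [findings]} for every rule that fails a check."""
    findings = {}
    for r in rules:
        issues = []
        if not r["justification"] or not r["owner"]:
            issues.append("no documented business justification or owner")
        if today - r["last_review"] > REVIEW_INTERVAL:
            issues.append("not reviewed within six months")
        if r["proto"] in CLEARTEXT_PROTOCOLS:
            issues.append(f"insecure protocol {r['proto']}")
        if ip_network(r["dst"]).prefixlen == 0:
            # Encrypted egress to "any" defeats the vetted-IP-only policy.
            issues.append("destination is any, not a vetted address")
        if issues:
            findings[r["id"]] = issues
    return findings

def permitted_by(rules, dst_ip, port):
    """Return the id of the documented rule covering a flow, else None."""
    for r in rules:
        if port == r["port"] and ip_address(dst_ip) in ip_network(r["dst"]):
            return r["id"]
    return None

# Constructed outbound flow sample (as NetFlow or a tap might report it).
FLOWS = [
    {"src": "10.0.5.21", "dst": "203.0.113.10", "port": 443, "bytes": 120000},
    {"src": "10.0.5.40", "dst": "192.0.2.77", "port": 8443, "bytes": 2400000000},
]

def undocumented_flows(flows, rules):
    """Flows no documented rule explains: either the firewall was bypassed
    or the documentation is incomplete; both need investigating."""
    return [f for f in flows if permitted_by(rules, f["dst"], f["port"]) is None]

if __name__ == "__main__":
    for rule_id, issues in audit_rules(RULES, REPORT_DATE).items():
        print(rule_id, "->", "; ".join(issues))
    for f in undocumented_flows(FLOWS, RULES):
        print("undocumented outbound flow:", f["src"], "->", f["dst"], f["port"])
```

Run as a script it prints the findings for OUT-2 and OUT-3 and the one flow (to port 8443) that no documented rule covers.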

If no one can answer these questions or you are not happy with the answers, take a deep breath and start a new conversation. No finger pointing and no yelling, but an open and honest conversation with your staff about why this is important and how things are going to have to change in order to keep the data secure.

Lastly, remember that tools do not solve all problems and only work when implemented correctly. There is no silver bullet, no matter what a vendor tells you. Ensure you have the right people asking the right questions of the vendors if you are bringing in a tool or managed service offering to monitor your network.

This is of course just the start of the conversation and the beginning of what needs to be done. If this is overwhelming and you don’t know where to start or what to do next, I can answer your questions. Email sharon@c-suiteresults.com to discuss your questions or concerns on this topic. I am a 12-year security veteran who has seen hundreds of different networks and situations, and I am happy to discuss your situation with you.

Security is Not Insurance – Debunking the Myth

Since 2005 I have been an Information Security consultant, and today I consult and coach security executives on strategy, compliance, messaging, and teams. So today I am going to talk about something that is critical to any organizational leader: information security. More specifically, the myth that security equates to insurance.

Many people in the security industry have used the insurance analogy for a very long time to explain the importance of security to an executive or client who has said, “Why do I need security? It’s expensive and nothing has happened to my network; my company’s data is fine.”

The response often provided has been “for the same reason you need car insurance or medical insurance, you never know when there will be a problem.” Using a real-world situation to help explain something that is not always clear makes sense, but this analogy is not correct.

The reason it’s not a good analogy is that security is not insurance. Insurance attempts to make you whole again. It is there to replace your car, rebuild your house, allow you to replace lost or stolen items, or help you regain your health. Security, on the other hand, does not make you whole; once your data is stolen, your network breached, or your systems locked up with ransomware, it is not security that will make you whole again. There is insurance you can purchase for the day the hacker on the other end of the phone says they want 20 million dollars to unlock your systems, but that really is insurance, not security.

If we are going to use analogies, then security is your force protection, it is proactive. You know the guys (or gals) at the perimeter with the big guns that are going to keep the bad guys (or gals) out in the first place. When I used to work at the Pentagon, there were armed guards with very big guns making sure only the people with the proper access could enter the building. Then there were locked doors within the building that could only be accessed by another select group of people. That is security! We don’t call them insurance guards we call them security guards (or in this case military police).

The same is true for access to your computer systems, network, and data. Your Information Security or Cyber Security (if you are using that term) team is the armed guards; it is their responsibility to keep the bad people out, to monitor for intrusions, and to react if or when a breach is observed. If you are treating this group as insurance you are not giving them the level of importance they deserve, the funding they need, or the authority they require.

For small organizations, you might think, “Who wants my data? I’m good till we get bigger; the hackers are out there looking for the big guys to steal from.” But that is not true at all. It’s like the burglar who will just move on to the next house when they see the ADT sign in your neighbor’s yard. If your neighbors are the bigger companies with the fancy security and armed guards, it is your network the hackers are after because they know it will be easier.

But you want to say “I don’t have anything worth taking” and that might be true at the data level, but you do have something worth taking. It is your resources, your connection to other networks, and it is the fertile playground you are giving them to practice their craft. By allowing your network to go unprotected, you are allowing hackers to practice, to find vulnerabilities they can use against other networks, and to potentially use your network to launch an attack on another organization.

I am writing this so that we can stop equating security with insurance. Stop looking at this as a cost and start looking at it as a responsibility. You are not only protecting your data, your employees, and your customers; you are also protecting other organizations by putting the guards up around yours.

If you do not have a security team or strategy, don’t worry. It’s not too late and it does not have to be scary. There are lots of great consultants out there who can help. As a 12-year veteran of the information security and compliance space, I invite you to send me an email at sharon@c-suiteresults.com or reach out via LinkedIn https://www.linkedin.com/in/smithsharonj/ to ask any questions you might have on this topic.

Disrupting the Status Quo – Part 4

This is the fourth and final article in the series, Disrupting the Status Quo. We have now discussed what the status quo is and why you should disrupt it. We have also gone deeper on the first two steps you will take on your journey to disruption: one change at a time, and getting buy in.

The last step, the one we will look at today is communicating status. This is going to take a culture of communication, which is something to consider before you start creating change. Actually it is something to consider regardless of whether you are creating change or running the day-to-day operations of your team or organization.

Imagine taking a road trip that was expected to take three days and not knowing until the end of the three days whether you had gone in the right direction, at the right speed, and with enough resources (gas, for instance). You need to know the status along the way, and that status is communicated to you in several ways.

It is communicated through your GPS or map (if you still use one). It’s also communicated through the speedometer and gas gauge. Regardless of how well you feel you planned the trip, along the way you need feedback and status in order to reach your final destination.

If you were driving this car and not getting this feedback, how quickly would you turn around? Your people, those on your team and in your organization, are driving the car in this scenario; they are the ones working towards a goal or desired outcome that you initiated. If they think they are headed for danger or don’t know where they are, it won’t take long before they turn the car around and head home for safety. That means it will not take long before you lose their buy in and they start to sabotage the plan. They want what’s safe and normal, and they can only get that through communicating status.

Communicating status should be a natural part of a culture of communication. This means that you as the leader are consistently communicating with those who report to you and the entire organization. Whether you make the time to share communication with everyone or you delegate this to your direct reports, what’s important is for you to set the stage for communication and check in to make sure it is making its way down the line. Don’t assume what you tell your team is what they will pass on unless you verify it.

Trust but verify is what I learned years ago as an auditor and it’s true in any endeavor. If you don’t ensure what you said is getting passed along properly you might end up with the end of a very twisted telephone game like you played when you were a kid. The message at the beginning and the message at the end sound nothing alike.

It is your job to keep the headlights on so everyone can see where they are going, to act as the GPS letting them know they are on the right track or if there is a detour ahead, and your job to keep the resources coming (the gas tank full) and ensure they know when they are running low.

In a culture of communication, discussing status is a two way street. You must insist that you are kept abreast of what is happening. If someone sees a roadblock ahead they must make it known and a detour must be identified. If the resources are running out faster than anticipated there must be a way to let you know so you can determine if more resources are available or other ways to reach the destination. It could also be that there is a slow leak in a tire that can be patched if identified soon enough, before the tire blows and needs to be fully replaced. In other words you need to find the root cause of problems as quickly as possible to fix them before they become costly issues that delay your progress and results.

It is vitally important that you receive this information in a timely way and create a culture where it is not only okay to provide feedback, but required. The good, the bad, and the ugly must have a way of getting back to you, and you need to have a way to communicate it out yourself. If this feels uncomfortable, check out the article on Creating a Safety Zone for ideas on how to make this easier and sustainable.

If you are looking for tactics and strategy on communication, reach out to me at sharon@c-suiteresults.com. This is an area I am happy to help with, and because there is more information than I could possibly convey in one article, I am happy to discuss specifics with you. For more resources visit www.c-suiteresults.com where you will find articles, podcasts, media, and other resources to help you along your journey. I’ll keep the lights on for you.

Disrupting the Status Quo – Part 3

This is the third article in the series, Disrupting the Status Quo. In the first article we discussed what the status quo is and reviewed, at a high level, the four steps you will take if you choose to disrupt the status quo within your organization. In the second article we took a deeper dive into the first step, Doing One Thing at a Time.

In this article we will dive deeper on the second step of getting buy in. That means that you will get buy in from the people who will be impacted by the change. In doing this they will agree that the change is needed and be willing to participate. Without buy in it can be very difficult to create change that impacts the lives of others.

People are often afraid of the unknown and you have to be clear on why the change is important, how it will positively affect those involved, and then make it digestible. When big change happens at work the common thought is “this change might make my job obsolete.”

In order to get buy in you need to talk to those that are going to be affected by the change. Yes I said you have to talk to the people impacted and I don’t mean an email either, I mean real communication. This could be talking to a team, a department, or your entire organization in person. This is where you need to step up and lead. Talk from a place of vulnerability; let them know you know how scary change is. Let them know that you know it’s going to be hard and let them know you believe in them and are counting on them.

The more you can remove the unknown from the change the less scary it will be and the more support you will have. When people know why they are doing something, what they are working towards, and have a clear picture of what the results will look and feel like they are much more likely to work with you on making the change a reality.

On the other hand when leaders don’t communicate to everyone affected by the change, rumors start and people get scared. They will fill in the blanks with information that they feel is right even if it’s not close to the truth. That is when change is scary and when people will sabotage the efforts.

This is not a one-time conversation either. You need to continue sharing and talking with those involved, helping them keep the outcome in mind and keep their buy in solid. When things get tough it’s easy for people to forget what you said three months ago and easier for them to stop moving forward. Constant reminders on what is in it for them, why this is going to be worth it, and why you need their help will be essential to keep everyone bought into your vision. It will also help you remember why you are doing the hard work and spending money, time, and resources on the change.

Lastly on buy in, also think about how to positively reinforce the behaviors you want. People do much better when they are working towards a positive result rather than working away from pain. You get better results when people do what they are doing because they know a good feeling is at the end rather than doing what they are doing to avoid punishment.

This can be tough and you might feel like you are alone at times. This is when it is most important to have people to lean on or turn to for support. Surround yourself with positive people who want what you want and help keep you focused and accountable to the results. If you need an outside source for this you can find a coach or consultant. You can reach me at sharon@c-suiteresults.com to discuss how I work with my clients on creating change and staying accountable. I can also help with strategic messaging and a communication plan to help you get the buy in and keep the buy in you need.

Disrupting the Status Quo – Part 2

In the first article in this series I outlined what the status quo is in general and three steps for disrupting it. If you have not read Part 1 yet, you might want to start there.

I also asked you to put down on paper some of the status quos in your organization that need disruption. So take out your list and follow along.

Remember from the last article that disrupting the status quo is essentially creating change and that change can be hard. Because change is hard for individuals, especially when we are talking about behavior change, the first step to disruption is to focus on one change at a time.

So how do you decide what needs to be disrupted first or what change is most needed?

You look at the list and decide which one will have the biggest impact overall. In other words, is there one change that, when implemented, will cause change in other areas?

There are typically some issues that will get resolved by focusing on changes in other areas. Here is a simplified example – can customer satisfaction be improved if you focus on product delivery? Can product delivery be improved if you focus on team dynamics or safety? If these are true then focusing on team dynamics (let’s say that’s what you said could create the change to improving product delivery) would not only affect your product delivery, but would ultimately affect and improve your customer satisfaction.

The question you need to ask and get very clear on is: what is the high level change you want? From there you can look at what the low level changes are that will push the high level change into being. And from that list you can find the one that will have the biggest impact and effect the most change.

Here is where many leaders get this wrong: they get together in a room with other executives and peers and try to figure out what the problem is they are trying to solve and all the low level changes needed. They don’t go to the source, where the information is best; they don’t go to their employees.

For solutions to have the greatest chance of solving the actual problem, you must turn to those closest to the problem, those who deal with it every day and most likely understand the root cause. If it’s an assembly problem the line worker who deals with that problem must be part of the solution, if it’s a software problem the developer who worked on the code must be part of the solution, and if it’s a customer service issue the call center representative or sales clerks must be part of the solution. You cannot solve problems you don’t know the root cause to and if you are not the one working in the area of the problem you really don’t know the root cause.

This means working with everyone in your organization (department or team) to really understand the problems, the ones that have the biggest impact and the ones where if solved the change will also affect the greatest number of people and have the greatest impact to the bottom line.

Once you have that clear picture on what needs your focus first you go to those closest to the problem and solicit their ideas. There are a ton of resources out there for you, consultants, specialists, coaches, books, articles, courses, etc. that address problem solving and decision making strategy and approaches. What I want you to take away from this is in order to start disrupting the status quo you need to have a clear picture of the problem you are trying to solve, you must work with those throughout your organization to identify what that is, you then must work with those closest to the problem on the solution, and most importantly you focus on one change at a time; the change that will have the biggest impact on your organization.

Stay tuned for the next article in this series and feel free to reach out with questions or comments to sharon@c-suiteresults.com or visit www.c-suiteresults.com for more resources. For a weekly podcast on success listen to C-Suite Success Radio available on iTunes or at http://csuitesuccessradio.libsyn.com/