Cyber threats are becoming more widespread and nefarious. 6.4 billion fake emails are being sent each day, according to EY. Meanwhile, 1.9 billion personal and sensitive data records have been compromised between January 2017 and March 2018 at an average cost of $3.62 million per organization.
For cyber teams that are in the crosshairs of these attacks, a recommended calibration point for protecting the enterprise is the need to pay attention to the fundamentals.
HMG Strategy recently caught up with Thomas Watson, Global CISO and VP, Global Infrastructure Services at Sealed Air Corporation, to get his take on why it makes sense to focus on the essentials.
HMG Strategy: Why is it so important for CISOs to focus on 'the basics'?
Thomas Watson: My general statement is to “Win with the basics.” Focus on simple things that are a part of everyday hygiene, much like understanding your surroundings, locking your doors, brushing your teeth and changing the oil in your vehicle. Basic routine or maintenance-type items will protect you from 90% or more of the risk that a company or individual could face.
Oftentimes, CISOs are executives who grew into their position from within IT, and typical IT staff always want to have the latest and greatest technology that vendors and suppliers insist we need to protect our organizations. For years, we have acquired all of this sexy new technology, much of which sits on shelves, or the skills to support it have left the company, and all the while no one has taken the time to keep an eye on “the farm” -- systems go unpatched or continue to run on legacy operating systems. These situations are common in all industry verticals and, in my opinion, pose undue risk where simple hygiene or preventative maintenance could have helped.
What are some ways in which a focus on basic security measures (e.g. patch management) can guide a winning cyber strategy?
TW: As I mentioned, know your surroundings, understand your environment and take a risk-based approach to implementing cybersecurity. For instance, for Internet-facing systems it’s a no-brainer to ensure that your systems are running on an up-to-date, hardened and patched environment that is regularly scanned for vulnerabilities, default accounts are changed, and strong AAA practices are enforced, to name a few.
Multi-billion-dollar organizations have failed these basic tenets and have fallen to attacks. This level of scrutiny may not be necessary in a lab environment that is cordoned off behind a firewall or with other compensating measures to protect that area from attack. Essentially, invest your time and money wisely to protect the environment based on its risk potential and impact if compromised.
Another basic set of practices is to have a solid end-user awareness program. Don’t focus it just on mundane IT security items like strong passwords and handling spam, though these are important. Make it personal. People are being targeted with attacks preying on their emotions. Help them understand that what you are teaching them can be taken home and used in everyday life. For example, people sometimes push back about enforcing PINs on, say, a mobile device, as it is cumbersome to manage. If you explain to them that a bad actor could easily get their wife’s, husband’s or daughter’s full contact information from an unsecured device, then they may see it differently.
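The risk-based approach described in this answer (scrutinize Internet-facing systems for patch state, supported OS, default accounts, AAA and scan coverage, and spend less on a cordoned-off lab box) can be turned into a small, repeatable check. The script below is an added illustration, not code from Thomas Watson or Sealed Air; the inventory, the finding weights, the 30-day patch SLA and the 7-day scan SLA are all assumptions chosen for the example.

```python
from dataclasses import dataclass

# Assumed SLAs for the example; a real program would take these from policy.
PATCH_SLA_DAYS = 30
SCAN_SLA_DAYS = 7
EXPOSURE_MULTIPLIER = 3   # Internet-facing findings count three times as much


@dataclass
class Asset:
    name: str
    internet_facing: bool
    os_supported: bool            # vendor still ships security patches
    patch_age_days: int           # days since the last security patch was applied
    default_accounts_changed: bool
    strong_aaa: bool              # unique accounts, MFA, central auth logging
    last_scan_days: int           # days since the last vulnerability scan


def hygiene_findings(asset):
    """Return (finding_code, weight) for each basic-hygiene gap on the asset."""
    findings = []
    if not asset.os_supported:
        findings.append(("legacy_os", 5))
    if asset.patch_age_days > PATCH_SLA_DAYS:
        findings.append(("unpatched", 4))
    if not asset.default_accounts_changed:
        findings.append(("default_accounts", 4))
    if not asset.strong_aaa:
        findings.append(("weak_aaa", 3))
    if asset.last_scan_days > SCAN_SLA_DAYS:
        findings.append(("stale_scan", 2))
    return findings


def risk_score(asset):
    """Sum of finding weights, scaled up when the asset is reachable from the Internet."""
    base = sum(weight for _, weight in hygiene_findings(asset))
    return base * (EXPOSURE_MULTIPLIER if asset.internet_facing else 1)


def prioritize(assets):
    """Highest risk first; ties broken by name so the output is deterministic."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


def report(assets):
    """(name, score, finding codes) per asset, in remediation order."""
    return [(a.name, risk_score(a), [code for code, _ in hygiene_findings(a)])
            for a in prioritize(assets)]


# Constructed inventory for the example (not a real environment).
INVENTORY = [
    Asset("hr-db",   internet_facing=False, os_supported=True,  patch_age_days=12,
          default_accounts_changed=True,  strong_aaa=True,  last_scan_days=3),
    Asset("web-dmz", internet_facing=True,  os_supported=True,  patch_age_days=10,
          default_accounts_changed=False, strong_aaa=True,  last_scan_days=30),
    Asset("vpn-gw",  internet_facing=True,  os_supported=False, patch_age_days=90,
          default_accounts_changed=True,  strong_aaa=True,  last_scan_days=3),
    Asset("lab-box", internet_facing=False, os_supported=False, patch_age_days=400,
          default_accounts_changed=False, strong_aaa=False, last_scan_days=5),
]

if __name__ == "__main__":
    for name, score, codes in report(INVENTORY):
        print(f"{name:8} score={score:3} {', '.join(codes) or 'clean'}")
```

The point the ordering makes is the one in the answer: the lab box has the most individual gaps, but the exposed VPN gateway and DMZ web server rank above it because the same gaps matter far more where an attacker can reach them.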
How can effective execution on basic security measures contribute to execution on more complex tactics (e.g. proactive detection and response)?
TW: There is an unbelievable amount of noise that a security practitioner needs to sift through to be successful in identifying what is a true risk. Without basic security measures in place, security teams end up chasing red herrings that keep them from focusing on effective Red Team efforts and being proactive with log analysis rather than reactive to a poorly tuned set of systems.
Automation is key to this success as well. Take the time to properly tune SIEM, IDS/IPS and firewall systems early on to minimize the noise, and continue to tune them as things change. These are not set-it-and-forget-it environments -- every day, customer requests require updates or configuration changes that essentially change the playing field, which brings up another item: change control.
A rigid yet agile change control program is essential to the success of any IT program, including its security. It helps maintain effective checks and balances for organizations.
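The answer above ties three things together: tuning detection to cut noise, re-tuning as the environment changes, and putting those changes under change control. The script below is an added example (not code from the interview or from Sealed Air) showing one way those ideas look in practice: a simple failed-login detection run over constructed sshd lines, with a suppression list whose entries carry a change ticket and an expiry date so a tuning decision cannot silently outlive the condition that justified it. The log lines, the IP addresses, the ticket id `CHG-1234` and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs). 10.0.0.5 is a known backup host whose
# service account has a stale password; 203.0.113.7 is an unknown external source.
SAMPLE_LOG = [
    "2019-03-01T10:00:01 sshd: Failed password for svc_backup from 10.0.0.5",
    "2019-03-01T10:00:02 sshd: Failed password for svc_backup from 10.0.0.5",
    "2019-03-01T10:00:03 sshd: Failed password for svc_backup from 10.0.0.5",
    "2019-03-01T10:00:04 sshd: Failed password for svc_backup from 10.0.0.5",
    "2019-03-01T10:00:05 sshd: Failed password for svc_backup from 10.0.0.5",
    "2019-03-01T10:00:06 sshd: Failed password for svc_backup from 10.0.0.5",
    "2019-03-01T10:01:00 sshd: Failed password for root from 203.0.113.7",
    "2019-03-01T10:01:05 sshd: Failed password for admin from 203.0.113.7",
    "2019-03-01T10:01:10 sshd: Failed password for oracle from 203.0.113.7",
    "2019-03-01T10:01:15 sshd: Failed password for test from 203.0.113.7",
    "2019-03-01T10:01:20 sshd: Failed password for guest from 203.0.113.7",
    "2019-03-01T10:01:25 sshd: Failed password for ubuntu from 203.0.113.7",
    "2019-03-01T10:02:00 sshd: Failed password for alice from 10.0.0.9",
    "2019-03-01T10:03:00 sshd: Failed password for alice from 10.0.0.9",
    "2019-03-01T10:05:00 sshd: Accepted password for alice from 10.0.0.9",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$")

# Each tuning decision is a documented, expiring suppression. The ticket id is a
# constructed placeholder; the expiry forces a re-review when the fix is due.
SUPPRESSIONS = [
    {"src": "10.0.0.5", "user": "svc_backup",
     "reason": "CHG-1234: backup job using stale password, owner fixing",
     "expires": datetime(2019, 3, 15)},
]
NOW = datetime(2019, 3, 1, 12, 0)
AFTER_EXPIRY = NOW + timedelta(days=30)


def parse_line(line):
    """Parse one failed-login line into a dict, or None for lines the rule ignores."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "src": m["src"]}


def apply_suppressions(events, suppressions, now):
    """Drop events matched by a suppression that is still within its expiry."""
    active = [s for s in suppressions if s["expires"] > now]
    return [e for e in events
            if not any(e["src"] == s["src"] and e["user"] == s["user"] for s in active)]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source that produces >= threshold failures inside a sliding window.

    Returns a sorted list of (source, total_failures_from_source)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((src, len(times)))
                break
    return sorted(alerts)


def triage(lines, suppressions, now, threshold=5):
    """Parse, apply active suppressions, then run the detection."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    return detect_bruteforce(apply_suppressions(events, suppressions, now), threshold)


if __name__ == "__main__":
    print("untuned:      ", triage(SAMPLE_LOG, [], NOW))
    print("tuned:        ", triage(SAMPLE_LOG, SUPPRESSIONS, NOW))
    print("after expiry: ", triage(SAMPLE_LOG, SUPPRESSIONS, AFTER_EXPIRY))
```

Untuned, the rule fires on both the internal backup host and the external source, and the analyst's first job is to rediscover that the backup host is a known, tracked misconfiguration. With the documented suppression in place only the external source alerts. Once the suppression expires, the backup host reappears in the output, which is the intended behaviour: if the ticket was never closed, the noise returns and the team has to decide again rather than carrying a forgotten exception indefinitely.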
How has your own experience as a pilot contributed to your view as a CISO?
TW: By trade, I am an airplane/helicopter mechanic and fixed-wing pilot. I spent several years in aviation, which I loved, but stumbled upon IT back in the early 1990s and have been hooked ever since. It’s been an interesting journey, learning how to use my technical and analytical skills to maintain a fleet of flight school planes, work on Army heavy lift helicopters or even create a flight plan with alternative routes based on wind direction, weather and fuel consumption.
I’d have to say some of my strongest skills are in the realm of troubleshooting, communication and reason. It’s important to be able to communicate at all levels, whether they are technical solutions or ways to communicate a potential security risk to the board.
Navigation while flying a plane is no different from navigating one’s way through maintaining an effective cybersecurity program. You go into the journey with a forecast of clear skies and smooth sailing. Along the way, you encounter turbulence and have to adjust course to minimize disruption and maintain a safe flight. In the end, your destination hasn’t changed, you’ve just had to make adjustments along the way to get there. Sometimes, you have to boost the throttle and go a little faster or pull back a bit to slow down and find smoother air at a lower altitude.
It’s all about knowing where you’re going and understanding that, in theory, the shortest distance to get there is a hard, straight line. But in reality, any good pilot, or CISO for that matter, needs to be well-trained, seasoned and capable of making solid decisions under pressure and knowing when to change course.
For fellow CISOs, what other recommendations would you offer to help them succeed in their current cyber strategies?
TW: Keep it simple, stay on top of the latest trends and technologies but don’t get caught up in the hype. Most importantly, partner with fellow CISOs through collaboration and knowledge-sharing. Organizations like HMG Strategy, Information Systems Security Association (ISSA) and the CISO Executive Network are extremely important groups that bring CISOs together to sharpen steel on steel. I’d much rather learn from someone else’s mistakes than fall victim to them on my own.
We have a very unique craft that has developed wildly over the past 20+ years from something that was once an afterthought to something that has become a mission-critical part of the discussion when it comes to the success and security of an organization. I’m extremely proud of the (albeit bumpy) journey I’ve traveled, all that I have contributed and those I have mentored along the way. We have come a long way, but there are still many more opportunities to conquer. If you can get your program set up with a solid foundation by getting the basics done right, you will be able to focus your teams’ time and energy in areas that will add untold value.
Thomas Watson is an Advisory Board member for HMG Strategy’s 2019 New York CISO Executive Leadership Summit taking place on April 18 at the Grand Hyatt New York.