CISOs have come a long way, baby. From their roots in analyzing and addressing information security and controls, most CISOs have expanded their roles by hiring great talent and fighting incidents very well. Moreover, they are now firmly established at the board level, since cybersecurity is a top concern for boards and we are educating our leaders.
Now, information security is at a crossroads. The volume and complexity of threats are increasing, and we need to shift away from our historical response methods to more modern approaches.
One of the first things that CISOs can do differently – which is very easy – is to stop boiling the ocean. We have been focusing on the same security controls for more than 20 years. If our processes have not worked for this long, it is time we change.
For example, when network scanners first came out, I was an early adopter, running a tool called CyberCop and literally reading up on what each detected vulnerability meant. That was 20 years ago! Today, I am still sitting in vulnerability remediation meetings looking at thousands of vulnerabilities, and when an IT professional is engaged, they end up perplexed as to why these numbers do not change even though they patch.
Here’s another example of how things must change: passwords. Password theft is still a primary way that environments are being compromised. CISOs have dealt with this by making passwords more complex or requiring passphrases, and it keeps going on. I myself was using password-cracking tools in my early career! I pulled a book off my shelf the other day, copyrighted 1989 by Coopers & Lybrand, describing how to control passwords (see below). Today, we even have technology that does not use passwords at all (e.g. biometric authentication). Why are we not deploying this now?
Source: Coopers & Lybrand, 1989
My third example of what must change: software code vulnerabilities. It’s yet another example of a security issue that has continued to linger.
I tested two early code vulnerability scanners years ago, AppScan and WebInspect, and the top issues then were SQL injection and cross-site scripting. Fast-forward to today. I was reviewing the output from application code scanning recently and guess what the top issue was? Cross-site scripting.
These decades-old issues continue to endure.
Vulnerabilities keep growing and new exploitation techniques keep proliferating. What is also remarkable is the number of security technology vendors in the market. “The Threat Intelligence Handbook” by Recorded Future states on page 47 that “Financial investment advisers Momentum Partners identified more than 1,700 companies in 2017 that specialize in cybersecurity technologies and services.” This number is even higher now.
Forward to the Future
So back to the question: what should a CISO do differently now?
I just gave examples of what CISOs are doing, and those things are not working. Today’s CISO must simplify and focus on what is relevant. We are past reviewing scorecards of low-risk vulnerabilities that will not get remediated and are likely not even meaningful to the protection of the environment.
Let’s rethink the role and mission of the CISO. We all must become our own personal CISO within our own worlds and shift our thinking on how we protect those assets that are most important. We need to be informed of the impact of vulnerable systems, because security is no longer only a corporate topic. It is a life topic. Work has blended with home, and technological boundaries are evaporating.
The first responsibility of the CISO must be to focus on education and training. Expand beyond the security staff to the entire corporation, its customers and, yes, the public. Our solutions and products are used by the public, so the public must also be better educated.
Today’s corporate CISO must also simplify what’s meant by the term ‘security’ and focus on what is meaningful for the organization. What can actually be exploited? How are we truly protecting the data? How do we instill privacy for the information we are entrusted to protect?
In this vein, I have refocused how I think of security. I now structure it into three blocks.
- We must focus on identity: identifying who is on our systems and what they can do there. I have shared with you how we have been struggling with passwords for over 20 years. We now have options that provide better authentication and security than passwords. We have technology that can analyze the behavior of what a user does, and we can tell when that user deviates. Let’s begin using these technologies and let’s get rid of the password. Then we start really protecting ourselves.
- Vulnerabilities. These are the ways a bad actor or malware can get into the system without going through an authorized means of access. We must focus on those true vulnerabilities and address them head-on. We also must educate our developers to code securely and provide tools at the front end of software development to quickly detect vulnerabilities and address them. Vulnerabilities extend beyond what scanners show us: configuration weaknesses, lack of patching, poor code, and so on. They also include weaknesses that are plainly evident. Are we backing up data? Are we encrypting? If we are not doing the basics, then we have vulnerabilities.
- We must monitor and detect. What is trying to attack us? Can we see it? Are we doing what we are supposed to be doing to monitor and detect effectively in 2019? Are we sending out data that should not be sent?
Overlaying these three focus areas is a fundamental requirement: we must educate. Educate beyond technology, to the entire organization and to our customers.
So, to recap: CISOs must simplify what we are doing, educate our users, use modern authentication tools, address true vulnerabilities and monitor for the true actions that can harm us. Once we begin doing all of these things, we and our organizations will be much better positioned.
Mignona Cote is a highly distinguished security expert who has held high-level executive roles at companies such as AIG, Aetna, Bank of America, PepsiCo and Verizon. Most recently, Cote has been named HMG Strategy CISO Executive-in-Residence, where she connects with fellow security leaders on the top opportunities and challenges they face in their roles and helps bring those discussions into the HMG community.