3 cybersecurity 'truths' that every CISO must know
- By Ellen Sundra
- Apr 16, 2019
For government chief information security officers, today’s cybersecurity landscape continues to shift. As local, state and federal agencies launch digital transformation initiatives, they embrace a wealth of exciting new innovations. Yet in the process, they expand their attack surface and increase their threat risk, and that can get pretty scary. Especially for the CISOs.
In moderating a panel discussion titled “CISO & CIO Perspectives” during the recent RSA Conference’s “Public Sector Day” in San Francisco, I and audience members were able to learn new “truths” about the cybersecurity trends and challenges that agencies at all levels of government are facing, as presented by local, state and federal CISOs from across the country who participated in the session. We also talked about ways to address the challenges. Here are panel “truths” that stood out, along with response recommendations to make them, well, a little less intimidating:
1. The C-suite is getting more involved. In a recent Conference Board survey of CEOs and C-suite executives, cybersecurity ranked as the No. 1 external concern. As a result, we expect to see more involvement from these top leaders, as they ask their CISOs more questions about risks and request more metrics to demonstrate how their organization stacks up against malware, ransomware, breaches and other attacks. It’s critical for them to increase their participation as they pursue innovation such as mobility, the internet of things, artificial intelligence and robotic process automation -- and they must ensure that these initiatives are protected.
Interestingly enough, one panel participant -- a CISO from a large and wealthy suburban county in the Mid-Atlantic -- said he briefs his agency heads on whether a proposed IoT product meets the county government’s security requirements. If not, the head requesting the product signs off to agree to cover any resulting costs from an attack -- as opposed to holding IT financially responsible.
While the anecdote focuses on IoT, it remains relevant in all discussions about risk management and innovation, as this kind of policy-making and collaboration would benefit any government organization committed to a digital transformation. The county CISO was essentially saying, “Cybersecurity isn’t an IT thing. It’s a we thing. If you feel the reward factor of acquiring this product exceeds the risk -- and we subsequently suffer a breach -- you own the cost.”
Such policies apply risk assessment to the innovation equation, i.e., when confronted with the possible costs, decision-makers will consider cybersecurity as a higher priority. They may take a step back and ask, “Is this really the right tech investment for us? Is it worth it?” With greater due diligence, they may find solutions that bring similar or equivalent value, yet less potential for a compromise.
2. IoT is inescapable. Thanks to the widespread availability of commercial off-the-shelf tech products, there’s no putting the genie back into the bottle. IoT drives practically everything sold in the commercial world today -- from smart buildings to printers to refrigerators to thermostats to alarm systems to videoconferencing tools to virtually everything else that a public-sector organization uses.
To effectively secure the IoT ecosystem, agencies must establish optimal visibility and controls -- investing in these capabilities at the beginning of IoT acquisitions and deployments instead of figuring it out after the fact, “on the fly.” IoT manufacturers think “speed to market” first, with security as an afterthought (at best). Agencies are responsible for ensuring the products are secure when they connect to the network and remain secure while they are connected. The Department of Defense has a name for this principle: “Comply to Connect and Remain.”
3. It’s all about hygiene. We can discuss at length about how sophisticated the techniques of today’s cyber attackers have become, but ultimately, the vast majority of attacks are enabled by poor basic cyber hygiene. Without good basics, preferably guided by controls described by the National Institute of Standards and Technology, budget investment in the latest products won’t make a significant impact. This dilemma has been likened to outfitting a home with sophisticated, high-tech door locks, only to leave every window wide open.
NIST and CIS outline the basic cyber questions organizations should be able to answer:
- What are my IT assets and what missions do they support -- and where?
- What is on my network? What activity do I need to know about -- right now?
- What are my key apps/services and where are they located? How are we protecting them? By patching? Configuration management? By 24/7/365 monitoring? Automated threat analytics? Are these assets compliant with my policies?
These questions underscore the criticality of continuous visibility/monitoring and remediation. Through 2020, 99% of vulnerabilities exploited will be the ones known by security and IT professionals for at least one year, according to Gartner. The Equifax breach -- which exposed the Social Security numbers and other sensitive data of 143 million Americans -- was linked to a single software vulnerability for which a patch was available, but not installed, on a handful of servers that were not being managed because they had essentially been forgotten about.
But many enterprises don’t even do a very good job patching the IT assets they know about, let alone the many IT assets that are missed by traditional security tools. Without complete visibility and continuous monitoring, public-sector IT teams will never gain the enterprisewide view required to see all the assets that must be managed. As the Equifax situation illustrates, the smallest gap can lead to a massive compromise. With continuous monitoring, teams know at all times what activity is on their network, and what they have to do to defend data assets and comply with existing regulations. Most federal agencies are implementing such capabilities through the Continuous Diagnostics and Mitigation program, but there are some that have not taken this part of the mandate as seriously as they should.
Government CISOs are not hired to impede innovation. In essence, they are there to enhance it. They recognize that modern advances help employees better serve the public with “smarter, faster, better” tools. But they also realize that -- without effective cross-department collaboration, thorough risk assessment/management and complete visibility/continuous monitoring -- the consequences can not only undo the productive value of the tools, but can undermine the fundamental mission of the agency. When CISOs and agency heads commit fully to basics, especially visibility, the “truths” out there about threats don’t seem quite so scary.
Ellen Sundra is vice president of Americas, systems engineering, at Forescout Technologies Inc.