Creating a Strong Security Culture: A Guide for CISOs & CIOs
Whether you’re a CIO or a CISO, you would undoubtedly like to see your organization embrace a stronger security culture.
Every business today, after all, is entirely dependent on its software. This makes software a potential single point of failure: a serious breach can bring any business to a grinding halt.
“The first at-scale corporation virus attacks that I can remember at least, were things like the ILOVEYOU virus, where someone clicked on it, forwarded it and it blew out people’s mailboxes”
Given this backdrop, if they want to be in a position to know that no attack is capable of bringing their business to a halt, CIOs and CISOs today must be able to properly answer the following questions.
- Do we know with certainty all of the software that our business is running, good or bad?
- Is all of this software current, patched, & secure?
- Are we confident that during an incident our teams are able to respond immediately and remediate fully, at scale?
Why do these questions matter? Because today data is at the centre of the digital transformation project. “As long as you have good data and good technology,” adds Peterscheck, “you continue to exist… It’s the information that really drives any business.” Protecting that data, then, is of paramount importance.
For most organizations, these remain very difficult questions to answer.
“The majority of our workforce needs devices in order to do their daily tasks,” says Peterscheck. “So, the real difficulty of cyberattacks, even putting aside the attempt to steal your data or penetrate your network, comes down to collateral damage. Attacks might target one group but hit fifteen different corporations and bring them down. The ability to respond quickly, get information quickly and react almost instantly is critically important to just controlling the threat.” (our emphasis)
Often the inability to do this is connected to a lack of proper technology and tools. However, it’s frequently also rooted in “corporate culture.” Happily, this means that there are also “cultural” ways you can better secure your organization. We will examine five steps you can take to improve this here.
1. Security starts at the top: educating the board
If there’s a widespread lack of board-level awareness around cybersecurity, and a corresponding lack of board-level discussion, the reasons are easy to understand. After all, cyberattacks have only evolved over recent decades from a potential inconvenience into an existential threat.
“Maintaining a good relationship between IT Operations and IT Security is critical for the business. The last thing the business wants to see is for there to be conflict or disorder or difficulties between its different IT functions.”
Some forward-looking organizations do report their progress against frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, but there’s little to no uniformity around cybersecurity compliance. At board level, discussion often begins and ends with a CIO being asked “Are we safe?” Unsurprisingly, subsequent discussions tend to be low on detail: we didn’t get breached last year, so we’ll assume that things are working.
In most organizations, if the board addresses cybersecurity at all, it’s subsumed within other IT-related issues. This is often a by-product of a common reporting chain in which the CISO reports to the CIO. The CIO then presents to the board a range of what – to them – are more or less equivalent priorities: digital transformation, the move to the cloud, cost controls, innovation, business efficiency or countless other important IT-related topics. Cybersecurity can easily end up an also-ran.
Today, most would agree that this fails to give security its due. Increasingly, cybersecurity constitutes the biggest external threat to your organization’s bottom line. The potential implications of a breach to the CISO or CIO don’t need spelling out. It’s in everyone’s interests – across the business – that cybersecurity gets the attention it deserves from the board down.
This often hinges upon the position, influence, and personality of an organization’s CISO.
The future of the CISO
Many companies have taken the step of having the CISO report to the board. Regardless of the reporting chain, however, the nature of the CISO’s role is something that must evolve. The ability to be in sync with the wider business, and to communicate effectively to it, is vital.
Broadly speaking, we encounter three types of CISOs today:
1. The deep-tech CISO
Perhaps the most frequently encountered remains the cybersecurity expert who has risen through the ranks of the organization’s IT team, acquiring an increasingly specialized skillset. These people are steeped in cybersecurity technology and possess invaluable security knowledge the business definitely needs; however, this specialism may also have isolated them from the wider business narrative. Given the chance to communicate directly with the board, they might struggle, and they might equally struggle to properly equip a CIO to do so on their behalf. This CISO type needs to think about further equipping themselves, so that they can communicate with (as well as protect) their organization.
2. The business-facing CISO
Our second CISO has also come up through the IT ranks but has successfully established a deeper connection to those wider business needs and narratives. However technical this second CISO type’s background may be, they’ve added to it. Perhaps they’ve had some experience working at the business-IT interface before, or have simply grasped the changing requirements of the role. These are of course better positioned to inform the CIO, or even to address the board directly.
3. The business CISO
Finally, we have the type that is arguably the most indicative of the future CISO role. These frequently arrive from the business side itself (whether they’re promoted internally or brought in from elsewhere), and view security as a factor inextricably connected to the wider strategic agenda. These tend to be the best equipped to communicate at board-level. If the business has already sought out this type of CISO, it is likely already addressing cybersecurity at the board level. A CIO that seeks out a CISO with this outlook can only strengthen their hand.
For those organizations that continue to allow cybersecurity to be neglected as a board-level concern, the consequences will be a lack of scrutiny and transparency. Encouraging and facilitating board-level engagement with cybersecurity is perhaps the most important thing any CIO or CISO can hope to do to improve an organization’s security culture at large.
Most significantly, the organization will more likely become conscious of whether it suffers from what is probably the gravest cultural threat to organizational security – a dislocation between its IT and Security functions.
2. Solving the IT Security/Operations rift: a deeper awareness
When it comes to cybersecurity, it’s worth reiterating the same commonly overlooked statement of fact: that your business, every business, runs on software. The paradox of digital transformation is that, as well as being the most crucial asset to your business (the thing without which it would be impossible to work), this software also doubles as a potential attack vector.
“Through 2021, 99% of vulnerabilities exploited will be ones known by security and IT professionals for at least one year.”
We know the principal reason for these long periods of known, unremediated vulnerabilities, too. In the vast majority of organizations, Security is not in charge of deploying patches, updates, upgrades, and fixes.
Sometimes it’s a matter of formal separations of duties, sometimes of silos of control around technology. The resulting chasm, however, yawns wide, and is founded upon (or serves to perpetuate) differences in outlook.
IT Operations is keen to support the business agenda. We can look at this as simply “keeping the lights on”, or more grandly as “facilitating digital transformation”; the two are ultimately one and the same, which points back to our earlier observation that every organization is a software business. On the other hand, IT Security is focused solely on identifying and mitigating risks in order to keep the organization secure.
Nothing could be more “cultural” than this. At a macro level, we can see how the tension between these outlooks is at the heart of the digital transformation process. The more digital organizations become, the more digital risk proliferates.
A good example of this? Patching. “90% in thirty days” is a claim often made, and proudly, by organizations we talk to. However, the average time between a vulnerability being announced and attacks being launched to exploit it is only 7.72 days. Combine that with the fact that a 90% success rate leaves 10% unpatched – and a door that’s 90% closed is still open. Bad actors only need to breach one device to gain initial entry. Taking pride in hitting 90% can only be born of a “good enough” mentality with regard to security, again rooted in cultural factors.
In many ways, what needs to happen here mirrors what needs to happen at the board level.
Just as the forward-thinking board, and the forward-thinking CIO, must be careful to give cybersecurity its proper due, today’s IT Operations teams must embrace their sizable security responsibilities in turn.
As long as they see their security responsibilities as merely a matter of helping to execute the priorities of others, rather than as a fundamental duty of their own, these responsibilities will not be taken sufficiently seriously, and shortcomings in their execution will be merely tolerated, if noticed at all. In fact, security is a key aspect of keeping the lights on, since nothing interferes with day-to-day business priorities like a security breach.
This isn’t only down to IT Operations, however. Just as the forward-thinking CISO must seek to better understand the needs and narratives of the wider business, and to communicate with it, IT Security must realize the impact that its own needs (and products) can have on the day-to-day running of the business. This too can be a question of communication: not just throwing alerts over the wall for Operations to worry about, but helping them to prioritize between different degrees of threat and reaction. It is, however, true that such collaboration can only go so far.
The advances made by organizations careful to bridge the SecOps divide are striking.
4. Adopt a post-breach mindset: from prevention to cure
A caveat to all advice concerning the prevention of a breach (here and elsewhere) should be that – whatever lengths you go to in order to educate your organization, and however much you invest in security – with the average enterprise fielding over 4,000 attacks per day, and the average employee at any of these enterprises being (after all) a human being, a breach will remain an inevitability.
“There was a time when it was ok to wait a week or two. I think today real-time information makes all the difference.”
It is perhaps at this critical moment, with a successful breach underway, that an organization with siloed Security and Operations teams suffers most.
At this point, the preceding lack of collaboration and communication in a siloed organization naturally spills into the crisis. All too often, we see siloed organizations waste the opportunity to make a significant positive difference to a breach’s final bill of damage by bickering, playing the blame game, and generally sticking their heads deep into the sand.
What could they be doing instead? Well, according to the Ponemon Institute, organizations able to contain a breach within thirty days save a million dollars compared with those that don’t. And with the right SecOps alignment in place, organizations can expect to respond much, much quicker than one month!
The stakes are hardly small, and in some circumstances, could spell the difference between your organization’s survival and extinction.
What are the three main steps you need to take?
Security and Operations need to form a collective plan
The opposite of passing the buck, of course, is having a shared, crystal-clear understanding of precisely what your responsibilities are in a crisis scenario. These will inevitably involve Security and Operations teams having to work together. In most organizations, the dynamic is often the same as with vulnerabilities – Security identifies, Operations remediates.
The organization must empower Operations to react
Once the organization acknowledges the importance of the collaborative model, it will quickly become clear what Operations requires in order to react to a breach. It can ultimately be reduced to three core capabilities: Actionable Visibility (so they can see where the attack is taking place), Automation (so they can effortlessly extend the fix) and Real-time Response (so they can react quickly).
Of these, speed is increasingly celebrated by forward-thinking CIOs such as Signify CIO Kurt De Ruwe: “Viruses and phishing attacks happen in the moment, so you need to be able to react quickly. There was a time when it was OK to wait a week, two weeks before having the information, but today, real-time information makes all the difference.”
Extend funding to encompass a cure (as well as prevention)
We hear all the time in medicine about the priority of prevention over cure. In IT Security, a degree of reversal is taking place. It follows naturally that a shift in mindset will be followed by a shift, or expansion, of funding.
“If Operations is not proactively helping Security to do their job, they’re going to be going around Operations to do their job, and that really builds a lack of trust and problems – even during an emergency, where the first thing people are doing isn’t acting on data but pointing fingers at one another saying ‘hey, what are Operations doing?’ or ‘hey, what are Security doing?’ At our organization, Security and Operations share information and tooling wherever possible – and it means we can respond much quicker to threats.”
5. Embracing the penetration testing mindset
Penetration testing (pen testing for short) is basically a controlled cyberattack conducted either internally or by a third-party in an effort to highlight vulnerabilities within your business. Some organizations opt for a pen test for specific products before they bring them to market.
“Is your vendor going to quickly update/patch all of that third-party software when public vulnerabilities are discovered and exploits are released?” Neel asks. “The weakest link could be used to compromise your environment.”
For some, it may be a regulatory requirement. Others deploy a pen test to make sure their current security tools are functioning as they should. Regardless of the reasons why, the overall outcome is the star of the show: the vulnerabilities found guide you to make decisions which affect the future of your business or product.
It’s important to know that multiple perspectives can all still be correct. Business is built on being cheaper, faster, and better able to offer the customer more than they could get without your input. However, businesses can easily become very introverted, increasingly fixated on their own processes, personnel, and ideas. A penetration test asks someone with a different set of perspectives to help ensure you’re prepared for scenarios you don’t invite and might not otherwise be sure you can control.
This more scrupulous attitude can and should be extended to third-party tools as well. There’s no point embracing this kind of transparency and self-scrutiny without also looking for it in your partners and vendors.
Let’s take, as an interesting example, SecOps tools, the very tools meant to help secure your business and bridge the Security-Operations divide.
For instance, it has surprised many to learn that one well-known EDR tool’s basic functionality depends upon free and open source tools. This is essentially a matter of supply-chain security. “Whether you like it or not, you must now be concerned about the security maturity of every vendor tied to every piece of third-party software within that environment,” explains PEN Consultants’ Robert Neel (a former exploitation expert with the NSA), in a recent analysis of the tool in question.
Conversely, in a show of its own adoption of the “penetration test mentality”, security vendor 1E invited PEN Consultants to extensively test its own EDR tool, Tachyon. “Tachyon is, without question, the most secure EDR solution we have tested,” Neel concluded. “1E obviously takes secure programming and development seriously.”
A further cultural way of bridging that Security-Operations divide, then, comes from considering more than just a tool’s utility when we purchase it, and also considering its impact on security (yes, even a security tool!). Tools purchased with a view to providing greater security should also be weighed for their usability by Operations, who will need to be depended upon if the tool is going to really make a difference.
Conclusion: where culture meets technology
Breaking down the cultural silos between Security and Operations will of course impact the tool selection process for both.
“If Security is acting on its own in tool selection, product purchasing, they aren’t necessarily as effective as they could be, because they may not know all of the information they have access to, they may not know all the different endpoints, and they may not know everything going on in the organization,” explains our expert Director of End User Computing CIO Rob Peterscheck. “Typically speaking, Security still represents a small amount of Operations’ budget and workforce. They simply don’t have the human capacity Operations does in addition to budgetary constraints. For Security to be effective, they need operational people who understand their products and needs.”
Peterscheck emphasizes that the opposite is also true, however. “For Operations to be effective, we need to ensure we have good security tools and are also feeding Security all the information they need to make effective decisions,” he says.
When the two IT factions do work together to select the right tools to secure the business, we often see a fascinating thing take place: the tension between digital transformation and digital security is reversed, and organizations start to adopt solutions that increase rather than impede efficiency, while also making the organization more secure. In other words, if you empower IT Operations with the tools they need to help secure the business, the same tools help them to perform their other responsibilities more efficiently, delivering value for the business in ways that go beyond securing it.