Bishop Fox’s Vincent Liu sat down recently with GE Healthcare Cybersecurity and Privacy General Manager Richard Seiersen in a wide-ranging chat about security decision making, how useful threat intelligence is, critical infrastructure, the Internet of Things, and his new book on measuring cybersecurity risk. We excerpt highlights below. You can read the full text here.
Fourth in a series of interviews with cybersecurity experts by cybersecurity experts.
Vincent Liu: How has decision making played a part in your role as a security leader?
Richard Seiersen: Most prominently, it’s led me to the realization that we have more data than we think and need less than we think when managing risk. In fact, you can manage risk with nearly zero empirical data. In my new book “How to Measure Anything in Cybersecurity Risk,” we call this “sparse data analytics.” I also like to refer to it as “small data.” Sparse analytics are the foundation of our security analytics maturity model.
The other end is what we term “prescriptive analytics.” When we assess risk with near zero empirical data, we still have data, which we call “beliefs.”
Consider the example of threat modeling. When we threat model an architecture, we are also modeling our beliefs about threats. We can abstract this practice of modeling beliefs to examine a whole portfolio of risk as well. We take what limited empirical data we have and combine it with our subject matter experts’ beliefs to quickly comprehend risk.
VL: If you’re starting out as a leader, and you want to be more “decision” or “measurement” oriented, what would be a few first steps down this road?
RS: Remove the junk that prevents you from answering key questions. I prefer to circumvent highs, mediums, or lows of any sort, what we call in the book “useless decompositions.” Instead, I try to keep decisions to on-and-off choices. When you have too much variation, risk can be amplified. Most readers have probably heard of threat actor capability. This can be decomposed into things like nation-state, organized crime, etc. We label these “useless decompositions” when used out of context.
Juxtapose these to useful decompositions, which are based on observable evidence. For example, “Have we or anyone else witnessed this vulnerability being exploited?” More to the point, what is the likelihood of this vulnerability being exploited in a given time frame? If you have zero evidence of exploitability anywhere, your degree of belief would be closer to zero.
And when we talk about likelihood, we are really talking about probability. When real math enters the situation, most reactions are, “Where did you get your probability?” My answer is usually something like, “Where do you get your 4 on a 1-to-5 scale, or your ‘high’ on a low, medium, high, critical scale?” A percentage retains our uncertainty. Scales are placebos that make you feel as if you have measured something when you actually haven’t. This type of risk management based on ordinal scales can be worse than doing nothing.
VL: My takeaway is the more straightforward and simple things are, the better. The more we can make a decision binary, the better. Take CVSS (Common Vulnerability Scoring System). You have several numbers that become an aggregate number that winds up devoid of context.
RS: The problem with CVSS is it contains so many useless decompositions. The more we start adding in these ordinal scales, the more we enter this arbitrary gray area. When it comes to things like CVSS and OWASP, the problem also lies with how they do their math. Ordinal scales are not actually numbers. For example, let’s say I am a doctor in a burn unit. I can return home at night when the average burn intensity is less than 5 on a 1-to-10 ordinal scale. If I have three patients with burns that each rank a 1, 3, and 10 respectively, my average is less than a 5. Of course, I have one person nearing death, but it’s quitting time and I am out of there! That makes absolutely no sense, but it is exactly how most industry frameworks and vendors implement security risk management. This is a real problem. That approach falls flat when you scale out to managing portfolios of risk.
VL: How useful is threat intelligence, then?
RS: We have to ask—and not to be mystical here—what threat intelligence means. If you’re telling me it is an early warning system that lets me know a bad guy is trying to steal my shorts, that’s fine. It allows me to prepare myself and fortify my defenses (e.g., wear a belt) at a relatively sustainable cost. What I fear is that most threat intelligence data is probably very expensive, and oftentimes redundant noise.
VL: Where would you focus your energy then?
RS: For my money, I would focus on how I design, develop, and deploy products that persist and transmit or manage treasure. Concentrate on the treasure; the bad guys have their eyes on it, and you should have your eyes directed there, too. This starts in design, and not enough of us who make products focus enough on design. Of course, if you are dealing with the integration of legacy “critical infrastructure”-based technology, you don’t always have the tabula rasa of design from scratch.
VL: You mean the integration of critical infrastructure with emerging Internet of Things technology, is that correct?
RS: Yes; we need to be thoughtful and incorporate the best design practices here. Also, due to the realities of legacy infrastructure, we need to consider the “testing in” of security. Ironically, practices like threat modeling can help us focus our testing efforts when it comes to legacy. I constantly find myself returning to concepts like the principle of least privilege and removing unnecessary software and services. In short, focusing on reducing attack surface where it counts most. Oldies, but goodies!
VL: When you’re installing an alarm system, you want to ensure it is properly set up before you worry about where you might be attacked. Reduce attack surface, implement secure design, execute secure deployments. Once you’ve finished those fundamentals, then consider the attackers’ origin.
RS: Exactly! As far as the industrial IoT (IIoT) or IoT is concerned, I have been considering the future of risk as it relates to economic drivers... Connectivity, and hence attack surface, will naturally increase due to a multitude of economic drivers. That was true even when we lived in analog days before electricity. Now we have more devices, there are more users per device, and there are more application interactions per device per user. This is an exponential growth in attack surface.
VL: And the more attack surface signals more room for breach.
RS: As a security professional, I consider what it means to create a device with minimal attack surface but that plays well with others. I would like to add [that] threat awareness should be more pervasive individually and collectively.
Minimal attack surface means less local functionality exposed to the bad guy and possibly less compute on the endpoint as well. Push things that change, and/or need regular updates, to the cloud. Plays well with others means making services available for use and consumption; this can include monitoring from a security perspective. These two goals seem at odds with one another. Necessity then becomes the mother of invention. There will be a flood of innovation coming from the security marketplace to address the future of breach caused by a massive growth in attack surface.
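The ordinal-averaging problem Seiersen describes with the burn-unit example, set beside the probability-based likelihood he contrasts it with, as an added worked example in Python. This is illustration code, not from the interview or from the book; the burn ranks follow the interview, while the three findings, their exploitation probabilities and their loss figures are constructed for this example.

```python
"""Added worked example (not from the interview or the book): why averaging
ordinal severity labels misleads, and what a probability-based view of the
same findings looks like. All inputs below are constructed for illustration."""
from statistics import mean

# Constructed: the burn-unit case from the interview, on a 1-to-10 ordinal scale.
BURN_RANKS = [1, 3, 10]


def safe_to_leave_by_average(ranks, threshold=5):
    """The misleading rule: go home when the average rank is below the threshold.
    Treats ordinal labels as if they were quantities that can be averaged."""
    return mean(ranks) < threshold


def safe_to_leave_by_worst_case(ranks, critical=8):
    """An on/off gate on the worst label. Still ordinal, but no arithmetic on
    the labels: one patient at 10 keeps the doctor in the unit."""
    return max(ranks) < critical


# Constructed findings: an ordinal severity label (1-10), the assessor's
# probability that the flaw is exploited against us within 90 days, and the
# loss if that happens. The probabilities are stated beliefs, not measurements.
FINDINGS = {
    "A": {"severity": 9, "p_exploit_90d": 0.02, "loss_usd": 50_000},   # "critical", never seen exploited anywhere
    "B": {"severity": 5, "p_exploit_90d": 0.60, "loss_usd": 200_000},  # "medium", exploited in the wild
    "C": {"severity": 7, "p_exploit_90d": 0.10, "loss_usd": 20_000},
}


def expected_loss(finding):
    """Probability times impact; keeps the unit (dollars) and the uncertainty."""
    return finding["p_exploit_90d"] * finding["loss_usd"]


def rank_by_severity(findings):
    """What an ordinal-score triage produces: highest label first."""
    return sorted(findings, key=lambda k: findings[k]["severity"], reverse=True)


def rank_by_expected_loss(findings):
    """Highest expected loss first; the in-the-wild "medium" moves to the top."""
    return sorted(findings, key=lambda k: expected_loss(findings[k]), reverse=True)


def p_any_exploited(findings):
    """Portfolio view: P(at least one finding is exploited in the window).
    Assumes the events are independent (an assumption made for this example)."""
    p_none = 1.0
    for finding in findings.values():
        p_none *= 1.0 - finding["p_exploit_90d"]
    return 1.0 - p_none


if __name__ == "__main__":
    print("average says leave:", safe_to_leave_by_average(BURN_RANKS))
    print("worst-case gate says leave:", safe_to_leave_by_worst_case(BURN_RANKS))
    print("severity order:", rank_by_severity(FINDINGS))
    print("expected-loss order:", rank_by_expected_loss(FINDINGS))
    print("P(any exploited in 90d): %.4f" % p_any_exploited(FINDINGS))
```

The point of the two rankings is that the ordinal order (A, C, B) and the expected-loss order (B, C, A) are reverses of each other on the same three findings: the label arithmetic hides the one flaw that is actually being exploited, while the probability form carries that evidence and a dollar unit through to the portfolio total.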
First career interest: Originally a classical musician who transitioned into teaching music.
Start in security: My master’s degree capstone project was focused on decision analysis. It was through this study that I landed an internship at a company called TriNet, which was then a startup. My internship soon evolved into a risk management role with plenty of development and business intelligence.
Best decision-making advice for security leaders: Remove the junk that prevents you from answering key questions.
Most unusual academic credential: Earned a Master in Counseling with an emphasis on decision making ages ago. I focused on a framework that combined deep linguistics analysis with goal-setting to model effective decision making. You could call it “agile counseling” as opposed to open-ended soft counseling. More recently, I started a Master of Science in Predictive Analytics. My former degree has affected how I frame decisions and the latter brings in more math to address uncertainty. Together they are a powerful duo, particularly when you throw programming into the mix.
Number one priority since joining GE: A talent-first approach in building a global team that spans device to cloud security.
Bio: Richard Seiersen is a technology executive with nearly 20 years of experience in information security, risk management, and product development. Currently he is the general manager of cybersecurity and privacy for GE Healthcare. Richard now lives with his family of string players in the San Francisco Bay Area. In his limited spare time he is slowly working through his MS in predictive analytics at Northwestern. He should be done just in time to retire. He thinks that will be the perfect time to take up classical guitar again.