6/25/2016
11:00 AM
Joshua Goldfarb
Commentary
Mind The Gap: CISOs Versus 'Operators'

How open communication among security execs and analysts, incidents responders, and engineers can help organizations stay on top of the constantly changing threat landscape.

Whether or not you’ve had the pleasure of visiting London, you are no doubt familiar with the famous warning given in the London Underground to “Mind The Gap.” The instruction is one of the most famous in the world, having found its way onto T-shirts, coffee mugs, keychains, and many other products.

In security, we also need to mind the gap. By that I mean the stark communication and understanding gap that exists in many organizations between the Chief Information Security Officer (CISO) and the operators -- analysts, incident responders, engineers -- in other words, the team doing the hands-on, day-to-day work.

Source: Wikipedia

What I find fascinating about these two distinct vantage points is that while both are formed by observing the same security program in the same organization, they reflect very different perceptions of reality. This creates a communication and understanding gap between the CISO and the operators that we as a security community need to “mind” in order to ensure our organizations reach their full potential. In other words, the gap itself can often impede a security organization’s progress. I’ve highlighted a few of my thoughts on why minding the gap from both perspectives is so important:

Minding the Gap from the CISO Perspective

Culture: No one wants to be the one to break the news to the CISO that something isn’t working or has failed. But for a CISO to manage risk properly, he or she needs accurate information. The key is for the CISO to create a culture where members of the security organization feel comfortable identifying gaps and shortcomings, as well as potential solutions going forward.

Let’s use the procurement of a multi-million-dollar system that isn’t meeting expectations as an example. Although it can be difficult, the CISO should be open to input about how and why the tool isn’t helping the team succeed, and should solicit potential solutions that will address the needs of the mission going forward. But how many times in my life have I heard the phrase, “Well, we spent $2M on that system, so it has to work.” That attitude isn’t going to help solve any problems, unfortunately.

Yeah, We Got That: When the CISO asks if a given capability exists, the overwhelming tendency is to say yes. But what if the capability is in its infancy? Or what if the capability has issues or is so immature that it does not mitigate the risk or address the challenges it is intended to? While it may be tempting to check the box, it’s better for the organization’s security posture to be honest. The CISO who pushes his or her team for more granular, detailed, and accurate information will do far better in the long run.

The Oversell: There is a famous quote that “everyone is in sales whether they know it or not.” This also applies to everyone in the security organization who reports to the CISO. Although it may seem advantageous in the near term to overstate or oversell capabilities, in the longer term this introduces risk to the organization by leading the CISO to believe that certain risks are mitigated when, in truth, they may not be. A CISO needs to be conscious and aware of this tendency and not reward those who oversell.

Minding the Gap from the Operator Perspective

Prioritize Risk: First and foremost, security is about mitigating, managing, and minimizing risk. The first step to doing this is to understand the risks and threats facing an organization and then prioritize them accordingly. Input to this process comes from intelligence, the board, executives, key stakeholders, and the security team. All inputs need to come together collaboratively with the ultimate goal of mapping out the strategic direction of the security program. This makes it much easier for all sides to see clearly and explicitly where the program is currently and where it needs to go.

Have a Plan: No organization is perfect. When confronted with shortcomings, most CISOs I know would rather be shown a way forward than read a list of complaints. This means having a plan that details what is needed to overcome challenges and build or mature a given capability to where it needs to be. The operator who comes prepared will likely be far more successful in achieving his or her goals.

Maturity Metrics: Rather than “yes, we have that capability” or “no, we don’t have that capability,” how about a matrix showing the maturity of each capability? The CISO’s ultimate goal is to mitigate risk to an acceptable level. I think most people understand that this isn’t a binary metric. A matrix mapping capabilities or initiatives to the risks they mitigate and the relative maturity of each one can help the operator communicate the importance of each task, while allowing the CISO to more accurately and precisely evaluate and measure risk.

Turn Reporting on its Head: How many security organizations report the same types of metrics to the CISO each week? We created 400 tickets, re-imaged 50 laptops, saw 15,000 IDS alerts fire, etc. But what does that actually tell the CISO about mitigating risk, about which capabilities do or do not exist, and about what gaps may or may not exist? Take the prioritized list of risks and the associated strategic plan and use it to report relative metrics that will give the CISO a much better idea of how the security team is progressing against the strategic plan -- and narrow the gap.

There is no doubt that the CISO and the operator have different perspectives when it comes to security. Minding that gap helps organizations continually mature and stay on top of the constantly changing threat landscape. A good operator will work to communicate issues and challenges honestly and clearly to the CISO. In turn, a good CISO will appreciate the truth, as long as it comes with a plan for how to address any shortcomings. Both sides need to mind the gap and meet in the middle to ensure that a security program reaches its full potential.

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ...