>> 2. Pick your sources carefully.
Confirmation bias doesn't stop at which threat to prioritize but often extends to which vendor or threat information source to listen to. Everyone wants to be the go-to resource, but consider motivation. If a CISO has a good relationship with a sales rep, for example, that vendor may get most of the security team's attention. In fact, vendors are, by far, the No. 1 source of trusted information among the CISOs we spoke with--a situation that, frankly, amazes us given all the top-notch security communities and conferences and the fact that partnering with the wrong vendor can waste a lot of money and time. A few CISOs we spoke with told horror stories of ripping and replacing gear from vendors that provided bad information. This does nothing to increase the CFO's view of IT's business savvy.
When we probed deeper about trusted information sources, we found that security engineers often talk about successes and failures with security engineers from other companies, but CISOs and directors of security don't share well. Fortunately, this trend seems to be changing, as many of the CISOs we spoke with had dedicated time and travel budget to participate in a peer group in 2011.
Robert Allen, CISO at CNA Insurance, recently participated in a CISO summit in Chicago. While he notes that conferences are never perfect, Allen was able to gather ideas that will shape his security plans.
>> 3. Embrace transparency.
"Awareness builds trust, and trust allows us to have an open and honest conversation with the business so the threats that are urgent and important are addressed," Allen says. His advice: Focus on the present--not on what could be but on what is. Continually measure and monitor your risk profile and the current threat level to reduce the chance of making a gut decision.
Of course, the only way to reduce threat noise is to filter it. GRC (governance, risk, and compliance) tools from companies such as Archer and Relational Security can help with risk assessment and mitigation based on your reality, and thus can also support transparency, but don't get caught in the weeds of managing such a system. The data is what's important, not the GRC product's bells and whistles.
>> 4. Always test new threats to figure out if you have compensating controls.
Once you identify a threat, evaluate the real-world risk to your organization. Don't just listen to the risk assessment team and accept the probability and impact they suggest. Use Metasploit, or run the virus in a VM and see what happens. You may be surprised that the effect on your network is much different from what the vendor, analyst, or article says it will be. Got an emergency, where your team is running around in a panic? That's the best time to stop and think. We've seen countless instances where a team forgot or ignored compensating controls when assessing a risk during a perceived crisis.
>> 5. Don't wait for a crisis to set goals.
The best way to prioritize is to be proactive. However, it's human nature to dither when we have no time pressures. Adding to the malaise for CISOs is the fear we'll make a bad decision. So instead, we end up with paralysis by analysis. Should we buy DLP or IPS? Focus on hardening our servers or on policies and documenting processes? Every CISO we talked with had a war story of wasting resources on a technology that didn't help with the problem at hand. Many times, business leaders forced them to choose product X because of price; other times, they admit they got sold on it by vendor Y. Risk management and resource prioritization aren't sexy. But listening to your gut just isn't effective. There are too many variables, and attackers are too wily, numerous, and adaptive.
Test. Put processes in place. Accept transparency because it will increase collaboration with business leaders, which will then enable better prioritization of risks. Only once risks are identified and ranked should you look to external resources. It's your only hope to avoid security information overload.