Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/29/2017
07:05 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

First US Federal CISO Shares Security Lessons Learned

Greg Touhill's advice for security leaders includes knowing the value of information, hardening their workforce, and prioritizing security by design.

INSECURITY CONFERENCE - Washington, DC - Greg Touhill encouraged his audience of security leaders, whom he dubbed "the cyber neighborhood watch," to swap war stories and lessons learned during his keynote at Dark Reading's inaugural INSecurity conference, held this week in Washington, DC.

As the first CISO of the US federal government, and with an extensive background in government cybersecurity and the military, Touhill has several stories of his own. Drawing from years of experience, the Cyxtera president shared his own lessons learned to kick off an event created to bring cyber defenders together so they can discuss problems and challenges.

One of the biggest problems is explaining to the business how cybersecurity is a risk management issue. Most security pros struggle to communicate with business leaders, who "speak a different language than we do," he explained.

"I keep on hearing executives talk about cybersecurity being a technology problem, and they keep pouring money into buying new stuff," said Touhill as an example. The enterprise instinct to buy new protective tools often distracts them from the core problem of managing risk.

One of Touhill's lessons was to avoid chasing fads. Sometimes new doesn’t mean improved, he noted. Security leaders need to keep tech current, not buy every new tool. They should do their homework and base their product decisions on both risk potential and business value.

Knowing the value of corporate information is a key part of evaluating and managing risk. Business leaders know their data exists but can't explain what it means or how much it's worth. It's tough to know where to prioritize security if you don't know which data is most valuable.

"Information is one of the most valuable assets any business, any operation has," Touhill emphasized. "Look at your infrastructure, look at how you architect. Know the value of your information and don't try to defend everything. Defend what you need to defend."

Security leaders must also prioritize security by design, he continued, using the transition to the cloud as an example. "A lot of folks jumped into the cloud without knowing about the tall, craggy mountains on the other side of that cloud," he pointed out.

Touhill's lessons extended to security employees. "Humans fail all the time," he said, but you can bring down the risk of catastrophic events by training people and making sure they're appropriately resourced. Hardening the workforce is "critically important."

"People are your weakest link but also your greatest assets," Touhill continued. It's up to security leaders to make the business case for additional training, which is necessary but expensive. The need for education will never go away. Team members, and colleagues across the enterprise, should be taught to "think like a hacker" and "be very suspicious."

The sentiment extended to another lesson: have a zero-trust model. Most security pros haven't taken a full inventory of all the trust relationships they have, he argued, encouraging the audience to look at where their trust lies and "be skeptical." Knowing and remembering the value of information will be critical as a new wave of professionals enters the workforce.

"We're raising a generation of folks who are freely surrendering their privacy - your privacy - by giving up information and not recognizing the value of it," Touhill said.

Other lessons touched on security fundamentals. He urged the audience to identify where they aren't mastering basics or being consistent. "How many times has someone gotten breached and left the backdoor open?" he asked, relating his advice back to thinking like a hacker.

Attackers will go for the underbelly, Touhill continued. They will check every door and window to make sure they are locked. And if they're not, they will take advantage of it.

Ultimately, along with protective measures and strategies, leaders must also "be prepared for a really bad day," he concluded. Security teams identify risk and threats, protect against them, and often build response plans but rarely exercise them to practice for a real incident. Those who need to practice the most often don't.

In the best organizations, everyone participates in cyber exercises and drills - even the boards and the CISOs. "A bad day is going to come for each and every one of us," Touhill emphasized.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/30/2017 | 8:32:12 PM
Re: Executives wait for "technologists" to lock their own front doors
@SchemaCzar: Not just executives -- even the very top executives. An MIT professor once told me a story of how a company sent out "fake" phishing emails to its employees as a test, and one of the people who clicked on the link was a C-suite executive. When asked why he clicked on the link, the C-suiter responded, "I wanted to see what would happen."
SchemaCzar
50%
50%
SchemaCzar,
User Rank: Strategist
11/30/2017 | 9:32:07 AM
Executives wait for "technologists" to lock their own front doors
Reading security news and the general news, I conclude that Touhill needs to talk tougher to executives.  There are too many stories of executives who can't be bothered to follow the same security policies that must be followed by others in the organization.  They are the highest-value person targets in the organization, and they often feel they can dump their own security on an underling, or worse, that security is the organization's problem rather than their personal responsibility.  I recently heard of a high-level VP in a large, regulated business who flat-out refused to follow password change, or even password complexity policy.  This was before password change policies were brought into question, but long after secure password managers were available that make password change and complexity requirements manageable.

Touhill is right that these executives think cybersecurity is a technology problem.  So is the physical security of their own homes: a technology problem.  If they treated home security the way they do organizational security, they wouldn't even lock their own front doors.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/29/2017 | 8:30:55 PM
Basics
Reminds me of that old reality show "To Catch a Thief," which demonstrated to people how easy it was for burglars to break in and steal them blind in a matter of about ten minutes. Almost all the time, there was an unlocked window or unlocked door.

Same thing in cybersecurity. The bad guys don't go right to sophisticated techniques. They go to basic, common passwords and they go to recently announced zero-days to check for a lack of a patch.
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8096
PUBLISHED: 2020-04-07
Untrusted Search Path vulnerability in Bitdefender High-Level Antimalware SDK for Windows allows an attacker to load third party code from a DLL library in the search path. This issue affects: Bitdefender High-Level Antimalware SDK for Windows versions prior to 3.0.1.204 .
CVE-2020-11586
PUBLISHED: 2020-04-06
An XXE issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request that contains malicious XML DTD data.
CVE-2020-11587
PUBLISHED: 2020-04-06
An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an API request and get the content of ETL Processes running on the server.
CVE-2020-11589
PUBLISHED: 2020-04-06
An Insecure Direct Object Reference issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make a GET request to a certain URL and obtain information that should be provided to authenticated users only.
CVE-2020-11590
PUBLISHED: 2020-04-06
An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP GET request to HealthPage.aspx and obtain the internal server name.