Today's chief information security officer (CISO) is often judged by how well the organization adheres to compliance regulations. But when organizations focus solely on compliance, they are missing important cybersecurity practices and are essentially handing their security playbooks to attackers.
This is because most organizations follow a specific set of industry-specific compliance requirements that are publicly available and typically have static, legacy security requirements baked in, which gives attackers a good sense for an organization's defenses. By understanding an organization's compliance regulations, a threat actor can better target and understand the barrier of entry in most organizations.
As an example, there are very few security requirements in the Health Insurance Portability and Accountability Act (HIPAA), as the regulation is mainly focused on privacy and encryption. In fact, HIPAA and other compliance regulations don't adequately address the risk of an external cyber-threat actor breaching and gaining access to an organization.
Compliance requirements are also fairly static and do not routinely update or mandate security requirements beyond basic measures such as reactive signature-based detection, one of the most common techniques used to address software threats aimed at a computer. It's up to the CISO to move beyond compliance and layer in additional security for the organization to keep up with cyber-threat actors' innovations. Compliance-only security strategies aren't working, and CISOs should squarely focus on advancing detection and accelerating detection coupled with network segmentation to avoid catastrophic hacks, breaches, ransomware, or other negative impacts.
One of the most important metrics for evaluating such threats looks at mean "dwell-time," or the amount of time before an attack is detected. According to Booz Allen Hamilton, cybersecurity dwell times may last between 200 and 250 days before discovery. The SolarWinds attack and long dwell time is enough evidence that CISOs need to strengthen their threat-detection procedures and build mitigations for third-party risk.
The following are some key cybersecurity strategies to consider when moving beyond compliance-only security to create a stronger defense.
1. Reduce Triage Times
Every security operations center (SOC) is drowning in events, and improving prioritization and reducing triage times will help improve threat detection and dramatically limit attacker dwell times. Creating an efficient and accurate triage process will make the most of SOC analysts' time, reduce the time to respond to and address incidents, and ensure that only valid alerts are promoted to "investigation or incident" status. Leveraging tools that are not black boxes and provide rich context and automated correlation to analysts is a good start. Every part of the triage process must be performed with urgency, as every second counts when potential hackers have access to an organization's network. Establishing a workflow that divides tasks among responders is a good first step. Workflow tools that automate assigning tasks can also help with reassigning or rejecting tasks to streamline the triage process. Speeding up triage times gives attackers less time to infiltrate and steal important data.
2. Protect Critical Data
Not all data is created equally in an organization, and companies must understand what data needs critical protection. Identifying key assets in advance is paramount to successfully guarding an organization against imminent security threats. The key to any good cybersecurity defense is to reduce exposure and minimize attack surfaces, but organizations can't protect everything equally, so sensitive data, like credit card or personal employee data, needs to be isolated from the core business network.
3. Minimize Trust Relationships
Minimizing trust relationships across parts of your business or third-party partners will help organizations better protect key assets and limit collateral damage if there is a successful attack. While organizations strive to implement zero-trust practices, this is more difficult than most security teams realize.
The basic premise of zero trust is to not trust someone until certain criteria are met. Unfortunately, most organizations don't know how many computers or users are on their network and don't know what type of data is located within the network. Implementing zero trust at scale means security teams need to know everything simultaneously at scale across the entire company — a daunting task. A more achievable first step may be to have organizations limit trust relationships by segmenting parts of their network to ensure a compromise in one area doesn't impact the entire company's network and data, which, unfortunately, happens all too often.
4. Practice Good Cybersecurity Hygiene
Organizations must keep up with basic cybersecurity hygiene, such as regularly patching applications, conducting simulated attacks, and performing regular cybersecurity training for employees. Most companies following a compliance-only security strategy will keep up with implementing security patches, but CISOs must move beyond basic compliance and design an organization with layers of cyber resiliency. And it starts with investing in basic cybersecurity practices.
The Risk of Compliance-Only Security
Cybersecurity adversaries are both opportunistic and patient. Attackers will wait for the right time to strike, such as during a natural disaster, a holiday, or simply a job change at the CISO level (as in some high-profile attacks). Attackers will also often seek the path of least resistance, and compliance-only security strategies offer a clear path to attack. Just upholding minimum compliance requirements gives hackers access to an organization's security playbook, which dramatically increases the likelihood of a security breach.