
Vulnerabilities / Threats | Commentary
6/25/2016 11:00 AM
Joshua Goldfarb

Mind The Gap: CISOs Versus 'Operators'

How open communication among security execs and analysts, incident responders, and engineers can help organizations stay on top of the constantly changing threat landscape.

Whether or not you’ve had the pleasure of visiting London, you are no doubt familiar with the famous warning given in the London Underground to “Mind The Gap.” The instruction is one of the most famous in the world, having found its way onto tee shirts, coffee mugs, keychains, and many other products. 

In security, we also need to mind the gap. But by that I mean the stark communication and understanding gap that exists in many organizations between the Chief Information Security Officer (CISO) and the operators -- analysts, incident responders, engineers -- in other words, the team doing the hands-on, day-to-day work.

What I find fascinating about these two distinct vantage points is that while each of them is formed by observing the same security program in the same organization, they reflect very different perceptions of reality. This creates a communication and understanding gap between the CISO and the operators that we as a security community need to “mind” in order to ensure our organizations reach their full potential. In other words, the gap itself can often impede a security organization’s progress. I’ve highlighted a few of my thoughts on why minding the gap from both perspectives is so important:

Minding the Gap from the CISO Perspective

Culture: No one wants to be the one to break the news to the CISO that something isn’t working or has failed. But for a CISO to manage risk properly, he or she needs accurate information. The key is for the CISO to create a culture where members of the security organization feel comfortable identifying gaps and shortcomings, as well as potential solutions going forward. 

Let’s use the procurement of a multi-million dollar system that isn’t meeting expectations as an example. Although it can be difficult, the CISO should be open to input around how and why the tool isn’t helping the team succeed and solicit potential solutions that will address the needs of the mission going forward. But how many times in my life have I heard the phrase, “Well, we spent $2M on that system, so it has to work.” That attitude isn’t going to help solve any problems, unfortunately.

Yeah, We Got That: When the CISO asks if a given capability exists, the overwhelming tendency is to say yes. But what if the capability is in its infancy? Or what if the capability has issues or is so immature that it does not mitigate the risk or address the challenges it is intended to? While it may be tempting to check the box, it’s better for the organization’s security posture to be honest. The CISO that pushes his or her team for more granular, detailed, and accurate information will do far better in the long run.

The Oversell: There is a famous quote that “everyone is in sales whether they know it or not.”  This also applies to everyone in the security organization who reports to the CISO. Although it may seem advantageous in the near-term to overstate or oversell capabilities, in the longer-term, this introduces risk to the organization by leading the CISO to believe that certain risks are mitigated when, in truth, they may not be. A CISO needs to be conscious and aware of this tendency and not reward those who oversell.

Minding the Gap from the Operator Perspective

Prioritize Risk: First and foremost, security is about mitigating, managing, and minimizing risk. The first step to doing this is to understand the risks and threats facing an organization and then prioritize them accordingly. Input to this process comes from intelligence, the board, executives, key stakeholders, and the security team. All inputs need to come together collaboratively with the ultimate goal of mapping out the strategic direction of the security program. This makes it much easier for all sides to see clearly and explicitly where the program is currently and where it needs to go.

Have a Plan: No organization is perfect. When confronted with shortcomings, most CISOs I know would rather spell out a way forward than read a list of complaints. This means having a plan that details what is needed to overcome challenges and build or mature a given capability to where it needs to be. The operator that comes prepared will likely be far more successful in achieving his or her goals.

Maturity Metrics: Rather than “yes, we have that capability” or “no, we don’t have that capability,” how about a matrix showing the maturity of each capability? The CISO’s ultimate goal is to mitigate risk to an acceptable level. I think most people understand that this isn’t a binary metric. A matrix mapping capabilities or initiatives to risks they mitigate and the relative maturity of each one can help the operator communicate the importance of each task, while allowing the CISO to more accurately and precisely evaluate and measure risk.

Turn Reporting on its Head: How many security organizations report the same types of metrics to the CISO each week? We created 400 tickets, re-imaged 50 laptops, saw 15,000 IDS alerts fire, etc. But what does that actually tell the CISO about mitigating risk and understanding what capabilities do or do not exist and what gaps may or may not exist? Take the prioritized list of risks and the associated strategic plan and leverage it to report relative metrics that will give the CISO a much better idea of how the security team is progressing against the strategic plan -- and narrow the gap.
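The four operator-side points above (a prioritized risk list, a plan with target maturity per capability, a capability-to-risk maturity matrix, and reporting against that plan instead of raw activity counts) fit together as one small data model. The script below is an added illustration, not code from the article or its author: the five-level maturity scale, the sample risks and capabilities, and the choice to score a risk's coverage as the mean progress of the capabilities mapped to it are all assumptions made here for the example. A risk with no mapped capability deliberately scores zero so the gap is reported rather than hidden.

```python
# Capability-to-risk maturity matrix: an added, constructed example that turns
# "yes we have it / no we don't" into a graded view a CISO can use to evaluate
# residual risk and track progress against the strategic plan.
from dataclasses import dataclass

# Maturity scale used here (an assumption; any ordinal scale works the same way).
MATURITY = {0: "none", 1: "initial", 2: "defined", 3: "managed", 4: "optimized"}


@dataclass(frozen=True)
class Risk:
    name: str
    priority: int  # 1 = highest, taken from the prioritized risk list


@dataclass(frozen=True)
class Capability:
    name: str
    current: int      # maturity level today
    target: int       # level the strategic plan calls for
    mitigates: tuple  # names of the risks this capability addresses


# Constructed sample inputs: a prioritized risk list and the capabilities mapped to it.
RISKS = (
    Risk("Credential theft via phishing", 1),
    Risk("Ransomware on endpoints", 2),
    Risk("Unpatched internet-facing services", 3),
    Risk("Insider data exfiltration", 4),  # nothing mapped to it yet: a real gap
)
CAPABILITIES = (
    Capability("MFA for remote access", 3, 4, ("Credential theft via phishing",)),
    Capability("Endpoint detection and response", 1, 3,
               ("Ransomware on endpoints", "Credential theft via phishing")),
    Capability("External vulnerability scanning", 2, 3,
               ("Unpatched internet-facing services",)),
    Capability("Security awareness training", 2, 2, ("Credential theft via phishing",)),
)


def maturity_matrix(risks, capabilities):
    """Risk name -> {capability name: current maturity level} for the capabilities mapped to it."""
    return {r.name: {c.name: c.current for c in capabilities if r.name in c.mitigates}
            for r in risks}


def plan_progress(capabilities):
    """Capability name -> fraction of its planned target maturity reached (0.0 to 1.0)."""
    return {c.name: (min(c.current / c.target, 1.0) if c.target else 1.0)
            for c in capabilities}


def coverage_by_risk(risks, capabilities):
    """Risk name -> mean plan progress of the capabilities that mitigate it.

    A risk with no mapped capability scores 0.0: that is an unmitigated gap, not "n/a".
    """
    progress = plan_progress(capabilities)
    out = {}
    for r in risks:
        mapped = [progress[c.name] for c in capabilities if r.name in c.mitigates]
        out[r.name] = sum(mapped) / len(mapped) if mapped else 0.0
    return out


def gaps(risks, capabilities, threshold=0.5):
    """Risks, highest priority first, whose coverage is below the threshold."""
    cov = coverage_by_risk(risks, capabilities)
    return [r.name for r in sorted(risks, key=lambda r: r.priority)
            if cov[r.name] < threshold]


def weekly_report(risks, capabilities, threshold=0.5):
    """Report lines a CISO can act on: coverage per prioritized risk, then progress per capability."""
    cov = coverage_by_risk(risks, capabilities)
    progress = plan_progress(capabilities)
    lines = ["Risk coverage (priority order):"]
    for r in sorted(risks, key=lambda r: r.priority):
        flag = "  <-- GAP" if cov[r.name] < threshold else ""
        lines.append(f"  P{r.priority} {r.name}: {cov[r.name]:.0%}{flag}")
    lines.append("Progress against plan:")
    for c in capabilities:
        lines.append(f"  {c.name}: {MATURITY[c.current]} -> {MATURITY[c.target]} "
                     f"({progress[c.name]:.0%})")
    return lines


if __name__ == "__main__":
    print("\n".join(weekly_report(RISKS, CAPABILITIES)))
```

Run as-is it prints the risk-ordered report; the point is what it omits: ticket counts and alert volumes never appear, only where each prioritized risk stands relative to the plan and which capabilities are behind target. Swapping the mean in `coverage_by_risk` for a minimum gives a more conservative view (a risk is only as covered as its weakest mapped control), which some CISOs will prefer.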

There is no doubt that the CISO and the operator have different perspectives when it comes to security. Minding that gap helps organizations continually mature and stay on top of the constantly changing threat landscape. A good operator will work to communicate issues and challenges honestly and clearly to the CISO. In turn, a good CISO will appreciate the truth, as long as it comes with a plan for how to address any shortcomings. Both sides need to mind the gap and meet in the middle to ensure that a security program reaches its full potential.


Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...