Whether or not you’ve had the pleasure of visiting London, you are no doubt familiar with the famous warning given in the London Underground to “Mind The Gap.” The instruction is one of the most famous in the world, having found its way onto tee shirts, coffee mugs, keychains, and many other products.
In security, we also need to mind the gap. By that I mean the stark communication and understanding gap that exists in many organizations between the Chief Information Security Officer (CISO) and the operators (analysts, incident responders, engineers), in other words, the team doing the hands-on, day-to-day work.
What I find fascinating about these two distinct vantage points is that while each of them is formed by observing the same security program in the same organization, they reflect very different perceptions of reality. This creates a communication and understanding gap between the CISO and the operators that we as a security community need to “mind” in order to ensure our organizations reach their full potential. In other words, the gap itself can often impede a security organization’s progress. I’ve highlighted a few of my thoughts on why minding the gap from both perspectives is so important:
Minding the Gap from the CISO Perspective
Culture: No one wants to be the one to break the news to the CISO that something isn’t working or has failed. But for a CISO to manage risk properly, he or she needs accurate information. The key is for the CISO to create a culture where members of the security organization feel comfortable identifying gaps and shortcomings, as well as potential solutions going forward.
Let’s use the procurement of a multi-million dollar system that isn’t meeting expectations as an example. Although it can be difficult, the CISO should be open to input around how and why the tool isn’t helping the team succeed and solicit potential solutions that will address the needs of the mission going forward. But how many times in my life have I heard the phrase, “Well, we spent $2M on that system, so it has to work.” That attitude isn’t going to help solve any problems, unfortunately.
Yeah, We Got That: When the CISO asks if a given capability exists, the overwhelming tendency is to say yes. But what if the capability is in its infancy? Or what if the capability has issues or is so immature that it does not mitigate the risk or address the challenges it is intended to? While it may be tempting to check the box, it’s better for the organization’s security posture to be honest. The CISO who pushes his or her team for more granular, detailed, and accurate information will do far better in the long run.
The Oversell: There is a famous quote that “everyone is in sales whether they know it or not.” This also applies to everyone in the security organization who reports to the CISO. Although it may seem advantageous in the near-term to overstate or oversell capabilities, in the longer-term, this introduces risk to the organization by leading the CISO to believe that certain risks are mitigated when, in truth, they may not be. A CISO needs to be conscious and aware of this tendency and not reward those who oversell.
Minding the Gap from the Operator Perspective
Prioritize Risk: First and foremost, security is about mitigating, managing, and minimizing risk. The first step to doing this is to understand the risks and threats facing an organization and then prioritize them accordingly. Input to this process comes from intelligence, the board, executives, key stakeholders, and the security team. All inputs need to come together collaboratively with the ultimate goal of mapping out the strategic direction of the security program. This makes it much easier for all sides to see clearly and explicitly where the program is currently and where it needs to go.
Have a Plan: No organization is perfect. When confronted with shortcomings, most CISOs I know would rather spell out a way forward than read a list of complaints. This means having a plan that details what is needed to overcome challenges and build or mature a given capability to where it needs to be. The operator who comes prepared will likely be far more successful in achieving his or her goals.
Maturity Metrics: Rather than “yes, we have that capability” or “no, we don’t have that capability,” how about a matrix showing the maturity of each capability? The CISO’s ultimate goal is to mitigate risk to an acceptable level. I think most people understand that this isn’t a binary metric. A matrix mapping capabilities or initiatives to risks they mitigate and the relative maturity of each one can help the operator communicate the importance of each task, while allowing the CISO to more accurately and precisely evaluate and measure risk.
Turn Reporting on its Head: How many security organizations report the same types of metrics to the CISO each week? We created 400 tickets, re-imaged 50 laptops, saw 15,000 IDS alerts fire, etc. But what does that actually tell the CISO about mitigating risk, about which capabilities do or do not exist, and about what gaps may or may not exist? Take the prioritized list of risks and the associated strategic plan and use them to report relative metrics that give the CISO a much better idea of how the security team is progressing against the strategic plan, and that narrow the gap.
There is no doubt that the CISO and the operator have different perspectives when it comes to security. Minding that gap helps organizations continually mature and stay on top of the constantly changing threat landscape. A good operator will work to communicate issues and challenges honestly and clearly to the CISO. In turn, a good CISO will appreciate the truth, as long as it comes with a plan for how to address any shortcomings. Both sides need to mind the gap and meet in the middle to ensure that a security program reaches its full potential.