Two weeks ago CCSI held its first annual CISO Roundtable to discuss cybersecurity trends, issues and solutions. The conversation focused on how local CISOs are currently handling security at the executive level. In attendance were ten cybersecurity leaders from Long Island who brought years of experience and expertise to the discussion. The attendees came from multiple industries, which gave the dialogue a range of perspectives, but in the end everyone was focused on how to improve the security posture of their organizations. Even though we sat at the table representing different verticals, we were all part of the same community. Community is built when a group of like-minded people who share similar attributes organize with others of a shared affinity to expand their knowledge or strength. This wasn’t just a networking event, but an exercise in community building.
During the roundtable I moderated the discussion through a list of agenda items I was personally curious to see how these leaders were handling. Some items were unanimously agreed upon and others the attendees approached from different perspectives. In the end, they were all focused on building their cybersecurity posture and shared the ways they’ve succeeded in doing so.
Education is Key
As the conversation continued it became apparent that we as security leaders need to educate our business leaders that every organization has valuable information. From management’s standpoint they might not view themselves as a business with much at risk from an adversary looking to do them harm. The truth of the matter is that everyone has something of value, whether it’s regulated data (e.g. cardholder data under PCI DSS, health records under HIPAA, or PII), trade secrets, customer information, or simply a competitive or reputational position. Every organization has something of value to an attacker. The trick then becomes how to convince management to take cybersecurity seriously. One of the main deterrents raised when building a cybersecurity program was cost. According to our panelists this hurdle can be handled by framing your argument appropriately. To garner more attention and trust from upper management, it serves you well not to paint a doomsday scenario when explaining why you need more budget for cybersecurity. Cultivating relationships with management and adjacent business units helps make security part of the culture of the organization rather than an afterthought. Once that mindset is established, it’s easier to present your cybersecurity concerns as business risk that upper management can comprehend. These business units aren’t in technology, so discussing vulnerability management, technical debt and risk in concise, non-technical terms gets the point across without confusion. Being able to present similar incidents from within your industry also helps paint a picture of how the same risks could impact their business.
Metrics, Metrics, Metrics
When speaking about ways to improve visibility and trust with upper management, the topic of security metrics was raised. It’s difficult to manage what you can’t measure, and that was confirmed by the CISOs in the room. Being able to show trends in your environment, positive or negative, lets security leaders highlight improvements or target areas that need additional focus. The standard metrics were brought up (patching, vulnerability management, login failures, etc.), but after reviewing my notes the following day it became clear to me that there were a few common themes in the metrics being discussed: velocity, automation and positive controls. Velocity metrics measure how fast a particular outcome is achieved (e.g. deploying the latest patch, responding to and mitigating incidents). Automation metrics show which tools are automating work within these controls, which in turn directly improves the velocity numbers. The last group was positive metrics: those that show improvement in your organization and demonstrate to management that your posture is making forward progress. Calling out business units you’re working with successfully was also a way of building a closer affiliation with peers outside the security group and strengthening the culture of security. I thought this was awesome.
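The velocity and trend metrics described above are easy to talk about and surprisingly easy to get wrong in a spreadsheet, so here is a small worked example of computing them from raw records. This is an added illustration, not code from the roundtable or from CCSI: the record layout, the per-severity SLA table and every date and incident below are constructed for the example, and the MTTR definition (detection to containment) is one of several in use and is an assumption.

```python
"""Velocity and trend metrics for a security program, as an added example.

Not code from the roundtable post or from CCSI. The record layout, the SLA
table and every date below are constructed for illustration only.
"""
from datetime import date, datetime
from statistics import mean, median

# Constructed vulnerability records: id, severity, date found, date patched (None = still open).
VULNS = [
    ("V-1", "critical", date(2018, 3, 1), date(2018, 3, 5)),
    ("V-2", "critical", date(2018, 3, 10), date(2018, 3, 20)),
    ("V-3", "high", date(2018, 3, 2), date(2018, 3, 22)),
    ("V-4", "high", date(2018, 3, 15), date(2018, 4, 20)),
    ("V-5", "medium", date(2018, 3, 3), None),
    ("V-6", "high", date(2018, 2, 1), date(2018, 2, 11)),
]

# Constructed incident records: id, when the activity started, when it was detected, when it was contained.
INCIDENTS = [
    ("INC-1", datetime(2018, 3, 4, 2), datetime(2018, 3, 4, 8), datetime(2018, 3, 4, 14)),
    ("INC-2", datetime(2018, 3, 12, 10), datetime(2018, 3, 13, 10), datetime(2018, 3, 13, 16)),
    ("INC-3", datetime(2018, 3, 20, 0), datetime(2018, 3, 20, 3), datetime(2018, 3, 20, 15)),
]

# Assumed remediation SLA in days per severity; substitute the numbers from your own policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


def patch_velocity(vulns, start, end):
    """Per-severity median days from discovery to patch, and SLA hit rate, for
    vulnerabilities patched within [start, end]. Open items are excluded here
    and reported separately as backlog so slow work cannot hide the number."""
    by_sev = {}
    for _id, sev, found, patched in vulns:
        if patched is None or not (start <= patched <= end):
            continue
        by_sev.setdefault(sev, []).append((patched - found).days)
    return {
        sev: {
            "count": len(days),
            "median_days": median(days),
            "sla_met_pct": 100.0 * sum(d <= SLA_DAYS[sev] for d in days) / len(days),
        }
        for sev, days in by_sev.items()
    }


def open_backlog(vulns, as_of):
    """Unpatched vulnerabilities with their age in days, oldest first."""
    aged = [(i, sev, (as_of - found).days) for i, sev, found, p in vulns if p is None]
    return sorted(aged, key=lambda r: -r[2])


def mttd_mttr(incidents):
    """MTTD = mean hours from start of activity to detection.
    MTTR = mean hours from detection to containment (assumed definition;
    some teams measure it from the start of the activity instead)."""
    hours = lambda a, b: (b - a).total_seconds() / 3600
    mttd = mean(hours(started, detected) for _, started, detected, _ in incidents)
    mttr = mean(hours(detected, contained) for _, _, detected, contained in incidents)
    return round(mttd, 2), round(mttr, 2)


def trend(current, previous, tolerance=0.05):
    """Direction of a lower-is-better metric against the prior period."""
    if previous is None or previous == 0:
        return "no baseline"
    change = (current - previous) / previous
    if change <= -tolerance:
        return "improving"
    if change >= tolerance:
        return "regressing"
    return "flat"


def monthly_report(vulns=VULNS, incidents=INCIDENTS,
                   period=(date(2018, 3, 1), date(2018, 3, 31)),
                   previous=(date(2018, 2, 1), date(2018, 2, 28))):
    """The figures for one slide: velocity per severity with its trend
    against the previous period, the open backlog, and MTTD/MTTR."""
    current = patch_velocity(vulns, *period)
    prior = patch_velocity(vulns, *previous)
    for sev, m in current.items():
        m["trend"] = trend(m["median_days"], prior.get(sev, {}).get("median_days"))
    mttd, mttr = mttd_mttr(incidents)
    return {"velocity": current, "backlog": open_backlog(vulns, period[1]),
            "mttd_hours": mttd, "mttr_hours": mttr}


if __name__ == "__main__":
    for key, value in monthly_report().items():
        print(f"{key}: {value}")
```

Two design points worth keeping when you adapt this: use the median rather than the mean for days-to-patch so one forgotten ticket cannot swing the number, and always show the open backlog next to the velocity figure, because a velocity computed only over closed tickets looks better the less you close.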
After discussing ways to build a program and work with the business side of the organization, we spoke about the most pressing risks they think the industry is struggling with right now. There was the expected patching and user awareness training, which is still a legitimate concern and one I don’t see going anywhere anytime soon. There were also concerns beyond these that focused on efficiency, business and technology. One of the main concerns was the changing compliance scene and how additional layers of compliance were being pushed down onto particular industries. An example of this was the recent promulgation of 23 NYCRR 500 and GDPR on top of an already heavily regulated market. There are nuances within these regulations, especially GDPR, but the recommendation was to pick a framework or standard to adhere to, like ISO or NIST, so organizations can map their controls to it and use that mapping to meet many of today’s compliance requirements (since most are based on those frameworks in many ways). There was also conversation on how the industry keeps pushing new tools to defend your organization, which can leave a team with multiple consoles, sometimes dozens, to filter and triage an incident. This makes metrics difficult to obtain and causes alert fatigue for analysts. The recommendation was to use orchestration and automation tools or a SIEM so consoles and technologies are integrated with each other, which keeps MTTD (mean time to detect) and MTTR (mean time to respond) down. One of the last issues we spoke about at some length was how to handle third-party vendors. This area is constantly in motion and needs to be worked out with the business and other areas of IT within the organization. Ideally you create a process with the business that limits who can onboard a new vendor and reviews each vendor for risk before they are in your environment.
This isn’t always feasible, so segmentation and compensating controls were discussed as ways to limit the damage while a process is being worked out with the business. There were also suggestions to work with your legal team to include items in vendor contracts such as “the right to audit the vendor as needed” and “entering remediation requests for open issues”.
The last topic we spoke about revolved around cloud security. This was by far the liveliest topic of the night and it brought up many interesting ideas on how and when organizations should be using cloud technology. It came up that many organizations are now embracing the cloud where their business needs can justify it. Moving particular projects from a CapEx to an OpEx model and being able to justify the cost allows them to save money when done correctly. It also lets them shed the technical debt of legacy systems plaguing a network by offloading that responsibility to a cloud service provider. The cloud was also being used to improve disaster recovery and scalability when deploying systems, and to do configuration management more easily and at a larger scale. There were concerns about putting critical infrastructure and assets in the cloud, or attempting to run applications that aren’t cloud friendly at this time, and the group fully agreed on performing a risk assessment to determine whether the asset can be secured in the cloud. Throughout the conversation a hybrid environment was deemed very attractive to most enterprises and very common today in organizations of every size. Many were also looking at containers as a way to move further into the cloud and improve their scalability, while recognizing that containers increase risk if not done properly. That makes following security guidance and frameworks, like those from the Cloud Security Alliance (CSA), to guide your security posture in the cloud even more important.
These were just snippets of our conversation, which went on for close to two hours, but the general consensus was that building a community of security executives on Long Island was something everyone was interested in participating in. After the roundtable we all got to know each other on a more personal level and many spent the next couple of hours networking. This strengthened the bonds within the group, and each member now has the others’ contact information and a way to reach them moving forward. That’s the advantage of having a geographically close community. CCSI is also creating a CISO Slack channel so we can keep the conversation going between everyone in the group, as well as recording more “CISO podcasts” to help us learn from Long Island security executives in our area.
We need strong community leaders in cybersecurity, honestly we need more community on Long Island in general, and this is just the start of things we have planned for this year to strengthen these bonds. Are you a security leader? Would you like to attend our next roundtable? We’d love to learn from you and continue to build our local group. Let me know, we’d love to hear from you.
Author Bio: Matthew Pascucci is a Security Architect, Privacy Advocate, Security Blogger, and the Cybersecurity Practice Manager at CCSI. He holds multiple information security certifications and has had the opportunity to write and speak about cybersecurity for the past decade. He’s the founder of www.frontlinesentinel.com and can be contacted via his blog, on Twitter @matthewpascucci, or via email at firstname.lastname@example.org.