Information security is vastly complex, both technically and from a governance, risk and compliance (GRC) perspective. When workplace politics come into play, security best practices become more complicated and risk management is weakened significantly.
Security professionals commonly meet resistance when they attempt to implement IT initiatives that do not align with the organization’s political culture. Such an environment makes it extremely difficult to manage these initiatives. Security teams must recognize the obstacles they face and work to gain buy-in from key stakeholders.
The Problem With Organizational Politics
Denial can impede IT efforts — especially when C-suite executives are insulated from the realities of the security landscape. In many cases, when executives say that security is not in the budget, they simply mean that it is not on their radar and, therefore, doesn’t matter.
Other obstacles include hidden agendas and power struggles that prevent employees from sharing information with others. For example, some employees might withhold information as a tactic to ensure job security, while another staffer might use it as organizational currency to buy influence. Chief information security officers (CISOs) may encounter this behavior during red on blue exercises when red team members refuse to divulge vulnerability test results to the security operations center (SOC) team, or at the very least aren’t totally forthcoming about their exploits.
Pushing the Right Buttons
No department is immune to the effects of organizational politics. Security professionals must thoroughly understand the political landscape and devise more effective ways to communicate risks to C-level executives. This communication must occur in business terms with a focus on the end business goals.
To successfully navigate organizational politics, IT professionals must gain their colleagues’ trust, which takes time. Start by forming personal connections with fellow employees or subordinates. People have their own individual interests and concerns, and leveraging them can go a long way toward building positive rapport.
The bottom line is that if IT professionals have the organization’s best interest in mind, executives and other stakeholders are less likely to question their motives. This trust enables them to foster alliances and more effectively advocate for security. The CISO can take it a step further by acting as a mediator to help employees in other departments find common ground when disagreements arise.
Organizational politics require security professionals to be adaptable. As executives and employees come and go, the political landscape shifts accordingly. The key is to understand what you’re up against and use your experience to keep security top of mind throughout the enterprise.
In an ever-changing, dynamic threat landscape, a chief information security officer (CISO) in the health care sector must have knowledge in multiple areas and understand that data breaches have severe repercussions that affect employees, patients and the organization at large. To respond effectively to health care security risks, a CISO must possess well-rounded experience in several areas that go beyond privacy and security.
Health Care Security Risks on the Rise
Cybercriminals often target health care organizations because they are notoriously vulnerable to identity theft. Personal health information (PHI) is lucrative, and fraudsters relentlessly attack networks, systems and applications that have been misconfigured or poorly maintained. These threats can pose life-or-death situations if they target heart monitors, intravenous pumps or other hospital devices that can be disabled or altered.
Threat actors have also been known to inject fraudulent data or otherwise falsify patients’ health records. They might modify a record to show, for example, that a patient has a serious condition from which he or she does not suffer, or that the patient requires medication that could be dangerous.
Ransomware is one of the most dangerous threats to health care security because it can disable workstations, medical devices and critical record-keeping systems. Hospital employees are often too busy to apply patches and update applications, and workstations are typically operated by several different clinical staff members, all of whom are more focused on patient care than data security. This environment creates a virtually unlimited number of attack vectors for threat actors to exploit.
Most of these health care security challenges can be attributed to a lack of awareness. According to Harvard Business Review, the medical industry has been slow to adopt effective strategies to protect medical data stored on stolen or lost mobile devices. As a result, many health care workers are ignorant of the security risks that threaten the integrity of patient data.
The increasing use of connected medical devices in home care and other medical services further complicates security. If compromised, these devices can potentially lead to widespread attacks and directly impact the individual’s physical well-being. Additionally, health care professionals may take medical data off the grid when they use personal devices to increase productivity.
Mitigating Threats to Health Care Security
To combat these health care security risks, the CISO must develop a holistic approach to security. The security leader should take a page out of the financial industry’s incident response playbook, which calls for a focus on information sharing, stronger authentication and education about cybersecurity risks.
Security professionals should also ensure that the organization’s security program is compliant with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), which are continually updated as new cybercriminal tactics targeting health care data emerge.
Of course, one of the most basic data security tactics is encryption. Health care security leaders should invest in strong encryption solutions and restrict privileges to employees who must access sensitive data to perform their jobs. The same goes for third-party vendors. Other effective health care security measures include multifactor or biometric authentication on workstations and mobile devices, chip cards to streamline patient identification and blockchain to verify recorded transactions between multiple parties.
The CISO is responsible for protecting patients’ health data, which requires collaboration across the organization and with business partners such as vendors and insurers. For the common good of the health care industry at large — which includes individual practitioners, third parties and, most importantly, patients — all health care organizations must invest in solutions and strategies to protect PHI and manage risks to critical systems.
In recent years, several high-profile breaches involving customer data have led to long and costly litigations. These events demonstrated that data protection is more than just a cybersecurity concern.
When responding to a data breach, legal teams have to work closely with the chief information security officer (CISO) to ensure that security policies, regulatory compliance and response plans are adequate to effectively protect sensitive data. Together, these departments can develop a sound incident response strategy that protects both the organization’s data and its legal interests in the event of a breach.
Potential Legal Repercussions
In addition to the obvious operational and financial repercussions, a data breach can result in class-action lawsuits from customers, federal and state government actions, and even international ramifications. For instance, the cost of the infamous Target breach of 2013 reached nearly $300 million after the company settled with 47 state governments.
Corporate data repositories continually grow and can be on-premises or in the cloud, which adds significant legal complexities, especially when crossing international boundaries or jurisdictions. The CISO must consider these risks with regard to data integrity.
Additionally, the CISO must work with legal counsel to negotiate with government agencies investigating a breach. Breach investigations often involve personnel policies, security policies, corporate governance, cyber liability insurance, breach scenarios, negative publicity and government inquiries. Failure to diligently address all of the above when responding to a breach can result in costlier litigation and reputational damage.
When responding to a data breach, privilege maintenance is crucial. Knowing the differences between a possible incident, an actual incident and a confirmed breach will determine the appropriate response. This requires working with attorneys to help design a response plan that determines who speaks to whom, when and about what. Remember that once a breach is confirmed, litigation will be filed immediately. This represents a high risk factor to consider when formulating a response plan.
For example, it is not enough for a CISO to simply say the organization is in compliance with best practices and regulatory requirements. The government will look at how well-prepared the organization is to detect and appropriately respond to an intrusion. Are attacks logged? Is the data encrypted? Whether the government treats the breached organization as a victim of the attack depends largely on whether it had adequate security programs in place.
The Battle in the Boardroom
The CISO must communicate the business benefits of a comprehensive and well-rehearsed incident response plan to the board. Many board members are unwilling to invest time and money without understanding the return on investment (ROI). A risk-based assessment program adequately explained to executives, along with the corporate attorney’s support, can help generate security awareness among board directors.
CISOs can demonstrate the importance of risk management by comparing the security investment with the potential for significant financial exposure should they neglect data protection. Security leaders can also remind business executives of their fiduciary responsibilities and accountability should a breach occur. For example, the Target breach exposed the company’s board to ramifications that led to the departure of its CEO and shareholder demands to drop other board members.
Collaboration Is Crucial When Responding to a Data Breach
The CISO and legal department must work as a team right from the start to develop an incident response plan. From a risk perspective, the added focus on risk assessment and management is vital to protecting the organization in the event of a breach.
The planning should take into account the organization’s total protection in areas such as:
One of the most important steps is to know where your data repositories are and protect them. When a breach occurs and a crisis erupts, management and mitigation are critical. This can only be achieved by engaging all departments within the business to contain the leak, communicating with customers and implementing the proper procedures to limit any reputational and legal damage.
Rehearsals of the plan should include the legal, IT and security teams to ensure all are working together. They must reach the common goal to mitigate the breach as quickly as possible and establish lines of communication early on. In the event that an incident results in litigation, the corporate attorney must be involved at the onset, along with close cooperation from other teams, to minimize the risk. If evidence needs to be collected for an internal investigation, close cooperation with the corporate attorney can help organizations avoid costly delays.
Breaches affect the entire organization, so an effective response to a cyber incident requires interdepartmental cooperation. Support from the C-suite and board are vital — otherwise, the CISO is fighting a losing battle. Involving the legal department in security can help CISOs gain the executive support they need to adequately protect the organization from legal and reputational risks.
Critical digital and physical assets are becoming increasingly vulnerable due to accelerated connectivity, differing global regulatory requirements, joint ventures and business partnerships and security weaknesses within complex multinational supply chains. These factors have led to a rise in insider threats for enterprises across all industries.
An insider threat is an employee or third-party vendor that has access to a company’s network. While some insiders seek to compromise sensitive corporate data for monetary gain or out of spite, others do so accidentally due to negligence or lack of awareness.
According to the “2016 Insider Threat Report” by Crowd Research Partners, 75 percent of survey respondents estimated insider threats cost their companies at least $500,000 in 2016, while 25 percent reported costs could exceed that amount. The study also found that 74 percent of organizations are vulnerable to insider threats. Of that number, 7 percent reported that they were “extremely vulnerable.”
Common Behavioral Indicators
The most common indicator of an insider threat is lack of awareness. For instance, employees with savvy IT skills often create workarounds to technology challenges. When employees use their own personal devices to access work emails, they often create new vulnerabilities within the organization’s physical security processes and IT systems.
The chief information security officer (CISO) must be aware of these patterns to detect suspicious motives, which requires a holistic and layered approach to user behavior analytics (UBA). The following are examples of behavioral indicators:
Downloading substantial amounts of data to external drives;
Accessing confidential data that is not relevant to a user’s role;
Emailing sensitive information to a personal account;
Attempts to bypass security controls;
Requests for clearance or higher-level access without need;
Frequently accessing the workspace outside of normal working hours;
Maintaining access to sensitive data after termination;
Using unauthorized external storage devices;
Visible disgruntlement toward employers or co-workers;
Chronic violation of organization policies;
Decline in work performance;
Use of mobile devices to photograph or otherwise record computer screens, common work areas or data centers;
Excessive use of printers and scanners;
Electronic communications containing excessive use of negative language;
Installing unapproved software;
Communication with high-risk current or former employees;
Traveling to countries known for intellectual property (IP) theft or hosting competitors;
Violation of corporate policies;
Network crawling, data hoarding or copying from internal repositories;
Anomalies in work hours;
Attempts to access restricted areas;
Indications of living beyond one’s means;
Discussions of resigning or new business ventures; and
Complaints of hostile, abnormal, unethical or illegal behaviors.
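A few of the indicators above, expressed as checks a defender can run over audit events, as an added example that is not part of the original article. The event schema, the role-to-dataset entitlements, the thresholds and the sample events are all constructed assumptions; a real deployment would map SIEM or DLP fields onto them.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed audit event in an assumed schema (not a real product's format).
@dataclass
class Event:
    user: str
    role: str
    action: str           # "read", "copy_external" or "email"
    resource: str         # dataset the event touched
    mbytes: int
    timestamp: datetime
    recipient: str = ""   # destination address for "email" events

# Assumed role-to-dataset entitlements; in practice sourced from the IAM system.
ROLE_DATASETS = {
    "hr_analyst": {"hr/payroll", "hr/benefits"},
    "developer": {"eng/source", "eng/build"},
}
CORPORATE_DOMAIN = "example.com"
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59, Monday to Friday
LARGE_COPY_MB = 500             # copies to external media at or above this size

def indicators_for(event):
    """Return the behavioral indicators from the article that one event trips."""
    hits = []
    if event.action == "copy_external" and event.mbytes >= LARGE_COPY_MB:
        hits.append("large data copy to external drive")
    if event.resource not in ROLE_DATASETS.get(event.role, set()):
        hits.append("access to data outside the user's role")
    if event.action == "email" and not event.recipient.endswith("@" + CORPORATE_DOMAIN):
        hits.append("data e-mailed to a non-corporate account")
    if event.timestamp.hour not in BUSINESS_HOURS or event.timestamp.weekday() >= 5:
        hits.append("activity outside normal working hours")
    return hits

def triage(events):
    """Aggregate distinct indicators per user, widest set of indicators first."""
    report = {}
    for ev in events:
        for hit in indicators_for(ev):
            report.setdefault(ev.user, set()).add(hit)
    return {user: sorted(hits)
            for user, hits in sorted(report.items(), key=lambda kv: -len(kv[1]))}

# Constructed sample events (2024-03-12 is a Tuesday, 2024-03-16 a Saturday).
SAMPLE_EVENTS = [
    Event("alice", "hr_analyst", "read", "hr/payroll", 2, datetime(2024, 3, 12, 10, 5)),
    Event("alice", "hr_analyst", "read", "eng/source", 3, datetime(2024, 3, 12, 11, 20)),
    Event("bob", "developer", "copy_external", "eng/source", 2048, datetime(2024, 3, 16, 2, 30)),
    Event("bob", "developer", "email", "eng/build", 15, datetime(2024, 3, 12, 14, 0),
          recipient="bob.home@mail.invalid"),
    Event("carol", "developer", "read", "eng/build", 1, datetime(2024, 3, 13, 9, 0)),
]

if __name__ == "__main__":
    for user, hits in triage(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(hits))
```

Each check is a single indicator from the list; the value for an analyst is the aggregation in `triage`, which surfaces users tripping several unrelated indicators (here `bob`, with off-hours activity, a large external copy and an external e-mail) while a single indicator (here `alice`) stays lower priority.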
Remediation Pain Points
Insider threats are costly to remediate because they are very difficult to detect. A thorough investigation often requires companies to hire forensic specialists to determine the extent of a breach. It is also challenging to distinguish malicious activity from regular day-to-day work. For example, users who have elevated access privileges interact with sensitive data as part of their normal jobs, so it can be virtually impossible to determine whether their actions are malicious or benign.
Users who have elevated access privileges often cover their tracks by deleting or editing logs, impersonating another user or using a system, group or application account. Proving guilt is yet another pain point, since offending users may claim ignorance or human error.
Steps to Combat Insider Threats
Most organizations lack procedures to deal with internal threats. Moreover, security architecture models rarely account for insider threats. Security infrastructures primarily prevent outside attackers from gaining entrance to the network undetected, operating under the false assumption that those who are granted internal access in the first place are trustworthy.
To properly account for and remediate insider threats, organizations must establish a comprehensive, risk-based security strategy that includes the following four elements:
1. Information Governance
It is of paramount importance to protect critical data assets from insider threats. Information governance provides business intelligence that drives security policies and controls. This improves risk management and coordination of information management activities. A solid information governance foundation enables organizations to adopt a risk-based approach to protecting their most valuable assets and installing sound data management procedures.
2. Advanced Forensic Data Analytics
User-based analytics are indispensable tools that provide detection and predictive measures to thwart insider threats. These solutions incorporate artificial intelligence and machine learning technologies that objectively analyze insider behaviors and generate risk rankings within the user population.
3. Incident Response and Recovery
External and insider breaches each have their own nuances, but their impacts are similar, so both should be handled by the same response program, built in anticipation of a major breach. Organizations must strive to build as strong an insider threat program as possible and develop an incident response program that covers both internal and external breaches.
4. Legal Considerations
An insider threat program cannot be successful without careful legal and regulatory considerations. For example, privacy laws pertaining to employee monitoring vary across national boundaries. In the U.S., the Electronic Communications Privacy Act (ECPA) allows employers, under certain provisions, to monitor their employees’ emails and other electronic communications. Meanwhile, the member states of the European Union (EU), in compliance with the European Convention on Human Rights, adhere to privacy laws under the Data Protection Directive, which regulates how organizations within the EU process personal information.
A Cross-Organizational Challenge
Combating insider threats is an organizational issue that crosses people, processes and technology and requires a detailed understanding of the organization’s assets and security posture. It also demands a clear separation of duties, continuous monitoring of employee behaviors and a formal insider threat program that includes IT, human resources, legal and all other business groups. With the proper resources in place, a CISO can gather the actionable intelligence needed to thwart internal attacks and gain visibility into the highest-risk users.
The chief information security officer (CISO) faces threats such as compromised users, negligent employees and malicious insiders. For this reason, one of the most important tools in the CISO’s arsenal is user behavior analytics (UBA), a solution that scans data from a security information and event management (SIEM) system, correlates it by user and builds a serialized timeline.
How UBA Works
Machine learning models build baselines of normal behavior for each user by looking at historical activity and comparing it to peer groups. Any abnormal events detected are aggregated through a scoring mechanism that generates a combined risk score for each user. Alerts from other security tools can be used in this process as well.
Users at high risk are flagged with information such as job title, department, manager and group membership to enable analysts to quickly investigate that particular user’s behavior in the context of his or her role within the organization. By combining all of a user’s data from disparate systems and utilizing artificial intelligence (AI) to gain insights, UBA empowers analysts with new threat hunting capabilities.
This technology is not new, but its application is new in the security environment. Many endpoint products offered today are cloud-based to provide seamless mobile device protection outside the organization. Given the evolving attack landscape and the new challenges faced by security teams, the application is growing rapidly, and it is quickly becoming the best practice for enterprise security teams.
Machine learning technology uses techniques that harness AI to learn and make judgments without being programmed explicitly for every scenario. It is different from static, signature-based products such as SIEM because it learns from data. The technology is capable of providing a probabilistic conclusion, which can then be converted into a binary signal. The likelihood of a decision being accurate can be interpreted as a measure of confidence in that conclusion. Security analysts can also validate these conclusions and investigate others that fall into gray areas.
The mathematical algorithms are complex and computer resource-intensive. Since there is no single model that applies to every attack technique, the selection of the model and data is crucial. This is one reason why these new, evolving endpoint products are based in the cloud and conceivably draw upon data globally from every industry.
Establishing a Behavioral Baseline
Among the advantages of this technology is the ability to quickly and easily distinguish anomalous events from malicious events. Employees change jobs, locations and work habits all the time. Machine learning alleviates the overwhelming volume of false positives and provides the behavioral baseline DNA of each user.
Machine learning also enables analysts to interpret subtle signals. Behavioral analytics can flag most attacks that pace themselves and act in small steps, but attackers know that analysts have tools to find telltale attack signatures. For instance, SIEM correlation rules that look for a signature attack pattern can be bypassed by deviating slightly from that pattern. A correlation rule may look for five failed logins in one minute as an indicator of an abnormal access attempt; an attacker could bypass it by spacing the attempts so that the fifth falls just outside the one-minute window.
Finally, analysts can use machine learning to gain insights beyond individual events. Cyberattacks that have already infiltrated the network might slowly follow the kill chain of reconnaissance, infiltration, spread and detonation. AI pieces together the whole picture to make decisions and aid in incident response.
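The baseline-and-peer-group scoring described in this section, alongside the fixed-window correlation rule it contrasts with, as an added example that is not code from the original article or from any UBA product. The ten-day feature history, the peer group, the per-feature cap, the risk threshold and the failed-login timestamps are constructed assumptions.

```python
import statistics
from datetime import datetime, timedelta

# Constructed telemetry: ten working days per user, rolled up per feature as a
# SIEM export might be. Names, peer groups and values are assumptions.
HISTORY = {
    "alice": {"mb_downloaded": [40, 55, 38, 60, 45, 50, 42, 58, 47, 52],
              "failed_logins":  [0, 1, 0, 0, 0, 1, 0, 0, 0, 0]},
    "bob":   {"mb_downloaded": [35, 48, 52, 40, 44, 39, 50, 46, 41, 43],
              "failed_logins":  [0, 0, 1, 0, 0, 0, 0, 1, 0, 0]},
    "carol": {"mb_downloaded": [60, 72, 65, 70, 68, 66, 74, 63, 69, 71],
              "failed_logins":  [1, 0, 0, 0, 1, 0, 0, 0, 0, 0]},
}
PEER_GROUP = {"alice": "finance", "bob": "finance", "carol": "finance"}
CAP = 10.0            # ceiling per feature so one feature cannot dominate the score
RISK_THRESHOLD = 3.0  # combined score at which a user is surfaced for review

def zscore(value, history):
    """Standard deviations of `value` above the mean of `history`."""
    stdev = statistics.pstdev(history) or 1.0   # flat history: avoid divide-by-zero
    return (value - statistics.mean(history)) / stdev

def user_risk(user, today, history=HISTORY, peers=PEER_GROUP):
    """Score today's values against the user's own baseline and the peer group's
    baseline, then aggregate the per-feature anomalies into one risk score."""
    group = [u for u, g in peers.items() if g == peers[user] and u != user]
    score, reasons = 0.0, []
    for feature, value in today.items():
        own_z = zscore(value, history[user][feature])
        peer_z = zscore(value, [v for u in group for v in history[u][feature]])
        contribution = min(max(own_z, 0.0), CAP)
        if peer_z < 2.0:
            # Unusual for this user but ordinary for peers: more likely a role or
            # workload change than misuse, so weight it down instead of alerting.
            contribution /= 2
        if contribution >= 2.0:
            reasons.append(f"{feature}={value} is {own_z:.1f} sd above own baseline")
        score += contribution
    return score, reasons

def fixed_window_rule(failure_times, threshold=5, window=timedelta(minutes=1)):
    """A SIEM-style correlation rule: `threshold` failures inside one sliding window."""
    times = sorted(failure_times)
    return any(times[i + threshold - 1] - times[i] < window
               for i in range(len(times) - threshold + 1))

# Constructed failed-login timestamps: a burst, and the same count spaced 61 s apart.
T0 = datetime(2024, 3, 12, 9, 0, 0)
BURST = [T0 + timedelta(seconds=10 * i) for i in range(5)]
SPACED = [T0 + timedelta(seconds=61 * i) for i in range(5)]

if __name__ == "__main__":
    print("rule fires on burst: ", fixed_window_rule(BURST))
    print("rule fires on spaced:", fixed_window_rule(SPACED))
    score, why = user_risk("alice", {"mb_downloaded": 900, "failed_logins": len(SPACED)})
    print(f"alice risk={score:.1f} flagged={score >= RISK_THRESHOLD}", why)
```

The point of the contrast is in the last lines: `fixed_window_rule` stays silent on the spaced attempts, but the daily count of five failures is twelve standard deviations above what this user and her peers normally produce, so the baseline scoring surfaces her anyway. A normal day for `bob` scores well under the threshold, which is the false-positive reduction the section attributes to baselining.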
Evaluating Machine Learning Solutions
There is a lot of marketing noise associated with machine learning technology. Below are some useful approaches to evaluating AI-enabled security solutions.
Use case definitions: Determine what you want out of the solution and tailor it toward specifics such as spear phishing attacks, privileged users, malware, etc. This will help formulate a short list of solutions you’re targeting.
Pick organizational subsets: Scaling is often a consideration, but for a proof of concept (PoC), consider establishing a small group to evaluate two or three vendors.
Get source access: These solutions will need access to certain infrastructure, such as Active Directory log files, to operate. Ensure that the solution has all the appropriate access privileges it needs to function.
Understand the results: Machine learning solutions deliver probabilistic results based on a percentage. The solution must provide supporting evidence when it flags an event so that analysts can act on it.
Ensure classification accuracy: Evaluate the number of correct predictions as a ratio of all predictions made. This is the most common metric for classification problems — and also the most misused.
Evaluate logarithmic loss: Logarithmic loss is a performance metric for evaluating predicted probabilities of membership in a given class. It can serve as a measure of the algorithm’s confidence in a prediction, because each correct or incorrect prediction is weighted by the confidence attached to it.
Determine who will own it: Common considerations include whether the tool will be a standalone solution or integrated with a SIEM. It can also be part of a security operations center (SOC) with red and blue teams harnessing it or another layer in the architecture where resources are tight.
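The two metrics from the evaluation list above, worked through on constructed data, as an added example that is not part of the original article. The 20-session evaluation set and the three model outputs are assumptions chosen to show why accuracy is the most misused metric on imbalanced detection data and what log loss adds.

```python
import math

def accuracy(labels, probs, threshold=0.5):
    """Fraction of predictions whose thresholded class matches the label."""
    correct = sum((p >= threshold) == (y == 1) for y, p in zip(labels, probs))
    return correct / len(labels)

def log_loss(labels, probs, eps=1e-15):
    """Mean negative log-likelihood of the labels under the predicted probabilities.
    A confident wrong prediction (p near 0 for a true positive) costs far more
    than a hesitant one, which is what makes it a confidence-aware metric."""
    total = 0.0
    for y, p in zip(labels, probs):
        p = min(max(p, eps), 1 - eps)   # clip so log(0) cannot occur
        total -= y * math.log(p) + (1 - y) * math.log(1 - p)
    return total / len(labels)

# Constructed evaluation set of 20 sessions: 1 = malicious, 0 = benign.
LABELS = [0] * 18 + [1] * 2

# Constructed model outputs (probability that each session is malicious).
MODELS = {
    # Never flags anything: 90 percent accuracy on this imbalanced set, useless.
    "always_benign": [0.01] * 20,
    # Calibrated: two benign sessions mildly over-scored, both attacks found.
    "calibrated":    [0.1] * 16 + [0.6] * 2 + [0.7] * 2,
    # Overconfident: one more correct call than "calibrated", but certain and
    # wrong about one of the two attacks.
    "overconfident": [0.01] * 18 + [0.99, 0.001],
}

def compare(models=MODELS, labels=LABELS):
    """Return (accuracy, log loss) side by side for each model."""
    return {name: (round(accuracy(labels, p), 3), round(log_loss(labels, p), 3))
            for name, p in models.items()}

if __name__ == "__main__":
    for name, (acc, ll) in compare().items():
        print(f"{name:14s} accuracy={acc:.3f} log_loss={ll:.3f}")
```

On this set the do-nothing model and the calibrated model both score 90 percent accuracy, and the overconfident model scores 95 percent, so accuracy alone ranks them backwards for a detection use case. Log loss separates them (about 0.47, 0.21 and 0.35 respectively) because the single confidently missed attack in the overconfident model dominates its penalty, which is the supporting-evidence behaviour the "Understand the results" item asks for.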
Augmenting Human Intelligence
Always remember that these technologies are not silver bullets. Buyers of enterprise security products need to educate themselves on the basics of these technologies to avoid succumbing to the hype. Two standard deviations from the mean do not constitute machine learning, and five failed logins in one minute do not constitute artificial intelligence. In the absence of other information, there is no predictive value in seeing, for example, that an employee visited a website based in Russia.
These solutions provide a probability that a certain conclusion is accurate depending on its algorithm model. The real outcome is somewhere in the middle. Despite the hype surrounding artificial intelligence, all it does is provide mathematical suspicions, not confirmations. To maximize the effectiveness of artificial intelligence for cybersecurity, machine learning must be paired with savvy security analysts.
It’s common to hear the phrase “never leave security to chance” in business. Given the rapid advancement and persistence of cybercrime, chief information security officers (CISOs) need the ability to deploy offensive security measures to protect their networks. One way to do this is to employ a team of hackers to proactively protect the organization’s data and infrastructure.
A capable offensive hacking team can conduct advanced penetration testing and bug discovery within the organization and deliver technical leadership when executing tactical, comprehensive assessments. Members of this team of hackers should have an affinity for advanced attack techniques and a passion for spotting vulnerabilities.
Encouraging Information Sharing
In organizations that have a security operations center (SOC), a red team is deployed to continually prod the organization’s security posture. This can also be a specialized third-party entity tasked to emulate cybercriminal behaviors and techniques as realistically as possible. In return, the red team shares intelligence with the blue team, which defends against these mock attacks.
Due to the attitudes and practices inherent to each role, there are many challenges surrounding the relationship between red and blue teams. Here are a few examples:
Red and blue teams have ideological differences. Often, neither team is properly trained to share information with the other, thus defeating the purpose of the exercise. Moreover, blue teams tend to be risk-averse, while red teams are typically more reckless.
Red teams are absorbed within the organization and limited in their ability to conduct assessments, which diminishes their charter and value considerably.
Red on blue exercises are not always seen as integral to the organization’s ability to combat vulnerabilities. As a result, metrics are commonly not shared between the teams and management.
To address these challenges, security leaders should consider installing a purple team to act as a crucial bridge and facilitate information sharing between the red and blue teams.
Assembling the Right Team of Hackers
When building red and blue teams, it’s important to ensure that candidates are willing to work in harmony and share ongoing metrics related to their activities. It is not enough to simply conduct routine penetration testing in lieu of hiring a red team to go against your blue team defenses. CISOs should take the following steps to overcome these obstacles:
Choose team members carefully. Candidates should be highly skilled in discovering vulnerabilities and defending against attacks. Above all, these team members must be willing to share information with their counterparts.
Get the teams together. At the onset, gather the team members to reach consensus and secure buy-in on the overarching strategy. Instruct them to conduct a thorough analysis of risks and vulnerabilities and then devise a response plan. The overall goal is for the teams to practice discovering vulnerabilities and reporting metrics to management.
Spread awareness. People are the weakest links in any security program. Even with the strictest controls over your data, adversaries can exploit employees’ behaviors. Red teams should conduct unannounced exercises, such as staging phishing email campaigns to determine which users might click on a malicious link or open a malware-laden document.
Go beyond your perimeter. Cloud solutions introduce additional security challenges. It’s important to consider all the legal implications, such as service-level agreements (SLAs), to determine whether the red team has the right to test against the provider’s defenses.
Seasoned CISOs understand that information security is always a moving target. Adversaries are extremely sophisticated and will stop at nothing to breach your organization. Moreover, the organization’s network infrastructure, applications and employees are always changing and adding complexities to your security program. Each one of those changes presents a far different attack footprint, and teams of hackers are well-equipped to discover those vulnerabilities and predict unintended consequences before they can damage the organization.
Security is the primary focus of any government agency. One of the most obvious pitfalls of these agencies moving highly sensitive data to the cloud is that they surrender control to a third party. Moreover, nothing on the internet is truly secure, and all data is vulnerable to attacks and threats.
The exposure footprint to those threats is staggering under the best of circumstances. For example, the complexity of mobile devices poses a significant challenge when it comes to cloud security. In addition, data commonly flows from one cloud provider to the next and between national boundaries, which runs counter to the physical security measures every government agency should have in place.
Securing Government Data in the Cloud
A Cloud Security Alliance (CSA) survey found that many executives and IT managers have serious concerns about data security. According to the report, 73 percent of respondents indicated that these concerns were holding them back from adopting cloud computing. Additionally, 38 percent cited regulatory compliance as a major barrier to cloud adoption, and the same percentage of respondents expressed anxiety about the loss of control over IT services.
To help alleviate some of these concerns, the U.S. Department of Defense (DoD) released an unclassified document titled “Cloud Computing Security Requirements Guide (SRG)” that outlined essential components for secure cloud computing. The document is intended to simplify the security requirements for the DoD and cloud providers, who must attest, control, monitor and provide evidence of data separation.
This approach to cloud computing is based on “impact levels” that consolidate data records in accordance to their sensitivity. At the lowest level, nonsensitive, unclassified data, such as information available through the Freedom of Information Act or hosted on public-facing websites, can be stored in commercial clouds that meet the strict baseline standards under the Federal Risk and Authorization Management Program (FedRAMP), a system designed to protect cloud-based government data.
When the impact level is increased, the physical requirements for data security come into play. The rub is that once the data reaches a secret classification, a public cloud is not the right place. It must be on-premises or in private clouds that are not commercial but government owned.
Enclaves that transact sensitive data must also be a part of the security architecture. Personnel must be cleared by the government and restricted by tight physical access controls. These enclaves are physically separated within a data center that does not share hardware, applications or other resources the cloud provider would otherwise share with its tenants.
Physical Cloud Security
Most governments are risk averse when it comes to cloud security and safeguarding highly confidential data within their networks. Some agencies air gap their computer systems, which physically separates a secured network from an unsecured one. Air-gapped systems can also be found in major financial institutions, stock exchanges and industrial control systems within nuclear power plants. These are all examples of physical security controls that prevent access from the outside world. However, they also complicate the transfer of data between unsecured and secured networks, requiring human intervention that is prone to errors.
Data diodes are common in such environments. They provide a secure, one-way channel where data can pass in only one direction. This assures that secure data cannot be leaked back to the unsecured network. Data diodes are specialized, unidirectional devices that convert Transmission Control Protocol (TCP) connections to User Datagram Protocol (UDP). They then convert the connections back on the other side. This tells applications using the File Transfer Protocol (FTP) that a connection has been established, allowing users to transfer a file from the unsecured network to the secured one, but not in reverse.
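The one-way framing this paragraph describes, as a constructed Python simulation (not from the article or from any vendor's product): the sending proxy cuts the TCP byte stream into sequenced, checksummed datagrams, and the receiving proxy rebuilds the stream. Because nothing can flow back across the diode, the receiver can only record lost or corrupt datagrams, not request a retransmission; the header layout and all names are assumptions.

```python
"""Constructed simulation of a data diode's TCP-to-UDP framing and one-way reassembly."""
import struct
import zlib

# Assumed header: 32-bit sequence number, 16-bit payload length, CRC32 of the payload.
HEADER = struct.Struct("!IHI")


def frame(seq: int, payload: bytes) -> bytes:
    """Sending side: wrap one chunk of the TCP stream in a self-describing datagram."""
    assert len(payload) <= 0xFFFF, "payload must fit the 16-bit length field"
    return HEADER.pack(seq, len(payload), zlib.crc32(payload)) + payload


def split_stream(data: bytes, chunk: int = 1024) -> list:
    """Cut a byte stream into sequenced datagrams for the unidirectional link."""
    return [frame(i, data[off:off + chunk])
            for i, off in enumerate(range(0, len(data), chunk))]


class Reassembler:
    """Receiving side: rebuild the stream; with no return path it can only detect loss."""

    def __init__(self) -> None:
        self.expected = 0          # next sequence number we hope to see
        self.buffer = bytearray()  # reassembled stream handed to the secured side
        self.missing = []          # sequence numbers that never arrived intact
        self.corrupt = 0           # datagrams rejected by length or CRC check

    def receive(self, datagram: bytes) -> None:
        if len(datagram) < HEADER.size:
            self.corrupt += 1
            return
        seq, length, crc = HEADER.unpack_from(datagram)
        payload = datagram[HEADER.size:HEADER.size + length]
        if len(payload) != length or zlib.crc32(payload) != crc:
            self.corrupt += 1      # truncated or bit-flipped on the link
            return
        if seq < self.expected:
            return                 # duplicate or late datagram; its gap was already logged
        # Any gap between expected and seq was lost; UDP gives us no way to ask again.
        self.missing.extend(range(self.expected, seq))
        self.buffer += payload
        self.expected = seq + 1


def transfer(data: bytes, chunk: int = 4, drop: frozenset = frozenset()) -> tuple:
    """Push a stream across the simulated diode, dropping the given sequence numbers."""
    rx = Reassembler()
    for datagram in split_stream(data, chunk):
        if HEADER.unpack_from(datagram)[0] in drop:
            continue               # simulated loss on the one-way link
        rx.receive(datagram)
    return bytes(rx.buffer), rx.missing, rx.corrupt
```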
The Road Ahead
The government sets regulations as a baseline, which is problematic because the security threat landscape constantly evolves. Government standards must be flexible to keep pace with emerging cyberthreats.
Major commercial cloud providers may not fully adhere to strict data security requirements. For example, identity and access management (IAM) in the cloud should be able to authenticate government users from one online location. In addition, the authentication credentials should seamlessly pass from one provider to the next.
Obviously, for the sake of national security, highly sensitive information will not be available in the cloud. Still, the overwhelming volume of attacks and threats across the globe takes a significant toll on the intelligence and military communities. This technology may provide a useful platform for intelligence sharing between nations with private, government-owned cloud storage solutions.
Given today’s unrelenting threat landscape, the chief information security officer (CISO) and his or her deputy CISO have arguably the toughest jobs on the organizational chart. Although it is a well-paid, respectable role, the CISO must be available to many different departments and remain savvy in all areas of cybersecurity due to the current IT skills shortage. Indeed, this professional’s role is extremely stressful and demands standards of security that are nearly impossible to deliver with 100 percent assurance.
The average security leader’s tenure is a mere two years. The CISO can be dismissed for a wide variety of reasons, such as an overlooked vulnerability, an insider attack or another type of data compromise. Furthermore, like any professional, a security leader may need to take temporary leave due to medical reasons or other unforeseen circumstances. To prepare for these events, organizations should appoint a deputy CISO and establish a clear succession plan to maintain smooth operations during a transition in security leadership.
Grooming the Deputy CISO
There is no question that high turnover rates constitute grave threats to organizations. Without a security leader, companies cannot withstand the continuous onslaught of cyberattacks. In many organizations, the CISO’s main role is to keep the company out of hot water — and that means dealing with the constant barrage of threats and maintaining compliance. However, the role is much more ambiguous than that. Candidates for the deputy CISO position should be evaluated based on their ability to navigate this complexity and juggle the CISO’s many responsibilities.
A deputy CISO must be able to:
Develop and cross-train future leaders in the department.
Ascertain the costs of developing future leaders.
Execute the security strategy consistently among all associates in the department.
Identify associates’ skills, capitalize on their strengths and improve upon weaknesses.
Planning a CISO Succession Strategy
An effective CISO succession plan should include four key elements to ensure a seamless transfer of authority.
1. Stakeholder Engagement
The succession plan should be presented to executives and board members on an annual basis. It’s critical to engage senior leadership in this process, and to empower the deputy CISO to develop the necessary skills and experience he or she needs to be successful. This succession plan must be a living document and part of the overall security program.
2. Evaluation of Internal Staff
Favoritism should never be a criterion, so it is wise to hire an outside firm to evaluate deputy CISO candidates within your department. A third-party assessment could unearth a diamond in the rough from several layers down on your organizational chart. At the very least, it would help executives gauge the depth of the company’s talent pool.
3. Simulations and Stress Tests
Like any disaster recovery strategy, business continuity testing is an integral part of a CISO succession plan. A security leader’s planned vacation, for example, can be a great opportunity to test the deputy CISO’s capabilities. However, impromptu, unannounced drills are also essential to develop an aspiring CISO’s ability to work under pressure.
4. Elevate the Deputy CISO
It takes many years to become a well-rounded security leader, and the incoming CISO must never be left to sink or swim. Instead, all senior executives and staff members should support the new CISO as he or she transitions into the role. The organization should also make other leaders, mentors and coaches available to help the security team adjust. A rich feedback environment is crucial to develop the executive presence that is lacking in many candidates.
Passing the Baton
A deputy CISO must be prepared to take over when the CISO passes the baton. He or she should also be comfortable being held accountable for security. The leader must be ready, capable and confident to lead the security team in dealing with challenges such as the cybersecurity skills gap and the increasing sophistication of threats. More importantly, this individual must possess the executive presence required to work with senior executives and facilitate a smooth transition of authority in the security space.
Depending on their specific goals and motivations, malicious external actors seek to blackmail individuals, organizations or security vendors to disrupt breach defenses or otherwise wreak havoc on IT operations. For security leaders tasked with defending against these threats, it’s hard to know who or what to believe. That challenge has only gotten worse as the spread of false information has become more prevalent.
Data Security in the Disinformation Era
Because of the vastness and anonymity of the internet, individuals can employ a variety of tools and techniques to manipulate the media and spread disinformation. Below are just a few of these methods.
The Social Subculture
Many special interest groups are highly networked, agile and able to assemble on the ground quickly for campaigns as needed. In many cases, participants on one side of an issue work together to gather and disseminate information to support their cause.
These actors are often recruited through online communities such as Reddit, Twitter, Facebook, Instagram and LinkedIn. On Twitter, users commonly collaborate to establish trending hashtags to support their causes and may create vast networks of fake accounts to amplify them. Others hijack existing hashtags to prevent members of opposing groups from organizing.
Social bots are automated software that create content on social media sites and interact with people. Bots are commonly used to inflate the number of followers a public figure has, for example. State-sponsored adversaries from around the world use bots to spread propaganda, influence political discourse and collectively aggregate content. Governments and political elites also use bots to attack dissidents or encourage their constituents to manipulate news and support a certain ideology.
A meme is a cultural idea or symbol that spreads rapidly over the internet. According to The New York Times, memes are designed to irritate the media, elicit negative reactions from public figures or comment on cultural topics, usually in a humorous way. Users post hundreds of memes on Twitter, Facebook and other social media to see what sticks and what doesn’t.
Memes often contain image macros that are used and shared on social media. These images can serve as propaganda for special interest groups to spread their ideologies or degrade others.
Actors are motivated to spread disinformation to express their views, perpetuate false news, garner support for specific ideologies or otherwise affect public opinion. Then again, some are merely trolls looking to create chaos.
Ideology is one of the most common factors that motivate individuals to disseminate disinformation. These actors transmit one-sided messages to influence the emotions, attitudes, opinions and actions of a specified target audience for their own political or commercial purposes. Ideological groups often hold contempt for opposing views. They typically use social media as their primary platform and sometimes even use those channels to spread conspiracy theories.
Another common motivator is money. Actors seeking to maintain their financial interests, for example, might launch advertisements designed to perpetuate inaccurate information about a competing entity. Similarly, some actors distribute false information to garner likes and shares and gain status within online communities. Finally, some actors spread skewed information to radicalize members of online communities — arguably the most dangerous result of this practice.
A Calamitous Vision Realized
In 1979, Chinese leader Deng Xiaoping stated that software, if properly weaponized, could be far more destructive than any nuclear arsenal. Given the calamities now unfolding before our eyes, it appears that his vision is becoming reality.
It’s up to security professionals to protect enterprise resources from becoming pawns in disinformation schemes and to make sure they are focusing on the true problems facing their organizations. Business executives, security leaders, IT professionals and media consumers around the world must learn to distinguish legitimate news from inaccurate, agenda-driven indoctrination. In the age of disinformation, this distinction is more critical — and blurrier — than ever.
Is there an oversupply of chief information security officers (CISOs) in the cybersecurity job market? According to an Indeed report, the answer is yes — but the study’s statistics don’t tell the whole story.
The economists behind the study found that employee interest in the CISO job market in the U.S. is more than double the actual demand for the position. Moreover, there is a vast pool of highly qualified but chronically underemployed security leaders in the U.S. Applicant interest in the position is driven mainly by the high salaries and prestige the position offers, Indeed said.
But economics is an imprecise science because it relies on “human behavior,” as the researchers stated in their disclosed methodology. And all the evidence I’ve seen in my experience and in countless industry articles indicates that CISOs are in very high demand, and there are few qualified candidates available. Perhaps more importantly, the job descriptions in the majority of CISO postings do not accurately reflect what the role entails.
The Ultra-Competitive CISO Job Market
The demand for CISOs has never been greater, and the main factor that drives up salaries is the law of supply and demand. A greater demand will push salaries upward and hurl employers into competition, scrambling to lure the best candidates.
It has become a seller’s market, which also drives skyrocketing salaries across the country. IT and cybersecurity recruiting firm SilverBull recently published salary figures in major metropolitan areas. The top six candidate locations by average salary are:
San Francisco ($249,000)
New York ($240,000)
San Jose ($240,000)
Washington, D.C. ($225,000)
Los Angeles ($223,000)
When CISO positions are elevated into the C-suite, it will undoubtedly move the salary ranges well past the $500,000 mark. Still, executive recruiting firms and chief information officers (CIOs) who play key roles in recruiting security leaders are having difficulties finding them, despite these justifiable high salaries.
A Highly Targeted Hiring Process
It is a long road to become a qualified, well-rounded CISO. It requires years of experience developing expertise not only in the technology that surrounds the discipline, but also in governance, compliance and risk. It is equally important to acquire the business savvy and executive presence to lead. Impeccable communication skills are also critical to drive execution within the business.
Employers hiring C-level positions usually seek proven candidates through referrals within the executive ranks, often conducting retained searches to find the right combination of knowledge, experience and cultural fit. The majority of the top CISO vacancies are conducted in this manner, with employers directly targeting candidates they want. For this reason, many job seekers see only a fraction of positions advertised on the job boards.
Clarifying the CISO Job Description
When I studied most of the vacancies that were posted on job boards, I noticed that companies were not bound to accurately describe the duties of a CISO. The job descriptions often misrepresented the true meaning of a C-suite position. Some required hands-on engineering responsibilities with a blend of many other skills that are not characteristic of executive leadership positions. Some emphasized program or policy management, governance, compliance or risk, while others specified operations, architecture or engineering without mentioning true leadership abilities that effect change.
Furthermore, a number of organizations are hiring their first CISOs. For a seasoned security executive, this is a red flag to approach with extreme caution or completely avoid. Businesses hiring security leaders for the first time may not comprehend the responsibilities and expectations the job entails. Many times, when a new executive begins instituting controls, complaints emerge and escalate upward. This dynamic carries an unacceptably high risk that the executive’s tenure will be short-lived.
A Resume for Success in the CISO Job Market
A seasoned CISO’s resume must tell a compelling story of achievements backed by concrete metrics that propelled previous employers to new heights. It must exhibit C-suite characteristics, such as vision, strategic thinking, execution, technological skills, team and relationship building, communication, presentation, integrity and change management, that demonstrate leadership abilities.
During the interview process, a CISO must be prepared to answer probing questions, such as:
How would you execute your vision of security?
How would you influence others and gain executive buy-in for security initiatives?
How would you sell security to leadership and the board?
How would you identify, prioritize and mitigate risks?
What are your thoughts on security convergence, IT reporting structure and organizational culture?
What are your greatest achievements, and how did you execute them?
What does the CISO role mean to you?
How would you describe your leadership style?
How would you relate to the CEO and the board of directors?
What is your breach prevention and mitigation strategy?
What are your thoughts on offensive security?
What methods do you use to keep up with the latest security trends and issues?
How would you act as the security spokesperson internally and externally?
What value will you bring to the organization?
When it’s all said and done, employers sum up candidates based on the overall value they can deliver. The last question is the kicker, analogous to an age-old HR question: Why should the organization hire you? It’s critical to present key traits that separate you from the rest of the pack.