Information Security in the Age of Disinformation

Published at Securityintelligence.com

Depending on their specific goals and motivations, malicious external actors seek to blackmail individuals, organizations or security vendors to disrupt breach defenses or otherwise wreak havoc on IT operations. For security leaders tasked with defending against these threats, it’s hard to know who or what to believe. That challenge has only gotten worse as false information has become more prevalent.

Data Security in the Disinformation Era

Because of the vastness and anonymity of the internet, individuals can employ a variety of tools and techniques to manipulate the media and spread disinformation. Below are just a few of these methods.

The Social Subculture

Many special interest groups are highly networked, agile and able to assemble on the ground quickly for campaigns as needed. In many cases, participants on one side of an issue work together to gather and disseminate information to support their cause.

These actors are often recruited through online communities such as Reddit, Twitter, Facebook, Instagram and LinkedIn. On Twitter, users commonly collaborate to establish trending hashtags to support their causes and may create vast networks of fake accounts to amplify them. Others hijack existing hashtags to prevent members of opposing groups from organizing.

Bad Bots

Social bots are automated software that create content on social media sites and interact with people. Bots are commonly used to inflate the number of followers a public figure has, for example. State-sponsored adversaries from around the world use bots to spread propaganda, influence political discourse and collectively aggregate content. Governments and political elites also use bots to attack dissidents or encourage their constituents to manipulate news and support a certain ideology.

Multiplying Memes

A meme is a cultural idea or symbol that spreads rapidly over the internet. According to The New York Times, memes are designed to irritate the media, elicit negative reactions from public figures or comment on cultural topics, usually in a humorous way. Users post hundreds of memes on Twitter, Facebook and other social media to see what sticks and what doesn’t.

Memes often contain image macros that are used and shared on social media. These images can serve as propaganda for special interest groups to spread their ideologies or degrade others.

Motivating Factors

Actors are motivated to spread disinformation to express their views, perpetuate false news, garner support for specific ideologies or otherwise affect public opinion. Then again, some are merely trolls looking to create chaos.

Ideology is one of the most common factors that motivate individuals to disseminate disinformation. These actors transmit one-sided messages to influence the emotions, attitudes, opinions and actions of a specified target audience for their own political or commercial purposes. Ideological groups often hold contempt for opposing views. They typically use social media as their primary platform and sometimes even use those channels to spread conspiracy theories.

Another common motivator is money. Actors seeking to maintain their financial interests, for example, might launch advertisements designed to perpetuate inaccurate information about a competing entity. Similarly, some actors distribute false information to garner likes and shares and gain status within online communities. Finally, some actors spread skewed information to radicalize members of online communities — arguably the most dangerous result of this practice.

A Calamitous Vision Realized

In 1979, Chinese leader Deng Xiaoping stated that software, if properly weaponized, could be far more destructive than any nuclear arsenal. Given the calamities now unfolding before our eyes, it appears that his vision is becoming reality.

It’s up to security professionals to protect enterprise resources from becoming pawns in disinformation schemes and to make sure they are focusing on the true problems facing their organizations. Business executives, security leaders, IT professionals and media consumers around the world must learn to distinguish legitimate news from inaccurate, agenda-driven indoctrination. In the age of disinformation, this distinction is more critical — and blurrier — than ever.

Is the CISO Job Market Overcrowded?

Published at Securityintelligence.com

Is there an oversupply of chief information security officers (CISOs) in the cybersecurity job market? According to an Indeed report, the answer is yes — but the study’s statistics don’t tell the whole story.

The economists behind the study found that employee interest in the CISO job market in the U.S. is more than double the actual demand for the position. Moreover, there is a vast pool of highly qualified but chronically underemployed security leaders in the U.S. Applicant interest in the position is driven mainly by the high salaries and prestige the position offers, Indeed said.

But economics is an imprecise science because it relies on “human behavior,” as the researchers stated in their disclosed methodology. And all the evidence I’ve seen in my experience and in countless industry articles indicates that CISOs are in very high demand, and there are few qualified candidates available. Perhaps more importantly, the job descriptions in the majority of CISO postings do not accurately reflect what the role entails.

The Ultra-Competitive CISO Job Market

The demand for CISOs has never been greater, and the main factor that drives up salaries is the law of supply and demand. A greater demand will push salaries upward and hurl employers into competition, scrambling to lure the best candidates.

It has become a seller’s market, which also drives skyrocketing salaries across the country. IT and cybersecurity recruiting firm SilverBull recently published salary figures in major metropolitan areas. The top six candidate locations by average salary are:

  1. San Francisco ($249,000)
  2. New York ($240,000)
  3. San Jose ($240,000)
  4. Washington, D.C. ($225,000)
  5. Los Angeles ($223,000)
  6. Chicago ($214,000)

Elevating CISO positions into the C-suite will undoubtedly push salary ranges well past the $500,000 mark. Still, executive recruiting firms and chief information officers (CIOs) who play key roles in recruiting security leaders are having difficulties finding them, despite these justifiably high salaries.

A Highly Targeted Hiring Process

It is a long road to become a qualified, well-rounded CISO. It requires years of experience developing expertise not only in the technology that surrounds the discipline, but also in governance, compliance and risk. It is equally important to acquire the business savvy and executive presence to lead. Impeccable communication skills are also critical to drive execution within the business.

Employers hiring C-level positions usually seek proven candidates through referrals within the executive ranks, often conducting retained searches to find the right combination of knowledge, experience and cultural fit. The majority of the top CISO vacancies are conducted in this manner, with employers directly targeting candidates they want. For this reason, many job seekers see only a fraction of positions advertised on the job boards.

Clarifying the CISO Job Description

When I studied most of the vacancies that were posted on job boards, I noticed that companies were not bound to accurately describe the duties of a CISO. The job descriptions often misrepresented the true meaning of a C-suite position. Some required hands-on engineering responsibilities with a blend of many other skills that are not characteristic of executive leadership positions. Some emphasized program or policy management, governance, compliance or risk, while others specified operations, architecture or engineering without mentioning true leadership abilities that effect change.

Furthermore, a number of organizations are hiring their first CISOs. For a seasoned security executive, this is a red flag to approach with extreme caution or completely avoid. Businesses hiring security leaders for the first time may not comprehend the responsibilities and expectations the job entails. Many times, when a new executive begins instituting controls, complaints emerge and escalate upward. This dynamic carries an unacceptably high risk that the executive’s tenure will be short-lived.

A Resume for Success in the CISO Job Market

A seasoned CISO’s resume must tell a compelling story of achievements backed by concrete metrics that propelled previous employers to new heights. It must exhibit C-suite characteristics, such as vision, strategic thinking, execution, technological skills, team and relationship building, communication, presentation, integrity and change management, that demonstrate leadership abilities.

During the interview process, a CISO must be prepared to answer probing questions, such as:

  • How would you execute your vision of security?
  • How would you influence others and gain executive buy-in for security initiatives?
  • How would you sell security to leadership and the board?
  • How would you identify, prioritize and mitigate risks?
  • How would you ensure that the organization maintains compliance with privacy regulations?
  • What are your thoughts on security convergence, IT reporting structure and organizational culture?
  • What are your greatest achievements, and how did you execute them?
  • What does the CISO role mean to you?
  • How would you describe your leadership style?
  • How would you relate to the CEO and the board of directors?
  • What is your breach prevention and mitigation strategy?
  • What are your thoughts on offensive security?
  • What methods do you use to keep up with the latest security trends and issues?
  • How would you act as the security spokesperson internally and externally?
  • What value will you bring to the organization?

When it’s all said and done, employers sum up candidates based on the overall value they can deliver. The last question is the kicker, analogous to an age-old HR question: Why should the organization hire you? It’s critical to present key traits that separate you from the rest of the pack.

Building an Effective CISO-CIO Partnership

Published at Securityintelligence.com

For many, the most common reporting structure in today’s business environment is overly complicated. The majority of security leaders around the world report directly to the chief information officer (CIO), which can cause an enormous amount of conflict. That reporting structure, however, is slowly changing for some companies. In those organizations, the chief information security officer (CISO) might report to the CEO, chief operating officer (COO), chief financial officer (CFO) or legal counsel. Still, the security industry has a long way to go to convince corporate boards and government leaders of the conflicting issues at hand.

Breaking Down the CISO-CIO Conflict

In most organizations, the CISO and CIO have totally different mindsets when it comes to IT operations. The CIO is focused on keeping things running. Moreover, when it comes to new technology acquisitions, the CIO is primarily concerned with return on investment (ROI).

The CISO, on the other hand, is focused on using security tools to reduce risk, which can be measured as return on risk (ROR). The rub is that risk reduction always takes a back seat to operations, and that gap is constantly increasing. As the two executives evolve in their respective specializations, the gap grows and ultimately leads to both disciplines becoming separate roles.

A structure that requires the security leader to report to the CIO can also create a power struggle. The importance of security often gets lost in the maelstrom of office politics and tight budgets, which can potentially lead to an adversarial relationship between the two IT executives. When a security breach occurs in this kind of environment, the CISO is often scapegoated, even if the incident is a consequence of the CIO’s decisions.

IT Roles Shifting in Government Agencies

In an August 2016 congressional report, the U.S. Government Accountability Office (GAO) detailed the concerns and outlined the authority of the security executive within federal agencies as defined under the Federal Information Security Modernization Act of 2014 (FISMA 2014). The report addressed the reporting hierarchy within government agencies and questioned their ability to deliver on their responsibilities. Moreover, security leaders reported challenges to their authority as a result of competing priorities between operations and security, such as:

  • Insufficient staff and inadequate budget to achieve compliance with many mandated security controls;
  • Inability to offer salaries that are competitive with the private sector for candidates with skills in high demand;
  • Lack of appropriate training opportunities in highly technical roles to ensure proper risk evaluation and support security infrastructure; and
  • Budgetary conflicts between security and operations executives that result in organizational failure to address security needs.

A congressional House bill, the HHS Data Protection Act, was a direct result of an investigative finding that originated from a series of current and previous network breaches against the Food and Drug Administration (FDA) and the Department of Health and Human Services (HHS). It revealed that the incidents were partly due to organizational structures that imperiled security to favor operations. The report advised the HHS to separate the IT executives, and the legislative bill will do exactly that.

Additionally, some private sector organizations have separated security from the CIO. Several of the “Big Four” consulting firms are actively advocating for this structural change.

A Healthy Rivalry

It is important to understand that the relationship between the CISO and CIO will always be somewhat adversarial, and that’s OK. A healthy rivalry is a good way to ensure checks and balances within the organization, which is one of the fundamental reasons why the security leader should never report to the CIO, but rather engage in a partnership.

Both positions have too much on their plates to begin with, so it makes sense to work in tandem. Both are responsible for leadership and vision where IT and security implementations are concerned. Both have critical roles to drive the business forward, and the CISO needs to provide insight and guidance to ensure that the security strategy is sound.

Information security leadership is beginning to gain board seats, building consensus to provide a security strategy that enables the business to move forward. What was once solely the CIO’s responsibility has now become a part of the security leader’s daily workload. It is important to set attainable metrics for business success to convey actions to the board, and for both executives to work together to ensure that operations are conducted securely.

Building Trust

Trust is a key ingredient here because it affects the CIO-CISO partnership as well as the executives’ shared effort to unite all departments under a single security umbrella. It is a challenge to build that trust; both executives must be solid communicators who are able to defuse the tensions between their roles.

These two roles are interdependent, since the CIO relies upon the CISO for advice, guidance and risk evaluation while the CISO depends on the CIO for support and infrastructure resources. They must work together with a holistic, integrated approach that empowers every business department within the organization with a clear vision. Together, they must build trust, formulate priorities and execute them.

Information security is no longer an IT support issue, but a strategic business responsibility. Both IT executives must share common goals for security and IT operations to be successful.

How The Next-Generation CISO Will Lead Security Strategy

Published at Securityintelligence.com

The role of the chief information security officer (CISO) must continually evolve just as businesses do. The next-generation security leader has to grasp the various demands of the board and communicate security risks and strategies in terms directors can understand. To protect the organization’s assets from the ever-changing threat landscape, this leader must possess strong business acumen, a results-oriented mindset and various board-level skills.

Speak the Board’s Language

The security leader needs to be business-facing most of the time rather than acting in a technical role. This is where productivity can get stymied, since the CISO also oversees technical environments with many tools and technologies in place.

In a business environment, it is extremely important to convey technical details appropriately to a nontechnical audience. Next-generation CISOs must be able to communicate clearly to all executives and employees within their organizations. They must be visible, approachable and able to articulate security principles simply and concisely. They should also collaborate with contemporaries outside their organizations to gain a richer understanding of the CISO role.

It Takes All Kinds

The CISO role is all about leadership, like any other C-level position. The next-generation CISO must know how to delegate tasks based on skills that come from a variety of sources. You may have employees who are good at managing and leading a team, for example, and others who might excel at working with peers from various departments. Some employees might build leadership skills through their technical savvy as subject matter experts. A successful leader knows how to identify and harness these traits and these individuals to build a strong security program.

Aligning Security With Business Goals

It’s crucial for the CISO to be relevant to the business. This means taking on a more strategic role to pivot board conversations toward risk management. It also includes going beyond the negative consequences and explaining risk in terms of its positive effects, such as competitive advantage, business growth and revenue expansion.

Relentless passion and a results-oriented drive are essential to deliver upon business goals. CISOs must build strong teams of security professionals who buy into these goals. They must also be adept at problem-solving, managing the concerns and expectations of stakeholders, and formulating effective solutions to complex problems.

Empowering the Next-Generation CISO

Finally, security leaders must possess certain board-level skills. Of course, they must master the vital aspects of managing security technologies and protecting both digital and physical assets. CISOs should focus on establishing strong security policies and communicating risks in plain, relevant terms to executives. They need to drive discussions in board meetings to educate, engage and align stakeholders with respect to their security strategies and initiatives.

The key is to understand that business operations and information assets are crown jewels. That principle should influence CISOs to institute strategic governance that prioritizes information security investments and aligns with business goals.

CISO Complexity: A Role More Daunting Than Ever

Published at Securityintelligence.com

The role of the CISO is more complex than ever. One major factor contributing to this CISO complexity is the growing number of regulatory compliance requirements organizations must meet. There are also industry-specific standards muddying the water. Financial services, for example, are heavily regulated in the U.S. and the European Union (EU). These regulations are rapidly changing, and it is very difficult for CISOs to keep up with all mandates.

CISOs are often confronted with organizational business units that simply accept risk instead of attempting to mitigate it with regulatory and security compliance. It is difficult to justify this problem to regulators who often see it as a black-or-white issue — either you’re in compliance or you are not. CISOs have a tough time addressing this gap in the ever-changing regulatory environment.

Getting Executives on the Same Page

The heightened awareness of executives and boards of directors also contributes to CISO complexity. Through collaboration with other organizations, these executives are becoming more sensitive to the importance of security. They have seen other organizations suffer data breaches and heard of the massive losses, and they want to know that their own critical data is protected.

The seemingly insurmountable threat landscape adds even more complexity. Cybercriminals are becoming more sophisticated, and everything from state-sponsored attacks to organized criminal campaigns is occurring around the clock. Advanced defensive solutions can be helpful but may also be difficult to operate, adding yet another layer of difficulty.

Zooming In on the Big Picture

Complexity is not necessarily a bad thing, but understanding what causes it goes a long way toward dealing with it. CISOs must understand what creates complexity in their organizations. They should, for example, remove any tools that do not add value and delegate tasks to direct reports whenever possible.

Organizational complexity creates big obstacles that make it difficult to get things done. Executives and board directors often lack a realistic understanding of how information security and the related challenges actually affect their businesses. I’ve noticed that many leaders simply revert to past personal experiences to address security issues from a big picture perspective, yet they fail to understand or consider the consequences of that, especially as it relates to employees. It could result, for example, in inadequate processes and ambiguous role definitions.

What Drives CISO Complexity?

Security leaders must identify pockets of individual strength and weakness in their departments to effectively deal with these challenges. It is important to properly delegate work to individuals who can deal with delicate situations and also to train others to develop the required skills. This enables the CISO’s staff to create and use networks within organizations to build relationships. A team effort is required to overcome poor processes, manage complexity and bridge organizational silos.

Organizations have varying degrees of complexity due to both internal and external factors. To top it all off, security staff members view complexity differently than executives. Those stakeholders must recognize how their staff deals with complexity and develop an understanding of what drives it.

CISOs Are Constantly Confronted With Conflicts of Interest

Published at Securityintelligence.com

Corporations, government agencies or individuals may be quick to throw ethics out the window when there’s an extra buck to be made. Some of these conflicts of interest are overt, while others are difficult to recognize. CISOs are constantly challenged to identify patterns that might put them in a morally compromising position.

The most common conflict of interest arises when an employee working for one company freelances for a competitor. Another type of conflict results from nepotism, when one or more employees is related to a company manager or executive. These are the most obvious examples, but other instances, such as C-suite friction and negative publicity, are subtler and usually intrinsic.

Even innocent interactions between two people at a conference or on social media can lead to termination of employment or legal action if both parties are not careful. It’s difficult to keep track of every potential problem, but IT leaders can save themselves a lot of headaches by simply knowing what kinds of issues commonly lead to contention.

Stifling Whistleblowers With Gag Rules

Chief information security officers (CISOs) must manage conflicts of interest among their board of directors and other departments throughout the organization. Most employees blindly trust their CISO’s decision-making skills and don’t even think to challenge them. But consider the problems that might arise if a board member favors a particular vendor because he or she holds a stake in that company or stands to redeem an undisclosed incentive in the future. This is also why employees are often pressed to sign noncompete agreements.

Some companies go so far as to establish gag rules that prevent employees from publishing articles or books without explicit approval. A Google employee even filed a lawsuit claiming that the company breached California labor laws by using confidentiality agreements to run what essentially amounts to an internal “spying program.” The tech giant, according to the lawsuit, even forbade employees from writing novels about “someone working at a tech company in Silicon Valley.”

If Google is found guilty on all violations specified in the lawsuit, it could face fines up to $3.8 billion. The allegations illustrate how a company might use its confidentiality rules to prevent whistleblowers from disclosing illegal activities to regulators and law enforcement.

Corporate and Government Conflicts

CEOs are often motivated to engage in conflicts of interest with government agencies, and vice versa. For an example of this, look no further than the lobbies influencing federal, state and international lawmakers to bend legislation in their favor. Big Tobacco, for example, sits on the governing committee for tobacco control in the Philippines. Now, imagine how this conflict might negatively impact things like health care or product distribution.

Ironically, these global corporations typically have ethics and governance programs, yet turn a blind eye when these principles conflict with opportunities to establish dominance in the marketplace. For the CISO, naturally, this presents a moral quandary.

Managing Conflicts of Interest

A CISO should always consider the job from the outside looking in. Corporations don’t take conflicts of interest lightly, and it’s important for security leaders to make sure their actions align with the company’s business goals and code of ethics.

Restrictions relating to conflicts of interest vary from industry to industry. Independent contractors, for example, can use skills obtained elsewhere for personal gain because they are self-employed. In a corporate setting, however, employees are bound by the company’s stipulations related to conflicts of interest.

Before you engage with another organization or participate on social media, ask yourself:

  1. Are you treating specific co-workers, relatives or friends differently because of the nature of those relationships?
  2. Are you using skills you developed at work for personal gain outside the company?

If the answer to either of the above questions is yes, you may be in conflict with the interests of your company. Recognizing these situations will help you avoid them.

Increased Regulatory Compliance Is Choking the CISO

Published at Securityintelligence.com

Chief information security officers (CISOs) love to laugh at ridiculous compliance regulations. In the financial industry, for example, some organizations are forced to comply with Regulation Systems Compliance and Integrity (Reg SCI), Commodity Futures Trading Commission (CFTC) rule 39.18, the Committee on Payments and Market Infrastructures (CPMI), the International Organization of Securities Commissions (IOSCO) and Principles for Financial Market Infrastructures (PFMI) Principle 17.

The problem with regulatory compliance is not the rules that are self-evidently absurd; it’s the ones that sound reasonable on their own but impose a huge burden collectively. Federal, state and local governments are cramming thousands upon thousands of new compliance regulations down our throats each year, and that creates big problems for CISOs.

Drowning in Regulatory Compliance Requirements

Each regulator seems to think it can ensure its immortal legacy by issuing standards that are a bit different. Some security experts might argue that regulatory mandates help keep corporations large and small in line, but compliance is becoming vastly overcomplicated, especially for small organizations that lack resources.

Consider the Dodd-Frank legislation that aimed to prevent another financial crisis. Its purpose was to create transparency, stop banks from taking excessive risks, prevent abusive practices, and seize tottering, too-big-to-fail financial firms. That law spanned 843 pages — that’s 23 times longer than the Glass-Steagall law that followed the Wall Street crash of 1929. Dodd-Frank became outrageously demanding when regulators filled in further compliance details beyond its original purpose.

Similarly, the Cybersecurity Information Sharing Act of 2015 (CISA) is designed to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” Unfortunately, the law has no teeth. Many industries opposed it despite the fact that the idea of sharing intelligence surfaced frequently in discussions. The political climate often tears the best intentions along ideological lines, and that weakens legislation, with the end result that it fails to strike a proper balance between security and privacy.

So small businesses are being choked by excessive compliance regulations and large, global firms are forced to increase resources to comply with regulations. The business environment is now so incredibly toxic that many leaders have simply given up trying to work within the system, and security pays the price.

The Role of the Compliance Auditor

Business leaders often complain that auditors advise how to be in compliance by dictating what to do without regard to the organizational context. This conflict commonly occurs when an inexperienced auditor fails to understand an organization’s resources, size and wherewithal to remediate findings efficiently. Small organizations may benefit from this gap since it may be easier to enact small positive changes or alter policy, but it can irritate leaders of large firms.

A compliant environment is not necessarily a secure one, and achieving compliance is an unreliable method of reducing risk. This sometimes leads CISOs to challenge auditors, counting on management to support their views. Ironically, no individual can reasonably know how to comply with overcomplicated regulations such as the Sarbanes-Oxley Act (30,470 words), the Affordable Care Act (400,038 words) or the Dodd-Frank Act (377,491 words), let alone the many other rules and regulations applying to businesses today.

A Path Forward

Many of these complex regulations are redundant, with each placing a different spin on its meaning and wording. Security frameworks such as the Payment Card Industry Data Security Standard (PCI DSS), the standards of the International Organization for Standardization (ISO), the publications of the National Institute of Standards and Technology (NIST) and others often overlap, so it’s important to map specific regulations against one another to address any redundancy.

Remember, a CISO’s focus, regardless of specific compliance requirements, is to safeguard corporate data and, in turn, protect employees, patients, vendors, customers and shareholders. Know the requirements of the regulations you must comply with. Read them, study them, and perform audits and assessments against them. Stay current on interpretations, rulings and news regarding these mandates.

When I headed the internal audit department with a previous employer, these data compliance audits were rarely scheduled. Most regulators prefer unannounced audits to make it harder for companies to sweep issues under the rug at the last minute. You have to be prepared.

In practice, audits can be performed directly by the examination and enforcement staff of the regulatory agency itself. In other cases, third-party examiners, such as accounting firms acting under the oversight of a regulatory agency, may conduct compliance audits. It is therefore critical to work closely with internal auditors to prepare for these events should a breach trigger an unscheduled audit.

Predicting the Top Three Concerns for CISOs in 2017

Published at Securityintelligence.com

The CISO’s job is about to get even harder in 2017. According to my crystal ball, the new year will bring many new concerns for CISOs. The best way to proactively deal with these inevitable surprises is to analyze and anticipate failures from years past.

Yahoo suffered the biggest bombshell breach of 2016 — indeed, the most expansive in history — when it disclosed that 500 million accounts had been compromised since 2014. The technology company later discovered that more than 1 billion accounts had been compromised since 2013.

This breach and dozens of other high-profile incidents stem from the unwillingness of executive management to focus on security. With this in mind, the top three concerns for CISOs today relate to alignment with business needs, the industrywide skills shortage and the increasing sophistication of cyberthreats.

1. Aligning Security With Business Objectives

One of the primary concerns for CISOs involves balancing security transformation with the daily tasks necessary to reach business goals. IT managers must map out the security infrastructure within the context of business objectives. This is a challenge due to the difficulty of obtaining buy-in from other executives to fund IT projects.

The CISO must be a tough decision-maker and relentless in his or her pursuit of IT investment. Each investment must address the business strategy objective to be successful. Moreover, every project endeavor must correspond directly to the business objectives that will motivate executives to jump aboard.

2. The IT Skills Shortage

CISOs are also challenged with finding individuals who possess both technical and soft skills. These candidates must be able to engage and understand the business, making the CISO’s job much easier. Addressing the skill shortage goes hand in hand with aligning security with the business. It is difficult to find business-savvy candidates to help the organization align with its objectives and move forward. Aside from technical skills, business skills come with experience, time and maturity. Soft-skill competency is becoming far more important than technical skills in today’s corporate environments and directly affects security performance.

Business executive leadership often sees IT as risk-averse and incapable of fully understanding business objectives. CISOs often struggle to align security with business objectives because senior managers try to circumvent it. To address this, IT teams should become consultative resources to the business side. This will serve to vastly improve the soft skills of their personnel.

3. Sophistication of Cyberthreats

The third concern involves combating cyberthreats and keeping up with increasingly sophisticated attack methods. The most problematic threats are invisible ones, such as zero-day vulnerabilities. CISOs must also beware of state-sponsored cybercrime groups and the extensive surveillance and research methods they employ. These groups may search for reckless, disgruntled employees or plant contractors to infiltrate the organization, gather intelligence about the company and exfiltrate sensitive data.

These advancements are worrisome because they impact the CISO’s ability to address them head-on. The escalation of cyberthreats is overwhelming, and no company of any size can simply keep up with every threat that surfaces. The CISO must consider adaptive countermeasures to proactively detect advanced cyberthreats before it’s too late. For example, tools such as security behavioral analytics can be used to detect internal threats.

Unfortunately, board members often consider security gaps as a cost of doing business. They may align with the presentation you deliver but fail to grasp the impact, believing it costs more to fix the gap than to leave it vulnerable. Board members must understand the long-term repercussions.

Building a Security Strategy for the New Year

CISOs will surely meet challenges when crafting strategies that align with business objectives, address the skills shortage and counter advanced cyberthreats. To sell such a strategy to senior management, CISOs must establish various sets of reporting metrics against which the chief information officer (CIO) and other executives can measure security performance. The metrics should always be value-focused, performance-based and improvement-oriented.

Five Signs of CISO Complacency

Published at Securityintelligence.com

Chief information security officers (CISOs) are constantly challenged to avoid complacency. The seemingly insurmountable pressures of balancing escalating threats and regulatory compliance mandates can be overwhelming. When conceiving big security projects, CISOs often talk about finding the risky pain points in processes and trying to correct them. That exercise is all about management skills, but many seem not to have grasped the interplay between information security and the rest of the company.

Keeping CISO Complacency in Check

The majority of business leaders see security as an obstacle to getting things done. Most of the friction arises because business leaders want the CISO to explain technology in business terms so they can understand where relations need to improve. Many think that IT should be outsourced by leveraging cloud technologies to do more with fewer resources. Business leaders want to concentrate on the business side, making it easier to work with existing personnel and, more importantly, focus on their customers.

On many occasions, efforts by security leaders to initiate action and obtain the required investments hit roadblocks. Instead of measurable progress and moving projects forward, initiatives get caught up in the corporate politics that surround them. For the CISO, it is survival of the fittest. This drives complacency and erodes the CISO’s competitive edge within corporate leadership.

Today’s security-conscious organizations need a new breed of CISO who has the mental toughness and patience to withstand the heavy demands of a corporate environment. The best leaders know the obstacles and have the agility to navigate the treacherous road. The job is not for the faint of heart and is often short-lived, with the average tenure lasting just a few years.

Five Signs of CISO Complacency

As industries evolve with the endless demands of government and industry regulations, the danger of CISO complacency increases. CISOs are challenged to manage the ongoing dynamics of business in addition to implementing sound security programs, architecture, governance, risk and compliance in a way that effectively blends with corporate best practices.

CISO complacency often results when CISOs reverse course and, instead of taking a step forward, stagnate or regress to a comfort zone. Corporations may then become vulnerable to the increasing sophistication of cyberthreats and lose strategic focus on effectively mitigating them. A CISO must, therefore, identify the signs of creeping complacency and adopt a different leadership approach.

The following are five common signs of CISO complacency:

1. Anxiety and Ambiguity

One sign of complacency is when leaders become afraid of what is required to move the agenda forward. For instance, many CISOs seek the path of the least resistance to avoid confronting the politics associated with necessary changes. They fear the potential backlash, but the lack of action leaves the organization exposed and vulnerable.

Anxiety increases with ambiguity. CISOs often fear uncertainty, but the antidote to it can become a powerful ally in the workplace, especially when security leaders anticipate the outcome, solve issues and don’t allow others to determine their fate. The adversity might make or break a CISO, but it can also define one. Leaders must remember that their grasp and understanding of security far exceeds the knowledge of others in the organization. They have to be the ones calling the shots.

Anxiety and ambiguity result when employees don’t know the consequences of their actions. A complacent leader is often associated with an unpredictable corporate environment and an inability to control it. An effective CISO should be taking proactive steps to tackle risks, make decisions and anticipate the consequences of those actions.

2. Losing Focus of the Details

CISOs sometimes lose focus on the details as pressures mount. It’s critical to maintain focus on the details by managing operations effectively. Otherwise quality erodes, and it becomes obvious, especially when paired with inadequate preparation. People notice the slowdown in execution and the poor time management. Cutting corners can have a negative impact on the organization.

3. Loss of Executive Presence

When team members notice the CISO cutting corners, tension begins to build. That’s when CISOs lose their executive presence. Mounting demands can lead to anger, job frustration and restlessness — and add significantly to CISO complacency.

Colleagues in the organization may begin to doubt the CISO’s leadership capabilities, which might lead to exclusion from executive decisions, budget cuts or more. In extreme cases, it could result in termination of employment. When CISOs become isolated from their peers in the C-suite, people begin to ignore or dance around their decrees, further inhibiting their ability to get the job done.

4. Too Easily Satisfied

When you are complacent, satisfaction comes from incremental growth. A small win might sound like a big one when, in fact, it is not. If your big win was implementing an identity and access management (IAM) system, it is time to reassess. Bare minimum security practices should not be celebrated like proactive measures. Remember, a leader has to visualize and understand the big picture and see the forest instead of the individual trees.

5. Making Excuses

A complacent CISO is quick to make excuses as to why a goal or task can’t be accomplished. It is all too easy to hide behind these excuses and accept the status quo. The CISO should be able to execute his or her vision with a feasible and reasonable road map. Anticipating barriers provides CISOs with the insight to overcome them. They can bolster this effort by advising others of potential risks. In this way, excuses are no longer necessary — they are built into the road map where everyone knows about the challenges upfront.

The CISO’s Vision

An effective CISO in today’s demanding environment is motivated, proactive and able to manage the constant barrage of cyberthreats and compliance mandates. Complacency can prevent CISOs from establishing adequate security programs. The CISO has to be driven, be a serious leader, always move forward and influence others to achieve a visionary goal.

An effective business leader must recognize and deal with complacency in any position. It is a people skill that can be taught to others to empower them to advocate and work toward the CISO’s vision.

Identity Management for the Internet of Things

Published at LinkedIn.com

The growth of interconnected devices is immense: published reports estimate that by 2020 there will be well over 50 billion devices in use globally. What will be more profound is that continued exponential growth will far exceed that estimate into the foreseeable future. How big that figure will be is anyone’s guess at the moment, given the insatiable appetite to connect all things to the internet. Without question, information security and privacy have become a significant challenge and are rapidly becoming so complex that securing these devices may seem insurmountable, with the attack surface footprint becoming effectively infinite in size.

“Internet of Targets” Security Dilemma

The IoT opens a completely new aspect of security where the Internet meets the physical world. This has serious implications for security, as the threat moves from manipulating and exfiltrating information to controlling actuation – it is moving from the digital to the physical world. Consequently, it vastly expands the attack surface from known threats and known devices to the additional security threats of new devices, protocols and workflows. Many operational systems are moving from closed systems (e.g., SCADA, Modbus, CIP) to IP-based systems, which further expands the attack surface. The IoT can be affected by various categories of security threats, including the following:

  • Cyber terrorism: Nuclear plants (for example, the Stuxnet virus), electrical grids, traffic monitoring, railways, airports/aircraft and all critical infrastructures.
  • “Script kiddies” or others targeting residential IoT: Unprotected webcams, stealing content, breaking into home control systems including smart meters.
  • Common worms jumping from ICT to IoT: Generally limited to things running consumer O/S: Windows, Linux, iOS, Android.
  • State sponsored and/or organized crime: Access to intellectual property, sabotage, and espionage.

For the layman, to better understand the sheer size, consider IPv4, which has now run out of usable IP addresses that can be assigned to a device. IPv4 has had only 4,294,967,296 (4.3 billion) addresses since its inception in the 1980s. This was a serious limitation: nobody thought the “Internet of Things” (IoT) would evolve, and IPv4 could not scale to the astronomical numbers that are now occurring. The new IPv6, now being rolled out, theoretically provides 3,400,000,000,000,000,000,000,000,000,000,000,000,000 (340 undecillion) IP addresses. Think of it this way: every device made, connected and controlled over the internet can have its own IP, an “identity artifact” equivalent to a DNA marker unique to every living organism’s chromosome. This is where the rubber meets the road, and it is what enables the IoT’s explosive growth. Yet with the IoT, it’s not merely about having enough IP addresses for every device imaginable and, in addition, one for every human being on this planet; it is also about “machine to human”, “human to machine” and “machine to machine” communication. From a security perspective, identity is one of the most critical and fundamental cornerstones toward securing the IoT.

I do stress that IPv6 gives each manufactured device globally the capability to have a uniquely assigned IP address, and that can serve as one plausible identity marker, yet the use of DHCP and proxies also masks the identity of the device from its owner or from another object using it. Moreover, it can serve as an electronic tracking marker, much as a serial number does today, albeit manually.

Identity Management (IdM) LifeCycle

In user identity management (traditional IdM) we have rather long-lived identity lifecycles. In day-to-day services like e-mail, texting and telephone, a user account exists for months, years or even a lifetime. In the IoT, objects have very different lifetimes, ranging from years or decades down to days or minutes, quite a broad range indeed, though such short-lived identities exist in the traditional sense too. For example, a parcel might be shipped from one location to another. The parcel gets an RFID tag associated with an identifier (a tracking number). It moves from one logistics center to another, perhaps crossing borders, and is tracked, controlled and routed. As soon as it arrives, the identity of the parcel disappears.

Ownership and identity relationships

Things or objects in the IoT often have a relationship to real persons and, in many cases, to other objects. These could be owners, manufacturers, users, administrators or many other roles. A product might be owned by a manufacturer first and subsequently by a user who bought the product; later that owner sells it to another owner or disposes of it. The owner, user or administrator of an object might change over time. Ownership and identity relationships in the IoT have an impact on other identity-related processes, such as authentication and authorization. The owner of a thing might be challenged for authentication or be asked for authorization policies.

Protection Mechanisms

In classic identity management, certain protection methods have been established over the years to protect an identity from abuse. We have authentication methods to prove identities, secure channels to transmit identity attributes, and passwords and other data are stored encrypted. Security concepts like integrity, availability, authenticity and non-repudiation are built into classic identity protocols like SAML and OpenID. In the IoT the situation is different, as many communication protocols are not based on the internet protocol. Many sensors or actuators have only restricted resources in terms of energy, bandwidth and connectivity. Protocols like enOcean [www.enocean.com] or KNX [www.knx.org] use only a few bytes to send commands or receive values. There are profound limitations for encryption, challenge-response procedures or other security mechanisms.

Authentication and Authorization

These classic mechanisms (user ID and password) may not directly work in the IoT. Many objects have to provide some sort of lightweight token or certificate for authentication where no user (providing a password) is involved. For stronger authentication of individuals, we usually combine two or more factors. These factors are based on the following proofs:

  1. Something that you have
  2. Something that you know
  3. Something that you are (e.g. biometry)

In the IoT, the last two proofs no longer apply to objects.
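The password-less, single-factor authentication the text describes, as an added example that is not code from the original article: a thing proves only “something it has” (a per-device secret provisioned at manufacture) by answering a server challenge with an HMAC, and the server rejects replays, wrong keys and stale answers. The device IDs, keys, the AuthServer API and the sample exchange are constructed for illustration.

```python
# Added example (not code from the original article): password-less device
# authentication using only the "something you have" factor. The device holds
# a key provisioned at manufacture; no user and no "something you know" is
# involved. Device IDs, keys, the AuthServer API and the exchange are constructed.
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

CHALLENGE_TTL_SECONDS = 30.0   # a challenge not answered in time is discarded


def _mac(key: bytes, device_id: str, nonce: bytes) -> bytes:
    # The response binds the device identity to the fresh nonce, so an answer
    # captured on the wire is useless for another device or a later challenge.
    return hmac.new(key, device_id.encode() + b"|" + nonce, hashlib.sha256).digest()


class Device:
    """The thing: holds its provisioned key and answers challenges."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self._key = key

    def answer(self, nonce: bytes) -> bytes:
        return _mac(self._key, self.device_id, nonce)


class AuthServer:
    """Issues single-use challenges and verifies the device's response."""

    def __init__(self, provisioned_keys: Dict[str, bytes]) -> None:
        self._keys = provisioned_keys                       # device_id -> key
        self._pending: Dict[bytes, Tuple[str, float]] = {}  # nonce -> (device_id, issued_at)

    def challenge(self, device_id: str, now: Optional[float] = None) -> bytes:
        if device_id not in self._keys:
            raise KeyError(f"unknown device {device_id}")
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (device_id, time.time() if now is None else now)
        return nonce

    def verify(self, device_id: str, nonce: bytes, response: bytes,
               now: Optional[float] = None) -> bool:
        issued = self._pending.pop(nonce, None)   # pop: a nonce is accepted at most once
        if issued is None or issued[0] != device_id:
            return False
        if (time.time() if now is None else now) - issued[1] > CHALLENGE_TTL_SECONDS:
            return False
        expected = _mac(self._keys[device_id], device_id, nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def demo() -> Dict[str, bool]:
    """Constructed exchange: one genuine meter and one clone lacking the key."""
    genuine_key = secrets.token_bytes(32)
    server = AuthServer({"meter-0001": genuine_key})
    meter = Device("meter-0001", genuine_key)
    clone = Device("meter-0001", secrets.token_bytes(32))  # claims the same ID, lacks the key

    t0 = 1_000.0
    nonce = server.challenge("meter-0001", now=t0)
    answer = meter.answer(nonce)
    results = {"genuine": server.verify("meter-0001", nonce, answer, now=t0 + 1)}
    # Replaying the very same (nonce, answer) pair must be rejected.
    results["replay"] = server.verify("meter-0001", nonce, answer, now=t0 + 2)
    # A device without the provisioned key cannot produce a valid answer.
    nonce2 = server.challenge("meter-0001", now=t0)
    results["wrong_key"] = server.verify("meter-0001", nonce2, clone.answer(nonce2), now=t0 + 1)
    # A correct answer that arrives after the challenge expired is rejected too.
    nonce3 = server.challenge("meter-0001", now=t0)
    results["stale"] = server.verify("meter-0001", nonce3, meter.answer(nonce3),
                                     now=t0 + CHALLENGE_TTL_SECONDS + 1)
    return results
```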

How to find/address Things in the IoT (DNS and IPv6 are not enough)

In this section I will get into the technical weeds a bit with the “identifiers”.

Various protocols

In the IoT, objects will be connected with different technologies and protocols. Many of the protocols are non-HTTP (web)-based, and some are not even IP-based. As a consequence, not all objects in the Internet of Things have an IP address. Different protocols use different kinds of identifiers.

Limitations of hardware addresses for routing purpose

Even when devices have an IP-based address, it is not a good idea to hard-code this address in an application, much like user IDs and passwords, which should never be embedded in software code. The device or its interface might change, and then all the software has to be corrected. That is the reason a hardware address is mapped to a domain-specific identifier. For instance, header control software will rather access http://moraetes.com instead of 216.146.39.125, a DNS redirect to LinkedIn. That’s due to the fact that the LinkedIn service might change its hosting service or simply move to another server infrastructure. In this case the IP address might change from 216.146.39.125 to that of a cloud provider. DNS maps the domain name moraetes.com, which stays the same. DNS can be configured to provide the new IP address for the same domain name, so the application will still work with the domain name but would fail if it used the IP address.

Object Identifiers in the IoT

Object Identifiers are names assigned to things. The things that are named can include logical or physical objects, and names can be given either to “types of things” or to the “things” themselves. We can call the first a “class identifier”, since it refers to a class (or type, or category) of things, and the latter an “instance identifier”. These terms come from computer programming; there may be other terms from ontology or elsewhere that are more suitable. In the case of an automobile, the VIN is the instance identifier; in a computer it is the serial number or a service tag (as on all Dell computers), while the make and model would be class identifiers.

On Object Identifiers vs ITU-T OIDs

The ITU-T defines a number of specifications pertaining to Object Identifiers (OIDs), but other implementations that are not ITU-T OIDs can also be considered Object Identifiers. In this article I will use “OID” to refer to ITU-T OIDs, and “Object Identifier” to refer to the concept more broadly, to make it easier to understand.

Types of Identifiers

  • Instance vs class: refers to a thing or to a type of thing.
  • Unique vs non-unique: the identifier is issued to only one object or to many.
  • Synonyms vs no synonyms: whether objects are permitted multiple synonymous identifiers.
  • Governance options: name registration and management, where either one authority controls the entire namespace or management is hierarchical.
  • Human usable vs machine usable
  • Global vs local namespace

Types of Objects

The concept of object identification applies to numerous types of objects. Names can identify specific instances of objects or they can refer to classes of object. Consider a network device: it is important to identify the specific network interface associated with that device, and it is also important to identify the type of device.
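The identifier properties listed above, together with the ownership relationships described under “Ownership and identity relationships”, as an added example that is not code from the original article: a small hierarchical registry with class and instance identifiers, uniqueness, human-usable synonyms, arcs delegated to authorities (OID-style dotted names), and owner-only transfer of an instance. The authority names, arcs and the sample vehicle are constructed for illustration.

```python
# Added example (not code from the original article): a hierarchical
# object-identifier registry modelling the properties the article lists:
# class vs instance identifiers, uniqueness, synonyms, delegated governance
# of a dotted namespace, and ownership relationships that change over time.
# Authority names, arcs and the sample vehicle are constructed.
from dataclasses import dataclass
from typing import Dict, Optional


class RegistryError(Exception):
    pass


@dataclass
class Thing:
    oid: str                      # dotted hierarchical identifier, e.g. "1.7.42.1"
    kind: str                     # "class" (a type of thing) or "instance"
    class_oid: Optional[str]      # for instances: the class they belong to
    owner: Optional[str] = None   # current owner (instances only)


class ObjectIdentifierRegistry:
    """Dotted namespace (OID-style arcs) with authority delegated per arc."""

    def __init__(self, root_authority: str) -> None:
        self._delegations: Dict[str, str] = {"": root_authority}
        self._things: Dict[str, Thing] = {}
        self._synonyms: Dict[str, str] = {}

    def authority_for(self, oid: str) -> str:
        """Hierarchical governance: the longest delegated prefix controls oid."""
        best = ""
        for arc in self._delegations:
            if arc and (oid == arc or oid.startswith(arc + ".")) and len(arc) > len(best):
                best = arc
        return self._delegations[best]

    def delegate(self, by: str, arc: str, to: str) -> None:
        if self.authority_for(arc) != by:
            raise RegistryError(f"{by} does not control arc {arc}")
        self._delegations[arc] = to

    def register(self, by: str, oid: str, kind: str,
                 class_oid: Optional[str] = None, owner: Optional[str] = None) -> Thing:
        if oid in self._things or oid in self._synonyms:
            raise RegistryError(f"{oid} already assigned")      # uniqueness
        if self.authority_for(oid) != by:
            raise RegistryError(f"{by} may not assign {oid}")  # governance
        if kind == "instance" and self.resolve(class_oid).kind != "class":
            raise RegistryError(f"{class_oid} is not a class")
        self._things[oid] = Thing(oid, kind, class_oid, owner)
        return self._things[oid]

    def add_synonym(self, name: str, oid: str) -> None:
        """Human-usable alias (a VIN, a tracking number) for a machine OID."""
        if name in self._things or name in self._synonyms:
            raise RegistryError(f"{name} already in use")
        self._synonyms[name] = self.resolve(oid).oid

    def resolve(self, name: Optional[str]) -> Thing:
        oid = self._synonyms.get(name, name)
        if oid not in self._things:
            raise RegistryError(f"unknown identifier {name}")
        return self._things[oid]

    def transfer(self, name: str, by: str, new_owner: str) -> None:
        """Only the current owner of an instance may hand it on."""
        t = self.resolve(name)
        if t.kind != "instance" or t.owner != by:
            raise RegistryError(f"{by} may not transfer {t.oid}")
        t.owner = new_owner


def demo() -> dict:
    """Constructed walk-through: a vehicle model (class), one car, two sales."""
    reg = ObjectIdentifierRegistry(root_authority="root")
    reg.delegate("root", "1.7", to="vehicle-authority")
    model = reg.register("vehicle-authority", "1.7.42", "class")
    reg.delegate("vehicle-authority", "1.7.42", to="acme-motors")   # maker owns the sub-arc
    car = reg.register("acme-motors", "1.7.42.1", "instance", "1.7.42", owner="acme-motors")
    reg.add_synonym("VIN-CONSTRUCTED-0001", "1.7.42.1")              # constructed VIN
    reg.transfer("VIN-CONSTRUCTED-0001", by="acme-motors", new_owner="dealer")
    reg.transfer("1.7.42.1", by="dealer", new_owner="alice")
    blocked = False
    try:  # the dealer no longer owns the car, so this transfer must fail
        reg.transfer("1.7.42.1", by="dealer", new_owner="mallory")
    except RegistryError:
        blocked = True
    return {"model_kind": model.kind, "car_kind": car.kind,
            "owner": car.owner, "blocked": blocked}
```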

Physical Versus Logical

Physical Objects

Object Identifiers are applied to any number of things found in the physical world, such as computing devices, mobile devices, servers, network infrastructure, meters, sensors, cameras, actuators, locks, medical implants, vehicles (and vehicle components) and more. Each of those things can be referenced by an identifier, and additional identifying information can be conveyed regarding relationships to other objects. For example, a server may have a unique hostname but also be assigned a number of IP addresses corresponding to its physical network interfaces. The full identification of the system would include the name of the server, the IP address of each network interface and the association between the server and the network interfaces.

ITU-T OIDs can be used to refer to physical objects, most prominently in the Management Information Bases (MIBs) used by the Simple Network Management Protocol (SNMP).

Logical Objects

In addition to physical things, the identification of logical objects deserves consideration. Logical objects include software, services, data and databases, documents and other digital objects, and more. Identification of software is an area of considerable interest to a number of organizations, and approaches include Software ID Tags and the Common Platform Enumeration. ITU-T OIDs can be used to refer to a number of logical objects. Web services can be identified by the URL used to access them. The Digital Object Identifier (DOI) standard is standardized as ISO 26324:2012 and provides a way of directly referencing digital objects, as opposed to using a URL to identify how to access the document, which may not remain valid over time.

Governance of Object Data

Objects in the IoT produce data that might lead to personally identifiable information (PII) and Personal Health Information (PHI). A car, for example, is able to track GPS positions and to provide a complete movement profile of a certain person.

Transparency

Although these data are mainly used for maintenance or additional services in the automotive field, user information and consent should be mandatory. Data minimization and data collection (in advance
Complex machines e.g. combine harvesters have hundreds of sensors that are able to produce tons of data. Data should not be collected if they are not used for a specific use-case.

The following are major considerations of IoT governance:

Data Ownership/Control

Who owns or controls the data? In a combine harvester or vehicle (truck, automobile, motorcycle), is the data owned by:

  • The manufacturer
  • The dealer
  • The service provider (e.g., maintenance/repair shop)
  • The harvester/vehicle owner
  • Each harvester/vehicle user
  • Employees
  • Clients
  • Prospective buyers
  • Family members
  • Friends
  • Other passengers (e.g., others whose GPS locations also become known)
  • A third party who provides the sensor to support a service, such as:
    • Disseminating aggregated data as a subscription service.
    • Collecting driver behavioral data to determine insurance rates.

Related questions: What happens when you pick up a stranger (hitch-hiker) or give a ride to the airport to an unknown colleague met at a conference? Who owns the data from a transaction that requires the interaction of multiple devices owned/controlled by multiple parties? What happens when a device is sold?

Consent

Whose consent will be required for interactions that involve numerous sensors, controllers, and reporting devices? For example, if an auto manufacturer owns data collected by a vehicle, will it require consent from the vehicle owner and service provider? Will each user be required to provide consent for data generated while they are driving?

Data Ownership, Control and Consent Contracts

The rationale is that current contracts (e.g., privacy policies, website terms of use) are so one-sided that the negotiation asymmetry may be considered unfair.

Identity Discovery

What attributes would an identity registry need to maintain to be of use to people or devices seeking sensor or controller devices to integrate into a solution? For example:

  • Weather sensors
  • Traffic sensors
  • Location tracking sensors
  • Security sensors
  • Weather alerts
  • Traffic alerts
  • Location tracking alerts
  • Security alerts

Further questions:

  • Will owners/users have the ability to prevent their devices from being discovered?
  • Will they have some selectivity about who can discover their devices?
  • Will they have some control over who can interrogate their devices?

Identity Impersonation

  • How will devices preclude impersonation of the other devices with which they exchange data?
  • Will each device that might generate, process, or report on private, sensitive, or confidential data be required to provide its own IAM capabilities to prevent fraudulent use?
  • Will devices be required to develop usernames and passwords to interact with other devices? (How does my calendar system access a GPS system for my child’s school bus, to minimize her waiting in the cold on a snowy day when traffic is behind schedule?)
  • Who sets the username/password or other criteria?
  • How will this information be stored securely?
  • How will it be modified/updated?

The Architecture

“Fog Computing” is an architecture specifically designed to process data and events from IoT devices closer to the source as opposed to a central data center or “Cloud”. Fog Computing is an expansion of the cloud paradigm, similar to cloud computing but closer to the ground. The Fog Computing architecture extends the cloud out into the physical world of things.

As I see it, the IoT encompasses engineering data captured from the information transmitted by these smart devices or objects, each of which has a unique identity artifact, its IP address (there are additional identity artifacts involved that are beyond the scope of this article). What must be understood is that the current state-of-the-art adaptive and reactive technologies enable embedded and distributed intelligence, or “Fog Computing”. These technologies form the core architectural component of the IoT and address the following primary limitations:

  • Network Capacity Preservation: It is well known that network bandwidth can be limited, and collecting data at a central point in the network always consumes a large amount of the network capacity.
  • Centralized Data Collection: Centralized data collection and smart object or device management does not scale as required by the internet. For instance, managing several million sensors and actuators in an electrical “smart grid” network cannot efficiently be done using a centralized approach.
  • Closed Loop Functions: The IoT requires reduced reaction times. For instance, in the electrical smart grid sending an alarm via multiple hops from a sensor to a centralized system (which runs analytics) before relaying a response to an actuator would entail unacceptable delays. Consider detecting a breach on a device occurring where any delayed response would undermine the security and integrity of the network.
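The three limitations above, worked through as an added example that is not code from the original article: a fog node between field sensors and the cloud trips an actuator locally the moment a reading crosses its limit (closed loop, no multi-hop round trip) and forwards only a window summary upstream (network capacity preservation), so the central link carries a fraction of the raw traffic. The sensor names, limit, readings and JSON message encoding are constructed for illustration.

```python
# Added example (not code from the original article): a fog node that closes
# the control loop locally and aggregates before sending to the cloud. Sensor
# names, the trip limit, the readings and the message encoding are constructed.
import json
from statistics import mean
from typing import Dict, List, Optional


class FogNode:
    def __init__(self, trip_limit: float, window_size: int) -> None:
        self.trip_limit = trip_limit
        self.window_size = window_size
        self._window: List[Dict] = []
        self.raw_bytes = 0          # what a centralized design would have shipped
        self.upstream_bytes = 0     # what this node actually sends to the cloud
        self.upstream: List[str] = []
        self.local_actions: List[str] = []

    def ingest(self, sensor_id: str, value: float) -> Optional[str]:
        """Handle one reading. Returns the local actuator command, if any."""
        reading = {"sensor": sensor_id, "value": value}
        self.raw_bytes += len(json.dumps(reading))   # cost of forwarding it raw
        self._window.append(reading)
        action = None
        if value > self.trip_limit:
            # Closed loop: act here, do not wait for a multi-hop round trip.
            action = f"TRIP {sensor_id}"
            self.local_actions.append(action)
            self._send({"event": action, "value": value})   # cloud is told afterwards
        if len(self._window) >= self.window_size:
            self.flush()
        return action

    def flush(self) -> None:
        """Network capacity preservation: one summary replaces a whole window."""
        if not self._window:
            return
        values = [r["value"] for r in self._window]
        self._send({"n": len(values), "min": min(values),
                    "max": max(values), "mean": round(mean(values), 2)})
        self._window.clear()

    def _send(self, msg: Dict) -> None:
        encoded = json.dumps(msg, separators=(",", ":"))
        self.upstream.append(encoded)
        self.upstream_bytes += len(encoded)


def demo() -> Dict[str, float]:
    """Constructed feeder-current trace: 20 normal readings and one fault."""
    node = FogNode(trip_limit=100.0, window_size=10)
    trace = [40.0 + (i % 5) for i in range(20)]   # steady 40-44 A (constructed)
    trace.insert(13, 250.0)                       # a fault in the middle of window 2
    for i, amps in enumerate(trace):
        node.ingest(f"feeder-{i % 2}", amps)
    node.flush()                                  # push the partial last window
    return {"trips": len(node.local_actions),
            "upstream_messages": len(node.upstream),
            "raw_bytes": node.raw_bytes,
            "upstream_bytes": node.upstream_bytes}
```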

The Brains of IoT

The Service Management System (SMS) forms the basis of the IoT architecture. The SMS interacts with intelligent databases that contain intellectual capital information, contact information, policy information, manufacturing and historical data. The SMS also supports image recognition technologies to identify objects, people, buildings, places, logos, landmarks and anything else that has value to consumers and enterprises. Smartphones and tablets equipped with cameras have pushed this technology from mainly

Conclusion

Complexity is one of the largest barriers to effective security, and securing the Internet of Things is no doubt going to increase that complexity exponentially in organizations both large and small. You’re going to have to up your security game by doing more of it, better, faster and cheaper than ever before. The time to be thinking about keeping the Internet of Things in check on your network and any other networks that are associated with your business is NOW. Get the right people on board and at least start with a policy update that outlines access privileges for all of these connected devices. Policies aren’t the magic solution to security; they often do more harm than good by creating a false sense of security and compliance. Remember that being in compliance is not being secure.