I have included six specific recommendations with the recent publication of CISO MindMap. This article is to further elaborate on these recommendations, why these matter, and what actions information security leaders can take. The objective of this article is to provide context for these recommendations and a starting point to take some actions. The actual strategy will vary for each organization depending upon how their IT environment and networks are designed and implemented.
Recommendation 1
Re-evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data.
Why it matters:
- Ransomware is widespread and will continue to be in the near future, as it provides a quick monetization path to attackers. In many industry sectors, it also touches human life and safety (energy, healthcare, manufacturing, shipping, etc.) making it even more impactful.
- Ransomware attacks have high visibility among corporate boards and executive leadership.
What to do:
- Perform a business impact analysis with the objective of identifying critical assets, processes, applications and data.
- Evaluate security controls to protect these assets. Buy insurance.
- Test online and offline backups to ensure backups can be reliably restored within recovery windows.
- Evaluate your capability to deal with ransomware attacks through mock drills and tabletop exercises.
Recommendation 2
Reduce/consolidate security tools/technologies and vendors. More tools don’t necessarily reduce risk but do add the need for maintaining expertise on security teams.
Why it matters:
- A Ponemon study shows that InfoSec teams have an average of 47 tools, and that 53% of leaders are not sure whether these tools are working.
- More tools mean more staff, more cost, and a higher probability of shelfware.
- Fewer tools that are properly configured and fully utilized actually work better in managing and optimizing risk.
What to do:
- Take an inventory of all security tools and their features.
- Identify feature overlap and eliminate redundancy.
- Eliminate shelfware (tools that are purchased but never used).
- Explore the use of Cloud-based subscription services; these are relatively easy to maintain over time.
- Simplify!
Recommendation 3
To serve your business better, train staff on business acumen, value creation, influencing and human experience.
Why it matters:
- Studies from organizations like ISACA show that “soft skills” are the largest gap among infosec professionals.
- The work of infosec professionals impacts other fields in technology and business. The ability to communicate effectively and influence others is crucial to the success of your work.
- Security must become a business differentiator!
What to do:
- Create a body of “essential business skills” that serves as a curriculum for InfoSec professionals (refer to some of my work at my blog site rafeeqrehman.com).
- Train the team on key business concepts: value creation, negotiation, conflict management, influencing, effective communication, human experience, listening, collaboration, KPI (Key Performance Indicators), NPS (Net Promoter Score) and others.
- Add a column to security controls databases/spreadsheets to monitor the impact of a control on human experience (both positive and negative).
Recommendation 4
Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.
Why it matters:
- Use of open source software is not bad in itself. Everyone uses open source software; the biggest examples are Linux and the Apache web server.
- Many commercial software vendors use open source components but don’t properly disclose it.
- Recent vulnerabilities (e.g. log4j) have far-reaching impact.
What to do:
- It is crucial to have an up-to-date inventory of all open source software, whether used as a standalone product or embedded as a library inside a product. We can’t manage what we don’t know exists.
- Require your software vendors to provide you with a list of all open source libraries and their versions embedded into their products.
- Make this list part of the vulnerability management program. Monitor release of new vulnerabilities and patches for your inventory of open source software components.
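The three steps above, inventory, vendor-supplied component lists and advisory monitoring, come together in the matching step; the script below is an added example (not from the article or the CISO MindMap) that checks a constructed inventory of open source components against a constructed advisory feed. The component records, product names and advisory ids (EXAMPLE-ADV-…) are all made up here; the version comparison handles log4j-style numeric versions and OpenSSL-style letter suffixes, since naive string comparison gets both wrong.

```python
import re
from typing import Dict, List, Tuple

# Constructed inventory (minimal CycloneDX-style component records): component,
# version, and the product it is embedded in, so a hit traces back to a vendor.
INVENTORY: List[Dict[str, str]] = [
    {"name": "log4j-core", "version": "2.14.1", "used_in": "vendor-ticketing-app"},
    {"name": "log4j-core", "version": "2.17.1", "used_in": "internal-billing"},
    {"name": "openssl", "version": "1.1.1k", "used_in": "vendor-vpn-appliance"},
    {"name": "httpd", "version": "2.4.52", "used_in": "public-web"},
]

# Constructed advisory feed; the ids are placeholders, not real CVE numbers.
# "affected" is the half-open range [min_inclusive, max_exclusive).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "name": "log4j-core", "affected": ("2.0.0", "2.15.0"), "fixed": "2.15.0"},
    {"id": "EXAMPLE-ADV-002", "name": "openssl", "affected": ("1.1.1", "1.1.1l"), "fixed": "1.1.1l"},
]

def version_key(text: str, width: int = 4) -> List[Tuple[int, str]]:
    """Turn '2.14.1' or '1.1.1k' into comparable (number, suffix) parts."""
    # Integers compare numerically (2.14 < 2.15, unlike string order); a letter
    # suffix such as OpenSSL's 'k' sorts after the bare number; short versions
    # are right-padded so that 2.15 == 2.15.0.
    parts = []
    for piece in text.split("."):
        m = re.match(r"(\d*)(.*)", piece)
        parts.append((int(m.group(1) or 0), m.group(2)))
    return parts + [(0, "")] * (width - len(parts))

def in_range(version: str, low: str, high: str) -> bool:
    """True when low <= version < high under version_key ordering."""
    return version_key(low) <= version_key(version) < version_key(high)

def find_exposures(inventory, advisories) -> List[Dict[str, str]]:
    """Return one record per (component, advisory) match, sorted by product."""
    hits = []
    for comp in inventory:
        for adv in advisories:
            if adv["name"] == comp["name"] and in_range(comp["version"], *adv["affected"]):
                hits.append({"advisory": adv["id"],
                             "component": f'{comp["name"]} {comp["version"]}',
                             "used_in": comp["used_in"], "upgrade_to": adv["fixed"]})
    return sorted(hits, key=lambda h: h["used_in"])

if __name__ == "__main__":
    for hit in find_exposures(INVENTORY, ADVISORIES):
        print(f'{hit["advisory"]}: {hit["component"]} in {hit["used_in"]}, upgrade to {hit["upgrade_to"]}')
```

In practice the inventory would be loaded from the SBOMs your vendors supply and the advisory list from a vulnerability feed, but the matching and version logic stay the same.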
Recommendation 5
Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps.
Why it matters:
- Business enablement requires InfoSec professionals to be on the forefront of innovation and provide guidance on how to utilize emerging technologies (or risk being a roadblock for innovation).
- Security professionals must learn new technologies, identify use of these technologies inside their organizations, and proactively build policies and standards for the use of these technologies.
What to do:
- As an InfoSec leader, identify emerging technologies relevant to your business and encourage your teams to build expertise.
- Allocate budget for training or incentives for self-learning.
- Some technology areas are a must for every security team. These include basic understanding of machine learning (ML) models, how ML models are trained, modern Cloud application architecture, service mesh, containers, and DevOps.
Recommendation 6
Maintain a centralized risk register. Even better: integrate into your enterprise risk management program. Track risk for technology, insiders, processes, third parties, compliance and skill gaps.
Why it matters:
- Risk management is a key component of any reasonable security management program, yet many organizations don’t have a good idea about their overall risk.
- Corporate boards and business leadership need InfoSec leaders to get better at communicating Cyber risk.
- Cyber insurance companies’ demands for better risk management practices are only going to increase.
What to do:
- While proper quantification of risk is a great aspirational goal, many organizations can start with simple methods to track risk.
- Account for all major areas (technology, insider threat, process gaps, third parties, skill gaps in security teams, compliance, use of open source software) and adopt a consistent methodology for risk identification, assessment, prioritization and treatment.
References
- Download CISO MindMap 2022
- 2022 ISACA Report on State of Cybersecurity
- Managing Cybersecurity Program Cost
- Ponemon Report: The Cybersecurity Illusions, The Emperor Has No Clothes.
- CISA National Risk Management Center (NRMC)
- Verizon Data Breach Investigations Report (DBIR)
- CISA Stop Ransomware website
- Blog post: Why we need to redefine CIA triad
- Blog post: What is service mesh and why should anybody care
- AWS Publication: Ransomware Risk Management on AWS using NIST Cyber Security Framework (CSF)
Disclaimer
Recommendations provided here are not professional advice. Cybersecurity is a complicated matter and actions may differ significantly based upon how the overall ICT networks and applications are designed and implemented. A thorough assessment of network and applications is necessary for specific recommendations.