5 Critical Areas All CISOs Should be Focused On - CISO Web Panel: 3 October 2018
Donald J. Welch, Penn State, CISO
Anthony Cruz, Federal Energy Regulatory Commission, Cyber Thought Leader
Moderator: Neal Conlon, AppGuard Inc, VP Business Development
The CISO panel explored the challenges of 2018 and what remedies and priorities they consider important for 2019. Many enterprise cyber symptoms stem from inattention to basic blocking and tackling as well as under-utilization of existing tools. Flawed risk alignment contributes to these and other even greater issues. The panel also explored how the human factor affects cyber programs. They prescribed remedies to these matters that can be pursued in 2019 as well as shared what they expect to see next year.
Greater success could be attained by looking more within than without at big-bang answers. We are not patching systems, writing secure software, prioritizing human readiness, etc. These have persisted for 20 years and represent a great opportunity for across the board improvements. Similarly, the enterprise has under-invested in their tool investments, utilizing only one-fourth to one-third of their potential. Penn State’s recent SIEM implementation avoided the usual pitfalls and yielded very tangible gains. They did so by learning from the mistakes and successes of like organizations. They carefully defined and prioritized the use-cases that necessitated the SIEM, and they focused on preparing personnel before and after the tool was deployed.
Inadequately prioritizing and aligning risks with mitigations has also long persisted. They discussed the questions that organizations need to explore more thoroughly, such as: what are you doing with your data security, how are you protecting it, and how are you maintaining system integrity? Answers to questions such as ‘are we spending and deploying enough’ will always be imperfect because quantifying value and risk may never be precise or easy. Further, in many industries, extra money spent on security doesn’t necessarily give one a competitive advantage.
Risk alignment and prioritization wrestles with paradigms. One is equivalent to fighting with one arm tied behind one’s back. This comes stems from a harmful, false perception that cybersecurity is an IT problem rather than a business issue. Suboptimal resource allocations and poor use of staff result. Likewise, the panel explored how risk management must deal with the weakest link the supply chain because it affects all others. They also warned risk planners that over-focusing on home-run attacks exposes them to the same size harms from many, smaller base-hit attacks. Panelists also agreed that most firms should worry more about threats from cyber criminals than nation-states. Large and small firms, or links, all shape better priorities by characterizing their most important assets as well as those interdependencies between themselves and their supply chain. Otherwise, one may spend $5K on a lock for a $200 asset or be blind-sided. The panel also discussed cyber KPI’s and organizational structure.
With risk management ultimately striving to justify and allocate resources, particularly personnel, the panelists observed that the vast volumes of cyber defense data have exceeded the capacity for humans to synthesize. More and better big data automation is required to deal with the data. They expect that the characteristics sought in personnel will need to change whereby tool proficiency may be more valued than threat, tactics, and procedures excellence. Zero-trust approaches, on the other hand, can reduce the volume of data that must be analyzed.
Looking forward to 2019, panelists expect to “see more status quo”, including lingering problems with endpoint bloat and excessive attention to the perimeter. Focus must shift to business continuity and recovery, which has waned, and to user-behavior monitoring, with consideration of privacy concerns. Overall, all firms are inevitably becoming “tech” outfits regardless of industry. They must assume that cyber incidents will occur and be prepared to continue operations while the adversary is inside the perimeter.