How to put your CSO's mind at ease
Pity the poor CSO. Buffeted by an unending stream of increasingly sophisticated cyberattacks ranging from ransomware to spear phishing, supply chain attacks, and living-off-the-land exploits. Knowing that the average cost of a single cyberbreach was more than $3.8 million in 2018, according to the Ponemon Institute, an increase of 6.4 percent over last year. Having to protect an enterprise whose data and assets extend far beyond the firewall, out to the cloud, and into the smartphones of every one of its employees. And being in the crosshairs if there’s a successful attack.
No wonder so many CSOs have trouble sleeping at night.
It needn’t be that way, though. With the right staff and the right infrastructure and planning, CSOs can be assured that they’re doing everything possible to keep their enterprises safe. But what needs to be done by staff in the trenches to put their CSO's mind at ease? We asked the experts. Here’s what they had to say.
Follow the data
There’s an adage in investigative journalism about what to do when you want to get to the bottom of an issue: Follow the money. When it comes to deciding how to build the kind of secure infrastructure that will put your CSO’s mind at ease, there's a slightly different version: Follow the data.
That’s essentially the advice security consultant and four-time CISO Ernie Hayden gives when it comes to building the kind of secure infrastructure that will let CSOs sleep more easily at night.
“You really need to know where your data is and how it’s protected,” he says. “It’s a huge project and a lot more difficult to do than you might imagine, because data is now available in so many different places—the data center, the cloud, people’s cell phones, their laptops. Sometimes people will download massive databases for their work projects and maybe bring them home, so there’s a lot more unprotected data than you realize."
He adds, “Once you find out where all your data is, you can put together a model of the data lifecycle, showing every point from its creation to its destruction or archiving. And then you can decide how to protect it with tools like firewalls, intrusion detection, and more.”
It’s not just data that needs to be tracked throughout its entire lifecycle, Hayden says. So does network hardware, including servers. Supply chain attacks have become top of mind for CSOs. Hardware can be hacked and malware implanted somewhere between the manufacturer and an enterprise. So IT staff needs to track the supply chain as well.
But designing a secure infrastructure beginning all the way back in the supply chain isn’t enough, Hayden says. The people in the trenches must be given simple, explicit guidance about the most important parts of their job, Hayden says.
“At one of my jobs as a CISO, I put together a series of simple mantras that people could follow,” he explains. “And one of the most important ones was, ‘Your job is to protect the data.’ It sounds simplistic, but once people focused on that, they came up with many different ways to protect it that we hadn’t thought of. And that certainly helped me sleep more easily at night." Another mantra was, "The first line of defense is the individual employee." Sounds like an obvious one, but it reflects that ongoing employee education about threats is also a necessary piece of the puzzle.
Metrics, incident response plans, and machine learning
One of the most important things people in the trenches can do to ease a CIO’s mind is to establish a set of metrics with the CIO, and possibly the CEO and corporate board members. Such metrics should measure how well the company is doing in meeting security goals, says Seth Robinson, senior director, technology analysis, at CompTIA, a nonprofit technology trade association. Metrics can measure vital processes such as the percentage of systems regularly scanned for security problems.
“The metrics you choose have to be really important and can’t just be, ‘Well, nothing bad happened today, so we must be doing a good-enough job,’ says Robinson. “They have to measure things that really make a difference, so the CSO can get a good sense of how well-protected the infrastructure is.”
Examples of proactive metrics include the percentage of:
- Systems that have been upgraded to the latest version of an operating system
- Network traffic that has been analyzed for anomalous behavior
- Embedded systems updated to the business's current security model
Metrics alone aren’t enough, however. “Even with all those metrics in place, something bad can still happen. And so having a really solid incident response plan is important as well. It’s similar to the IT infrastructure team having a business continuity and disaster recovery plan. The plan has to be proactive and take active steps to protect the network and data,” Robinson says.
Staff should also have a well-thought-out, comprehensive security framework to follow, say experts. In that way, a CSO knows that security is taken care of at every level of the enterprise. A useful one, they say, is the Framework for Improving Critical Infrastructure Cybersecurity from the National Institute of Standards and Technology.
Also important is that staff explore the latest technologies and experiment to find which ones would be most suitable for security.
“They should be looking at emerging technologies for IT infrastructure that can also be used in IT security,” Robinson says. “For example, are there ways we can use artificial intelligence and automation so that staff can be freed to do more strategic work? Leveraging those emerging technologies, I think, is one really proactive thing that people in the trenches could do to try to stay on top of the game and look for any way to improve the security posture.”
An enterprise’s security is only as strong as its weakest link, but machine learning can be used to shore up the most vulnerable links, experts say. For example, it can automatically detect break-ins and quarantine the bad actors responsible for the attack. In that way, CIOs don’t need to rely only on their staff to keep the enterprise secure—machine learning and AI can do it as well.
The right culture and the right training
Experts say that in order for staff to do their jobs right—and put their CSO's mind at ease—the right culture and training must exist. And that starts, ultimately, with the CSO.
“People in the trenches need to feel empowered to speak up and report events that look anomalous that they don't understand. When in doubt, shout,” says Ben Banks, European security director for Ensono, a provider of hybrid IT services and governance. “They of course need to be well-trained, but from an organization’s point of view, they need to feel safe to speak up when they find things that need to be fixed.”
Hayden concurs, adding, “One of the things that most sets my mind at ease as a CSO is someone telling me that something doesn’t seem right, even if it turns out to be a false alarm. I’d rather deal with that than with someone assuming the security team already knows about a problem and so doesn’t bother to report it.”
He adds that having a well-trained staff with the right certifications will go a long way toward setting a CSO’s mind at ease.
“You want people with at least basic security qualifications,” he says. “If they’ve taken the courses and done self-study, that tells me at least they understand basic security. If you work at a hospital, one of the classes they teach you is how to wash your hands. It sounds elementary, but it's really critical for infection control. In the same way, I want my staff to have certificates that say that they know the equivalent of washing their hands when it comes to security.”
CompTIA’s Robinson says, “To create employees that are feeling enabled and empowered in their jobs, it’s important they get the bandwidth to do exploration. They shouldn’t be just be staring at a dashboard all day, looking at security notifications. They should be given the time for training and certification. Encouragement to build skills is one of the biggest things that technical workers are looking for. That leads to a well-trained and motivated staff, which is perhaps the most important way to set a CSO’s mind at ease.”
Hayden says there’s one more important thing that staff in the trenches should do: be broad thinkers.
“In other words, they shouldn’t stay exclusively focused on things like firewall rules. They should think about the broad implications their jobs have on the rest of the enterprise. CSOs already have to think that way. So if their staff does that as well, CSOs will be more likely to go to sleep at night with their minds at rest.”
How to put your CSO's mind at ease: Lessons for leaders
- Track down all your data and put together a model of the data lifecycle, showing every point from its creation to its destruction or archiving—and include how to protect it.
- Use metrics to track enterprise security and build an incident response plan if something goes awry.
- Use machine learning and artificial intelligence to automatically detect and respond to cyberattacks.
- Empower staff in the trenches to speak their minds and encourage them to gain security certifications.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.