Few would argue that in a world of consistent, emerging cyber threats, the role of the Chief Information Security Officer is one that requires a special kind of calm as well as a steady stream of credible, timely information. Some of the information that is used to build a strong defense in the virtual world comes from the private sector and some comes from government.
For its part, the government says it's getting better at information sharing, a critical part of that security puzzle.
Speaking at a security conference just last week, Department of Homeland Security Secretary Kirstjen Nielsen said that the relationship between the government and private sector is improving, pointing to the popularity of DHS' Information Sharing and Analysis Centers (ISACs) and telling the crowd that DHS is preparing to make an announcement at the end of this month aimed at making the information sharing process even easier.
"The information sharing is greatly improved," she told a national-security focused crowd in Colorado. "We also continue to recognize that should the intel community ever have specific, credible threat information, about any particular sector or particular company, institution, we will share that information. We won’t let the bureaucracy of security clearances hold us up."
Delays in information sharing because the recipient of an attack did not hold a proper security clearance have been a sore point for years. Nielsen promised that the upcoming announcement will address ways to both understand the risks and share information in real time in a 'tailored and specific way'.
"The challenge over the years has been that some of the information sharing hasn’t been tailored," Nielsen told the crowd. "So I’m trying to move away from telling the private sector, ‘Hey, here’s a cyber threat’ to ‘Here is how the threat indicators will manifest within your systems. Here is how your system is configured incorrectly, given the latest malware’, to try to help them really mitigate and respond to the threat."
Those likely would have been welcome comments at an annual gathering in D.C. last week of more than 35 CISOs from Fortune 100 companies. The annual CISO conference, sponsored by the National Technology Security Coalition (NTSC), put a focus on both threats and policy, with the latest conversation centered on the need for a uniform data breach notification law that is consistent, predictable, and feasible. Federal data breach legislation would reduce the complexity of complying with the breach notification laws of all 50 states, the District of Columbia, Puerto Rico and the Virgin Islands.
What follows is The Cipher Brief 'Members Only' guide for what CISOs need to keep top of mind, with high-level, expert advice from 10 professionals with both public and private sector backgrounds.
Rick Ledgett, Former Deputy Director, National Security Agency
"CISOs today have a lot on their plate, and it’s easy to lose sight of the forest because of all those darned trees. But there are three big picture things no CISO should ever forget."
- Have a cybersecurity plan, and make sure your management committee and board understand and support it. It’s helpful to have it tied to a framework, like the NIST Cyber Security Framework. In heavily regulated areas like banking and health, the NIST framework is almost mandatory. To ensure buy-in from management and board members, talk about your plan in terms with which they’re familiar, as a risk management function.
- Have internal monitoring and detection set up for when the bad guys do get in. Boundary and perimeter defenses are necessary, but not sufficient. Host, network, and behavior-based analytics (both device and human behaviors) are needed, because there’s no such thing as perfect security. A determined, well-resourced nation state or criminal enterprise will, if they devote their time and attention to it, get into your network, and you want to know when that happens. A side benefit of this type of system is its utility in detecting insider threats, by some measures the source of more than half of cyber breaches.
- Have a breach response plan and exercise it. Practice it with the IT / security team, with the management committee, and with the board itself. This is critical to being able to respond well in the event of an actual breach; the time to have difficult, convoluted technical, operational, legal, and policy discussions is before a breach, not during one. And practice makes things go much more smoothly in the event, giving you that most precious commodity - time - to use on the unforeseen things that pop up.
Chris Inglis, Former Deputy Director, National Security Agency
"The CISO’s strategy must start and end with the company’s business plan, not the creation and defense of digital infrastructure. Put another way, the CISO’s job is to enable the company to execute its business plan, not simply to defend its digital infrastructure and data."
"The digital infrastructure on and through which the company executes its business is actually a meld of people, technology and procedures - and its weaknesses are most often found in the latter two. The CISO therefore needs to consider and address all 3 components in the creation and execution of cyber strategy.
Security is not possible – Defense at net speed is the goal. The technology and systems involved are far too complex and dynamic to construct systems that can mitigate all risk and/or repel all attacks. Developing real-time awareness of the actions taking place on company digital infrastructure married with proactive application of human effort is the essential complement to defensible systems.
Companies must imagine and prepare for a breach of cyber defenses. The exercise must involve both operations and its various enablers, and will inform your defenses before attacks, and your muscle memory in the face of attacks. A CISO’s success or failure fundamentally depends on their ability to orchestrate and support the successful execution of business objectives in the face of adversarial action, not on the avoidance of risk."
Admiral James 'Sandy' Winnefeld, Former Vice Chairman, Joint Chiefs of Staff
"While Chief Information Officers manage the day-to-day grind of cyber security, there are several high level imperatives they should keep in mind."
First, they must treat security as a journey not a destination, as the threat will evolve every single day. This means energetically and diligently consuming every possible piece of information about the threat and how to handle it, including religiously keeping patches and other defenses up to date.
Second, they must continue to remember that humans—in the form of human error and insider threats—are the most immediate threat to business information security. The former means continual training and testing, and the latter means constant vigilance and connecting cyber security efforts to human relations.
Third, it is important to remember that, with the leakage of so many state-of-the-art tools, a patient lower-end threat is almost as dangerous as a high end, advanced persistent threat. But businesses should still try to make it as hard and expensive as possible for any threat to get in.
Fourth, don't forget the non-technical end of this business, to include readiness for when the worst occurs in terms of reporting and public affairs. Every business should be red-teaming what it will feel like to experience a breach.
Finally, remember that the government will not come to the rescue—it's just too hard for them, and in any event most businesses shy away from this once they understand what it might involve. But that doesn't mean that a business should not provide information on threats to the government entities charged with helping defend the nation against these threats.
Benjamin Powell, Partner, Wilmer Hale, Co-chair, Cybersecurity, Privacy and Communications Practice
"CISOs now need to understand how to secure critical corporate data in this complex cloud environment. This includes understanding encryption, access control, monitoring and other security features offered by cloud providers. In some cases, sophisticated providers of cloud services may offer security features that enhance protection of corporate data. But giving up some “control” to a third party of important data still gives many security professionals some pause."
"The rapid move of corporate data to cloud services is a critical trend confronting virtually all CISOs. While cloud services are not new, the cost, availability, technical, and other features now being offered by cloud vendors are resulting in a massive shift of critical data to large cloud providers. Indeed, reports indicate the U.S. government is now using certain cloud vendors to store classified data. CISOs need to understand, among other things, how cloud providers secure customer data, how security incidents will be communicated by cloud providers, how incidents will be investigated, and how liability will work in the case of an incident. The trend to increasing use of third party providers only appears to be accelerating – and with it greater complexity for CISOs.”
Robert Hannigan, Former Director, GCHQ
“I meet a lot of CISOs and it’s hard to think of a more pressurised group these days: where a few years ago they might have struggled to get Board attention, today they sometimes have too much. But I find they worry about three broad challenges: how to quantify and measure cyber risk and its mitigation for their Boards; how to build and retain the right team; and how to cope with the avalanche of vendors."
"On the first, I would say the most effective CISOs I see are finding meaningful metrics for their Boards which quantify risks that are real threats to the business rather than simply cyber compliance: they are pitching at the right level of detail without burying non-technical colleagues with information. They are also looking to others, sometimes the Risk function, to mark their homework.
On building the team, this is a huge problem for everyone. The pipeline needs to get better and most large companies are doing their best. But they should also look internally at staff with aptitude and the ability to learn who may not be in the ‘cyber’ or technical areas. Identifying and developing this generation of talent holds out the best possibility of bridging the skills gap in the medium term. On vendors, CISO fatigue is a problem. Good CISOs know that they need to keep looking at new solutions or they will end up just about winning the last war but defenceless against rapidly developing threats. Carving out the time to look at innovation is essential.
Equally, they need to get better at buying solutions based on measurement of real value to the business: lots of cyber companies, big and small, talk a good game but they need testing for results and impact on the bottom line.”
Jill Singer, Vice President, National Security, AT&T Public Sector
"It should come as no surprise to anyone that cybersecurity technologies and practices need to constantly evolve to help organizations defend against persistent and increasingly malicious cyberthreats."
"At AT&T, we secure more connections than any communications company in North America. With more than 200 petabytes of data crossing our network every day, we analyze approximately 686 billion flows of network data, representing nearly 19 petabytes of data per day.
The biggest shift we’re seeing currently is a decline in the volume of ransomware attacks and an increase in cryptocurrency hacks. Organizational victims are increasingly drawing the line on paying ransoms, so money-incentivized attackers are injecting malware into businesses’ systems to use those systems to mine for cryptocurrency.
As organizations modernize and transform, cybersecurity protections need to be central to every technology decision they make.
According to our studies, key areas of cybersecurity risk for CISOs to focus on include:
- Supply Chain - 85% of companies share access to data with business partners, yet only 28% have security standards for doing so.
- Underestimating the overall risk - Two-thirds of organizations say their in-house cybersecurity capabilities are adequate to protect against cyberthreats, yet nearly 80% say they have been breached within the past year.
- Underestimating the internal risk - More than half of companies surveyed admit to breaches from employee mobile devices infected with malware.
Cybersecurity risk remains a constant and growing problem. For CISOs today, the wise move is to focus on threat prevention and detection. According to a recent study from IBM, mega data breaches can cost between $40 and $350 million. Our studies show that 1 in 4 companies are spending their cybersecurity budgets on cyber insurance, instead of prevention."
Michael Daly, CTO, Cybersecurity and Special Missions, Chief Security Engineer, DOMino
"CISOs, especially those for critical infrastructure or government services, should know that they are the active targets of sophisticated actors around the globe. A key aspect of resiliency in the face of such advanced persistent threats is not a technical mitigation, but a fiscal one."
"As we saw with the “SamSam” ransomware attack that caused massive digital disruption in Atlanta’s local government this past March, the city’s ability to respond to the attack was greatly improved by the fact that they had procured cybersecurity insurance prior to the incident.
The other thing for CISOs to consider this year is the importance of insider threat monitoring. It may have been excusable in prior years not to have an active, robust program - but that time has passed. According to Raytheon’s 2018 Global Megatrends in Cybersecurity study, 36 percent of CISOs identified malicious or criminal insiders as a top cyber threat, yet less than half have a formal insider program in place."
Randy Sabett, Special Counsel in Cyber/Data/Privacy Practice, Cooley LLP
"They may not characterize it quite this way, but many CISOs are concerned with the eroding reliability of conventional authentication mechanisms. This manifests itself in different ways.
Despite years of warning, companies are falling for spearphishing and business email compromise (BEC) in greater numbers than ever."
- Authentication concerns
  - According to the FBI, BEC resulted in the highest reported losses of any crimes, with more than $676 million lost across a pool of 15,690 victims. These attacks often depend on trust without verification. In the stereotypical case, an employee gets an email purportedly from the CFO and wires money, without realizing that the email actually isn't from the CFO.
  - Many companies are doing a good job at training people to recognize these scams. A more recent and even more insidious derivative of BEC is causing more significant problems. In this newer form, called account takeover, the attacker invisibly takes control of the email account of a person at company A and sends emails to a person at business partner B. Frequently, the email directs the person at Company B to change certain banking information. Without checking, the person at company B makes the changes.
  - One additional authentication-related concern that CISOs need to keep in mind depends less on human fallibility and more on inherently weak machine trust. CISOs increasingly worry about interconnections with business partners or suppliers as leading to vulnerabilities that can be compromised. When weakly authenticated APIs or protocols are used in ways that allow an attacker in, it can often be difficult to quickly fix or ferret out problems. Stronger machine-to-machine authentication needs to be made a priority, particularly as the nascent but growing use of machine learning technology by attackers is making their attacks faster and evolve more quickly.
- Resource concerns
  - For many years, CISOs complained of not being given a big enough budget to adequately do their job. In many situations, CISOs had to endure "doing more with less." Over the past decade, however, we've seen purse strings loosening as cyber has become a more significant issue. That has led to a different resource issue - the cyber talent shortage. I have run into numerous situations where CISOs have the ability to hire but cannot find the right talent to fill the positions. While schools are turning out many new cybersecurity graduates, the talent pool for positions requiring greater (or more specific) experience dwindles quickly.
  - The CISOs most successful at dealing with this issue seem to do at least one of the following three things: (1) project hiring needs well in advance, (2) be flexible with candidates (i.e., if the candidate is not a perfect fit but is reasonably close, figure out other ways of dealing with the shortfall), and (3) for the right talent, be ready to meet quirky demands (e.g., if a person with the right appsec skill comes along but doesn't live near a company office and is not willing to move, figure out how that person can work remotely).
Overall, the life of a CISO in 2018 can be overwhelming. The combination of new attack vectors brought on by things like IoT technology, machine learning, email account takeover, and ransomware (just to name a few), together with a shortage of skilled cyber professionals, means that it is difficult to stay ahead of the curve. Armed with knowledge of what's happening now and coming on the horizon, however, a CISO can maintain some semblance of order."
Neal Pollard, Partner, Pricewaterhouse Coopers
"CISOs must keep top of mind their stakeholders and their needs/expectations. These stakeholders can range from C-level executives, board members, business associates, customers, suppliers, regulators, and their own team members. They should be mindful of the information and communication needs of each and develop a plan to engage each stakeholder in the style that works best for them."
"Top challenges for CISOs today include staying ahead of the external threat landscape, deciding how much to spend and how best to spend it, and growing/retaining a talented team in an ever more competitive war for talent.
CISOs should also be mindful of their adversaries: who might be targeting their company, why, for what purposes, what data benefits them, and how will they attack today? Businesses deliver products and services via the internet, but some of the activity on the internet is there intentionally to harm the company. Threat actors are clever, they're adaptive, they're ingenious at figuring out ways to benefit from a company's data at the company's expense (in ways the company often doesn't anticipate), and they change their tactics, techniques, and procedures rapidly, sometimes weekly.
Finally, CISOs also should keep in mind the evolution of their roles, which places new responsibilities on their shoulders - either explicitly, or by default once their c-suite and Board starts asking the difficult questions. The CISO will find himself or herself eventually answering to the board on the question "how safe are we in cyberspace?" or even worse, "how did this cyber disaster cost us that much money?" CISOs are less technologists now, and more risk managers: they must understand the technology and the engineering behind doing business connected to the Internet, but also understand the business risks of doing so, and translate those risks into terms that a non-technical executive suite can understand and help manage. They also must navigate the fine conflict-of-interest line between guiding and implementing corporate investments in IT, and independently challenging the security standards and practices that accompany that investment. Not only does this cast the CISO as part of the risk management team, it expands the skill set a CISO needs to be effective - expertise in technology and cybersecurity to be sure, but also expertise in risk management, how their corporation manages the spectrum of business risk, and how to prioritize among technology investments and business imperatives."
Oren J. Falkowitz, Co-founder and CEO, Area 1 Security
"Despite billions spent on cybersecurity, we continue to suffer debilitating and expensive breaches. The goals of cyber campaigns have moved from data theft and website defacement to include data manipulation, data loss, and societal instability."
"CISOs must take a direct and comprehensive approach to phishing. Phishing remains the root cause of damages in over 95% of cyber attacks worldwide. Approaches that include anti-spam, user awareness and training have had no impact on changing outcomes. Successful executives will embrace the transitions to the cloud by reducing the total cost of ownership for security throughout their organization while addressing an expanding attack surface area. Key to this transition is demanding accountability and performance-based solutions that they pay for only when and if they successfully consume business value."