Missing the Forest for the Trees: Top 5 CISO Pitfalls in Cybersecurity
There is a lack of focus in cyber security. This rarely stems from lack of hard work, desire, technical ability or aspiration. Many cybersecurity leaders and teams voice concern around lack of funding, minimal executive support and share all too common stories of burnout at all levels of the organization (including the CISO). However, these are often symptoms rather than root causes. Without understanding the root causes, cyber security leaders can miss the forest for the trees — with the company’s true security risk reduction suffering for it.
Following are recommended actions CISOs can take to avoid five common pitfalls. Subsequent articles will get into more depth on each.
1. Prioritize business risk
Many cybersecurity programs are attempting to boil the ocean rather than focusing on or starting with what’s most important for business. If you knew that 20% of the information, business processes, and operations were what mattered most to your business, wouldn’t you put more effort into protecting that 20%?
There are some legacy methodologies companies use to attempt this. Some companies have focused on traditional information classification frameworks to identify the most critical data and assets to protect, which is not a bad place to start. However, it tends to be heavily weighted on data theft (confidentiality), leaving integrity and availability concerns disconnected. Business continuity and IT disaster recovery programs and plans traditionally work to ensure that they are able to react to availability issues from any type of outage. That said, in many cases, these efforts are disjointed and data integrity risks are largely left to be managed by a quality or compliance department.
What to do: CISOs can help their companies connect deeply with their business and understand worst-case scenarios for information theft, manipulation or operational disruption, not limiting thinking to IT systems. If you narrow your focus to securing the elements most critical to your business, you can build speed and depth to protect what matters most for your company’s livelihood.
Think about it this way: If your company has 1,000 IT systems and 10 different functional areas, comprising 500 business processes, then where do you start? How far do you go? Is everything critical? I’ve seen companies fail to answer this question and stall or significantly slow their efforts on a critical control or focus only on one risk dimension (e.g. compliance, or data theft).
You can identify your most critical business risks by imagining what a CEO would be most concerned about if a cyber attack hit at 3 a.m. on a Saturday. The CEO won’t be thinking about the technical details or what strain of malware is the most likely: The focus will be on business risk and operational impact. Keep this in mind when you choose where to focus your information security program.
2. Avoid getting caught up in the media’s fascination with reporting on breaches
Media distractions are on the rise. Because data breach reporting laws are mostly privacy-driven, media attention tends to focus on customer breaches and exposed personal information. This reporting bias doesn’t account for all of the internal and external attack types or a company’s true risk impact profile. When you’re inundated with stories of cybersecurity breaches, it’s easy for your company’s executives to slip into a reactive mindset or to start exhibiting confirmation bias about threats that may or may not reflect the top risks within your organization’s sector. This kind of thinking can point you away from your company’s biggest risks.
What to do: While you can’t control the articles your company executives read, there is a strategy to avoid whipsaw reactions to specific vulnerability and breach-related news. You can leverage news media in a way that provides isolated value instead of distraction by getting deeply involved in threat intelligence and sharing with other companies (especially within the same industry or sector). Evaluate the input from the media against your business-driven risk management processes so that you can rationalize what you should react to and act upon.
3. Be strategic about your cyber tool plays
Judging from the social media backlash about the “vendor circus” at major security conferences and events, there is some recognition and reflection about the cyber tool sprawl. When it comes to AI, machine learning and blockchain, we are often promised silver bullets – and told that we’re going to need them. This creates a sense that, if you don’t deploy a vendor’s magical new solution, then you face an imminent failure to protect your company.
I recently learned of a smaller organization’s security leader who was proud to have acquired seven marquee threat detection tools, but when asked about how he had the ability to leverage them all effectively, he responded with, “I focus on the one that is giving me the most actionable data.” In other words, he was only actually using one threat detection tool at a time. The other six were still running and producing logs and alerts, but no one was looking at them.
What to do: Don’t expect your strategic architecture practices to start out fully mature. Bring a deeply experienced, big picture security architect on board to develop an ecosystem of cyber security tools that work together and are appropriately scalable. CISOs need to look past initial funding for “cool” tools toward more comprehensive total cost of ownership (for both internal and external resources), linkages to business scope, ability to drive down risk and plans for appropriate scale.
4. Solidify the basics
The basics matter. It is difficult to achieve comprehensive risk reduction if you don’t have the fundamental concepts nailed down. The Center for Internet Security Critical Security Controls (CIS CSC) lists inventory and control of hardware, inventory and control of software, continuous vulnerability management and controlled use of administrative privileges as the top four basic controls. However, many companies report incomplete or ineffective efforts in all four of these fundamental efforts. Meanwhile, investments may be focused more on the “sexy” tools and controls that are popular in the market.
What to do: The solution is not to completely stop everything to catch up on the basics, but it does call for some ruthless prioritization and the rekindling of core efforts to ensure your team isn’t spread so thin working on shiny new tools that it obstructs progress on critical building blocks.
The CIS CSC provides a robust and periodically updated playbook. They even recently segmented the first six controls into a grouping of Basic CIS Controls. They include hardware and software inventory, vulnerability management, controlling admin privileges, secure configuration (hardware/software) and maintenance and monitoring of logs. While they all seem essential for any security program, far too many companies do not have solid progress and maturity towards these.
Connecting the dots between prioritizing business risk and solidifying the basics: does your company use business risk to drive its privileged access security program? Are the biggest risks being dealt with first, or are you using a first come, first served model that may not be the most effective for your organization?
5. Get tools and capabilities to the appropriate scale
Buying a tool and not implementing it at scale to protect your business information assets does not drive risk reduction. Far too often, a company will buy a tool (or 10), have some wins implementing some of the features and then either move on to the next thing or realize they don’t have resources to execute to scale or to support the tool after the initial investment money runs out.
What to do: Getting these efforts to the appropriate scale is the only way to fully realize the risk reduction that your money, time and effort will have cost you.
Scaling is hard. It can be grueling at times. However, it is where the magic happens with risk reduction. Remember, “scale” doesn’t have to mean “turn it on everywhere.” In fact, “appropriate scale” connects directly back to the business risks you are intending to reduce.
Companies that achieve appropriate scale leverage solid and consistent project management and measurement methodologies. They think proactively about the total cost to achieve the desired risk reduction, and they don’t cut and run when they see the next shiny object or tool their peer company decided to implement. Since many CISOs only have a 17- to 24-month tenure, they may not be focusing on long-haul solutions at scale.
The flip-side precaution is that proven leaders (if they are using measurement tools) know when something is not working or performing to the desired outcomes. In this case, cutting a project or capability may be warranted. However, if this is the case, cut the entire capability and solution; don’t leave it running with a skeleton team keeping it alive. This will cost in more ways than one in the long run.