CISOs: It’s time to get back to security basics
The post-pandemic world will see cybersecurity addressed differently, said panelists during a webinar hosted by ReliaQuest Wednesday.
The cyber threat landscape has become more dangerous over the past year and the C-suite is paying greater attention—but all the tools in the world won’t help until organizations home in on good cyber hygiene. That was one of the messages from CISOs who participated in a virtual think tank webinar hosted by ReliaQuest Wednesday.
“The fundamentals of being good at cyber hygiene is the most neglected” aspect of cybersecurity, said Chris Hatter, CISO of Nielsen. “If you’re not good at the very basics and making sure you understand the basics on your network—like patching and remote monitoring—you’re not set up for success.”
Dave Summit, who recently stepped down as the CISO of Moffitt Cancer Research Institute, agreed, saying that “the fundamentals are key to a successful program. If you don’t have the fundamentals down … you’re missing everything else.”
Another neglected area is dealing with legacy systems not getting replaced fast enough, added Summit, who is now a fellow at the think tank Institute for Critical Infrastructure Technology. “We have security company after security company coming out of the woodwork and everyone seems to offer the right solution for all your problems and we all know that’s not the case.”
Alert fatigue is another issue, Summit said. “We haven’t gotten to a good place of understanding what events mean and how to properly filter them to know what they mean to your organization. That’s a big one that takes cyber down quickly.”
Moderator Jon Oltsik, senior principal analyst at ESG, said he’d add training to the list of most neglected areas. Additionally, “in terms of risk, how do you improve or work on maximizing risk identification and really understanding cyber risk as they relate to mission-critical applications?” Oltsik said.
Not only have cyber threats grown more sophisticated, but the number of malicious actors has grown—they are more persistent and better able to communicate and collaborate with each other, said Oltsik.
“They communicate better than they do on the provider side,” Oltsik said. “Pandemic-influenced remote workers has increased and the cybersecurity skills shortage” are other factors.
“It’s not getting any better and the skills shortage is often misinterpreted as we don’t have enough people, but we also don’t have the right skills,” Oltsik said.
Other pain points for CISOs are that the security tech stack has grown complex and they have to keep up with innovation, changing technologies and different vendor landscapes, he said.
When it comes to cybersecurity decision-making, today there is a lot more involvement from boards—and a lot more being asked of security teams, said Joe Partlow, CTO of ReliaQuest.
The ability to understand risk is one of the skillsets Summit said he believes is lacking now. For quite a while, cybersecurity was more focused on day-to-day technical operations and now it has moved into the managerial space, he said.
“Risk management is very much a team sport—you really can’t do this in a vacuum,” agreed Hatter. Sometimes business units don’t feel that any of their data is private or sensitive, and organizations need to have a process for defining risk “in ways that make sense to a particular business unit,” he said. When risk is clearly defined, IT can get into deeper metrics to find out what systems are vulnerable and mitigate any that have been compromised, Hatter said.
The goal of cybersecurity used to be protecting data and people’s privacy, Summit said. There has been a major shift in that thinking.
“It’s one thing to lose a patient’s data, which is extremely important to protect, but when you start interrupting” people’s ability to travel or the food supply chain, “you have a whole different level of problems … It’s not just about protecting data but your operations. That’s where major changes are starting to occur.”
Summit added that he has long said that if companies had made cybersecurity a high priority long before now, “we wouldn’t be in this position” and facing government scrutiny.
The cybersecurity field is “incredibly dynamic,” Hatter said, and CISOs don’t have the luxury of planning out three to five years. “We want to create and deploy a strategy that’s sound and solid. But market forces demand; we recalibrate what we do and COVID-19 was a great example of that.” CISOs now have to have as resilient a strategy as possible but be prepared to make changes.
Managed security service providers can help, Summit said, but CISOs are still feeling overwhelmed. “I feel we’ve been inundated with attacks, and everyone’s taking notice and asking questions and security teams are overloaded with alert fatigues from tools,” he said. “Now, people are asking the right questions, [but] that takes away time from addressing problems.”
Making threat detection more efficient
ESG research has shown that 88% of enterprises are going to invest more in threat detection this year, Oltsik said. He asked the panelists what can be done to make threat detection more efficient.
Improving threat protection is not isolated to making sure you have the best technologies, Hatter said. “You need to have an organizational commitment to a level of standardization in IT that sets you up for success, and visibility to detect problems.”
Without a commitment to standards, IT and security professionals will be in “a constant state of running after unmanaged assets,” he said.
Summit said he believes the industry is going to see greater separation of cyber teams from IT and that “it’s long overdue.” The reason is the majority of cybersecurity problems are about misconfigurations and improper use of assets, he said.
“To me, that’s the priority of IT. If you’re doing the fundamentals correctly … you’re lowering your risk level already. Then cyber teams can be focused on something different than looking for misconfigurations.” They can spend their time looking at what’s coming into the environment and being exfiltrated out and focus on what the real threats are, he said.
Tools, tools and more tools
Partlow said ReliaQuest sees an average of 30 to 40 tools in an enterprise, “and more often than not, that’s just adding to the confusion and noise.” Many are also not used to their full ability, he said.
“The number one thing that makes threat detection hard is not having visibility into the full [network] environment,” he said. “You can’t secure what you can’t see.” The best way to improve threat detection is to get that visibility and reduce the noise, Partlow said.
Hatter said he thinks vendors need to reconsider their pricing models “to give us more support to allow us to ingest more data and create more sophisticated rule sets. That’s a pain point for me and other CISOs I’ve talked to.”
Because IT teams already have alert fatigue, Summit suggested they speak to their MSSPs before they invest in more tools. “If you have a managed partner, take advantage of their experience. They’re working for a wide range of clients and have a lot of valuable information that can help you decide what to look at.”
He also made a plug for utilizing organizations like ISAC. “I can’t stress enough how important they were to us” when he was at Moffitt, because of the ability to share information and learn the pros and cons of different toolsets.
“We learned a lot and that’s how we selected a lot of our tools. I never recommend any team be isolated. Use a wide range of people out there.”