Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/25/2016
11:00 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Mind The Gap: CISOs Versus 'Operators'

How open communication among security execs and analysts, incidents responders, and engineers can help organizations stay on top of the constantly changing threat landscape.

Whether or not you’ve had the pleasure of visiting London, you are no doubt familiar with the famous warning given in the London Underground to “Mind The Gap.” The instruction is one of the most famous in the world, having found its way onto tee shirts, coffee mugs, keychains, and many other products. 

In security, we also need to mind the gap. But by that I mean the stark communication and understanding gap that exists in many organizations between the Chief Information Security Officer (CISO) and the operators -- analysts, incident responders, engineers – in other words, the team doing the hands-on, day-to-day work.

 

What I find fascinating about these two distinct vantage points is that while each of them are formed by observing the same security program in the same organization, they reflect a very different perception of reality. This creates a communication and understanding gap between the CISO and the operators that we as a security community need to “mind” in order to ensure our organizations reach their full potential. In other words, the gap itself can often impede a security organization’s progress. I’ve highlighted a few of my thoughts on why minding the gap from both perspectives is so important:

Minding the Gap from the CISO Perspective

Culture: No one wants to be the one to break the news to the CISO that something isn’t working or has failed. But for a CISO to manage risk properly, he or she needs accurate information. The key is for the CISO to create a culture where members of the security organization feel comfortable identifying gaps and shortcomings, as well as potential solutions going forward. 

Let’s use the procurement of a multi-million dollar system that isn’t meeting expectations as an example. Although it can be difficult, the CISO should be open to input around how and why the tool isn’t helping the team succeed and solicit potential solutions that will address the needs of the mission going forward. But how many times in my life have I heard the phrase, “Well, we spent $2M on that system, so it has to work.”  That attitude isn’t going to help solve any problems, unfortunately.

Yeah, We Got That: When the CISO asks if a given capability exists, the overwhelming tendency is to say yes. But what if the capability is in its infancy? Or what if the capability has issues or is so immature that it does not mitigate the risk or address the challenges it is intended to? While it may be tempting to check the box, it’s better for the organization’s security posture to be honest. The CISO that pushes his or her team for more granular, detailed, and accurate information will do far better in the long run.

The Oversell: There is a famous quote that “everyone is in sales whether they know it or not.”  This also applies to everyone in the security organization who reports to the CISO. Although it may seem advantageous in the near-term to overstate or oversell capabilities, in the longer-term, this introduces risk to the organization by leading the CISO to believe that certain risks are mitigated when, in truth, they may not be. A CISO needs to be conscious and aware of this tendency and not reward those who oversell.

Minding the Gap from the Operator Perspective

Prioritize Risk: First and foremost, security is about mitigating, managing, and minimizing risk. The first step to doing this is to understand the risks and threats facing an organization and then prioritize them accordingly. Input to this process comes from intelligence, the board, executives, key stakeholders, and the security team. All inputs need to come together collaboratively with the ultimate goal of mapping out the strategic direction of the security program. This makes it much easier for all sides to see clearly and explicitly where the program is currently and where it needs to go.

Have a Plan: No organization is perfect. When confronted with shortcomings, most CISOs I know would rather spell out a way forward than a read a list of complaints. This means having a plan that details what is needed to overcome challenges and build or mature a given capability to where it needs to be. The operator that comes prepared will likely be far more successful in achieving his or her goals.

Maturity Metrics:  Rather than “yes, we have that capability” or “no, we don’t have that capability,” how about a matrix showing the maturity of each capability? The CISO’s ultimate goal is to mitigate risk to an acceptable level. I think most people understand that this isn’t a binary metric. A matrix mapping capabilities or initiatives to risks they mitigate and the relative maturity of each one can help the operator communicate the importance of each task, while allowing the CISO to more accurately and precisely evaluate and measure risk.

Turn Reporting on its Head:  How many security organizations report the same types of metrics to the CISO each week? We created 400 tickets, re-imaged 50 laptops, saw 15,000 IDS alerts fire, etc. But what does that actually tell the CISO about mitigating risk and understanding what capabilities do or do not exist and what gaps may or may not exist? Take the prioritized list of risks and the associated strategic plan and leverage it to report relative metrics that will give the CISO a much better idea of how the security team is progressing against the strategic plan -- and narrow the gap.

There is no doubt that the CISO and the operator have different perspectives when it comes to security. Minding that gap helps organizations continually mature and stay on top of the constantly changing threat landscape. A good operator will work to communicate issues and challenges honestly and clearly to the CISO. In turn, a good CISO will appreciate the truth, as long as it comes with a plan for how to address any shortcomings. Both sides need to mind the gap and meet in the middle to ensure that a security program reaches its full potential.

Black Hat’s CISO Summit Aug 2 offers executive-level insights into technologies and issues security execs need to keep pace with the speed of business. Click to register.

Related Content: 

 

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.