The modern-day CIO, CISO and senior management team members engaged in information security are faced with a daunting task. Chris Roberts (@Sidragon1) posted a description of the CISO role which seems accurate for many organizations:
“Being a Chief Information Security Officer is easy. It’s like riding a bike. Except the bike is on fire, you’re on fire, everything is on fire and you’re in Hell.”
WHY IS THE ROLE OF CISO SO CHALLENGING?
The requirement to comply with a myriad of state, federal and international regulations, to pass the next information security audit and to counter the ever-present threat from cybercriminals pulls the team in any number of directions. Perhaps the most difficult issue is reconciling the difference between running a secure business and passing a compliance audit.
ONE OF THE BIGGEST MISCONCEPTIONS
One of the biggest misconceptions about achieving compliance is that certified companies are secure. Any number of organizations have been certified “PCI DSS compliant” only to fall victim to cybercriminal attacks and data breaches, and not for lack of security technologies or diligence on the part of the IT security staff. The adversary in cyberspace does not care whether your business is compliant. If you have something of value behind your firewall, the incentive to steal it is as strong as it is for a jeweller’s display case, and in both cases smash and grab is frequently successful.
In the fall of 2015, The New York Cyber Task Force was formed to address the problem of cyber defense. Its conclusion is that defense is possible, but only if the right approach identifies and prioritizes the right innovations. On the issue of compliance, its analysis was blunt:
‘While perhaps satisfying regulators, [compliance requirements] often force defenders to expend far more effort than it costs attackers to circumvent them. This was not always the case. Two decades ago, cybersecurity architectures were less complex and threats less varied, so defenses built on static checklists were more effective at keeping adversaries out. Check-the-box compliance has, in short, gone from essential to albatross. Once a game changer, it has over time become a drain on the resources of defenders.’
Sadly, for many businesses the cost of the operational security tool-set has increased at a compounding rate as they attempt to stay ahead (some would say unsuccessfully) of the growing volume and sophistication of cybercriminal attacks. The 2017 “Internet Organised Crime Threat Assessment” (IOCTA) from Europol succinctly outlined the security challenge when it comes to ransomware:
‘Ransomware attacks have eclipsed most other global cybercrime threats, with the first half of 2017 witnessing ransomware attacks on a scale previously unseen…Ransomware has widened the range of potential malware victims, impacting victims indiscriminately across multiple industries in both the private and public sectors, and highlighting how connectivity and poor digital hygiene and security practices can allow such a threat to quickly spread and expand the attack vector.’
Both FedEx/TNT Global and Maersk faced post-ransomware-infection bills of roughly $300 million each. That kind of loss is not something chief executives want on their shareholder performance reviews.
THE DOLLAR OF DEFENSE
The situation described in the IOCTA executive summary is precisely why The New York Cyber Task Force recommended a change in the defenders’ tactics: “Any innovation by defenders must impose far greater costs on attackers. A ‘dollar of defense’ (or hour or other measure of input) should not yield just a ‘dollar of attack,’ but should force attackers to spend considerably more to defeat it.”
Near the top of the Task Force’s list of ways to leverage the dollar of defense is this conclusion:
‘Faster patching is one of the most critical ways enterprises can protect themselves. Software that automatically updates itself is of no use if the process is delayed by enterprise IT staff that needs to exhaustively test every new change. The WannaCry attack of May 2017 would have been stopped in its tracks if only enterprises had applied the existing Microsoft patch. Yet on average organizations take 12 weeks to patch, far longer than hackers need to turn vulnerabilities into exploits.’
RAPIDLY DEPLOY PATCHES
So, if you are looking for a security investment that both meets compliance requirements and raises the cost of an attack for cybercriminals, rapidly deploying patches is one of the strategic focuses required. The consensus opinion of the Task Force’s report, “Building a Defensible Cyberspace”, whose contributors included representatives from Microsoft, Time Warner and PricewaterhouseCoopers, is advice well worth considering.
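The Task Force’s 12-week figure only becomes actionable once you can measure your own patch latency. The following Python is an added example (it is not code from the original article or from the Task Force’s report) that computes, for each host in an inventory, how long a fix was available before it was installed, and how long the host stayed exposed as of a chosen date. The two dates for MS17-010 are real: Microsoft shipped the fix on 2017-03-14 and WannaCry began spreading on 2017-05-12. The fleet inventory, the second advisory (EXAMPLE-2017-001), the host names and the 30-day SLA are all constructed for illustration.

```python
"""Patch-latency and exposure-window report over a fleet inventory (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import median


@dataclass(frozen=True)
class Advisory:
    """A vendor fix and the date it became available to install."""
    patch_id: str
    published: date


@dataclass
class Host:
    """A host and the date each patch was installed on it (missing = never)."""
    name: str
    installed: dict = field(default_factory=dict)  # patch_id -> install date


def exposure_days(adv, host, as_of):
    """Days the host was exposed to the advisory, counted up to `as_of`.
    A patch installed after `as_of` has not yet closed the window."""
    when = host.installed.get(adv.patch_id)
    closed = when if when is not None and when <= as_of else as_of
    return max((closed - adv.published).days, 0)


def status(adv, host, as_of, sla_days):
    """'unpatched' if the fix is not on the host as of `as_of`; otherwise whether
    the install landed within the SLA."""
    when = host.installed.get(adv.patch_id)
    if when is None or when > as_of:
        return "unpatched"
    return "patched_in_sla" if (when - adv.published).days <= sla_days else "patched_late"


def fleet_report(advisories, hosts, as_of, sla_days):
    """One row per (advisory, host): status, install latency and exposure window."""
    rows = []
    for adv in advisories:
        if adv.published > as_of:      # a fix not yet published cannot be overdue
            continue
        for host in hosts:
            st = status(adv, host, as_of, sla_days)
            when = host.installed.get(adv.patch_id)
            rows.append({
                "patch_id": adv.patch_id,
                "host": host.name,
                "status": st,
                # latency is only meaningful once the fix is actually on the host
                "latency_days": None if st == "unpatched" else (when - adv.published).days,
                "exposure_days": exposure_days(adv, host, as_of),
            })
    return rows


def summarize(rows):
    """Counts per status plus the median latency across patched hosts."""
    counts = {}
    for row in rows:
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    latencies = [r["latency_days"] for r in rows if r["latency_days"] is not None]
    counts["median_latency_days"] = median(latencies) if latencies else None
    return counts


def expected_install_date(adv, average_weeks=12):
    """Install date implied by the report's 12-week average time to patch."""
    return adv.published + timedelta(weeks=average_weeks)


# Real dates the article alludes to: the MS17-010 fix shipped 2017-03-14 and
# WannaCry began spreading 2017-05-12. Everything below this line is constructed.
MS17_010 = Advisory("MS17-010", date(2017, 3, 14))
EXAMPLE_ADV = Advisory("EXAMPLE-2017-001", date(2017, 4, 3))   # constructed advisory
WANNACRY_DAY = date(2017, 5, 12)

FLEET = [  # constructed inventory; host names and install dates are illustrative
    Host("web-01", {"MS17-010": date(2017, 3, 21), "EXAMPLE-2017-001": date(2017, 4, 10)}),
    Host("db-02", {"MS17-010": date(2017, 5, 20), "EXAMPLE-2017-001": date(2017, 4, 12)}),
    Host("file-03", {"EXAMPLE-2017-001": date(2017, 5, 30)}),
]

if __name__ == "__main__":
    report = fleet_report([MS17_010, EXAMPLE_ADV], FLEET, WANNACRY_DAY, sla_days=30)
    for row in report:
        print(row)
    print(summarize(report))
    print("A 12-week patcher installs MS17-010 on", expected_install_date(MS17_010))
```

Run as of WannaCry day, two of the three constructed hosts are still exposed to MS17-010 after 59 days, and `expected_install_date` shows that an organization patching at the report’s 12-week average would not have installed the fix until 6 June 2017, more than three weeks after the outbreak. Re-running with a later `as_of` turns those rows into `patched_late`, which is the number a CISO should be tracking against the SLA rather than a compliance checkbox.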