7 Assumptions CIOs Make that Impact Cybersecurity

Scott Braus, Director of Cybersecurity Operations, Consumer Financial Protection Bureau

We’ve all heard the question “what keeps you up at night?” And of course every vendor and consultant has exactly what’s needed let us get some much needed shut-eye. All of their technologies and strategies play a role in the concepts below. Seasoned CIOs will look at this list and see them as obvious. Unfortunately, many assume these happen in their organization when reality may be different. Here are seven basic assumptions that a CIO should double-check to better manage risk:

Every member of the IT and cybersecurity teams know where the crown jewels are

Just because the CIO and senior IT staff know it, that doesn’t mean the incident response analysts, application developers, and helpdesk technicians do - these are the pros on the front lines and are in the best position to detect a breach early, or prevent it altogether. Answering these three questions for them can fill that knowledge gap (just remember that even though everyone knows where the jewels are, they don’t necessarily need access):

• Where are the priority systems? Think through the entire ecosystem of user’s interaction with those systems. For example, key servers, databases, applications, core routers, or dedicated VPN to your Cloud Services Provider. Consider even your endpoints and mobile devices–since these are commodity technologies, enable users to easily and securely backup and retrieve their critical local working files in case the hardware needs to be unexpectedly replaced.

• Where are critical/sensitive data warehoused? Many Security Operations Centers, and in particular managed security services providers, monitor networks with only a vague notion about how to prioritize and triage incidents. They are prioritizing based on the severity of the event as defined in default settings that do not weigh potential impact since there’s no context about the affected data. Most SIEMs can easily apply these weightings so ensure your team uses them properly.

• How to track intellectual property? Several tools allow organizations to identify controlled information in transit and at rest. Digital watermarks, file hashes, header/footer strings, and DLP are a few options to do just that. Additionally, consider the impact of cloud storage like Amazon S3, Box, Google Docs, or DropBox. If your organization uses these, deliberately apply the security settings available. For cloud services you don’t leverage, keep an eye on (or even restrict) their use from inside your organization.

Good operations and maintenance just happens

The recent Equifax breach was just the latest in a long string of examples where routine O&M would have been worth the savings in time, money, and reputation. If your IT shop full of heroes that constantly tackle break/fix tasks, that’s a strong indicator that change management is subpar. Put time in your team’s project schedule to handle the inevitable O&M tasks. How much time you ask? Just look into how late the last few major projects were or how long lower priority projects got shifted to the right.

 Security should be fully integrated into the overall design from the onset    

Operational teams have visibility

Unify visibility wherever practical. Consider integration of ticketing systems and IT workflow orchestration. The field has improved over the years, but all the operational stakeholders must be part of the selection. Key data fields can make or break an orchestration solution, and your organization’s various operational teams can tell you what their unique need for those fields are. Achieving unification is particularly challenging for organizations going through mergers. If the company is one that regularly buys smaller companies, it’s best to invest in security or IT Service management tools that offer a wide range of integration capabilities.

Most cybersecurity organizations segregate security systems from the production systems. Over time, there’s an increased cost to maintain a separate security infrastructure, Active Directory domain, and hardware or VMs. Depending on the risk profile of the systems being monitored, there may be opportunities to separate these logically with the right ability to control access, monitor, and respond.

Professional development is thoughtfully invested

Sending someone to NewStuffCon because they did a great job isn’t the best value. If you don’t know where to start, NIST maintains the National Initiative for Cybersecurity Education (NICE) framework that can help you structure a comprehensive education plan.  Some progressive vendors are bundling specialized cybersecurity training with other services like phishing exercises. Finally, cross training IT personnel can give your team exposure to cybersecurity skills they can apply to their specific areas of expertise.

Real cybersecurity incidents are used to review plans

Cybersecurity incidents are inevitable. Your incident response team should periodically select key incidents, particularly those that got leadership attention, and review how the event happened and how it was identified, analyzed, contained, remediated, and communicated. Analyze activities that deviated from the plan. Real life experiences are always more effectively internalized than the best laid plans.

Adequate time and effort go into planning

Security is an integral part of IT architecture, and the converse of that is true as well. Too often, organizations develop system designs, send off the final draft diagrams for security to review, and then become frustrated at the numerous changes. Security should be fully integrated into the overall design from the onset.

Developing requirements is worth the time and effort. If a requirement is defined as a specific technology, keep clarifying until the requirement is spelled out as an expected design function and/or outcome. Consider the risk tolerance of the organization and risk profile of the system. Don’t develop security requirements that exceed the needs of the system (for example, encrypting data that’s publicly shared anyway.)

Managers know the difference between “best practices” and opinion

This is usually synonymous with, “this is the way we’ve always done it”. A true best practice will be documented in guidelines from reputable professional organizations and will have implementation standards. There is a reason why they are endorsed by large constituencies within a profession. The individual opinions of key team members are valuable but people must be able to articulate their reasoning, not necessary on the spot during a heated meeting but at least over many discussions with colleagues during planning.


Read Also

Why the C-Suite Must Embrace Cybersecurity

Chris Riley, President of U.S. Operations, SSH Communications Security

3 things CIOs and CISOs Need to Know to Keep their Company Secure

Malcolm Harkins, Chief Security and Trust Officer, Cylance


Ronald Mehring, CISO, Texas Health