Every organization wants a robust security practice, a deep understanding of their risk profile, and processes in place to handle any attacks…but the reality is, many companies don’t have the infrastructure to support a mature security operations center or even a dedicated security team. This has led to a fairly common story in IT: security roles filled by individuals who lack a strong security operations background. I see it at the practitioner level, where network engineers double as security analysts, all the way up to IT operations leaders moving into CISO roles.
This crossing of the streams isn’t necessarily a bad thing, considering that what IT considers “the environment” is what SecOps calls “the attack surface,” but for new CISOs without a well-established structure in place, there is a lot of (avoidable) room for error.
Here are three things every new CISO should do in order to build out a good security practice from the top down and bottom up:
1. Understand your assets.
Security is all about risk management. In order to calculate risk you need to understand your assets and their value, which is easy to say and difficult to achieve. Generally, we compute risk by multiplying value times probability of a compromise. However, the probability of an attack on any given asset can be next to nothing up until that asset is attacked, and suddenly it’s 100 percent—which permanently skews your calculations for next time. This makes it difficult to quantitatively define risk, so truly understanding your risk profile requires much more than a grid of assets and statistical likelihoods.
As a defender, your surface area is huge. Attackers will come at you with the goal of chaining together small vulnerabilities in order to achieve an otherwise impossible exploit, and you need to think of your assets the same way. It’s not enough to list which assets exist in your environment—you also need to understand how they interact with one another, and who has access to what. This deeper knowledge will enable you to compartmentalize your assets according to how they fit together and where vulnerabilities might be linked, which is the only way to build out layers of security that overlap where necessary.
Only when you understand how your infrastructure works together and which paths an attacker might take to reach your most critical assets (personal data, financial records, etc.) can you confidently map out a risk profile and communicate the risk and mitigations in place to your general counsel and your board of directors.
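To make the "paths an attacker might take" idea concrete, here is an added example (written for this edit, not code from the original post) that models a constructed, hypothetical asset inventory as a reachability graph, enumerates every route from the internet to the critical assets, finds the choke points a single control would cover, and shows how a segmentation decision shrinks the set of routes. All asset names are made up.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str]

# Constructed inventory. An edge (A, B) means "whoever controls A can reach B",
# whether by network access, a shared credential, or an account's access rights.
EDGES: List[Edge] = [
    ("internet", "web-frontend"),
    ("web-frontend", "app-server"),
    ("app-server", "customer-db"),      # critical: personal data
    ("app-server", "finance-share"),    # critical: financial records
    ("web-frontend", "jump-host"),      # flat network: frontend can see the jump host
    ("jump-host", "finance-share"),
    ("web-frontend", "svc-account"),    # service credential readable from the frontend
    ("svc-account", "customer-db"),
]
CRITICAL: Set[str] = {"customer-db", "finance-share"}


def build_graph(edges: List[Edge]) -> Dict[str, List[str]]:
    graph: Dict[str, List[str]] = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    return graph


def attack_paths(edges: List[Edge], start: str, targets: Set[str]) -> Dict[str, List[List[str]]]:
    """Enumerate every simple path from `start` to each target asset (chained access)."""
    graph = build_graph(edges)
    found: Dict[str, List[List[str]]] = {t: [] for t in targets}

    def walk(node: str, path: List[str]) -> None:
        if node in targets:
            found[node].append(path)
        for nxt in graph.get(node, []):
            if nxt not in path:            # simple paths only, no cycles
                walk(nxt, path + [nxt])

    walk(start, [start])
    return found


def choke_points(paths: List[List[str]]) -> Set[str]:
    """Assets on every path to a target: one control there covers all routes."""
    return set.intersection(*(set(p) for p in paths)) if paths else set()


def segment(edges: List[Edge], cut: Set[Edge]) -> List[Edge]:
    """Model a compartmentalization decision by removing the reachability it breaks."""
    return [e for e in edges if e not in cut]


if __name__ == "__main__":
    for label, edges in (("before", EDGES),
                         ("after", segment(EDGES, {("web-frontend", "jump-host"),
                                                   ("web-frontend", "svc-account")}))):
        for target, paths in attack_paths(edges, "internet", CRITICAL).items():
            print(label, target, len(paths), "route(s), choke points:", sorted(choke_points(paths)))
```

Run as-is to compare route counts before and after the two segmentation cuts; the remaining choke point (the app server) is where overlapping controls pay off most.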
2. Know your keys—not just the cryptographic ones.
The word “key” has a few uses. In all cases, keys are valuable. Protecting your key assets (which may or may not be cryptographic keys) is your most important function. Specificity is good here, but so is a flexible definition of what’s actually critical to your business from a security perspective. Cryptographic keys are important, yes, but you also need to consider key systems, key partners, and key communication channels.
If you’re like me and you’re coming from a software development or IT background, your first instinct when under attack might be to find a technological solution. A well-executed technical response is important, but you’ll quickly learn that a CISO’s key assets include partnerships with, say, the Public Relations team—because in the event of an emergency, fast but effective communication is just as critical as the backend response. There are plenty of other key departments in the company with whom you will want to cultivate a relationship, such as the legal department. They will often have best practices already defined for some of your playbooks.
Many of your best friends won’t be IT assets; they’ll be physical assets like building access logs or human partners like your company’s general counsel. Invest in your relationships with these key systems and partners and you’ll be in a much stronger position when you are in a crucial response situation.
3. Conduct tabletop exercises.
There will be key systems you won’t think about until an emergency crops up. The number one best way to figure out what those might be is to conduct a tabletop exercise and work through the problem step by step, including but not limited to the obvious cybersecurity emergencies. That means asking questions like: “How do we communicate if the email server is down?” and “Who do we call if the building is locked and we can’t wait for Monday?”
Document every scenario and the methods you took to resolve the problem, and build yourself a library of templatized action plans. Call trees and paper printouts are still useful in 2019, as are backup plans for who is responsible for which aspect of communication when the fat hits the fryer.
Some of these points may seem obvious when you don’t have an emergency bearing down on you, but going back to my previous point—many CISOs today are not coming from a background of emergency management. When their organizations put them in charge of handling security, that means far more than responding to breaches on the network. Knowledge of key systems, strong relationships and communication channels, and templatized response plans can be the difference between an unmitigated disaster and a smart path forward.