Recently I had the opportunity to sync up with two of my colleagues at EVOTEK, Paul Ferraro and Amir Fouladgar. Paul curates an outstanding technology podcast and we had the opportunity to discuss the state of security and some observations as we head into the new year. I wanted to outline what I think are important priorities that will shape not only our security programs, but most importantly, the overall resiliency of our organizations.
1. We should be passionate about automation and orchestration. Our profession is filled with highly talented individuals doing critical work manually. This must change. As security leaders, we need to empower our teams and given them the tools they need to respond to adversaries that move at network speed. Our adversaries are competent, well-resourced, and frequently more automated in their techniques then we are at defending our own organizations. Let’s make 2020 the year where automation of mundane tasks and the orchestration of more responses becomes the norm, not the exception. I am bullish that SOAR will be part of the modern security architecture. For this to occur, however, we need vendors to focus on interoperability and more reliable API-integration between and among security applications.
2. Alert fatigue is real. Security analysts are inundated with tickets and alerts that are too frequently false positives. This status quo puts our organizations at significant risk. Analysts who face never ending alert queues and the manual investigation that follows, will miss things. They will also leave our organizations for greener pastures…companies with more modern security architectures. Let’s empower our teams. I’m a huge fan of using deception to focus on real threats that have bypassed existing security controls and traditional security monitoring. Deception is a game changer. The adversary now must worry whether they are interacting with decoy assets (be they credentials, servers, or otherwise). The use of deception technologies offers high-fidelity alerts and greater insights into adversarial TTPs. Deception allows us to effectively push the adversary back on their toes.
3. Data governance and privacy are driving greater alignment between security practices and the business and its operations. CISOs should consider their colleagues in privacy as natural advocates for good security practices. As the saying goes, ‘you can have security without privacy, but you cannot have privacy without security.’ To reduce data breaches, we need to understand data flows from a business perspective. Privacy Impact Assessments (PIAs) are useful not only to our colleagues in privacy but to our security efforts. They can help outline where trust boundaries should occur, where data validation should be enacted, and where and how data and sensitive information enters the organization and where it’s shared with third parties. With the California Consumer Privacy Act (CCPA) coming into effect, there’s never been a better time to take a data centric or information centric view of security. I’ll be overseeing a track on data governance and security leadership at EVOTEK’s upcoming security conference where we’ll be addressing best practices for data protection and data governance.
4. Let’s give back to our profession and help new entrants succeed. When I was an analyst at Gartner, I had the opportunity to collaborate on some important research that my former colleague and still friend Sam Olyaei was doing on the cyber skills shortage. This problem is larger than any organization. Collectively we can help mitigate the skills gap by helping new entrants to the cybersecurity profession gain requisite skills and find mentors who can help them with their careers. As a case in point, our local San Diego ISACA chapter sponsors student memberships into the organization. Let’s find ways to be there for those just beginning their careers in cybersecurity.
5. The value of collaboration and sharing cannot be overstated. I remain grateful to the San Diego CISO Round Table for engendering a collaborative security community. This collaborative spirit was foundational to Gary Hayslip, Bill Bonney and I working on the CISO Desk Reference Guide. Our books on the role of the CISO would not have been possible had it not been for this collaborative environment. Kudos to Macy Dennis and the other board members for maintaining this community. There are outstanding organizations including other regional CISO Round Tables, ISACA, OWASP, InfraGard, and ISSA that offer fantastic opportunities to share best practices and find creative ways to deal with the many challenges that cross our desks every day. Collectively and collaboratively, we’re stronger.
6. Let’s not overlook some of the outstanding work that’s being done in security today. Our security architectures are getting better – sadly, so too are the adversary’s techniques. The work being done by MITRE with the ATT@CK Framework is truly second to none. When the ATT@CK Framework is coupled with threat modeling and the use of deception, our adversary’s will face real obstacles and our organizations will become more resilient. Kudos as well to NIST. I love seeing the continued progress and adoption of NIST’s Cybersecurity Framework (NIST CSF).
7. We will likely see greater consensus on ‘reasonable’ security coming into 2020. The CCPA will drive this discussion forward. I’m fortunate that I’ll have an opportunity to speak on this topic at the upcoming Wall Street Journal Cybersecurity Symposium (https://cybersecurity.wsj.com/symposium/san-diego/) with an outstanding advocate for privacy and reasonable security practices, Justine Phillips, from Sheppard Mullin. As a quick aside, kudos to Justine and the extended team at the University of San Diego for hosting the second annual, and outstanding, Cyber Law, Risk and Policy Symposium earlier this year. The Symposium has become a must-attend conference on the important intersections that now bridge the legal, privacy and security professions.
Given that the topic of ‘reasonable’ security is top of mind for security and business leaders alike, I’d like to offer the following definition to start the dialogue (this is certainly not a legal definition):
“Reasonable security is that level of security capability that meets the organization’s agreed-to risk tolerances while fulfilling regulatory requirements and contractual obligations of the organization.”
I’d like to wish everyone the best coming into 2020. Here’s to a more resilient future.
Happy New Year!