Creating a Small Business Cybersecurity Program

Introduction

One of the goals of this book is to enable non-technical business owners and their employees to define and implement a workable cybersecurity program that fits within the current culture of your small business. Information technology should be a business enabler and cybersecurity should support the technology infrastructure and protect information assets, as an enabler of business risk management.

Chapter 1: The Objective is Cyber Resilience

We will be looking at this topic from three perspectives. The first is security against cyber-attacks. The second is a legal requirement for businesses to protect their data and their customers’ data, as mandated by regulations for different industry sectors. The third perspective is looking at cybersecurity for emergency management planning.

Chapter 2: What You Need to Succeed

So, did we just dream up a series of recommendations from scratch, hoping they sound logical and inexpensive? By no means! We have based the content of this book and recommendations on well-known, national and international standards, and business best practices that have been used and recommended by other experts for many years, plus over twenty years of personal experience. We are attempting to bring together in one place all the information you need for your small business to be successful with regard to cybersecurity.

Chapter 3: Applying a Cybersecurity Risk Perspective to Your Business

Your business goals and objectives may be to produce a minimum number of widgets per year, or to have the highest customer satisfaction rating in your industry sector among regional competitors, or to achieve a minimum level of monthly revenue. In evaluating the risk levels and impacts on the business, if you are not able to achieve a certain goal or objective, a cyber risk may have the same impact as a natural disaster (flood, earthquake, fire, or tornado), because the resulting impact to the business is the same.

Chapter 4: Cybersecurity Risk Assessment Methodology

Using a standard methodology over time provides consistency in the manner assessments are conducted and provides direct comparisons with prior assessments. A standardized methodology will provide a series of steps to follow. It usually starts with planning and preparation, then conducting the assessment, and performing necessary analyses. It concludes with summarizing the results and identifying actions to be taken to lower overall risk.

Chapter 5: The Elements of a Small Business Cybersecurity Program

The intent of this chapter is to make it easy for non-technical owners or managers to incorporate these documents into an existing business plan. This chapter focuses on the documents encompassing governance and related policies and procedures. Several technical processes that can be automated during implementation will be covered in Section 5. The specific components from each category will vary from business to business, just as there are differences between a small restaurant, a dry cleaner, or an automotive repair shop.

Chapter 6: Cybersecurity Lifecycles – Processes not Destinations

The security functions lifecycle can be applied to individual assets or control measures, groups of assets or control measures, and overall assets and security measures. It’s often easier to keep the groupings small – maybe ten related assets – to make the process more manageable.

Chapter 7: Incorporating Privacy Requirements into Cybersecurity

In the same way that cybersecurity measures should enable secure business operations, they should also enable consumer privacy through secure data management. Do you, as a small business, need to be concerned about consumer privacy rights, even if there might be an exception in one of the laws? Yes, you should be concerned about the personal information you collect from customers since that data will make you a target for cybercriminals.

Chapter 8: The Small Business Cybersecurity Strategy

Depending on your particular small business and the skill sets of your employees and their involvement with designing processes and procedures, it might be beneficial to create employee teams to work on creating draft versions of certain sections of the strategy and program documents. For example, one team might develop the cybersecurity awareness and training program, while another team works on the BC/DR plans, and a third team creates the incident response procedures. It will be an important factor in the successful implementation of the cybersecurity program to have employee acceptance and support.

Chapter 9: Defining the Strategy, Policy, and Standards

The cybersecurity program includes people (roles and responsibilities), processes (policies, procedures, standards, and guidelines), and technologies (security controls), aligned with and supporting business operations and functions.

Chapter 10: Building Your Plan and Selecting Your Controls

Using an “All Hazards” perspective for emergency management planning, you should include known cyber risks along with other natural or man-made disasters. The risks and respective actions to be taken should be part of the Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).

Chapter 11: The Key CIS Sub-Controls for Small Businesses

Now comes the hard work – putting into practice the security policies and procedures you created. This section of the chapter will help you implement simple control measures that are primarily procedural and take little if any technical knowledge or expertise.

Chapter 12: Implementing Administrative and Configuration Controls

Now that you have created a basic foundation for cybersecurity through your governance program and implementing some of the key Sub-Controls in Chapter 12, we can continue with more detailed instructions. You will find duplication of some Sub-Controls in this section because we will be automating several tasks that were implemented manually in the previous chapter.

Chapter 13: Implementing User Controls and Training

Social engineering is one of the most common tactics used in cyber-attacks. Tricking a person into revealing login credentials or releasing other sensitive information is easier than trying to forcefully hack into a computer system. Social engineering consists of criminals using various combinations of tactics, techniques, and methods.

Chapter 14: Implementing Incident and Breach Controls

You should have one primary point of contact who will be in charge of managing incident response. Also, designate an alternate person, in case the primary person is not available or able to perform the necessary duties. These should ideally be management-level employees who provide guidance to other staff who are performing the necessary response tasks.

Appendix C: Incorporating Cybersecurity Risks into a Business Risk Management Plan

From a broad perspective, there are two main categories of risk – internal and external. Internal risk factors are those over which a company has more control. These include financial risk, workforce risk, operational risk, and most cybersecurity risk. External risk factors are generally outside of the control of a business, requiring more of a reactionary stance. For example, these might include regulatory compliance, environmental conditions, national and global economics, availability of raw materials, and certain internet cybersecurity risks.

 

CISO DRG Vol 1: Chapter 9 – Security Policy

Introduction

In our last chapter, we review one of the core topics that all security and risk mitigation operations revolve around – the organization’s cybersecurity program policies. Policies are the foundation for a security program. They explain the requirements for specific processes, including who has the responsibility for process execution, and specify the resources required for mature operations. For many organizations, not having the correct policies in place can significantly impact their ability to defend themselves against cyber criminals and can degrade their ability to recover from a cyber incident. It is the responsibility of the CISO and executive management to have the correct policies in place, ensure the organization follows the policies, and periodically update them as the business/technology environment changes.

In this chapter, we will provide insight into the recommended policies an organization should have in its portfolio and describe in detail the components of a corporate information security policy. The authors approach this subject from different viewpoints, and you can rightfully assume that their wealth of experience on this subject demonstrates the importance of security policy for the CISO.

Bill provides his viewpoint that information security policies are foundational to an organization. He discusses the relationship between policy, standards, guidelines, and procedures. Throughout, he notes how important it is to maintain the connection between business objectives and the organization’s policies. Finally, Bill asserts that “policy has a purpose,” that it is written for action, and he elaborates on the principles and steps for establishing an effective cybersecurity policy.

Matt states that CISOs use security policies to be effective in fulfilling the requirements of their position. He discusses the balance between creating a policy that has a specific objective, and that is actually used in the organization. Matt then articulates the core elements of a well-structured policy and provides recommendations for specific policies that he deems crucial for an organization and its cybersecurity/risk management programs.

Gary provides insight into the essential components of an organization’s information security policy. He then walks the reader through a step-by-step process for creating an incident response policy and describes how an organization should use it. He concludes his discussion by providing a list of recommended policies that a CISO should build and use to address the risks facing their organization. He makes the case that through the use of these policies and resulting work practices, the CISO can enable the organization to be more resilient to the risks it faces.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  In building the organization’s information security policy, what components should the CISO consider essential?

♦  Does the organization have a formal, documented incident response policy and plan? If not, what best practices does the CISO need to consider to create them for the organization?

♦  In developing a mature cybersecurity program, what recommended policies should the CISO develop to increase his/her security program’s effectiveness?

Security Policies – Stamper

Many CISOs may feel that our titles don’t reflect what we do on a daily basis. It may seem that we are the CPO (Chief Policy Officer) of the organization and not the CISO. Our days are filled with writing, reviewing, and updating policies rather than deploying next-generation security tools, the fun stuff. Indeed, it can seem that there is no end to the number of new policies that we need to draft and disseminate within the organization. Having too many policies results in policy overload and policy fatigue among our colleagues. If we have too few, the commensurate gap in procedures and practices could lead to operational blind spots that put our organizations at risk. There has to be a reasonable balance to ensure that we address the objectives of the policies, procedures, and practices without generating security apathy among our colleagues.

Just as significant as the right balance and number of policies is how we enforce them. We should not write policies that will only be shelfware. We should operationally translate policies into documented procedures and practices – to wit, the notion of P-cubed (policy, procedure, and practice). Policies without the associated guidance on the procedures and practices are incomplete. It’s easy to say that we should employ a least-privilege methodology, that we should encrypt critical data, that we should have strong passwords, and on and on. However, without specific guidance on how we achieve these end states, there is too much room for ambiguity. As I noted earlier in this book, “Declare War on Ambiguity!” Procedural guidance should indicate how to perform the practices, how to conduct and show evidence of review and approval activities, as well as the documentation and systems used to complete a given procedure.

Structure Counts: Consistent Policy Design

One reason why so many policies are ineffective is that the actual structure of the policy has never been standardized within the organization. The consequence of this is that policies are incomplete and omit critical elements required for their successful implementation, notably management authorization and employee acknowledgment. A well-structured policy should at a minimum include the following core elements:

♦  Policy ownership – In the context of a RACI matrix, a policy requires someone to be accountable for the procedures and practices needed for the policy’s compliance. Note this individual or role as the policy’s owner.

♦  Review and approval – Policies should be reviewed and approved by executive management. This authorization should be formalized and include those executives who are impacted by the policy’s scope, including the formal approval of executives beyond traditional IT roles such as the CIO or CISO.

♦  Employee acknowledgement and sanctions – For policies to be effective, they need to be read and acknowledged by employees and, in many cases, independent contractors and vendors. A policy should include a formal acknowledgment section where employees confirm that they have read the policy and understand that failure to comply with the policy, unless duly authorized by management (and this would be an exception), could lead to disciplinary action up to and including employee dismissal. Ideally, once employees have signed the policy, these acknowledgment forms should be kept by human resources and maintained in each employee’s HR file.

♦  Effective date – Policies should have a clearly stated effective date. This formally conveys that the policy is in force and is part of the organization’s overall governance practices.

♦  Review date – Policies should be subject to review. Ideally, policies should be subject to an annual review where there may be updates to procedures and practices, scope, or policy ownership. Language indicating that the policy may be reviewed and updated from time to time, based on changes to the organization, technology, or other changes should be incorporated to offer flexibility.

♦  Version – Policies should be version controlled. The version number should change following each annual review (or during an interim review if required).

♦  Scope – Policies should have a defined scope or boundary for their required procedures and practices. The policy’s scope will determine where applicability to needed procedures starts and ends within the organization. As a case in point, there may be a policy to require encryption of data in transit and at rest. The scope of the policy would specify which types of information should be encrypted (e.g., PII or ePHI).

♦  Procedures and practices – Policies should reference the specific procedures and practices required to ensure that the organization is meeting the policy objectives. Proper procedural documentation leaves little space for ambiguity. Procedural documentation should also capture the system(s) of record used to carry out the activities, the types of documentation created relating to the procedure, and where this documentation is stored. Validation and verification activities should also be clearly captured and understood. There should be no doubt what’s required, who is doing the work, and how it is measured and validated.

Procedures should include a basic RACI. This should note who is:

♦  Responsible (the individuals or departments doing the actual work)

♦  Accountable (the specific role or individual that effectively owns the result of the procedure)

♦  Consulted (individuals with expertise and knowledge of a given domain that can help validate and inform procedures and practices)

♦  Informed (those departments, individuals, clients, regulators, boards, etc. that should know about the existence of a procedure and the outcomes of its activities).

Collectively, these elements are necessary constituent parts of a well-structured policy.

Matt Stamper

CISO DRG Vol 2: Chapter 10 – Finding Talent and Developing Your Team

Introduction

We begin Volume 2 with a discussion about people. As you strive to create a world-class cybersecurity program, you must recognize and address the critical human element. We look at the human element from several different perspectives. We include the technical skills that are required and how to assess them; motivating, inspiring and nurturing the people on your team; and understanding the environmental factors that impact your talent pool and your hiring decisions.

Bill Bonney offers a lot of practical advice on assessing, recruiting, motivating and developing the people on the CISO’s team. But he also recommends an honest assessment of the tasks that can realistically be outsourced to third parties and proposes that you look at how technology, specifically artificial intelligence, can help you be more effective in meeting your goals. Bill includes a bit of a call to arms for our industry to address the shortfall of qualified candidates.

Matt Stamper suggests that CISOs should carefully consider how they define each position. It is essential that requirements and job descriptions are realistic and appeal to the people you are trying to attract. Matt also thoughtfully unpacks several factors, both internal and external to the organization, which impact the composition of the talent pool for any particular hire.

Gary Hayslip takes a data-driven approach to workforce planning that acknowledges the fierce competition for talent in the field of cybersecurity and offers practical advice for motivating the people on your team. He continues using data to define a set of metrics to help the CISO determine if the talent on the team is delivering the outcomes that are needed and to help develop the training necessary to close any gaps.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  How do CISOs develop their hiring priorities to support the organization and their cybersecurity program effectively?

♦  What hard and soft skills does the CISO believe their cybersecurity program requires?

♦  How can I construct a training program that will keep my team’s knowledge, skills, and techniques current?

♦  What metrics can I use to measure the effectiveness of my cybersecurity team’s capabilities to provide security services and reduce risk to the organization?

Talent, Skills and Training – Bonney

I think it’s important to put the topics of recruiting, skills, training, and development in the larger context of talent management and the still larger context of the changing workforce demographics and the technical skills shortage that we face in industry – the so-called “War for Talent.” My point is not to give the reader comfort that this is a problem faced by many companies across most industrial sectors and throughout the entire world economy because that doesn’t absolve us from dealing with the problem, but rather, to draw attention to the true scope of the problem.

In the larger sense, we are dealing with a fundamental transformation of the use of human capital, on par with the industrial revolution. We should keep this in mind when determining how to approach our talent issues. Yes, the short-term tactical advice is always useful. But, planning for the long term can’t be ignored and will take a combination of human resource planning, government policy changes, new capacity and new approaches in our education systems, and new technology. These changes will require us to work differently with partners and suppliers to achieve the outcomes we want. We can’t rely on the old models of allocated headcount with defined duties and desired skills to just “get the work done.”

Talent and the Human Element

Let’s first put the topics for this chapter in the larger context of talent management. Talent management as a discipline traditionally includes four pillars: recruitment, learning, performance, and compensation. This chapter is focused on recruitment and learning which is done for an outcome (performance) at a price (compensation). Keep in mind that the purpose of talent management is to create a high-performing, sustainable organization that meets its strategic and operational goals and objectives. The goal we have for talent development is to:

♦  allow the Information Security team to develop the skills and capabilities to continually adapt to changing business and threat environments, thereby

♦  help the larger organization identify and manage the risks that threaten its information and operations technology, in order to

♦  safeguard the organization’s data (both generated and entrusted), and

♦  protect the people and operations from cyber and cyber-kinetic harm, thus

♦  enabling the organization to compete with less drag and friction.

I think to be successful with how we approach building and developing our team’s capabilities we need to consider the human element. Several different works that share some similarities with each other are helpful here. The first is a book called Drive: The Surprising Truth About What Motivates Us (Pink 2009) by Daniel H. Pink. The second is a study conducted by Tony Schwartz of The Energy Project along with Christine Porath, an associate professor at Georgetown University’s McDonough School of Business. The study is summarized well in an article in the New York Times (Porath 2014). The third is an article in the MIT Sloan Management Review (Gunter K. Stahl 2012) called “Six Principles of Effective Global Talent Management.”

What is common to these works is the assertion that the sense of purpose that each person has for their work is more indicative of their engagement and success than their skills. The argument is that affinity is a more important predictor than efficiency.

That is not to say that skills aren’t important. On the contrary, one has little chance of being successful without possessing the skills required for the job. But it would be worth your time to review these works. Daniel Pink tells us that by providing our teams with opportunities for autonomy, mastery, and purpose, we are providing the key ingredients to motivate our people. Tony Schwartz and Christine Porath tell us that employees are vastly more satisfied and productive when four of their core needs are met:

♦  physical, through opportunities to regularly renew and recharge at work;

♦  emotional, by feeling valued and appreciated for their contributions;

♦  mental, when they can focus in an absorbed way on their most important tasks and define when and where they get their work done;

♦  and spiritual, by doing more of what they do best and enjoy most, and by feeling connected to a higher purpose at work.

Gunter Stahl, et al., found that large successful companies adhere to six key principles rather than traditional management best practices focused on maximizing the four pillars listed above. Those key principles are:

♦  alignment with strategy,

♦  internal consistency,

♦  cultural embeddedness,

♦  management involvement,

♦  a balance of global and local needs, and

♦  employer branding through differentiation.

Therefore, I’d like to suggest that we think of the people we work with, who help us achieve our outcomes, as people, not just talent. We would like to hire the best people with the right skills and mindset, help them become even better at what they do, have them share a common set of goals, and have them engaged and happy to be part of our team for the long haul.

Recruitment

With the human element considered, let’s turn to the issue of recruitment. I referred at the beginning of this chapter to the “War for Talent” and noted that we are dealing with a fundamental transformation regarding how we deploy human capital. These changes affect different industries in unique ways and the various functions within organizations in very different ways. Three factors I think we need to address are the scarcity of qualified workers, third-party service delivery, and augmentation using artificial intelligence.

Scarcity of Qualified Workers

A significant result of the industrial revolution was the migration of populations from rural to urban centers. This migration was aided by several factors. Among these factors were the ability of manufacturers to expand the capacity of their workforce, the resulting increase in productivity and profitability of doing so, the resulting elasticity of wages, and the relatively low barrier to entry (compared to both the guild system that preceded industrialization and the highly technical skillsets that are required in today’s digital workplace). While there were often labor shortages when new factories or industries popped up, the pace of industrial development, the availability of investment capital, and the speed of communications served as natural governing factors.

Still, labor shortages could at times doom businesses or at least temporarily suppress profits. In short, the demand signal was sent, and the response was the arrival of men and women ready to work. Training shifted from years of apprenticeship to mere weeks of classroom or vestibule training, but the key factor was the availability of any person ready and willing to work.

Fast-forward three hundred years, and many of the jobs we need to fill are highly specialized, requiring years of school and what amounts to years of apprenticeship. The demand signal has again been sent, and governments and universities recognize the severe shortages of highly-skilled workers, not just cybersecurity professionals. However, the pace of development in the digital age, the availability of abundant investment capital, and the instantaneous speed of communications serve as accelerators, not governors.

Enough Admiring the Problem. What Are We Going to Do About It?

First, CISOs must recognize that they are always recruiting. Even if there is no unfilled headcount today, the people you meet, the connections you forge, and the network you build will be necessary to create and maintain a pool of talented people for your organization. And while there is a minimum bar for the skills your team will need to be successful, you can only hire for so many of those skills. The cost (in hard cost and opportunity loss) of competing for and hiring fully formed senior security engineers for all positions has already become prohibitive.

Hiring the right team will be a mix of seasoned individuals from outside of the organization along with individuals you nurture. You will use your network, internal and external to your organization, to help you identify and attract both.

You could easily create a laundry list of security domains along with areas of specific process expertise from reviewing the requirements and controls listed in the eight CISSP domains, the 18 security control families from the NIST 800-53 standard, and the 12 PCI-DSS requirements. Add in various processes that have information technology and information security overlap, such as vulnerability management, change management, and mobile device management, along with security-focused activities, services and products such as threat intelligence, forensic analysis, penetration testing, intrusion detection and prevention, and the whole discipline of governance, risk and compliance, and you have a massive set of competencies from which to select job requirements.

It’s tempting to reduce this problem to simple analogies such as building a professional sports team. Drafting from the college ranks to fill skill gaps is like hiring workers early in their careers. Using free-agency can fill more senior positions. The minor leagues provide internships. And a deep bench can stand in for succession planning. These analogies can help explain the situation in simple, familiar terms, but they can also seem repetitious and shallow, and the consequences of failure are very different.

When we trivialize talent development by comparing it with building a sports team, we risk treating all professionals the same as members of sports teams – short-term combinations of skills designed to win a trophy. Failing to win a trophy is disappointing to the team and the host city, but teams can be overhauled in a matter of a few years and a trophy in 5 or 10 years, though not ideal, will still be celebrated.

The skills needed to be successful in the modern white-collar workplace (both hard and soft) are not so readily observed, as they are showcased outside of the arena of public spectacle. Employees are afforded many labor protections that professional athletes do not enjoy. And, the consequence of the team’s performance is greater than the disappointment in the execution of a billionaire’s hobby. And thus, the analogy breaks down.

The few elements of this analogy I do think can add value to our thinking are the youth leagues and skills development programs that exist across all of the major team sports. These programs are available for baseball, football, basketball, hockey, soccer, volleyball, gymnastics and even sports that are more focused on individuals, such as tennis, swimming, ice skating, skiing and golf. In fact, I can’t think of any sports that don’t have youth leagues and skills development programs, and many include community outreach, traveling ambassadors, senior leagues, and representation in K-12 physical education programs.

While not the only cause for this deep infiltration of sport at every level of our society, one major reason for this is President Kennedy’s revitalization of the President’s Council on Physical Fitness and Sports. Physical fitness was seen as a critical need for all Americans to maintain a healthy lifestyle, both for their health and the cost to the nation that would most certainly result from the poor health of the population.

I do not mean to trivialize healthcare or the impact of poor health to our lives, but I do think that building a nation that is “cyber healthy” will be crucial to our citizens’ financial health and our nation’s public safety. I believe that existing programs that invest in STEM (and STEAM) education, hackathons, and other curriculum-based and after-school activities for the K-12 education system are vital to both teach skills and familiarize students and their parents with cyber hygiene, cyber defense and, where the skill and interest surfaces, cyber offense.

Investing for the Long Term

There is widespread recognition that building the skills and competencies needed to improve the overall cybersecurity of critical infrastructure requires national and coordinated attention. NIST’s National Initiative for Cybersecurity Education (NICE) is focused directly on addressing this challenge. Special Publication 800-181 outlines the initiative.

NICE offers prescriptive detail regarding seven core security functions, and 33 specialty areas of cybersecurity work. It defines 52 cybersecurity roles while providing the requisite knowledge, skills, abilities, and tasks for each role. NICE thereby helps organizations understand the types of skills and competencies that will be required to support a security program comprehensively.

In the graphics below, the seven core security functions are described, and a sample drill-down is provided. Within each core functional area, NICE provides insights and recommendations on necessary training to adequately address the function. NICE therefore provides the foundation for your cybersecurity staffing program.

Both graphics are courtesy of the National Initiative for Cybersecurity Careers and Studies.

Figure 10.1 The NICE Cybersecurity Workforce Framework

Figure 10.2 Detailed Description of Analyst Position

With the NICE skills framework, educational organizations across the nation, including K-12 schools, trade schools, community colleges, technical institutes, and universities can design programs to provide the critical training our workforce needs.

Helping the cyber workforce become productive is another gap that we must fill. The traditional model of graduating four-year degreed individuals from colleges and universities will not, by itself, overcome the worker deficit we face. On-the-job experience, in the form of internships and apprentice programs, is another vital source of learning that is necessary to allow newly trained workers to put their skills to use quickly.

Internships are excellent supplements for the typical four-year program that help the student step out of the classroom and spend critical time in the field at a variety of organizations, seeing real-world events unfold in real time. Apprenticeship programs allow a broader set of experiences that can help trainees use additional avenues to gain the skills they need. These include students who are not following the four-year degree path, workers reentering the workforce, military personnel who are transitioning into the commercial workforce, and other sources of specialists that are currently under-utilized. A critical insight is that the total number of seats in four-year degree programs is not adequate to provide all the cybersecurity workers we will need, and the traditional four-year program is simply not required for many of the entry-level positions that currently go unfilled.

One final recommendation about some of these novel approaches to training the cyber workforce of tomorrow is to look to cyber ranges as an option worth exploring. Cyber ranges can help you train new workers on current methods and help keep your existing workforce up-to-date. Think of cyber ranges as simulators, but under live fire. In order to train our pilot workforce without crashing real planes, we built and deployed flight simulators. Cyber range scenarios are real, but with coaches and highly-skilled experts available as backup.

Hiring Who You Need

Coming back now to your immediate hiring decisions. While it’s difficult to hire individuals with a mastery of the complete list of skills and experience across each of the relevant domains, senior security engineers and security architects should have a fundamental knowledge of all of them. How can you possibly determine whether the more senior people you are hiring have the right level of broad mastery? Some rely on certifications, but I challenge how effective that is. I see a lot of value in certifications; they set an effective minimum bar in many areas, they come with an ongoing requirement for continuing education that in theory keeps people in constant learning mode, and they provide a shorthand for assessing, in aggregate, the skill level of a department.

The latter is the most perilous, though. In any population of certificate holders, just given a normal bell curve of capability, there will be some people who barely met the proficiency requirements. It is not statistically impossible to have a larger than normal collection of people on the left side of the bell. Also, the minimum bar I spoke of is just that, a minimum. It gives a reasonable assurance of familiarity with general concepts, but unfortunately, there is not enough assurance that the familiarity comes along with experiential knowledge.

So, while certifications have their purpose, we can’t solely rely on them for determining the technical fit for new hires. What other tools do we have? A lot of time and energy have gone into interviewing techniques that will both root out the hard skills (have the candidate take a coding test or configure a firewall rule) and soft skills (subject the candidate to team interviews with each team member tasked with assessing certain key soft skills such as communication skills, problem solving, managing up, and team dynamics). There are several systems out there. One of the more popular ones is the “STAR” Technique: situation, task, action, result. It’s so popular that interview candidates also use it to prepare to talk to you.

None of this is ground-breaking, and chances are good your Human Resources department will have a favorite rating system that you can adapt to the hard and soft skills that you want to test for in your screening. But most of the last two paragraphs assume that you have a pool of reasonable candidates to start from, and your job is to screen for a fit for your team. I do happen to agree that these techniques are valuable. However, I have always found the greater challenge to be finding the reasonable pool of candidates in the first place.

That is why I said that even if there is no unfilled headcount today, the people you meet, the connections you forge, and the network you build will be necessary to create and maintain a pool of talented people for your organization. You want to make sure you always know who you would try to recruit to your organization if you should have a position open. Every interaction you have in your local security community is a recruiting event. Every meeting, every talk, every conference, every happy hour.

I’m going to put the cart before the horse to share a brief thought. The single most important recruiting tool you have is your team. If team members are motivated, work as a team, win more often than they lose, celebrate their wins, pick each other up when they are down, and care about the company they work for, others will want to come work for you too. I know that doesn’t help a lot when you are building a new team, but there is some element of that statement that you can leverage in practically any situation. They will help make your team an attractive place to be before there is a position available.

It is also important to pay attention to social tools such as LinkedIn and Twitter as well as any blogs or security forums you participate in. Make sure your profiles are up to date and that they show a positive image of you and your role. The same should be true for the people on your team. Just as companies use social tools to vet candidates, we all use social tools to vet the companies and teams we want to join. When we see a limited profile, we might believe them to be insular and two-dimensional. That may not always be accurate, but underestimate the subconscious signals we pull from social tools at your own peril.

Bill Bonney

CISO DRG Vol 2: Chapter 11 – Cyber Awareness Training: It Takes an Organization

Introduction

Educating your workforce about cybersecurity through an awareness program is a foundational requirement that all cybersecurity standards share. So why don’t we have a very well-educated workforce when it comes to cybersecurity? Perhaps too many organizations, when they recognize the need for a cybersecurity awareness program, treat it like a change management effort; roll it out just in time and then add it to the corporate training curriculum. We know that’s not effective.

Bill begins this chapter by recalling that there have been other large-scale societal changes that have required massive, sustained awareness programs. He outlines the commonalities between these programs and allows the reader to draw inferences that will help put their program into context and set it up for success.

Matt continues the discussion by showing how each member of the executive team must buy in and be part of the solution. Education and awareness are about people, and specifically, the role each of us plays and how that role is personal to every one of us and through us becomes personal for each organization.

Gary then shows us how important it is to measure what we do, and more importantly, to build a habit of learning from each breach and changing the training content so that it evolves as our threat environment evolves. Tying our metrics to our awareness program is a powerful concept and will help any team be more successful by focusing on continual improvement.

The authors would like to pose some important questions to think about as you read this chapter:

♦  What are the “lessons learned” from industry data breaches that can be used to reduce our organization’s risk exposure to these adverse events?

♦  How successful is training our staff in actually preventing breaches versus having the right software and hardware in place?

♦  Does our organization have a culture of cybersecurity awareness and do we have a program to educate our staff?

♦  What is our Incident Response Plan and how do we train staff, stakeholders and partners on how to use this plan?

The Critical Role of Security Awareness with Executive Management – Stamper

Doesn’t Every Executive Value Cyber?

Who doesn’t love the technical side of cybersecurity? With thousands of innovative cyber tools hitting the market each year, it would be easy to lull us all into believing that the security of our organizations is just a toolset or adjusted configuration setting away. Oh, that it was that simple.

Before becoming a CISO, I helped organizations comply with the requirements of the Sarbanes-Oxley Act (SOX). Our company would help management address the state of the organization’s internal controls over financial reporting (ICFR). I was responsible for assessing IT General Controls (ITGCs) in the context of financially material business applications. Our process began with a risk assessment of the organization’s financial statements to determine the materiality of business processes and capture control detail about the applications (think ERP, CRM, and other systems) that supported material business processes. With this context, we’d evaluate and assess the design and operational effectiveness of controls. Our goal was to determine what level of assurance or confidence the organization had that its financial statements were accurate, complete, and valid.

We had two types of customers. The first and rarest were those that were genuinely interested in establishing good governance practices and sound controls over their processes such that ultimately their financial reporting was free from material weaknesses or significant deficiencies. The more common group consisted of those executives that merely asked that we “make them compliant.” It was in this group that the quality of financial reporting was most suspect, and no matter how much we worked to implement, document, and ultimately transfer good governance practices to the organization, we knew that given the lack of “ownership” the governance practices would not stick. The simple reason: there was no accountability or commitment to good governance.

Embarrassingly, we would call executives from this second group “walking material weaknesses.” They put their organization’s standing with financial markets, regulators, and other critical constituencies at risk because they did not value governance. Or, as I’ll discuss below, no one explained the linkages between good governance and financial performance for their organization in a way that resonated with how they saw their role within the organization. It was like we were speaking the wrong language to this second group. It was not that they desired poor governance and ineffective controls. It was, more accurately, that no one showed this group of executives how good governance and internal control could facilitate and underpin their organizational strategy. The failure was on us…we did not communicate in a manner that was effective.

As CISOs, we see similar issues within our organizations. Some organizations take security awareness and security training very seriously and are committed to excellent security practices. Others only pay lip service to security training and education. The consequences for the latter include increased regulatory oversight and brand damage resulting from high-profile breaches. Awareness must start with executive management. It’s imperative that you help your colleagues in the C-suite understand the risks and consequences of security practices that are inadequate or incomplete. How you address this one function may have more bearing on your security program than any selected tool or security configuration. Similar to the challenges with SOX described above, leaders of organizations that do not currently value security the way we would hope may simply lack the context required to change their approach.

It’s About the People

Now back to the opening of this chapter. Cybersecurity, while reliant upon technology, is ultimately about people. Good security practices require engaged and informed stakeholders, be they the board of directors, executives, or frontline employees. One of the most critical components of the CISO role is to help drive this engagement. Behaviors that bypass the best technologies can happen without awareness, an understanding of the acceptable use of organizational assets, and the investment in the training of our teams. One need not look any further than how the best “preventive” technologies deployed are easily circumvented by well-crafted phishing emails that entice employees and executives to expose their organization’s network to bad actors. People count. It is obvious why cyber education and security awareness training are so necessary.

Matt Stamper

CISO DRG Vol 2: Chapter 12 – Monitoring Your Environment

Introduction

Networks are noisy. From heartbeats to probing, from legitimate database extracts to covert data exfiltration, from sensor telemetry to malware infusions, there is an enormous amount of traffic on your network. Without a strategic and diligent approach, it is difficult to know how much of your traffic is appropriate. Long gone are the days when volume alone was the biggest hint that you were under attack.

Bill starts the discussion by reminding us just how much the network and the devices on the network have changed. In the last decade, we have seen not just an explosion in data volume, but a significant change in control as to how the network and the applications and devices on it are acquired, deployed and exploited for business utility. Bill also highlights the need to look at a wide range of activities to successfully monitor the organization’s infrastructure.

Matt reminds us that monitoring involves more than just checking the flashing lights for activity and sniffing packets. His advice for program monitoring shows us the broad range of health indicators that the CISO must be concerned with and how important it is to be integrated with the lines of business to know what matters to the entire organization.

Gary emphasizes the need for continued diligence through scanning, monitoring, and remediation before addressing the critical requirement for having a deep understanding of the health and security of your applications. To end this chapter, he brings the discussion back to one of our favorite topics: metrics.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  As a CISO, what frameworks, security controls, or processes would you recommend to continuously monitor your organization to prevent or mitigate a data breach?

♦  What framework and/or processes should a CISO use to remediate vulnerabilities and search for malware in their organization’s application portfolio?

♦  Your organization experiences numerous unauthorized attempts to breach its enterprise networks. What metrics are important to your enterprise cybersecurity program to enable it to see these attempts?

Monitoring the Enterprise and Your Cybersecurity Program – Hayslip

It’s 2:00 AM and the smartphone on a nightstand is chirping a lonely message for Alice Bentlee (fictitious). Alice is the Vice President, Cybersecurity and Risk Operations Director for a local bio-technical research facility and right now she is trying to brush the sleep from her eyes as she reaches for her phone. In the next fifteen minutes, she will become wide awake as she learns the news. The organization, which is her employer, has had a data breach and has activated the incident response plan. In the days to come as she triages the breach, she will use forensics to understand how it happened and what data was accessed.

The company will leverage its cyber insurance policy to help cover its costs as it initiates an internal investigation into Alice’s cybersecurity program, and as the CISO she will need to answer questions to prove her program was meeting the definition of “reasonable care.” Did she, as the senior security executive for the company, implement a cybersecurity program to the best of her ability that met industry best practices and as an organization met the standards of care for protecting the critical intellectual property data her company had stored within its enterprise networks?

As a CISO, it is essential to understand the idea of “reasonable care” and why it is a minimum strategic standard for the business. This concept is based on several core principles:

  1. The organization, or the CISO acting on its behalf, shall be considered to have complied with reasonable security practices and procedures if an industry standard framework was used to implement the procedures (i.e., NIST, ISO, COBIT, and CIS), and there is a current documented information security program. This program should have mature information security policies that contain managerial, technical, operational, and physical security control measures that are at a maturity level commensurate with the level of sensitive information being protected by the company.
  2. In the event of legal action or a request from regulators stemming from a data breach, the organization, or the CISO acting on its behalf, may be required to demonstrate that security control measures were implemented, and they are documented in the organization’s information security policies.
  3. The security procedures are certified or audited on a regular basis by an independent auditor. The audit of reasonable security practices and procedures must be current and therefore conducted within the last year.

I am sure by now you are wondering why this is so important. The reason is that, as we’ve previously discussed, cybersecurity is a continuous lifecycle and breaches are part of that lifecycle. To reduce the risk to our organizations, as CISOs we create and implement enterprise cybersecurity programs and deploy policies, procedures, security controls, and standards to reduce risk and protect our assets. However, even with a mature cybersecurity program, we will at times remediate security breaches and then be required to prove that we are meeting reasonable security standards.

Continuous Scanning, Monitoring, and Remediation

We’re now ready for our next discussion topics. One of the primary processes that your cybersecurity program will be responsible for is “continuous monitoring.” In many network/organizational environments, there may be extreme technology change as organizations try innovative solutions to compete in their specific business markets. This dynamic change environment makes providing enterprise risk management and cybersecurity as a service extremely challenging.

To bring balance to my security teams and be effective as a security leader, when operating in chaotic business environments where there is no stable risk baseline, I implement the concept of continuous scanning, monitoring, and remediation to provide an effective security practice for my business and our stakeholders. Understanding the answers to the questions for this chapter will enable you as a CISO to state that you are meeting the requirements of “reasonable care.”

Continuous monitoring provides a critical service to security operations teams through detection, response, and remediation. When such a program is aligned with the organization’s enterprise security program and implemented with appropriate security controls, it enables security organizations to detect security incidents, remediate security gaps, and analyze trends to reduce the company’s risk exposure. I believe it is essential to understand that continuous monitoring is a component of a lifecycle, a cybersecurity lifecycle.

I have written about this lifecycle and its five stages: inventory, assessment, scanning, remediation, and monitoring (Hayslip, Pulse, Articles by Gary Hayslip 2015). This graphic is a depiction of the final stage, continuous monitoring, and will be our guide in the discussions that follow.

Figure 12.1 Continuous Monitoring Mind Map

The first question that we will review will provide some insight into the components that make up continuous monitoring and why I believe it is an essential business process. Numerous strategic frameworks address continuous monitoring. I have implemented the National Institute of Standards and Technology (NIST) guidelines, NIST SP 800-137 (NIST 2011) at multiple organizations over the last several years. I consider it to be a best practice for a CISO standing up a security program.

I believe it is a critical business process for organizations to understand and maintain their situational awareness and oversee their enterprise risk management portfolio. While I used the NIST guidelines for continuous monitoring, the framework you select should be decided through input from your stakeholders, including legal staff and executive management, and depends on your technical requirements.

With that said, let’s review our first question: “As a CISO, what frameworks, security controls, or processes would you recommend to continuously monitor your organization to prevent or mitigate a data breach?”

To design and implement an effective continuous monitoring program, a CISO will need to take into account answers to the following questions:

♦  Purpose of the monitoring system – From the viewpoint of the organization, what are the overall business reasons to develop a monitoring system? Is it a compliance/regulation requirement? Are there technical requirements? As a CISO you must be able to answer the question of why resources need to be expended to develop this program.

♦  Requirements – Now that you understand why you need to implement it, what are the technical, security, legal, business, and compliance requirements for the program’s creation, management, report structure, and data views?

♦  What needs to be monitored – This question is critical. It is imperative for the CISO to work with stakeholders and trusted partners to identify what systems, applications, and data to monitor.

♦  How will it be implemented – From a technology perspective, will this monitoring be on-premises, will it be in the cloud, or would it be better to use a hybrid approach? If deploying sensors or agents, determine if the deployment is a one-to-many configuration or a distributed site-to-site configuration. Once you have identified the data to pull, you can create the architecture to move the data to a location for analysis and storage.

♦  Data, data, and more data – You have identified what data you will monitor, and now you need to ask yourself, where will the data be stored? Do I have a data retention policy? Do I have a data governance program that specifies who is allowed to access it and why?

♦  Metrics and reports – Collecting information from the monitoring program should have a purpose. Do you have any metrics? Do you have specific reports based on the analyzed data? What is the story, and to which audience are you providing this data?

♦  911 – You understand your requirements, you have built a continuous monitoring program for the organization, you are collecting information, and now the question is who will use it to protect the organization?

As you can see from these questions, there is an extensive amount of information you need to collect before you begin architecting a monitoring program. I typically start with conducting an inventory of my security suite to identify all of my security assets such as firewalls, IPS sensors, honey pots/nets, endpoint platforms, and vulnerability scanners. I then proceed to document what logs I can collect from these platforms and meet with my peers in our data centers, desktop support, and network services teams to verify what assets they have and what logs I can collect from them. Once I have identified these assets and log types, I research and deploy a security information and event management (SIEM) platform that enables me to build dashboards to analyze the collected information. This allows me to make decisions about reducing risk and focus on how to best use my limited resources.

You will need to review several issues if you plan to use a SIEM platform as one of the core elements of your continuous monitoring program. The SIEM platform will provide your monitoring program with extensive capabilities for reviewing and analyzing collected data for actionable threat mitigation. However, you will need to verify some information before you start analyzing the collected data. Some of the issues I would recommend you check are:

♦  Deployment of Security Suite Assets – Review where you have your security assets deployed in your enterprise network. Assets such as intrusion prevention systems (IPS) or unified threat management (UTM) appliances become primary sources for data logs and it is critical to position them at locations in the network with the best visibility into data flows to ensure you are collecting optimum data. Whether it’s at the network edge, chokepoints between sites, or within enclaves that manage sensitive data – review your network maps and the position of your security suite’s

♦  Log Filtering – Next, I would recommend that, depending on the data type you collect (for instance, if the data is from security components like firewalls or IPS systems), you incorporate filters or pre-defined rulesets to remove basic informational data so your analysts don’t get overwhelmed. There are configurations for many of your security components that will allow you to filter out informational data and only send alerts for data that meet specific criteria for review by one of your security personnel. The use of these filters and automation for specific analysis will help provide relevant data and meaningful metrics for review. As a result, security staff will be able to spend less time analyzing the data and more time remediating any issues they find.

♦  Log Management – You are collecting logs and sending them to a central repository for your SIEM to review; however, what events are you collecting? Some events that I have collected in the past (and by no means is this a complete list) are:

◊  Asset boot/shutdown

◊  System process initiation/termination

◊  Invalid Login attempts

◊  File Access/File Close

◊  Invalid File Access attempts

◊  Network activity

    ♦  Ports/Protocols

    ♦  Flagged application activity (Tor, Web Proxy, File Sharing)

◊  Resource Utilization information

♦  Log Retention/Access – It is critical that you understand your log retention requirements. If you must keep logs for several years due to federal regulations or industry compliance, you will need to factor storage and encryption of the data at rest as part of your program for managing this data. Another critical question you will need to address is who needs access to these logs, why do they need access, and what rights do they need to this data? You will need to incorporate an access control mechanism for this information, so you can demonstrate you’re a good steward of the data entrusted to your program. I have found that discussing this issue with my stakeholders will help identify who needs access and the business requirements for the information, so collaborate when setting your access control mechanisms. 
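The following Python example is added here and is not the author's code or any SIEM vendor's: it applies the log filtering idea above to a few of the listed event types, forwarding invalid logins that reach a threshold, invalid file access attempts, and flagged application traffic while suppressing routine informational events. The key=value log format, field names, event names, and the threshold of three are assumptions made for the example, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample events in an assumed key=value format (not from a real product).
SAMPLE_LOG = """\
2024-05-01T02:00:01Z host=fw01 sev=info event=conn_allow src=10.0.4.12 dst=93.184.216.34 dport=443 app=https
2024-05-01T02:00:03Z host=dc01 sev=warn event=login_fail src=10.0.9.77 user=alice
2024-05-01T02:00:04Z host=dc01 sev=warn event=login_fail src=10.0.9.77 user=alice
2024-05-01T02:00:05Z host=dc01 sev=warn event=login_fail src=10.0.9.77 user=admin
2024-05-01T02:00:09Z host=fs02 sev=info event=file_open src=10.0.4.12 user=bob path=/shares/eng/readme.txt
2024-05-01T02:00:11Z host=fs02 sev=warn event=file_denied src=10.0.4.31 user=carol path=/shares/research/ip.docx
2024-05-01T02:00:15Z host=fw01 sev=info event=conn_allow src=10.0.4.31 dst=198.51.100.7 dport=9001 app=tor
2024-05-01T02:00:20Z host=app03 sev=info event=boot
2024-05-01T02:00:21Z host=dc01 sev=warn event=login_fail src=10.0.7.5 user=dave
this line is malformed and must not crash the filter
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<rest>.+)$")
PAIR_RE = re.compile(r"(\w+)=(\S+)")
# Application tags treated as "flagged" (Tor, web proxy, file sharing per the list above).
FLAGGED_APPS = {"tor", "web_proxy", "file_sharing"}


def parse_line(line):
    """Return the event as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(PAIR_RE.findall(m.group("rest")))
    if "host" not in event or "event" not in event:
        return None
    event["ts"] = m.group("ts")
    return event


def classify(event):
    """Map an event to an alert category, or None for routine informational data."""
    kind = event["event"]
    if kind == "login_fail":
        return "invalid_login"
    if kind == "file_denied":
        return "invalid_file_access"
    # Classify on content, not on the device's severity label: the firewall
    # logs an allowed Tor connection as sev=info.
    if kind.startswith("conn_") and event.get("app") in FLAGGED_APPS:
        return "flagged_application"
    return None


def filter_events(text, login_threshold=3):
    """Return (alerts, stats). Counts are per batch; a deployment would also
    bound the login counter by a time window."""
    alerts, stats, failures = [], Counter(), Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            stats["unparsed"] += 1  # track parse failures so data loss is visible
            continue
        category = classify(event)
        if category == "invalid_login":
            src = event.get("src", "unknown")
            failures[src] += 1
            # Alert once, when a source reaches the threshold, to avoid flooding.
            if failures[src] != login_threshold:
                stats["suppressed"] += 1
                continue
            event["count"] = failures[src]
        elif category is None:
            stats["suppressed"] += 1
            continue
        event["category"] = category
        alerts.append(event)
        stats["forwarded"] += 1
    return alerts, dict(stats)


if __name__ == "__main__":
    alerts, stats = filter_events(SAMPLE_LOG)
    for a in alerts:
        print(a["ts"], a["host"], a["category"], a.get("src", "-"))
    print(stats)
```

The `unparsed` counter matters as much as the alerts: a filter that silently discards lines it cannot read creates a blind spot in the monitoring program.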

Gary Hayslip