CISO DRG Vol 2: Chapter 10 – Finding Talent and Developing Your Team

Introduction

We begin Volume 2 with a discussion about people. As you strive to create a world-class cybersecurity program, you must recognize and address the critical human element. We look at the human element from several different perspectives. We include the technical skills that are required and how to assess them; motivating, inspiring and nurturing the people on your team; and understanding the environmental factors that impact your talent pool and your hiring decisions.

Bill Bonney offers a lot of practical advice on assessing, recruiting, motivating and developing the people on the CISO’s team. But he also recommends an honest assessment of the tasks that can realistically be outsourced to third parties and proposes that you look at how technology, specifically artificial intelligence, can help you be more effective in meeting your goals. Bill includes a bit of a call to arms for our industry to address the shortfall of qualified candidates.

Matt Stamper suggests that CISOs should carefully consider how they define each position. It is essential that requirements and job descriptions are realistic and appeal to the people you are trying to attract. Matt also thoughtfully unpacks several factors, both internal and external to the organization, which impact the composition of the talent pool for any particular hire.

Gary Hayslip takes a data-driven approach to workforce planning that acknowledges the fierce competition for talent in the field of cybersecurity and offers practical advice for motivating the people on your team. He continues using data to define a set of metrics to help the CISO determine if the talent on the team is delivering the outcomes that are needed and to help develop the training necessary to close any gaps.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  How do CISOs develop their hiring priorities to support the organization and their cybersecurity program effectively?

♦  What hard and soft skills does the CISO believe their cybersecurity program requires?

♦  How can I construct a training program that will keep my team’s knowledge, skills, and techniques current?

♦  What metrics can I use to measure the effectiveness of my cybersecurity team’s capabilities to provide security services and reduce risk to the organization?

Talent, Skills and Training – Bonney

I think it’s important to put the topics of recruiting, skills, training, and development in the larger context of talent management and the still larger context of the changing workforce demographics and the technical skills shortage that we face in industry – the so-called “War for Talent.” My point is not to give the reader comfort that this is a problem faced by many companies across most industrial sectors and throughout the entire world economy because that doesn’t absolve us from dealing with the problem, but rather, to draw attention to the true scope of the problem.

In the larger sense, we are dealing with a fundamental transformation of the use of human capital, on par with the industrial revolution. We should keep this in mind when determining how to approach our talent issues. Yes, the short-term tactical advice is always useful. But, planning for the long term can’t be ignored and will take a combination of human resource planning, government policy changes, new capacity and new approaches in our education systems, and new technology. These changes will require us to work differently with partners and suppliers to achieve the outcomes we want. We can’t rely on the old models of allocated headcount with defined duties and desired skills to just “get the work done.”

Talent and the Human Element

Let’s first put the topics for this chapter in the larger context of talent management. Talent management as a discipline traditionally includes four pillars: recruitment, learning, performance, and compensation. This chapter is focused on recruitment and learning which is done for an outcome (performance) at a price (compensation). Keep in mind that the purpose of talent management is to create a high-performing, sustainable organization that meets its strategic and operational goals and objectives. The goal we have for talent development is to:

♦  allow the Information Security team to develop the skills and capabilities to continually adapt to changing business and threat environments, thereby

♦  help the larger organization identify and manage the risks that threaten its information and operations technology, in order to

♦  safeguard the organization’s data (both generated and entrusted), and

♦  protect the people and operations from cyber and cyber-kinetic harm, thus

♦  enabling the organization to compete with less drag and friction.

I think to be successful with how we approach building and developing our team’s capabilities we need to consider the human element. Several different works that share some similarities with each other are helpful here. The first is a book called Drive: The Surprising Truth About What Motivates Us (Pink 2009) by Daniel H. Pink. The second is a study conducted by Tony Schwartz of The Energy Project along with Christine Porath, an associate professor at Georgetown University’s McDonough School of Business. The study is summarized well in an article in the New York Times (Porath 2014). The third is an article in the MIT Sloan Management Review (Gunter K. Stahl 2012) called “Six Principles of Effective Global Talent Management.”

What is common to these works is the assertion that the sense of purpose that each person has for their work is more indicative of their engagement and success than their skills. The argument is that affinity is a more important predictor than efficiency.

That is not to say that skills aren’t important. On the contrary, one has little chance of being successful without possessing the skills required for the job. But it would be worth your time to review these works. Daniel Pink tells us that by providing our teams with opportunities for autonomy, mastery, and purpose, we are providing the key ingredients to motivate our people. Tony Schwartz and Christine Porath tell us that employees are vastly more satisfied and productive when four of their core needs are met:

♦  physical, through opportunities to regularly renew and recharge at work;

♦  emotional, by feeling valued and appreciated for their contributions;

♦  mental, when they can focus in an absorbed way on their most important tasks and define when and where they get their work done;

♦  and spiritual, by doing more of what they do best and enjoy most, and by feeling connected to a higher purpose at work.

Gunter Stahl, et al., found that large successful companies adhere to six key principles rather than traditional management best practices focused on maximizing the four pillars listed above. Those key principles are:

♦  alignment with strategy,

♦  internal consistency,

♦  cultural embeddedness,

♦  management involvement,

♦  a balance of global and local needs, and

♦  employer branding through differentiation.

Therefore, I’d like to suggest that we think of the people we work with, who help us achieve our outcomes, as people, not just talent. We would like to hire the best people with the right skills and mindset, help them become even better at what they do, have them share a common set of goals, and have them engaged and happy to be part of our team for the long haul.

Recruitment

With the human element considered, let’s turn to the issue of recruitment. I referred at the beginning of this chapter to the “War for Talent” and noted that we are dealing with a fundamental transformation regarding how we deploy human capital. These changes affect different industries in unique ways and the various functions within organizations in very different ways. Three factors I think we need to address are the scarcity of qualified workers, third-party service delivery, and augmentation using artificial intelligence.

Scarcity of Qualified Workers

A significant result of the industrial revolution was the migration of populations from rural to urban centers. This migration was aided by several factors. Among these factors were the ability of manufacturers to expand the capacity of their workforce, the resulting increase in productivity and profitability of doing so, the resulting elasticity of wages, and the relatively low barrier to entry (compared to both the guild system that preceded industrialization and the highly technical skillsets that are required in today’s digital workplace). While there were often labor shortages when new factories or industries popped up, the pace of industrial development, the availability of investment capital, and the speed of communications served as natural governing factors.

Still, labor shortages could at times doom businesses or at least temporarily suppress profits. In short, the demand signal was sent, and the response was the arrival of men and women ready to work. Training shifted from years of apprenticeship to mere weeks of classroom or vestibule training, but the key factor was the availability of any person ready and willing to work.

Fast-forward three hundred years, and many of the jobs we need to fill are highly specialized, requiring years of school and what amounts to years of apprenticeship. The demand signal has again been sent, and governments and universities recognize the severe shortages of highly-skilled workers, not just cybersecurity professionals. However, the pace of development in the digital age, the availability of abundant investment capital, and the instantaneous speed of communications serve as accelerators, not governors.

Enough Admiring the Problem. What Are We Going to Do About It?

First, CISOs must recognize that they are always recruiting. Even if there is no unfilled headcount today, the people you meet, the connections you forge, and the network you build will be necessary to create and maintain a pool of talented people for your organization. And while there is a minimum bar for the skills your team will need to be successful, you can only hire for so many of those skills. The cost (in hard cost and opportunity loss) of competing for and hiring fully formed senior security engineers for all positions has already become prohibitive.

Hiring the right team will be a mix of seasoned individuals from outside of the organization along with individuals you nurture. You will use your network, internal and external to your organization, to help you identify and attract both.

You could easily create a laundry list of security domains along with areas of specific process expertise from reviewing the requirements and controls listed in the eight CISSP domains, the 18 security control families from the NIST 800-53 standard, and the 12 PCI-DSS requirements. Add in various processes that have information technology and information security overlap, such as vulnerability management, change management, and mobile device management, along with security-focused activities, services and products such as threat intelligence, forensic analysis, penetration testing, intrusion detection and prevention, and the whole discipline of governance, risk and compliance, and you have a massive set of competencies from which to select job requirements.

It’s tempting to reduce this problem to simple analogies such as building a professional sports team. Drafting from the college ranks to fill skill gaps is like hiring workers early in their careers. Using free-agency can fill more senior positions. The minor leagues provide internships. And a deep bench can stand in for succession planning. These analogies can help explain the situation in simple, familiar terms, but they can also seem repetitious and shallow, and the consequences of failure are very different.

When we trivialize talent development by comparing it with building a sports team, we risk treating all professionals the same as members of sports teams – short-term combinations of skills designed to win a trophy. Failing to win a trophy is disappointing to the team and the host city, but teams can be overhauled in a matter of a few years and a trophy in 5 or 10 years, though not ideal, will still be celebrated.

The skills needed to be successful in the modern white-collar workplace (both hard and soft) are not so readily observed, as they are showcased outside of the arena of public spectacle. Employees are afforded many labor protections that professional athletes do not enjoy. And, the consequence of the team’s performance is greater than the disappointment in the execution of a billionaire’s hobby. And thus, the analogy breaks down.

The few elements of this analogy I do think can add value to our thinking are the youth leagues and skills development programs that exist across all of the major team sports. These programs are available for baseball, football, basketball, hockey, soccer, volleyball, gymnastics and even sports that are more focused on individuals, such as tennis, swimming, ice skating, skiing and golf. In fact, I can’t think of any sports that don’t have youth leagues and skills development programs, and many include community outreach, traveling ambassadors, senior leagues, and representation in K-12 physical education programs.

While not the only cause for this deep infiltration of sport at every level of our society, one major reason for this is President Kennedy’s revitalization of the President’s Council on Physical Fitness and Sports. Physical fitness was seen as a critical need for all Americans to maintain a healthy lifestyle, both for their health and the cost to the nation that would most certainly result from the poor health of the population.

I do not mean to trivialize healthcare or the impact of poor health to our lives, but I do think that building a nation that is “cyber healthy” will be crucial to our citizens’ financial health and our nation’s public safety. I believe that existing programs that invest in STEM (and STEAM) education, hackathons, and other curriculum-based and after-school activities for the K-12 education system are vital to both teach skills and familiarize students and their parents, with cyber hygiene, cyber defense and where the skill and interest surfaces, cyber offense.

Investing for the Long Term

There is widespread recognition that building the skills and competencies needed to improve the overall cybersecurity of critical infrastructure requires national and coordinated attention. NIST’s National Initiative for Cybersecurity Education (NICE) is focused directly on addressing this challenge.  Special Publication 800-181 outlines the initiative.

NICE offers prescriptive detail regarding seven core security functions, and 33 specialty areas of cybersecurity work. It defines 52 cybersecurity roles while providing the requisite knowledge, skills, abilities, and tasks for each role. NICE thereby helps organizations understand the types of skills and competencies that will be required to support a security program comprehensively.

In the graphics below, the seven core security functions are described, and a sample drill-down is provided. Within each core functional area, NICE provides insights and recommendations on necessary training to adequately address the function. NICE therefore provides the foundation for your cybersecurity staffing program.

Both graphics are courtesy of the National Initiative for Cybersecurity Careers and Studies.

Figure 10.1 The NICE Cybersecurity Workforce Framework

Figure 10.2 Detailed Description of Analyst Position

With the NICE skills framework, educational organizations across the nation, including K-12 schools, trade schools, community colleges, technical institutes, and universities can design programs to provide the critical training our workforce needs.

Helping the cyber workforce become productive is another gap that we must fill. The traditional model of graduating four-year degreed individuals from colleges and universities will not, by itself, overcome the worker deficit we face. On-the-job experience, in the form of internships and apprentice programs, is another vital source of learning that is necessary to allow newly trained workers to put their skills to use quickly.

Internships are excellent supplements for the typical four-year program that help the student step out of the classroom and spend critical time in the field at a variety of organizations, seeing real-world events unfold in real time. Apprenticeship programs allow a broader set of experiences that can help trainees use additional avenues to gain the skills they need. These include students who are not following the four-year degree path, workers reentering the workforce, military personnel who are transitioning into the commercial workforce, and unlocking other sources of specialists that are currently under-utilized. A critical insight is that just as the total number of seats in four-year degree programs is not adequate to provide all the cybersecurity workers we will need, and the traditional four-year program is simply not required for many of the entry-level positions that currently go unfilled.

One final recommendation about some of these novel approaches to training the cyber workforce of tomorrow is to look to cyber ranges as an option worth exploring. Cyber ranges can help you train new workers on current methods and help keep your existing workforce up-to-date. Think of cyber ranges as simulators, but under live fire. In order to train our pilot workforce without crashing real planes, we built and deployed flight simulators. Cyber-ranges scenarios are real, but with coaches and highly-skilled experts available as backup.

Hiring Who You Need

Coming back now to your immediate hiring decisions. While it’s difficult to hire individuals with a mastery of the complete list of skills and experience across each of the relevant domains, senior security engineers and security architects should have a fundamental knowledge of all of them. How can you possibly determine whether the more senior people you are hiring have the right level of broad mastery? Some rely on certifications, but I challenge how effective that is. I see a lot of value in certifications; they set an effective minimum bar in many areas, they come with an ongoing requirement for continuing education that in theory keeps people in constant learning mode, and they provide a shorthand for assessing, in aggregate, the skill level of a department.

The latter is the most perilous, though. In any population of certificate holders, just given a normal bell curve of capability, there will be some people who barely met the proficiency requirements. It is not statistically impossible to have a larger than normal collection of people on the left side of the bell. Also, the minimum bar I spoke of is just that, a minimum. It gives a reasonable assurance of familiarity with general concepts, but unfortunately, there is not enough assurance that the familiarity comes along with experiential knowledge.

So, while certifications have their purpose, we can’t solely rely on them for determining the technical fit for new hires. What other tools do we have? A lot of time and energy have gone into interviewing techniques that will both root out the hard skills (have the candidate take a coding test or configure a firewall rule) and soft skills (subject the candidate to team interviews with each team member tasked with assessing certain key soft skills such as communication skills, problem solving, managing up, and team dynamics). There are several systems out there. One of the more popular ones is the “STAR” Technique: situation, task, action, result. It’s so popular that interview candidates also use it to prepare to talk to you.

None of this is ground-breaking, and chances are good your Human Resource department will have a favorite rating system that you can adapt to the hard and soft skills that you want to test for in your screening. But most of the last two paragraphs assumes that you have a pool of reasonable candidates to start from, and your job is to screen for a fit for your team. I do happen to agree that these techniques are valuable. However, I have always found the greater challenge to be finding the reasonable pool of candidates in the first place.

That is why I said that even if there is no unfilled headcount today, the people you meet, the connections you forge, and the network you build will be necessary to create and maintain a pool of talented people for your organization. You want to make sure you always know who you would try to recruit to your organization if you should have a position open. Every interaction you have in your local security community is a recruiting event. Every meeting, every talk, every conference, every happy hour.

I’m going to put the cart before the horse to share a brief thought. The single most important recruiting tool you have is your team. If team members are motivated, work as a team, win more often than they lose, celebrate their wins, pick each other up when they are down, and care about the company they work for, others will want to come work for you too. I know that doesn’t help a lot when you are building a new team, but there is some element of that statement that you can leverage in practically any situation. They will help make your team an attractive place to be before there is a position available.

It is also important to pay attention to social tools such as LinkedIn and Twitter as well as any blogs or security forums you participate in. Make sure your profiles are up to date and that they show a positive image of you and your role. The same should be true for the people on your team. Just as companies use social tools to vet candidates, we all use social tools to vet the companies and teams we want to join. When we see a limited profile, we might believe them to be insular and two-dimensional. That may not always be accurate but underestimate the subconscious signals we pull from social tools at your own peril.

Bill Bonney

CISO DRG Vol 2: Chapter 11 – Cyber Awareness Training: It Takes an Organization

Introduction

Educating your workforce about cybersecurity through an awareness program is a foundational requirement that all cybersecurity standards share. So why don’t we have a very well-educated workforce when it comes to cybersecurity? Perhaps too many organizations, when they recognize the need for a cybersecurity awareness program, treat it like a change management effort; roll it out just in time and then add it to the corporate training curriculum. We know that’s not effective.

Bill begins this chapter by recalling that there have been other large-scale societal changes that have required massive, sustained awareness programs. He outlines the commonalities between these programs and allows the reader to draw inferences that will help put their program into context and set it up for success.

Matt continues the discussion by showing how each member of the executive team must buy in and be part of the solution. Education and awareness are about people, and specifically, the role each of us plays and how that role is personal to every one of us and through us becomes personal for each organization.

Gary then shows us how important it is to measure what we do, and more importantly, to build a habit of learning from each breach and changing the training content so that it evolves as our threat environment evolves. Tying our metrics to our awareness program is a powerful concept and will help any team be more successful by focusing on continual improvement.

The authors would like to pose some important questions to think about as you read this chapter:

♦  What are the “lessons learned” from industry data breaches that can be used to reduce our organization’s risk exposure to these adverse events?

♦  How successful is training our staff in actually preventing breaches versus having the right software and hardware in place?

♦  Does our organization have a culture of cybersecurity awareness and do we have a program to educate our staff?

♦  What is our Incident Response Plan and how do we train staff, stakeholders and partners on how to use this plan?

The Critical Role of Security Awareness with Executive Management – Stamper

Doesn’t Every Executive Value Cyber?

Who doesn’t love the technical side of cybersecurity? With thousands of innovative cyber tools hitting the market each year, it would be easy to lull us all into believing that the security of our organizations is just a toolset or adjusted configuration setting away. Oh, that it was that simple.

Before becoming a CISO, I helped organizations comply with the requirements of the Sarbanes-Oxley Act (SOX). Our company would help management address the state of the organization’s internal controls over financial reporting (ICFR). I was responsible for assessing IT General Controls (ITGCs) in the context of financially material business applications. Our process began with a risk assessment of the organization’s financial statements to determine the materiality of business processes and capture control detail about the applications (think ERP, CRM, and other systems) that supported material business processes. With this context, we’d evaluate and assess the design and operational effectiveness of controls. Our goal was to determine what level of assurance or confidence the organization had that its financial statements were accurate, complete, and valid.

We had two types of customers. The first and rarest were those that were genuinely interested in establishing good governance practices and sound controls over their processes such that ultimately their financial reporting was free from material weaknesses or significant deficiencies. The more common group consisted of those executives that merely asked that we “make them compliant.” It was in this group that the quality of financial reporting was most suspect, and no matter how much we worked to implement, document, and ultimately transfer good governance practices to the organization, we knew that given the lack of “ownership” the governance practices would not stick. The simple reason: there was no accountability or commitment to good governance.

Embarrassingly, we would call executives from this second group “walking material weaknesses.” They put their organization’s standing with financial markets, regulators, and other critical constituencies at risk because they did not value governance. Or, as I’ll discuss below, no one explained the linkages between good governance and financial performance for their organization in a way that resonated with how they saw their role within the organization. It was like we were speaking the wrong language to this second group. It was not that they desired poor governance and ineffective controls. It was, more accurately, that no one showed this group of executives how good governance and internal control could facilitate and underpin their organizational strategy. The failure was on us…we did not communicate in a manner that was effective.

As CISOs, we see similar issues within our organizations. Some organizations take security awareness and security training very seriously and are committed to excellent security practices. Others only pay lip service to security training and education. The consequences for the latter include increased regulatory oversight and brand damage resulting from high-profile breaches. Awareness must start with executive management. It’s imperative that you help your colleagues in the C-suite understand the risks and consequences of security practices that are inadequate or incomplete. How you address this one function may have more bearing on your security program than any selected tool or security configuration. Similar to the challenges with SOX described above, leaders of organizations that do not currently value security the way we would hope may simply lack the context required to change their approach.

It’s About the People

Now back to the opening of this chapter. Cybersecurity, while reliant upon technology, is ultimately about people. Good security practices require engaged and informed stakeholders, be they the board of directors, executives, or frontline employees. One of the most critical components of the CISO role is to help drive this engagement. Behaviors that bypass the best technologies can happen without awareness, an understanding of the acceptable use of organizational assets, and the investment in the training of our teams. One need not look any further than how the best “preventive” technologies deployed are easily circumvented by well-crafted phishing emails that entice employees and executives to expose their organization’s network to bad actors. People count. It is obvious why cyber education and security awareness training are so necessary.

Matt Stamper

CISO DRG Vol 2: Chapter 12 – Monitoring Your Environment

Introduction

Networks are noisy. From heartbeats to probing, from legitimate database extracts to covert data exfiltration, from sensor telemetry to malware infusions, there is an enormous amount of traffic on your network. Without a strategic and diligent approach, It is difficult to know how much of your traffic is appropriate. Long gone are the days when volume alone was the biggest hint that you were under attack.

Bill starts the discussion by reminding us just how much the network and the devices on the network have changed. In the last decade, we have seen not just an explosion in data volume, but a significant change in control as to how the network and the applications and devices on it are acquired, deployed and exploited for business utility. Bill also highlights the need to look at a wide range of activities to successfully monitor the organization’s infrastructure.

Matt reminds us that monitoring involves more than just checking the flashing lights for activity and sniffing packets. His advice for program monitoring shows us the broad range of health indicators that the CISO must be concerned with and how important it is to be integrated with the lines of business to know what matters to the entire organization.

Gary emphasizes the need for continued diligence through scanning, monitoring, and remediation before addressing the critical requirement for having a deep understanding of the health and security of your applications. To end this chapter, he brings the discussion back to one of our favorite topics: metrics.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  As a CISO, what frameworks, security controls, or processes would you recommend to continuously monitor your organization to prevent or mitigate a data breach?

♦  What framework and/or processes should a CISO use to remediate vulnerabilities and search for malware in their organization’s application portfolio?

♦  Your organization experiences numerous unauthorized attempts to breach its enterprise networks. What metrics are important to your enterprise cybersecurity program to enable it to see these attempts?

Monitoring the Enterprise and Your Cybersecurity Program – Hayslip

It’s 2:00 AM and the smartphone on a nightstand is chirping a lonely message for Alice Bentlee (fictitious). Alice is the Vice President, Cybersecurity and Risk Operations Director for a local bio-technical research facility and right now she is trying to brush the sleep from her eyes as she reaches for her phone. In the next fifteen minutes, she will become wide awake as she learns the news. The organization, which is her employer, has had a data breach and has activated the incident response plan. In the days to come as she triages the breach, she will use forensics to understand how it happened and what data was accessed.

The company will leverage its cyber insurance policy to help cover its costs as it initiates an internal investigation into Alice’s cybersecurity program, and as the CISO she will need to answer questions to prove her program was meeting the definition of “reasonable care.” Did she, as the senior security executive for the company, implement a cybersecurity program to the best of her ability that met industry best practices and as an organization met the standards of care for protecting the critical intellectual property data her company had stored within its enterprise networks

As a CISO, it is essential to understand the idea of “reasonable care” and why it is a minimum strategic standard for the business. This concept is based on several core principles:

  1. The organization, or the CISO acting on its behalf, shall be considered to have complied with reasonable security practices and procedures if an industry standard framework was used to implement the procedures (i.e., NIST, ISO, COBIT, and CIS), and there is a current documented information security program. This program should have mature information security policies that contain managerial, technical, operational, and physical security control measures that are at a maturity levelcommensurate with the level of sensitive information being protected by the company.
  2. In the event of legal action or a request from regulators stemming from a data breach, the organization, or the CISO acting on its behalf, may be required to demonstrate that security control measures were implemented, and they are documented in the organization’s information security policies.
  3. The security procedures are certified or audited on a regular basis by an independent auditor. The audit of reasonable security practices and procedures must be current and therefore conducted within the last year.

I am sure by now you are wondering why this is so important. The reason is that, as we’ve previously discussed, cybersecurity is a continuous lifecycle and breaches are part of that lifecycle. To reduce the risk to our organizations, as CISOs we create and implement enterprise cybersecurity programs and deploy policies, procedures, security controls, and standards to reduce risk and protect our assets. However, even with a mature cybersecurity program, we will at times remediate security breaches and then be required to prove that we are meeting reasonable security standards.

Continuous Scanning, Monitoring, and Remediation

We’re now ready for our next discussion topics. One of the primary processes that your cybersecurity program will be responsible for is “continuous monitoring.” In many network/organizational environments, there may be extreme technology change as organizations try innovative solutions to compete in their specific business markets. This dynamic change environment makes providing enterprise risk management and cybersecurity as a service extremely challenging.

To bring balance to my security teams and be effective as a security leader, when operating in chaotic business environments where there is no stable risk baseline, I implement the concept of continuous scanning, monitoring, and remediation to provide an effective security practice for my business and our stakeholders. Understanding the answers to the questions for this chapter will enable you as a CISO to state that you are meeting the requirements of “reasonable care.”

Continuous monitoring provides a critical service to security operations teams through detection, response, and remediation. When such a program is aligned with the organization’s enterprise security program and implemented with appropriate security controls, it enables security organizations to detect security incidents, remediate security gaps, and analyze trends to reduce the company’s risk exposure. I believe it is essential to understand that continuous monitoring is a component of a lifecycle, a cybersecurity lifecycle.

I have written about this lifecycle and its five stages: inventory, assessment, scanning, remediation, and monitoring (Hayslip, Pulse, Articles by Gary Hayslip 2015). This graphic is a depiction of the final stage, continuous monitoring, and will be our guide in the discussions that follow.

Figure 12.1 Continuous Monitoring Mind Map

The first question that we will review will provide some insight into the components that make up continuous monitoring and why I believe it is an essential business process. Numerous strategic frameworks address continuous monitoring. I have implemented the National Institute of Science and Technology (NIST) guidelines, NIST SP800-137 (NIST 2011) at multiple organizations over the last several years. I consider it to be a best practice for a CISO standing up a security program.

I believe it is a critical business process for organizations to understand and maintain their situational awareness and oversee their enterprise risk management portfolio. While I used the NIST guidelines for continuous monitoring, the framework you select should be decided through input from your stakeholders, including legal staff and executive management, and depends on your technical requirements.

With that said, let’s review our first question: “As a CISO, what frameworks, security controls, or processes would you recommend to continuously monitor your organization to prevent or mitigate a data breach?”

To design and implement an effective continuous monitoring program, a CISO will need to take into account answers to the following questions:

♦  Purpose of the monitoring system – From the viewpoint of the organization, what are the overall business reasons to develop a monitoring system? Is it a compliance/regulation requirement? Are there technical requirements? As a CISO you must be able to answer the question of why resources need to be expended to develop this program.

♦  Requirements – Now that you understand why you need to implement it, what are the technical, security, legal, business, and compliancerequirements for the program’s creation, management, report structure, and data views?

♦  What needs to be monitored – This question is critical. It is imperative for the CISO to work with stakeholders and trusted partners to identify what systems, applications, and data to monitor.

♦  How will it be implemented – From a technology perspective, will this monitoring be on-premises, will it be in the cloud, or would it be better to use a hybrid approach? If deploying sensors or agents, determine if the deployment is a one-to-many configuration or a distributed site-to-site configuration. Once you have identified the data to pull, you can create the architecture to move the data to a location for analysis and storage.

♦  Data, data, and more data – You have identified what data you will monitor, and now you need to ask yourself, where will the data be stored? Do I have a data retention policy? Do I have a data governance program that specifies who is allowed to access it and why?

♦  Metrics and reports – Collecting information from the monitoring program should have a purpose. Do you have any metrics? Do you have specific reports based on the analyzed data? What is the story, and to which audience are you providing this data?

♦  911 – You understand your requirements, you have built a continuous monitoring program for the organization, you are collecting information, and now the question is who will use it to protect the organization?

As you can see from these questions, there is an extensive amount of information you need to collect before you begin architecting a monitoring program. I typically start with conducting an inventory of my security suite to identify all of my security assets such as firewalls, IPS sensors, honey pots/nets, endpoint platforms, and vulnerability scanners. I then proceed to document what logs I can collect from these platforms and meet with my peers in our data centers, desktop support, and network services teams to verify what assets they have and what logs I can collect from them. Once I have identified these assets and log types, I research and deploy a security information and event management (SIEM) platform that enables me to build dashboards to analyze the collected information. This allows me to make decisions about reducing risk and focus on how to best use my limited resources.

You will need to review several issues if you plan to use a SIEM platform as one of the core elements of your continuous monitoring program. The SIEM platform will provide your monitoring program with extensive capabilities for reviewing and analyzing collected data for actionable threat mitigation. However, you will need to verify some information before you start analyzing the collected data. Some of the issues I would recommend you check are:

♦  Deployment of Security Suite Assets – Review where you have your security assets deployed in your enterprise network. Assets such as intrusion prevention systems (IPS) or unified threat management (UTM) appliances become primary sources for data logs and it is critical to position them at locations in the network with the best visibility into data flows to ensure you are collecting optimum data. Whether it’s at the network edge, chokepoints between sites, or within enclaves that manage sensitivedata – review your network maps and the position of your security suite’s

♦  Log Filtering – Next, I would recommend that, depending on the data type you collect (for instance, if the data is from security components like firewalls or IPS systems), you incorporate filters or pre-defined rulesets to remove basic informational data so your analysts don’t get overwhelmed. There are configurations for many of your security components that will allow you to filter out informational data and only send alerts for data that meet specific criteria for review by one of your security personnel. The use of these filters and automation for specific analysis will help provide relevant data and meaningful metrics for review. As a result, security staff will be able to spend less time analyzing the data and more time remediating any issues they find.

♦  Log Management – You are collecting logs and sending them to a central repository for your SIEMto review, however, what events are you collecting? Some events that I have collected in the past (and by no means is this a complete list) are:

◊  Asset boot/shutdown

◊  System process initiation/termination

◊  Invalid Login attempts

◊  File Access/File Close

◊  Invalid File Access attempts

◊  Network activity

♦  Ports/Protocols

♦  Flagged application activity (Tor, Web Proxy, File Sharing)

◊  Resource Utilization information

♦  Log Retention/Access – It is critical that you understand your log retention requirements. If you must keep logs for several years due to federal regulations or industry compliance, you will need to factor storage and encryption of the data at rest as part of your program for managing this data. Another critical question you will need to address is who needs access to these logs, why do they need access, and what rights do they need to this data? You will need to incorporate an access control mechanism for this information, so you can demonstrate you’re a good steward of the data entrusted to your program. I have found that discussing this issue with my stakeholders will help identify who needs access and the business requirements for the information, so collaborate when setting your access control mechanisms. 

Gary Hayslip

CISO DRG Vol 2: Chapter 13 – Threat Intelligence

Introduction

In the first three chapters of Volume 2 we have been focused internally. In Chapter 13, we turn our focus to outside your organization. Threat intelligence, like situational awareness, is the discipline of becoming conscious of the environment in which you are operating with the intent of decreasing the potential impact of harms that are presented to you or your community. You’ll need to use a combination of data about the relevant threat actors and the vulnerabilities of your high-value assets along with your judgment about the combinations that pose the greatest risk to your organization.

Bill starts the discussion where we have traditionally associated protection from risk, with the law enforcement community. Every organization operates in the context of local, state and federal jurisdictions, some grounded in the physical world and many increasingly incorporating the digital realm. From there, Bill expands the scope to include the entire human network that all three authors have repeatedly highlighted.

Matt asks us to look inward again to establish the context in which threat intelligence is most effective. He guides us on an exploration of six keys to threat intelligence that teach us how to use that context to make better decisions about which threats are most real to us and build a program around that knowledge.

Gary gives a thorough analysis of the sources for threat intelligence and leaves us with an understanding of how these sources are structured, characterized, and effectively utilized. He concludes with an extensive review of Open Source Threat Intelligence and how you should incorporate that into your threat intelligence program.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  What is threat intelligence, and what types of external threat intelligence sources should the CISO use to augment their cybersecurity suite?

♦  What are the business scenarios for incorporating threat intelligence services into an enterprise cybersecurity program?

♦  Which Open Source Threat Intelligence (OSINT) resources should a CISO consider for enhancing their threat vulnerability management program?

Situational Awareness – Bonney

What Is Threat Intelligence?

Before answering the questions that we have posed for threat intelligence, I’d like to define what threat intelligence is, or what it means to me. Some threat intelligence products and services might include phrases like “organized, analyzed and refined information” and reference “potential and current attacks” somehow targeted, generally or specifically, “at your organization or industry.” That’s certainly one aspect of a good threat intelligence program. That kind of information is consumed at a knowledge level, in other words, informing the people on your team about the current threats that they should focus on, how to recognize them, how to prepare for them, and how to defend against them.

Threat intelligence information can also refer to specific vulnerabilities and the techniques that might be used to exploit those weaknesses in a way that your people and your defensive systems can immediately use to prevent or mitigate specific threats. Threat intelligence can also refer to specifics about the adversaries (who is posing a threat) and the victims (who is the target). Good threat intelligence should be actionable; you need to know what the adversaries want to do, to what, and you need to know if that applies to your organization.

We have to assume that you know what assets you have that are susceptible to any threat. Much of what I’ve listed above is available through commercial and cooperative services. Depending on the scope and capabilities of your organization, you might consume one or more commercially available sources of threat intelligence.

There is a tendency to believe that once something like threat intelligence is packaged commercially, that “buying” your threat intelligence is the most comprehensive and practical approach. Let the experts collect the data from their millions of sensors and their honeypots, and let their analysts review that intelligence and monitor the dark web for you and tell you where you should focus your attention. It’s true that very few companies have the means to run a comprehensive threat intelligence program on their own, and even those that do still consume commercial feeds to support their efforts. But there is another aspect to threat intelligence that does involve work that you do on behalf of your organization. You now have an excellent opportunity to work with your human network, especially your external network of peers, subject matter experts, law enforcement, vendors, and partners.

With this context for threat intelligence, I want to ask an additional set of tactical questions:

  1. What is our current working relationship with law enforcement?
  2. What are our sources of international cyber threat intelligence?
  3. What organizations are we sharing our cyber threat knowledge with, and what are we learning from them?
  4. What is our working (information sharing) relationship with the most high-profile firms who have had breaches? Do we have information coming to us from them? What have we learned?
  5. Do we track social mediasites and blogs referencing us for clues about our vulnerabilities?
  6. When we hear of a breach in another organization, what do we do? When does that process start, and what is the routine reporting in the organization? What are the criteria that determine who to notify and when to notify the board of directors?
  7. As we look at the data for intrusions, penetrations, or attempts to gain unauthorized access, what has been the primary category of threat actorswho seem to have made these efforts? How has that information influenced our defensive efforts?

Threat Intelligence Is More Than a Service

Let’s look at what these questions are getting at and how we, as CISOs, might go about responding. Starting with number 1, our relationship with law enforcement. We’ve all heard that law enforcement wants to have a relationship with us. They would like organizations to tell them when suspicious events occur and identify potential bad actors for them. Then, they will share information with industry about threats they become aware of through various means. Each party would be able to use this information without additional jeopardy.

Just a few years ago, this statement met with a fair amount of skepticism. However, through organizations such as InfraGard, which is an FBI public-private partnership program, and concerted efforts by law enforcement and various supportive industry groups, cooperation and trust has been building. While it still varies by region and community, there has been significant progress.

If your organization has a relationship with local law enforcement through its physical security organization, partnering with that group and leveraging that connection is a great place to start. Usually, this involves at least local law enforcement, such as city police departments, county sheriff’s departments, and state troopers across the United States. If your organization does not currently maintain any federal relationships, you should consider connecting with the FBI (through regional associations such as InfraGard) and the Department of Homeland Security (DHS).

The DHS was created in the aftermath of the events of September 11, 2001, to manage and coordinate the activities between several existing agencies. The combined organization addresses land and marine borders and immigration, with the U.S. Customs and Border Protection (CBP), the U.S. Immigration and Customs Enforcement (ICE), and the U.S. Coast Guard (USCG). It also addresses accidents and several types of threats, with the Federal Emergency Management Agency (FEMA), the Transportation Security Administration (TSA), the U.S. Secret Service (USSS), and the Office of Intelligence and Analysis (OIA).

In addition to the FBI’s InfraGard program, there are many cooperatives and public-private partnerships. Among them are the ISACs (Information Sharing and Analysis Centers), which exist for all of the elements of the U.S. critical infrastructure. The graphic below (courtesy of the National Fusion Center Association – NFCA) depicts the 16 components of the U.S. critical infrastructure. The U. S. DHS declared a 17th component, the U. S. Electoral System, a part of the nation’s critical infrastructure in January 2017.

Figure 13.1 The 16 Original Industries in the U.S. Critical Infrastructure

In addition to the NFCA, the ISACs, and your local law enforcement, there are the 76 regional “Law Enforcement Coordination Centers” (LECC). Reach out and connect with these groups and then leverage these groups to find local industry associations if you are new to the region or just don’t know who to ask.

Regarding question 2, not every organization will need sources of international threat intelligence, but if your team has a global footprint, there are significant considerations. First, some cyber-criminal gangs are very regional, and intelligence is limited outside their region. Second, if you do not have a substantial presence in international markets, your international field offices might be especially vulnerable to local cyber-criminal activity if you aren’t able to keep the cyber education level high among your global workforce. To address this, ensure that any vendors you use for threat intelligence have sufficient coverage in the markets where you are present.

Bill Bonney

CISO DRG Vol 2: Chapter 14 – Continuity Planning and Your Approach to Backups

Introduction

In the next four chapters, we’re going to do a deep dive into the entire process of preparing for, responding to, recovering from, and learning from cyber incidents. A passage Bill writes in Chapter 17 is worth previewing here: While it’s helpful to break the entire incident response discipline into a series of discrete phases so that each can be described individually to assist with training and the command and control of response activities, it is rarely clear-cut when one process ends, and the next begins. There is often significant overlap, and as new information emerges, it is usually necessary to revisit a phase previously thought completed. For instance, while in recovery, monitoring activity may detect the presence of indicators of compromise identified for the current cyber incident and that may send you all the way back to the containment phase.

At times, the material we present over the 12 essays that make up these next four chapters, that overlap will become apparent not just within the activities of responding to the specific event, but over the entire set of disciplines we cover.

In Chapter 14 we look at the close relationship between business continuity planning and your strategy for becoming a cyber-resilient organization. Each of the three authors ties these two critical business processes together and emphasizes the importance of understanding what is fundamental to the business.

Bill discusses backup and recovery planning. He challenges the reader to factor into their backup planning the traditional elements of business continuity planning while considering vital new dimensions. These new dimensions include accommodating new service delivery models such as cloud computing and new attack methods such as ransomware in our models.

Matt emphasizes the importance of executive and board-level engagement. From understanding the organization’s core priorities and tying those to the appetite for risk to making sure the board understands how the BCP / DR strategy seeks to manage and mitigate that risk, Matt shows how ultimately it is about business strategy. A key way that the CISO drives this engagement is by making sure that the security program and security architecture should be reflective of organizational priorities as captured in BCP tools such as the BIA. Ensuring that the organization is a going concern is the ultimate responsibility of the board.

Gary reminds us of the impact that cyber incidents can have, including outcomes like disruptions to business continuity and reputation damage. Significant events can translate to disappointed customers, lost jobs, and hard monetary costs that can leave an organization reeling. He then helps the reader construct a plan by building on many of the lessons from previous chapters and showing how the pieces fit together.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  What is a Business Continuity Plan (BCP) and what are the steps to create one?

♦  What critical components should a Disaster Recovery Plan (DRP) include to be effective?

♦  What value does the CISO’s security program receive from the organization’s Business Continuity Plan and its associated Disaster Recovery Plan?

Cybersecurity’s Debt to the Business Continuity Community – Stamper

Let’s face it – cybersecurity is exciting. Our profession is in the crosshairs of the media, with reports related to high-profile attacks frequently covered on the nightly news. We even have popular TV shows. For new entrants to our profession, this focus on cybersecurity may seem to be the norm. For those of us who have been in the industry more years than we’d like to admit, we recognize that the current focus on cybersecurity is a relatively new phenomenon. It may come as a shock to some that there was a time when cybersecurity (and before that, information security) was the forgotten stepchild of IT, overlooked from a resource and budget perspective. Security was the department – let’s be honest about this, the individual – that would get the table scraps from the IT budget once leadership addressed all other “priorities.”

I bring up this historical perspective to acknowledge our profession’s debt of gratitude to our colleagues in the business continuity and disaster recovery (BC/DR) community. Historically, our two disciplines shared similar common neglect. Like security, everyone knows and recognizes that business continuity and disaster recovery are important elements to an organization’s overall resilience.

Despite this recognition of the importance of BC/DR, most organizations only pay lip service to this critical discipline with incomplete and untested BC/DR plans. Furthermore, our colleagues in BC/DR frequently have their budgets and projects undermined by higher priority efforts within the organization. The result is that organizations are less resilient and subject to significant interruptions to their operations. Kind of sounds like the risk factors associated with inadequate and poorly-resourced security programs.

While the current focus on cybersecurity is beneficial, we should not overlook the contributions from our colleagues in BC/DR, especially in the context of resiliency. Our respective professions both focus on resiliency. Resiliency is at the heart of cybersecurity. No organization is immune from being attacked. In fact, our organizations are subject to ongoing and in many cases highly persistent attacks. Our jobs are to ensure that our organizations remain resilient when confronted with risks, be they cyber or natural disasters.

We can learn and have learned much from our colleagues in BC/DR. First and foremost, let’s not overlook one of the great tools that our BC/DR friends leverage to evaluate their continuity programs – the business impact analysis (BIA). BIAs are powerful tools that should be leveraged to improve our security programs. They convey detail related to organizational priorities, expressed in terms such as maximum allowable downtime (MAD), recovery-point objective (RPO), and recovery-time objective (RTO). Further, well-crafted BIAs highlight key dependencies on applications, staff, infrastructure, and vendors.

Collectively, the detail resulting from the review of a BIA provides essential context related to the organization’s risk landscape. We don’t have cybersecurity for cybersecurity’s sake. Cybersecurity must be focused on the business and not just cool and innovative technology. Ultimately, a business consists of distinct processes and protecting these processes from cyber risk is our raison d’être.

The BC/DR community has also done an excellent job of looking at mitigating strategies to improve organizational resilience. Strategies related to fault tolerance of components, fail-over, and high-availability architectures including active/active and active/passive configurations have their roots in approaches designed to improve RPO and RTO. In the aggregate, our BC/DR colleagues have produced a body of work that can inform how we look at our cyber programs with the ultimate goal of improving the operational resiliency of organizations.

Let’s take a look at how cybersecurity can improve resiliency. I’d like to recommend we spend a bit of time on the following:

♦  Defining, documenting, and mitigating risk

♦  Tying risk to the organization’s core priorities and organizational objectives

♦  Keeping executive management and the board of directors appropriately informed

 These three practices will help us to position our cybersecurity program in a manner that improves the resilience of the organization.

Defining, Documenting, and Mitigating Risk

CISOs would be well served to bring risk management front and center in their security programs. We cannot protect every system equally. Not all business processes, applications, and infrastructure are created equal. Similarly, not all employees have the same value to the organization. This inequality may seem obvious, but our security programs frequently don’t reflect this reality. Too many security programs attempt to apply ubiquitous security to all systems, infrastructure, and employees.

The consequences of a blanket, cover-all approach to security are challenging. Unless the organization benefits from an ever-expanding budget and nearly unlimited resources, the reality of a protect-everything-equally security program is watered down security. Critical systems are under-resourced and under-secured while we effectively overprotect non-critical systems. The root cause of this disconnect is fundamentally a lack of alignment with organizational priorities. A discussion that is risk-focused is the most effective means to avoid this dynamic.

Key to a successful risk discussion is for the CISO to capture and understand the organization’s overall risk appetite concerning the impacts on the confidentiality, integrity, availability, privacy, and even the safety of material business processes. These impacts, however, need to be more formally aligned with enterprise risk management and specific risk considerations for the organization related to financial, reputational, operational, and other higher-level risk considerations.

When done correctly, a risk-focused discussion translates detailed technical risk into business terms which senior executives and the board can more readily consume and act upon. Executive management and the board are concerned about the impacts of an adversary on the organization, its reputation, and its finances, even if they are not well-versed on the tactics, techniques, and procedures (TTPs).

CISOs should continually ask themselves: “What is it that I don’t know that I should know about this business process or initiative that could impact the confidentiality, integrity, availability, privacy, and safety of the process?” This open-ended question keeps the focus on considerations that could materially impact the organization. Returning to our colleagues in BC/DR, the BIA can facilitate this line of questioning. What dependencies and risk factors – notably from a cyber perspective – could negatively influence those processes that are most critical to the organization? Knowing these factors will help align your security program and architecture to those processes that the organization values most – as noted in the MAD and RPO/RTO.

Another, more direct but less structured approach to understand risk appetite across the organization is to simply ask colleagues in various departments and lines of business to clarify their areas’ priorities and key functions (e.g., business processes). This insight will facilitate the alignment of your security program to the organization’s core focus, effectively, what the organization values most. For the good of their security programs, CISOs must excel at understanding this business context.

Matt Stamper

CISO DRG Vol 2: Chapter 15 – Incident Response and Communication

Introduction

Incident response is the most visible function for a typical CISO. For good or for ill, it is the primary way CISOs are judged. Beyond the immediate impact of demonstrating the organization’s resilience to customers, management and employees, how an organization deals with incident response says a lot about its culture. Does the organization recognize the challenges and opportunities of doing business in the twenty-first century? Does management invest in and support the security hygiene and preparation it takes to protect long-term value delivery while competing in a digital world?

Bill starts by focusing the reader on the training and preparation that must be done, specifically triage training for the security team and situational training for the whole organization. Quickly recognizing and responding to incidents can be the difference between a minor disruption and a major breach. Communicating effectively during an incident is also critical to maintaining the confidence of the organization’s many stakeholders, and preparation is key to success here as well.

Matt reminds us of the ongoing yet still emerging convergence of information technology (IT) and operational technology (OT). The ability of errors in code or network misconfigurations to contribute to the physical harm done to a person or group adds a new dynamic to data protection. In addition to increased technical complexity, this now forces a level of due care that is new to many industries. Just as interactions between the physical and digital world are exploding in scope, so too are people becoming more aware of the peril of being an open book to merchants and criminals and demanding greater say over and greater protection for the use of their online identities.

Gary shows how organizations can demonstrate value in their incident response program by first understanding that the business must be the focus. Once the organization realizes that incident response is about staying in business, not playing spy-catcher and whack-a-hacker, investing in incident response becomes investing in the organization, its customers, and its people. He then walks us through building the incident response program and measuring its success.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  What is the business value of an Incident Response Program (IRP)?

♦  What are the processes to create an IRP?

♦  What are some methods to measures the effectiveness of an organization’s IRP and why is it important to the CISO?

Incident Response – a CISO’s Best Friend – Hayslip

I want to set the stage for us. In the early morning hours, as the CISO for a global software company, you are awakened from a deep sleep by the chirping of an emergency number on your smartphone. As you proceed to talk in hushed whispers, you are informed by your managed security services provider (MSSP) that their SOC analysts are reporting an anomalous incident in your organization’s primary datacenter.

The MSSP used the incident response communications tree and contacted the company network team and security liaison staff, who are now reporting they see suspicious network traffic and upon investigation have found evidence of a malware outbreak in several production servers. As you wake up and shift into troubleshooting mode, you receive more troubling information. This issue doesn’t affect just a couple of servers but has manifested itself as ransomware on critical production databases. With this information, as the CISO, it’s time to transition into your role as the Incident Response Team Manager and begin the activation of the company’s Security Incident Response Plan.

Cybersecurity leaders today know their roles have matured and they must align their departments and security programs to the business and support its strategic goals to be successful. However, one area many organizations and CISOs still need assistance with is incident response. In 2016, SANS surveyed 591 security professionals about the state of incident response in their organizations (Bromiley 2016). There was some good news – 76% of those security professionals had dedicated internal IR teams, an increase from the SANS 2015 survey.

However, there is still much work to be done. Approximately 21% said that their time to detect malware in their networks, or “dwell time,” was two to seven days, while 40% indicated that they could detect an incident in less than one day. Some other bleak statistics: malware remains the underlying cause of most reported breaches, at 69%, with unauthorized access seen as a rising menace due to attackers taking advantage of weak, outdated remote access and authentication mechanisms. This report noted that 65% of the security professionals surveyed were still dealing with a shortage of skilled personnel, and only 58% of organizations admit to regularly reviewing and updating their IR processes.

The report demonstrates that incident response, as a program, is in a state of change in organizations today and when there is a security incident, many lack the ability to lead a coordinated response to the event. I am sure there are reasons why organizations do not have formal incident response policies or documented incident response methodologies. Some companies focus on purchasing technology in the belief that when an event occurs, the purchased hardware and software will save the day. Unfortunately, they are missing a critical point – incident response isn’t about technology, it is really about business.

It’s About the Business

At its core, incident response is about an organization’s strategy and business processes, it is tactical and will incorporate stakeholders from many departments within the company as well as external partners. Incident response is an action plan for dealing with incidents like internal and external intrusions, cybercrime, disclosure of sensitive information, or denial-of-service attacks. In typical organizations, the CISO is tasked with developing the Incident Response Plan and managing the Incident Response Team. This is why the questions we will discuss focus on the business value of your incident response, the processes to follow for an effective program, and how the CISO can measure the effectiveness of their IR program.

Cybercriminals are successfully targeting and compromising businesses of every size across all industry sectors. This ongoing digital onslaught demonstrates the need for organizations to be prepared to respond to the inevitable data breach. They should guide their response with a methodical plan designed to manage a cybersecurity incident with the goals of limiting impact to business operations, increasing the confidence of external stakeholders, and reducing recovery time and incident remediation costs. These goals mean that organizations need to require their CISOs to create an incident response program tailored to the company’s strategic operations.

However, many organizations lose sight of their incident response program’s strategic value. Instead, incident response documentation describing how to act in the event of a breach is forgotten and soon out of date. The documentation quickly becomes ineffective for key decision makers; too generic, and unhelpful for making critical, informed decisions. I therefore chose the first question for our discussion to be about the business value of an incident response program. As CISO, there will be times when you will need to defend the resources needed for the incident response program, and you will need to be able to describe several business cases that demonstrate the value it brings to the company and its operations.

This leads us to our first question: “What is the business value of an Incident Response Program (IRP)?”

Cybersecurity incidents are on the rise and now frequently headline news around the world. Many of the recent attacks have brought severe damage to organizations of all types, including governments and international nonprofits. An organization with a mature incident response program would have a methodical course of action for responding to these attacks in a fast, effective, and comprehensive manner. However, many organizations do not see incident response as a mature process. Instead, they see it as a collection of disjointed practices and procedures, thus they prefer to contract it out to third parties.

How Incident Response Adds Value

To address this, I will discuss some of the issues companies see when looking at incident response and describe several cases that highlight how incident response can provide value to an organization. As we begin, some of the contention around investing in an internal incident response program is as follows:

♦  There are too many common definitions of what constitutes a cybersecurity incident. With this wide variety of interpretations resulting in organizations adopting different views on how to manage them. Many organizations consider it difficult to address this effectively and understand the level of incident response capability they require.

◊  Response – That is true for many companies when they first start the process of addressing incident response and allocating resources for their CISO to build an IRP. However, there are amazing references from both NIST SP 800-61r2 (NIST 2012) and ISO/IEC 27035 (ISO 2016) to begin this process, so it is not unattainable.

♦  There are different sources and types of cybersecurity incidents. Some appear to originate from minor criminal groups and produce annoying disruptions, others from major organized crime syndicates that result in business-ending events. Plus, there are so many types of cyber incidents, such as hacking, malware, or social engineering. All of this generates confusion, and organizations just want something that is manageable. Given all this, why not outsourceit to a partner who specializes in incident response?

◊  Response – There are always some incident response services that can be outsourcedto a third party. With that said, the business still has accountability for how it manages its assets during a breach and must be able to answer the questions of “reasonable care.” For example, did the organization implement reasonable security controls and follow industry best practices to reduce risk exposure as much as possible? If a company doesn’t have an incident response program, they are likely not meeting a “reasonable care” standard.

Even if a contracted third party does the primary work for the incident response program, the business still have an incident response plan. The plan will cover communication with its partners, what resources to activate for an incident, who has overall responsibility to manage the incident, and how and when to report its findings to executive leadership. In a sea of misinformation on how to deal with an incident, an incident response program provides the business clarity to reduce the incident’s impact and return business operations to normal.

♦  Many organizations do not understand their state of readiness; they lack insight into how they would respond to a cybersecurity incident. In fact, many organizations are typically not well prepared in terms of having any personnel assigned to an incident response team or providing training to grow sufficient technical skills for team members. Even if they have an incident response program, they lack clear policies that provide guidelines on how to identify a cybersecurity incident, investigate the incident, take appropriate remediation action based on the incident, and recover critical business systems.

Many organizations also don’t fully understand the location or use of their critical business data. They lack a complete picture of how their enterprise network topology is architected, and they don’t know all of their egress/ingress points to the Internet. Finally, many of them lack information on the incidents themselves. Having no incident response program or an immature one at best, they respond to an incident after it impacts the organization and rarely collect internal threat intelligence on when, where, and how the incident occurred.

◊  Response – An incident response plan, policies, and program provide a framework that enables quick decisions and provides a communication process to access critical third partieswhen needed. The IRP would have procedures to help team members know what they need to do, how to do it, and when to do it during a time-critical cybersecurity incident. The IRP process, led by the CISO, will also provide organizations with an understanding of the lifecycle of their data and how their networks are architected, and help in determining what event logs are considered appropriate for collecting and storage.

During the remediation process, the collection of event logs will enable team members to understand when, where, and how the incident occurred. Finally, the IRP helps the organization define their business priorities; it provides understanding about its interdependencies between processes, support systems, and partners, such as cloud providers or MSPs.

♦  Many organizations opt to purchase the services of properly qualifiedthird-party  Yes, this option can significantly help organizations. It can provide qualified personnel with the experience to handle cyber incidents more effectively and appropriately. However, the company must interface and work with these competent individuals because they need context into the organization’s networks, its data, applications, and business practices to be effective. Even having the full IRP process contracted out, organizations will still have to participate in a cybersecurity-related incident. There is no sitting on the sidelines.

◊  ResponseOutsourcingto a managed security services provider (MSSP) to access more experienced, dedicated technical staff to respond to sophisticated cybersecurity incidents is prudent. If the organization lacks the resources to employ an internal IRP fully, then I would suggest a hybrid approach to augment those internal staff who will execute and manage the organization’s response to an incident. A hybrid approach is one in which the company has an incident response program, created and managed by the CISO, with members from across the organization and trusted external partners. The program specifies in detail the business’ response to particular types of incidents and documents when MSSP staff are required to assist in conducting technical investigations or performing post-incident analysis.

Typical business continuity/disaster recovery plans inadequately cover the impact cybersecurity incidents can have on organizations. These incidents can affect the ability to operate strategic business units and can lead to loss of reputation in a competitive industry and financial losses due to fleeing customers or third-party lawsuits. These are just some of the effects that a business can experience due to a cybersecurity incident if they have no IRP and are not prepared to defend themselves.

However, if an organization funds an incident response program they now have a platform to focus on upcoming security issues, facilitate the centralized reporting of incidents, and coordinate a response to those incidents. In fact, an IRP managed by the CISO can provide a platform to educate staff on security awareness, promote good cyber hygiene, and provide contacts to legal and criminal investigative units both internal and external to the business. I believe that all of these positive outcomes make the case that a mature IRP process provides value to any organization. Incident response is not about technology; it is about business and how the company responds using people, processes, technology, and data to defend that business.

Building Your Incident Response Program

As organizations begin to build their incident response capability, they will want to identify the best strategy for putting an incident response program in place. They will not only want to know what has worked well for others within their industry, but also want some guidance on the process itself and requirements they should follow to establish an effective incident response capability. With that, let us move on to our next discussion: “What are the processes to create an IRP?”

The primary objective of incident response should be to guide the incident response team members in a methodical process to respond to and remediate an incident. Focus this process on managing the cyber event in a methodical manner to reduce its impact on the company, reduce the recovery time for full operations, and minimize the costs to triage the incident. There are numerous questions that the CISO and the company will need to answer as they start the process of establishing an Incident Response Program (IRP).

Gary Hayslip