CEOs and CIOs need to start accepting “red” security dashboards. Two CISOs explain why...
No plan survives contact.
Security specialists commonly now argue that cybercriminals’ endless capacity to innovate means it’s inevitable a given organisation will find its defences breached at some point: CISOs should plan accordingly, they say, “assuming compromise” and stress-testing their responses.
What’s less common is for those same specialists to admit that those plans are rarely going to play out as you’d expect and that “everyone has a plan until they get punched in the face” as Mike Tyson memorably said.
Surviving contact: More than a metaphor
James Blake, VP of global cyber resiliency strategy at the data security firm Cohesity, and Chameleon Cyber Consultants CISO Mo Ahddoud have been through the wars together; arguably more than metaphorically.
Both began their careers in the UK armed forces, meaning they both know the importance of preparation and planning. But it also means they recognise that no plan survives intact once you see enemy contact.
The problem is businesses rarely grasp this unsettling fact. This is despite the increasingly diverse and chaotic landscape they are operating in.
That includes an explosion in data and criminals’ increased focus on it.
There’s also the widening range of threats to the data centre, both cyber, and physical, such as extreme weather. And CISOs and other leaders are being hit with ever more legislation and regulation, such as NIS2 and DORA in Europe. This regulatory wave can help bolster security – if executives realise compliance is about more than just box ticking.
Industry thinking, they told The Stack, needs to change.
“I think we've over focused the CISOs on prevention and detection,” Blake (himself an experienced former CISO) says. What’s missing is an understanding of how modern attacks can prevent a business not just accessing its data, but of operating as a business at all.
Blake cites the example of one private bank he consulted with. It had spent a lot of money with a large consultancy firm to produce a detailed crisis management programme. It was clear, he said, that the plan would not work: "They made an assumption about the availability of a piece of technology to be able to even start their response" he tells The Stack.
This showed the bank – and its very expensive consultants – had simply not grasped the nature of today’s destructive attacks.
See also: The Big Interview with JPMorgan's Global CISO
“They don't just target our data,” Blake explains.
“They target the things that get us in the building, the thing that allows us to phone law enforcement, our insurance, our retained incident responce capability and our ability to recover.”
How can you get in and out of the Security Operation Centre, when the access system has been fried?
This illustrates how resilience to cyberattacks overlaps with disaster recovery and business continuity. But as Blake points out: “One of the major problems is the place that people go to within the business to deal with disaster recovery and business continuity isn't the CISO, it’s IT.”
While IT might think they can get a business back up in three or four days following a disruption, they might not have factored in security elements to ensure they’re not also bringing the attacker back into play again.
This means tech and business leaders must reimagine the threats they face and how they might respond – and also often fundamentally reimagine the relationships between IT, security and senior leadership.
See also: Flooded airports, DORA, and security siloes: Mark Molyneux on rethinking cyber-resilience
This requires two forms of holistic thinking, says Blake.
“One is IT and security working together to do that investigation, and then the recovery and mitigation.”
At the same time, leadership – particularly the most senior leaders – need to change the way they look at the world.
Ahddoud describes how senior leadership at clients often “want to manage a view of their business via dashboards”.
This can result in an unhealthy fixation with making sure everything looks green. But if we’re taking a realistic view of security posture, there’s bound to be some red in there too. That could be because we know there are patches to be applied, or because we recognize there may be vulnerabilities in the system that are yet to be uncovered, or that we just don’t know where attackers are going to strike next.
“What we ideally want is people to be able to comfortably live in red dashboards,” Ahddoud says, potentially counterintuitively.
Explaining it further, he says simply: “There are things we don't know, there are things that are vulnerable. Every incident that ever happens, comes through a path that we had not anticipated.”
Tabletop exercises? Swap out the roles
Ultimately, he says, because the resilience conversation is a business one, not a purely technical one, “all of the right stakeholders need to be in the room to be able to have these conversations.”
This might be stressful, but not as stressful as living through an actual cyber-attack.
Both Blake and Ahddoud are big fans of running tabletop exercises to help companies plan for the worst.
This often involves swapping the roles of key staffers so they can understand their colleagues’ responsibilities, and the pressures they face.
Some of these might be purely technical, of course. But other factors include whether it makes sense to pay a ransom, and if so, how will they obtain cryptocurrency, or whether they have considered that the entity they’re paying is sanctioned. CEOs in certain jurisdictions could face a lengthy prison sentence if they make the wrong call on this.
Blake says that in some cases they have equipped execs with Apple watches during such exercises. “Their heart rates were through the roof.”
That makes it clear the middle of a cyberattack is a bad time to be making strategic decisions. “You want to be making those decisions in advance.”
Ahddoud adds, participants should recognise that even if they’ve rehearsed and worked through their plans, real life will be different.
It’s that military training thing again, he says.
“We always at the back of our minds are reminded that none of this will work to plan when you actually have to use it in real life. So, you have to be flexible. You have to be prepared for what you don't know.”
And that mindset is what it really means to be resilient.
Delivered in partnership with Cohesity.