Cyber security has a heavy technical element associated with it, as attackers are constantly looking to take advantage of application and operating system vulnerabilities to execute their payloads.
Because of this there is a temptation, when faced with board-level responsibility for information security, to focus on these complex technical elements that underpin the attacks. Indeed many vendors will spend large amounts of time educating CIOs on technical concepts such as "log normalisation", "dynamic analysis" and even "the kill-chain".
Sadly, all too often CIOs fall for their shtick, and start trying to learn and understand as much about the technology as they are being invited to comprehend. At best this results in a technically savvy board member who understands all the jargon used by tech-sec vendors, but is distracted by too many things that are not necessarily important. At worst it results in a CIO who does not focus on what really matters to the business, and devises and executes an irrelevant technology-led defence strategy.
My advice to all CIOs is to focus on the technology only as far as required. Of course a background in the subject is very helpful when dealing with security analysts and incident responders. But the CIO's first questions should be to the board and senior management. Which information assets are valuable to the organisation? Is technology a fundamental part of the business that enables the company to communicate with suppliers and customers? How important is the company's reputation and does it need to be protected?
Assuming that the appointment of a CIO was not a bizarre whim of the board, and that the board did recognise that there could be a problem if there were a public incident, or if competitors accessed the company's information, then it is between you and your board to determine the risk appetite and the impact of different compromise scenarios.
But I will tell you now: unless you have the authority to turn off all computers and never power them up again, technology will always be an attack vector that can be used against your organisation.
Focussing the incident response on what the business needs (as opposed to the fun that is forensic analysis) can be quite tricky. I find it helps to focus everyone's attention by asking four questions:
1. How did the attacker get in, or how did the malware infection or breach occur?
2. What did they do?
3. How do we get back to business as usual?
4. How do we make sure this never happens again?
These questions all need answers; none more so than the second question: "What did they do?" Too often I meet CIOs who tell me that they never ask this question, and yet I cannot understand how the business can make an intelligent response to any security incident without knowing the answer. When I ask the question, I need to know exact details.
The files that were accessed by the attackers matter because if it is only the canteen menu then I don't need to worry. If it is the R&D results of a highly sensitive system that has been years in the design then there is a real problem that the board needs to know about.
The analogy I sometimes make is a house burglary. You need to know how the burglar got in, to try and make sure it does not happen again. You need to know what was taken to know what you have to replace (or cope without). And you need to know how to get the house back to how it was so that you can go back to how things were before the break-in. You wouldn’t leave the house with a broken window that allows others to get in.
The questions are important because they all tie up to a business impact. And if you're a CIO who doesn't know what the business impact of a security incident is, then there is a real problem, because it's your job to be able to answer this question.
Andrew Nanson, CTO Cyber at CORVID, was previously Chief Architect for Security and Resilience within Vega (now part of Selex ES) where he developed secure systems and solutions for sensitive government agencies and the MoD. Whilst at Vega Andrew was the overall Technical Lead for the provision of the NATO Computer Incident Response Capability (referred to as NCIRC). Additionally he designed and implemented the Metropolitan Police Counter-Terrorism Hi-Tech Forensic laboratory.