November 21, 2014 (updated 21 Oct 2016 4:26pm)

Are CISOs losing the IT security battle?

The second instalment of CBR's exclusive interview with Brett Wahlin, Chief Information Security Officer (CISO), HP Global. Ambrose McNevin asks the questions.

By Sam

CBR, Q: Are CISOs losing the battle?
Brett Wahlin, A: Depends how you define it. Those guys [the attackers] only have to be right once. We have to be right all the time. So it makes it really difficult to keep up with the attacks, in a world of decreasing budgets. It is a hard battle. It is a complicated scenario we’re facing.

When an incident happens – and it will happen to everyone – there’s always a view that we’re negligent. There’s an optic around being a CISO.

It’s like a war on crime or any other good guy, bad guy situation. Bad things are always going to happen. So it is really difficult to say we’re losing, because we do have a lot of victories that you don’t hear about. We do catch a lot, but of course it is the ones we miss that actually make it into the press and that makes it appear that the problem is impactful when in fact we stop quite a bit. So I wouldn’t say we’re losing but I’d say it is a difficult battle that we continue to fight.

Q: What is happening in the end user environment?
A: I view security as an end-user. We’re not a vendor, we’re just like everyone else and we’re protecting the company. We have a better supply of secure technologies, but we approach it in much the same way as in my previous roles.

Our approach is to get a handle on an ever increasing array of things. For example how do you keep up with the cloud? What a lot of companies are still faced with is: How do I do the basics?

Patching, vulnerability assessments, risk assessments, understanding the basic security principles and continuing to do so while I add in all the rest of these pieces.

Q: What are the disturbances?
A: The more we get away from the controls we have in place – from on-premise data centres where you can put your arms around it and control your own environment – there was a feeling that you had better control. And the big disruption on moving to cloud is that we don’t know where that data is going. So it could go to a cloud vendor. We’re assuming they’re protecting it, but we don’t know for certain. We’re assuming that the end user is taking some control. They’ve brought their own system and application but they’re still accessing company data. We’ve lost control of that end point. We don’t know particularly what’s happening.


There are things we can do to enhance that control, but it’s a risk. We have to get better at that discussion of risk with the business: is it important to have that new style of IT, to have that ability to use those types of cloud applications and the devices that employees want to bring, versus the fact that we’re losing sight of some of the data that is coming in from the network – we’re losing the ability to quickly lock down and track the end points. So there’s a trade-off between this increased effectiveness and greater risk.

CISOs have to be really good at having that business risk conversation with leaders. How do I translate that into their language so they understand that if you do this, these are the potential bad things that could happen? And how can I help you with that? But it comes at a cost. It comes with a little less flexibility, so we have to walk that line where the user community understands the risk appetite in the company.

The data is going everywhere in big and small companies. The perimeter is no longer a perimeter, it is very porous.

As security professionals we have to change our approach and have that discussion, because in some cases there is not a lot we can do. The data is in the hands of the user. We can educate, we can increase awareness on many of those functions, but we’re taking a risk by releasing those controls.

Q: What is your view on education versus technology?
A: What’s changed is that security was focused on the infrastructure, then it was focused on the end point, and then it moved back. We see a lot of oscillation and we don’t really know the best place to put controls.

We move in conjunction with where the business is going. Years ago we’d concentrate on the end points. Let’s lock them down – you can’t have admin rights. Then BYOD came in and we had to change. Now we have to balance.

The problem is if I were to design an infrastructure, design how data is classified and controlled, work on the policy piece today, and build an information architecture, it would be completely different from what we see in enterprises.

So we have to get that blend between what we have, because we can’t afford to rip and replace with all this new stuff. We have to rely on users to be aware of their surroundings and potential threats like ‘If I click this, what will happen.’ And to think ‘I have data and it is valuable.’

We have to continue that education across the board at a corporate and individual level and build personal awareness.

It is hard for security people to tell people about risk. For example, do you know the risk of putting your picture on iCloud or on Facebook? Because what we’ll do is paint this really scary picture.

Q: What’s the maturity level in the industry? What are you hearing about how people are engaging with security as a business issue?
A: There are three buckets of companies. Those who don’t think it will ever happen to them. They are the blissfully unaware. If it never happened yet, it won’t. Those are the companies who have already been breached. They just don’t know it.

There are those who have woken up in the last couple of years. I speak to my peers in those companies who have invested in the CISO role and it’s new, and you see them walking through a maturity curve.

The first thing they do is establish a corroboration centre, get some rigour around patching, vulnerability assessments and operational monitoring. Who is attacking us? Can I find it? Can I remediate it? And you eventually build your programme.

And then there are those of us who have been doing this for a while and what we are typically doing is going through a rework. Are we doing the right things? Do we have the ability to innovate?

And usually you will see those in the bigger companies and in financial institutions where companies are asking, what’s next? How do I keep up? How do I push the envelope? How do I do things differently?

So you have three levels. There are also interesting geographic developments around capabilities. I was recently in South Korea and they just said all banks will have CISOs, and the banks are trying to catch up to figure out ‘how do we do this?’

Sometimes this is regulated into a sector. Sometimes it is just out of concern companies feel the urge to do something.

Q: Controlling behaviour is difficult – how do you approach it?
A: From a policy perspective we look for things that are defined as security controls. There is a policy you can set. There are more hard set controls based on technology. When you have a system that is a policy control point, it is much more effective.

So I can say don’t go to Facebook and put that in an outbound proxy and just block it.

So what have I done? Potentially I have upset a work life balance, or I have pushed someone to find a way to work around my security control. So for every policy we have to look at how it can be misused.

And for some companies – for example, look at financial institutions and their compliance – they will set restrictions. While some companies will let people go on Amazon or do lunchtime banking.

Security works best when you relate it to things you do in personal life and in your business life. You tie them together. Online banking, social media – these have impacts. They are great tools and I’m not here to say you can’t, but I want you to personally understand the risk. What we try to instill in the workplace will also have benefits in the home.

Read the first instalment of this interview here.
