We all know the good adage "don't judge a book by its cover" and the importance of making a good first impression in your interview. The good, bad and ugly sides of you are revealed. The same applies to an organisation managing its people, process and technology in good stead and faith.
"Teabreak" conversation between CIO and CISO ...
CIO: Can we ever sleep soundly ... hmm.. e.g. stay 100% secure, immune and impervious to all forms of cyber attacks?
CISO: Boss, the fact is "Not now" AND I do NOT see it anywhere even in the near future. Sad Reality!
CIO: Why are we in such a state - are YOU SURE of this? Can't even catch some good nap minimally?
CISO: Not really, there is some saving grace - Cyber has its "Good", "Bad" and the "Ugly".
CIO: Enlighten ME please....
After a brief "educated" talk, CISO concluded with CIO nodding (thinking he "finally" understands):
CIO: "Always secure" sounds good, but this false sense of security is bad. The ugly truth is many fall into the trap of being penny wise and pound foolish when it comes to investment. Looks like I am lucky to have you as my trusted advisor going ahead.
Mr CIO took a quick sip of tea and smiled - calming himself to stay optimistic (on the organisation's security state). He was also hoping for CISO to return some positive cheer. To his surprise, CISO sighed, followed by a serious glance ...
CISO: Boss, thanks for the kind compliment. I am glad you trust me. I believe as long as the company reinforces the "Good", guards against the "Bad" and is sensitive to the "Ugly" - we will as a whole gain trust from everyone, and move together as one with your great leadership!
Every CISO hopes to strike up such an open conversation with their CIO and remain their most trusted advisor.
However, this is rare, as cyber security never gets that top leadership attention except when cyber incidents such as data sabotage and breach befall the organisation. In short, cyber security is being taken for granted.
Staying in good security shape and not falling into Bad and Ugly security situations
Upholding cyber security posture in an organisation is not far-fetched or unachievable, but it is by no means an easy feat. Making things worse, the current cyber threat landscape has evolved at a pace where cyber incidents, and especially data breaches, are becoming a norm in everyday headlines. Times have changed and this is a wake-up call for all organisations, including small and mid-sized companies. All are interconnected and there is no such thing as a standalone company in today's business context. No man is an island in the Wild Wild Cyber World!
If you refer to the growing data breach records in datalossdb [1], they further prove the sad reality. No organisation type is spared. It is no longer "if" but "when" a cyber incident befalls an organisation, and the question is whether it will be ready to face and handle it in its stride. The truth is that the majority are not ready and always end up in a bad and ugly sorry state. Some recent examples include:
- JPMorgan (from the financial sector) breach [2], where the departure of the CISO and security staff at JPMorgan Chase and their network breach seem too coincidental. There is much to say, but I leave it to be easily googled given the widespread "sharing".
- Home Depot (from the retailing sector) breach ("leading" the data breach records in the retailing industry), with the reported missing of leading malicious indicators of compromise by Target's security team leading to the eventual breach attempt being successful. Things just went wrong, as the investigation unravelled a non-fit security team lead being employed, extreme laxness in maintaining security software patches (e.g. the fundamental anti-virus definitions), a long stay in a non-compliant state despite having to be PCI-compliant, and disregard of best practices to monitor for network anomalies etc. The expected outcome is that customers (and I believe their staff too) lose great trust and find themselves discounted in this unfortunate saga.
Embracing security does not (and will not) just happen overnight. If you deem the organisation secure and diligent in maintaining good security, I do trust that, and you should as well, but prove it and do not assume it. Those who really stand by walking the talk know clearly that there are no miracle pills or overnight fixes for those security wins. A "good" organisation win is achieved with well-planned investment, careful budgeting, sheer focus, and the constant diligence and support of top leadership. Such an organisation's determination and vigilance give greater confidence in driving safely through the current "cyber" expressway, facing each road threat (the cyber threat landscape) and overcoming them in its long and ongoing journey.
The majority of organisations (if not all) use IT to proliferate business value innovatively, but this can be double-edged, bringing greater attack surface exposure (directly or indirectly). Simply put, this cyber ride is not going to be smooth and predictable. The state of affairs for security still requires funding and investment; it is not free and not for insurance only. The reality is that the system in its totality today is not secure, as organisations are driving at a fast pace and spending big bucks without taking precautions along the way. Cyber threats are here to stay and organisations have to learn to face them even at that fast pace - ultimately staying aggressive in constant "good" security shape.
Organisation's cyber security state indicators - People, Process and Technology
Again I need to reiterate - one can never be crisis immune, but one can strive to be crisis ready. We need to be practical.
The driver (people) taking over the driver seat needs to take due care (process) in ensuring the "vehicle" is fit for the road and its safety measures (technology), like the seat belt and air bag (for example), are in good condition. In addition, the driver (people) has to stay vigilant (process) and always be on the lookout via additional aids (technology), such as the additional camera, mirrors etc., for possible threats during the journey. As a whole, the chance of fatality is lowered but not zero.
This is not a worse-off state and is definitely worthwhile even if the drive takes longer to reach the destination. Below are some good, bad and ugly "driving" pointers.
- We exercise good driving habits, taking all necessary driving precautions in all trips.
- We avoid bad judgement, knowing the red flags such as accident-prone roads.
- We are not the ugly road bully who is out to ruin one's driving experience.
NSS Labs shared an interesting analyst brief [3] stating that security professionals should make themselves aware of the clear and present risk presented by "known unknowns". The latter describes a vulnerability that is known to exist and to pose a security threat, but which the public does not know about and therefore cannot assess or remediate. These are privately known vulnerabilities.
In a similar vein, the next few sections walk through three indicators in relation to the organisation's cyber security state. I will also share my interpretation of the various "knowns" combinations in this organisation state context. It still embraces the spirit of information known to the public versus privately known (and totally unknown) vulnerabilities.
The "Good" (Being the "known known")
In this organisation state, it is perceived as an "Open Community" where cyber security savviness is inculcated top-down. It is deeply embraced and evolves diligently with IT changes. Within the organisation, there is high assurance and a formalised governance structure for security process oversight. In the event of a breach, the organisation's leader takes responsibility and declares it to the public in a timely manner, making the information known. No secrets or privately known flops are withheld, as the interest of the public and the organisation's reputation are at stake and high regard and trust need to be maintained. Among one another at working level, there are no hidden schemes or perceived backstabbing - all are working toward a common business goal and putting security as a priority, uncovering and escalating known organisation vulnerabilities in a timely manner.
Some "Good" indicator sightings.
a) People - One's mistake is another's learning. The knowledge learnt through individual awareness and experience is retained and reinforced by everyone (including top leadership) walking the talk. Good security habits are demonstrated - password post-its are rare to come by in spot checks. Cyber security becomes the people's second nature and is spontaneous - not much security nagging is necessary.
"Good" outcome is that security is always on one's top priority list from the beginning of most (if not all) organisation initiatives. This is an important piece in making business and day-to-day decisions.
b) Process - A deep sense of accountability is adopted in business service delivery. The organisation's project SOP mandates that phases (from requirement gathering to implementation and deployment) incorporate a security scope of work. This is never an afterthought, and great interaction is demonstrated to tune and align it with business goals. A security health scorecard is also a regular update item on the security steering committee agenda.
"Good" outcome is that security is not compliance-based but a driven business and project assurance lifecycle process covering continuous review and reconciliation.
c) Technology - This is an important asset which the organisation leverages for greater situational awareness by extending its security visibility. Security staff are trained and equipped with adequate competency to stay proficient in reinforcing and ring-fencing the organisation. As a whole, the organisation stays ahead, looking out for innovative technology which enhances and augments existing security controls. The objective of the overall security technology chosen is to minimise manual resources and manpower involvement and instead be an enabler for staff to drive security in business functions efficiently and securely. There is also outreach to the crowd-intelligence-driven community for greater insight into evolving cyber threats, to stay prepared and keep ahead of imminent events affecting the organisation.
"Good" outcome is that security creates more business opportunities and upgrades manpower skillsets, leveraging not only the organisation's investment but also tapping the extended arm - security community networking. The organisation collectively grooms itself to be a trusted industry leader and customer advisor upholding sound and good security practices.
The Bad (Being the "unknown unknown")
In this organisation state, it is perceived as the "Blind leading the Blind", where there is poor leadership and poor staff security competence. The leadership style is not well received by the staff due to the constant "whipping" approach - this creates undue frustration and uncertainty, and most likely strikes fear top-down (including at leadership level). In the event of a breach (likely a regular affair), the organisation treats it lightly and tries means to cover up and withhold the truth, not making fault information known to the public in a timely manner. The public is left in great doubt while, internally, the organisation is salvaging a haphazard predicament, scrambling through its "ad hoc", unpractised incident management drills. There is no clear SOP to follow and, most of the time, everyone is left at a loss, hoping someone can make a decision. The staff are not confident in advising on concerns raised aggressively by internal and external customers. The organisation is (definitely already) earmarked as an easy target for any opportunistic cyber criminal. It will surely crumble if hardcore sponsored adversaries (or the "hidden assassin") take a fancy to the situation and turn it to their advantage. This possibly includes pounding it as a favourite test ground for an onslaught of "zero" days (unknown and unwarranted vulnerabilities), as there are many varied, poorly guarded or maintained IT assets to "test" with. The organisation stays oblivious and lives in constant unknowns.
Some "Bad" indicator sightings.
d) People - The organisation's staff are a conservative breed; the grapevine and groupthink are easily influential instruments employed by anyone. The security team (if such exists) is very assuming and gullible to third party (or external) contractors' words of wisdom and doubts its own assessments. They are even more persuaded by third parties than by internal staff recommendations (if any). There is no confidence in security technical leadership. Moreover, end users with sloppy online habits easily miss online security red flags (even though they were made aware of them in the past) and become easy targets.
"Bad" outcome is that the security mindset is ruled by FUD (Fear, Uncertainty, Doubt) and imbued with very low morale and distrust among one another.
e) Process - The "once bitten twice shy" attitude demonstrated again that the organisation is taking security very lightly. In the event of a breach, the after-action review (if it happens) does not conclude with security actionables and follow-up actions so as to learn and prevent a similar breach from happening again. The SOP processes rely heavily on the same approving parties that handle non-security matters, which creates a vague escalation path for emergency incidents. All incidents and breaches are treated with the same priority level or SLA. There are even cases of possible misrepresentation in security audits and reviews, as deadlines are tight to save cost within the allocated budget. When the budgeting exercise comes along, the "squeeze" (due to the tight organisation budget) always looks at the security budget - in the end all security-related initiatives are shelved for the next (and next) decade.
"Bad" outcome is that security is always a one-off and complacency sets in all the time. There is no urgency or clear direction given in upholding and reviewing the process lifecycle when lapses (such as authority misuse) are discovered in approving processes - they are full of holes and lacking oversight.
f) Technology - There are quick buy-ins by the organisation's approving parties without much discretion or careful thought. The investment is just a buffer for "maintenance" so that in time of need, this sum can be "re-allocated" to other (mostly non-security) projects. Security technology is treated no differently from running errands - common buys for replenishment. In the event of breaches or compromise detected (or even reported by the public), any cheap "snake oil" or "lemon market" solution - so long as it is an easy, quick way out to stop the "bleeding" - easily prevails, with poor buying prudence. Shadow IT (e.g. its supporting infrastructure etc.) creeps in and breeds in the organisation's inventory list. The organisation's overall asset inventory list has no authority oversight. Because the asset list is poorly maintained and tracked manually, such shadow IT is shrouded and eventually becomes a white elephant draining internal resources and budget. Overall, the organisation is averse to (and totally rejects) change - a default "no-no" to any cyber security investment.
"Bad" outcome is that security solutions and technology are a burden and money-wasting tools, draining internal investment and deemed to create more security cracks than value-add to business objectives. Simply, even costly security technology, if purchased, does a poor job in maintaining the organisation's security posture - it is the wrong fit. The security technology used can also be from unknown establishments or ill-reputed providers.
The Ugly (Being the "unknown known" or "known unknown")
In this organisation state, it is perceived as a "one-sided mirror" where the organisation is either not willing to share imminent or known threats with the public or (the other way round) the public is not willing to disclose to the organisation potential threats that impact the latter. This is likely due to past dissent created as the organisation consistently failed and misplaced public trust. Hence, groups of unrest and unnecessary detestation breed. However, the organisation's security standing as a whole is still acceptable, as it does try to share known threats to show that little diligence to the public. The organisation attempts to do some "good" in security investment and sets some security priorities. Overall, it is a "want"-driven rather than a "need"-driven paradigm, creating a short-sighted public perception of security.
Some "Ugly" evidence sightings.
g) People - Finger pointing can be a common scene when security mistakes arise. Security-related compliments are rare, if not "shadowed" (in appendices/annexes etc.) within top leadership's lengthy budget speeches or email broadcast messages. Although security awareness training is constantly conducted, it is just going through the motions. Security training attendance is consistently poor and the poor turnout is left as it is - not investigated. The top leadership brings out security elements in their speeches and emphasises their importance, but (really) behind the scenes they do not walk the talk - security initiatives are likely pushed back in their business strategy.
"Ugly" outcome is that security is a false impression. For the sake of upholding the organisation's overall industry reputation, the staff security mindset is a "motion" put on for the public. Top-down, there is not much depth in fully appreciating security values or seeing them as fruitful for one's career growth - not to mention there are no security-related training grants or incentives provided or planned.
h) Process - There is still a (surviving) security team outfit in the organisation, with headcount retained and replenished. However, the team lacks a clear role and empowerment in safeguarding the organisation's overall business service delivery interest. The team, with its "one size fits all" security mentality, has a couple of SOPs in its security playbook but always has the "all are nails" mentality. There is no deeper analysis or reach to maximise the playbook, which is well kept from predecessors' learning. Furthermore, risk treatment has been the same throughout the many years of diligent security reviews conducted. Actually, skipping a year or two of the review activities would not matter, because the security review report always has the same findings with the same controls recommended, and also the same residual risks. There is no close follow-up to closure of all past surfaced security findings. There is a lack of overall governance, and many tiers of approving authority are spawned off - small interest groups empowered to make security investment decisions. Ultimately, inconsistent security investment directions are given to various project teams. Likewise, many duplicative authority silos have caused security control deviation requests to slip through, with residual security risk unmanaged and, worse, untreated for a long period of time until another authority is alerted to take over.
"Ugly" outcome is that security is merely a compliance chore with a long list of vague guidelines, and most projects adhere loosely to the controls by paper formality only. In other words, the security checklist is always nicely completed with the minimum passing count of security "ticks" - this easily gets the project moving, with risk transferred to the authority and likely buried unknowingly.
i) Technology - There are multiple security technology acquisitions without a clear objective as to which of them can really address the security problem statement completely. These are still short-term, small buys, as the idea is to keep buying, but to buy within the budget rather than what is necessary and relevant. This leads to extreme security weariness, as many such "small", non-complementary and unfriendly security technologies are deployed throughout the organisation. More manual resources and effort are needed to "force-fit" them into existing business service delivery functions. For example, the security team relies on heavy "eye-balling" for incident monitoring despite having multiple high-tech cameras deployed at various sites. There is no central management and correlation to maximise the many "small" security assets equipped (they are the right controls deployed but not interoperable, hence counter-productive). This inadvertently requires a lot of ground work to coordinate and maintain constant watch due to technology non-conformance. Overall, the organisation's technology can miss some security lapses and anomalous activities due to tired human "eyes".
"Ugly" outcome is that security is more fatigue, with disparate "shops" led by tribe chiefs calling all the different shots. There is no clear accountability from the system owners and, collectively, technology is counter-intuitive for the organisation operationally.
Which organisation state are we in - Good, Bad or Ugly?
In retrospect, the ideal state of "Good" is what we should strive for, avoiding the other states. It is always good to take a look at examples that rise or grow through the various states to reach their current standing of goodness. I believe RSA Security has learnt, and NSS Labs shared an interesting paper [4] on RSA's experience during the incident, and probably there are some cherries to pick for learning too.
We must not lose sight of the evolving cyber threat landscape, and the "Treasure Map" [5] (which reveals a vast NSA campaign to map the global internet) simply reminds us that all technology can be double-edged in this "new Cyber Norm", so use it with care and know the perception it will create with the public when leveraging such technology.
It also gets complicated in the cyber world as cyber mergers and acquisitions [6] are expected. The action plan I would like to share is that one can consider Clarke's Three Laws (below) as a basis to guide how you chart the strategy and plan, in principle, to reach the desired organisation state - bringing out the "Good" in the organisation itself. Put them in your security context.
When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong.
The only way of discovering the limits of the possible is to venture a little way past them into the impossible.
Any sufficiently advanced technology is indistinguishable from magic.
Cyber security is (and will still be) a shared responsibility
As a parting note on driving safely on this cyber expressway, I preach to all to spare a while to look into the NIST Cybersecurity Framework [7], which helps lay out logically a possible overall security strategy baseline. Below is a glimpse of three aspects that I find may be useful in deriving your own cyber intelligence, to eventually contribute a chapter to your organisation's cyber playbook.
- Strategic Cyber intelligence - Focus broadly on threat vectors and adversaries that include nation and non-nation state actors with intent and capability and on contextual political, economic, social trends.
- Operational Cyber intelligence - Focus on targeted, opportunistic, and persistent vectors that pose the greatest risk to business continuity and that would have the greatest business impact
- Tactical Cyber intelligence - Focus on understanding and analyzing the adversary’s use of technical/logical tactics, techniques and procedures (TTP) to target the organization.
Note that this is not the sole area to explore, and the baseline needs to be customised to your outfit - there is no one-size-fits-all framework, as each organisation is unique. So do engage your top leadership closely, get supporting stakeholders on your side and plan with your end users in mind. This helps, and by always putting the organisation's business priorities over pitching security as the single driver, you will see greater buy-in.
Stay aware of the legal structure and laws the organisation is to adhere to, and walk the talk. For example, California has toughened breach laws to strengthen privacy and customer protection. They address what form a breach notification must take, what it must include, and when it must be sent out and to whom. Know them well and seek advice in times of doubt.
True security is a long-term investment; do not be stingy over security budgets, but be prudent over the needs and wants - we need more "Good" organisations.