Build A Proactive Security Program By Focusing On The Fundamentals

A common topic at security conferences, CISO dinners and networking events is: “how are you preparing your program for a new and upcoming regulation?” For CISOs, this conversation is a way to exchange ideas, gather information and compare programs. Unfortunately, CISOs often express feeling underprepared for the upcoming shift in the regulatory landscape, causing them to scramble to meet the new requirements. I’m sure this feeling has existed since the first CISO role was created and has continued through SOX, PCI-DSS, HIPAA, GDPR, DORA and CMMC. If you have ever felt your program could be better prepared for new challenges, or are looking to be more proactive, then this post is for you. The goal is to prepare your security program so well that any new challenge is a non-event, and I fundamentally believe there are lots of things CISOs can do with their security programs to achieve this goal.

What Causes Programs To Be Reactive?

Underfunding

There are several issues that can cause a security program to be reactive, and understanding the problem is the first step to overcoming it. One of the most common issues with any security program is underfunding. Underfunding a security program can have ripple effects on staff, technology, risk management and compliance activities. Underfunding can be a conscious choice of the business, but more often it is the result of the CISO failing to articulate or demonstrate how the security program creates value for the business. If you can’t link your security program back to business objectives and risk, then your program is falling short. When a program is underfunded it can’t innovate or gain breathing room. As a result, the program will be in a perpetual state of reactivity, constantly responding to the next problem that comes up.

Poor Understanding Of Risk

But wait, you say! My program is well funded. I have the staff and technology I need, but we are still reactive. This can be for a few other reasons, such as your program having a poor understanding of the risk landscape for the business. At a basic level this means documenting your program, controls, policies, exceptions and strategy so you are in lockstep with what the business is trying to accomplish. The culture of the security program should be “help me say yes to your security ask”, instead of always saying no.

Thoroughly understanding the risk landscape for the business, such as where your security program effectively manages that risk and where the business can take on more risk, is critical to helping the business operate, expand and be successful. If you haven’t mapped your program to risk, then your program will always be reactive, because you will have to constantly evaluate the changing business conditions each time, slowing down the business and pulling resources from other areas.

Shiny Thing Syndrome

One final reason your security program can be reactive is shiny thing syndrome. This is where someone in the org (it can be you, the CTO, the CEO, etc.) is constantly enamored with new technology, things they read in Harvard Business Review or whatever they think is “cool”. This means your program will constantly lurch from thing to thing without ever gaining momentum. It also means that instead of following a clear and well-laid-out strategy and roadmap, your program will hop around and never achieve success. The best way to counter shiny thing syndrome is with a well-documented program, with a clear understanding of where you are and where you are going.

Shifting To Become Proactive

So the big question is: how do you shift your program to become proactive? We can talk about a lot of ideas like automation, AI, processes, etc., but I truly believe the core of any security program should be the fundamentals, and by focusing on these fundamentals you can stop being reactive.

Don’t Practice During The Game

Here is an analogy that I like to use for what a proactive security program means. Consider that you are learning to play baseball. You could go out into the field, look around and hope the ball doesn’t get hit to you. Worse, you could have no idea which way to face, what to do with the glove or even how to win the game. You are just standing there… waiting to react to whatever happens and hoping to figure it out. This is a security program that hasn’t mastered the fundamentals.

However, hope is not a strategy, and you shouldn’t practice your skills at the game. You should practice the skills you need before the game and hone them over and over until they become instinctive, allowing you to proactively shift your strategy during the game. This is what a proactive security program can do. By focusing on the fundamentals, like knowing what you have, where it is and what its status is, you won’t have to scramble to figure these things out when a new regulation comes out or a new incident hits. By thoroughly documenting your program against an industry standard framework and continually measuring compliance and risk against that framework, you will eventually master the fundamentals and become proactive. Focusing on and mastering the fundamentals allows you to continually refine your program so you can anticipate where the business, industry and regulatory environment are going. In fact, any change in the business, industry or regulatory environment should be a non-event, because your program is so robust that you can help the business take on and manage whatever new risk comes up.

Wrapping Up

Next time you are faced with a challenging incident, new regulation, new compliance activity or are at odds with the business, ask yourself if your program has mastered the fundamentals. Do an honest assessment of your program, conduct a retrospective of past activities and assess where you need to improve. Find new ways to articulate the value of your program and link your program back to business risk so you can get the funding and support you need. By mastering the fundamentals you are mastering important skills when it doesn’t matter, so you can be proactive and anticipate events before they matter.

Annual Planning For CISOs

The beginning of the year is a popular time for making personal resolutions, which can focus on health, finance or love. While the beginning of the year is a popular time to set resolutions, what we are really talking about is setting goals to improve ourselves. I’m a huge proponent of setting personal goals for the year because it gives focus and purpose to your actions. The beginning of the year is also a great time to review the annual goals of your security program to set your focus and establish priorities. Annual planning has several objectives that CISOs need to consider and include in their process, and I’ll cover them in the rest of this post.

Strategic Planning (Strat Planning)

Strategic, or “strat” planning as it is sometimes called, looks at where the business and your organization want to be over a long-term period. Something like 18 months to 5 years is typical in strat planning. The planning session should include discussion of one or more of the following macro-level business topics:

  • Market forces and opportunities
  • Industry trends
  • Regulatory and legal landscape
  • Competition
  • Customer sentiment, goals, etc.
  • Economic and financial environment
  • Geo-political climate
  • Technology trends and latest research

This discussion could be part of a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats), but the goal is to understand where your business is and where you want it to go in the long term.

Align The Security Program

Once the business has a strategic plan, the CISO should conduct a similar planning exercise for where they want the security program to be. These are sometimes called “North Stars”, but they are essentially high-level objectives that merge technology trends, regulatory requirements and security goals into long-term objectives. These won’t be very specific, but instead should act as guidance for where your team should focus and hopefully end up over the next few years.

Examples

An example of a strategic trend and its corresponding security objective is as follows:

Trend: As companies shift from the datacenter to the cloud and bring your own device (BYOD), the concept of a traditional perimeter no longer makes sense.

Strategic Security Objective: Shift to a zero trust strategy where identity becomes the perimeter.

The goal is to choose big-ticket objectives that will take multiple years to achieve, but will provide guidance to your org and the rest of the business about the direction your team is taking. Your strategic plan will inform the next section, which is your operational plan.

Operational Planning (Op Planning)

Operational planning is more tactical in nature and covers a shorter time period than strategic planning. Op planning usually follows either a fiscal or calendar year so that it aligns with performance reviews and budgeting cycles. In op planning the CISO will select the high-level goals they want the security organization to complete that year. Usually op planning will include discussion and planning of the following:

  • Budget creation, forecasting and changes
  • Headcount planning
  • Technology investments (if any)
  • Top risks to focus on
  • Any audits or compliance certifications needed that year
  • Development of timing and roadmap for completing specific projects and tasks
  • Discussion of security controls and services
  • Skill gaps and training requirements

The point is to create a tactical plan for the year that will inform your team’s specific goals and objectives. These goals should be clear and measurable. I typically use an iterative approach to break my goals down to my directs and then they break their goals down to their teams and so on. This ensures alignment throughout the business.

Measuring and Adjusting

One important aspect of any plan is to continually measure progress and adjust if needed. Goals and objectives aren’t useful if the business has shifted and they are no longer relevant or have become unobtainable.

Wrapping Up

Strategic and operational planning are important activities for every CISO. These plans define the long-term vision for the security organization and break that vision down into tactical objectives that are accomplished throughout the year. This post gave a high-level overview of what goes into strategic and operational planning, but aligning security plans to business risk, mapping security controls, obtaining funding and reporting progress are all complex activities that every CISO needs to master.

Five Take Aways From The New 2023 National Cybersecurity Strategy

In the first week of March, the White House released the new National Cybersecurity Strategy, which outlines areas of focus and investment to “secure the digital ecosystem for all Americans.” Like most strategies, it is high level, broad in scope and forward thinking. Most of the strategy covers expected topics, with objectives like protecting critical infrastructure, investing in research and development, expanding the qualified cyber workforce and increasing public-private collaboration. However, I found a few of the objectives thought provoking and ambitious because they have the potential to mature or disrupt the industry if enacted into standards or legislation.

Ransomware

The United States has labeled ransomware as a strategic objective that needs attention to prevent disruption of critical infrastructure and other “essential services,” like hospitals. Payments from ransomware support the activities of criminal groups, and ransomware attacks result not only in financial loss but can also result in loss of life through the inability to provide accurate or timely care. Dish Network is the latest victim of ransomware, resulting in a 20% decrease in stock price, not to mention the amount it costs Dish to recover from the attack, including the loss of revenue from the inability to process payments or provide adequate support.

Ransomware is a difficult problem to solve because the government can’t magically secure all of the vulnerable networks and systems in the US. Instead, the US Government plans to target the financial networks that process ransomware payments, disrupt the infrastructure that supports ransomware and place diplomatic pressure on countries that continue to provide safe haven to ransomware operations. It will be interesting to see what effect this will have on ransomware attacks, but optimistically, I hope it will have the same result as recent high-profile botnet disruptions.

As of yesterday, the administration can claim its first success in taking down part of a ransomware gang in Germany and Ukraine responsible for DoppelPaymer and tied to EvilCorp.

Privacy

The White House considers privacy a strategic objective for the United States. The European Union set the global standard for privacy with GDPR, and since then the United States has lagged behind other countries in national privacy regulation. This is evident because several states like California and Colorado have already passed privacy laws that establish fundamental rights to privacy for their residents, and there are another three dozen bills in progress across several states in the US. A patchwork of state privacy laws will make it difficult for companies to navigate and satisfy each individual privacy law. Citizens in the United States suffer from poor privacy practices by companies that seek to monetize the data or use it for strategic purposes.

There are dozens of privacy bills floating around Congress to address individual privacy, financial privacy, health privacy and education privacy. These laws would give US citizens fundamental rights to their privacy and the ability to control how their data is used, and shift data collection from opt-out to requiring consumers to opt in to collection. A national privacy law would help consolidate the patchwork of state legislation and make it easier for businesses to navigate the new requirements. It would also place the United States on equal footing with other international standards like GDPR, which has had a significant impact on advertising and marketing businesses in the EU.

Liability for Third Party Software Security

One of the most interesting strategic objectives in the National Cybersecurity Strategy is the intent to “shift liability for insecure software products and services” to the companies that produce them. This has the potential to mature the technology sector by establishing a standard of security quality through legislation or penalties. The administration intends to do this by establishing a framework that will shield companies from liability if they follow the secure development practices in the framework.

In reality, software development is not that simple. Following a secure software development framework will not address the complex software supply chain security issues facing the technology sector. Use of open source software libraries is a common development practice that accelerates the development of software so companies don’t have to re-develop functions for themselves. This accelerates the software development life cycle and also self-regulates by allowing the industry to settle on and standardize certain functions or technologies. While I applaud the sentiment to hold companies liable, it is unclear where the liability stops, and this may actually hinder innovation in the technology sector. If a business includes an open source software package in their software, are they now liable for the security of a software package they don’t control? Or does the liability pass on to the random person who built the software package from their basement? Will companies now stop using software they don’t control and develop these capabilities in house, which can divert development resources from producing products and services that generate revenue? What about embedded systems that have limited network connectivity or limited storage space to support continuous updates?

When looking at the history of massive security breaches like Target, SolarWinds, Sony or Equifax, there is certainly a need to hold someone accountable, particularly when the incident impacts consumers, shareholders or critical infrastructure. However, there are too many questions and complexities within existing software supply chains to simply regulate this problem away. I cautiously look forward to seeing how the administration navigates these issues without impeding innovation or levying burdensome penalties.

Federal Cybersecurity Insurance

One of the more interesting strategic objectives is to explore the creation of a federal cyber insurance backstop. The concept is similar to the FDIC for banks or disaster relief funds for natural disasters. A government cybersecurity insurance fund could be used to support areas of strategic economic investment that are not mature enough for full-blown commercial cyber insurance, but need some sort of financial safeguard. The backstop could also be used for national-level services that would have a catastrophic impact on the country if they were disrupted by a cyber event. A federal cyber insurance fund could be meted out like a disaster relief fund to help these critical services restore functionality or shore up finances in a time of crisis. Overall, I think this is a good thing and could provide some stability to a technology sector that is at times beholden to a cybersecurity insurance industry with high rates and uncertain payouts.

Global Supply Chain

The COVID pandemic broke the equilibrium of a fragile global supply chain. Small disruptions in factory output or the availability of supplies brought several previously stable industries to a halt. As a result, the United States is rightfully considering the security of this global supply chain and what components are critical to maintaining military and economic superiority.

Computer chips are at the forefront of maintaining this military and economic superiority. In 2022 the Whitehouse signed an executive order, called the CHIPS and Science Act, to fund initiatives to make critical supply chain components, like semiconductors, in the United States. Shifting or changing the global supply chain will take time, particularly with semiconductors, so it makes sense to start immediately. Almost all semiconductor manufacturing occurs in Asia (South Korea, Taiwan and China), and it makes sense for the United States to begin to diversify this critical resource away from a geographic region that is seeing increasing geopolitical instability. For example, if China invaded Taiwan it would massively disrupt the global supply chain for the rest of the world (including the United States). However, most semiconductor industries have been built with, or heavily subsidized by, local governments, so the United States will have to match or exceed these subsidies if it truly wants to be competitive in the global market while securing a critical component of the supply chain.

Wrapping Up

Overall, the National Cybersecurity Strategy is a comprehensive and forward-thinking strategy that has identified areas of national strategic cybersecurity importance in need of investment. Not all of the strategic objectives make clear how they will achieve their goals without causing unintended negative consequences, but the intent to improve the resilience and preparedness of the United States is evident.