Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything information-security related in a business. However, the tasks are far from simple, as their teams work around the clock to respond to incidents that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which now also involves advising boardroom-level executives about the multitude of potential risks that threaten their business and being prepared for an eventual attack.
To get a better understanding of the life of a CISO, the IT Security Guru will chat to leading CISOs to get their thoughts and ideas on the 2018 cyber landscape, including advice, guidance and problems faced. We will leave the favourite food and hobby questions for another time.
Ending this round of CISO Chat questioning is David Damato, Chief Security Officer at Tanium, who feels that boards are more focused on security as a result of the increasing number of public breaches, and that the challenge for security leadership is how to present this data in an effective and meaningful way.
As a CSO, what is your objective?
As a CSO, my goal is to reduce risk and uncertainty, while enabling our business. We do that by hiring talented employees, documenting and monitoring robust processes, and acquiring impactful technologies. I’m fortunate to have the opportunity to use Tanium’s platform as part of my mission. It provides me with real-time visibility into the current state of endpoints so I can ensure our systems remain resilient in the face of cyber-attacks or operational issues.
What is more important for cybersecurity professionals to focus on, threats or vulnerabilities?
Resolving vulnerabilities in a timely manner should be top of mind. The last 12 months have been riddled with complex and impactful vulnerabilities that have resulted in some very public attacks. As a security leader you must be able to answer the questions, “what patches are missing” and “how long does it take to apply critical patches on average”. This is something we track internally, and report to our executive team, using the Tanium platform.
It is also important to understand threats targeting your business. I often see organisations obsess about the “who”, which is only really applicable if you’re an intelligence agency. Organisations should be more focused on the “how”, which is characterised as “techniques” within the MITRE ATT&CK framework. We use this framework internally to build detection mechanisms with Tanium Detect.
What do you see being the biggest threat for 2018?
I’m asked this question each year and it rarely changes. Unless you’re an organisation that is highly targeted and has a mature information security program, the biggest threat in 2018 remains basic attacks against misconfigured, unmanaged, or legacy systems.
For those organisations that worry about targeted attacks and have mature information security programs, the biggest threat will be supply chain attacks. Injection of malicious code in valid applications, like we saw with MeDoc (NotPetya) and CCleaner, are designed to bypass new solutions like next-gen security technologies, and will be increasingly used in attacks.
Organisations should be focused on creating an accurate inventory, ensuring standard secure configurations across all devices, applying critical patches in a timely manner, and improving the speed at which they can detect and respond to attacks. WannaCry is a great example of an attack that could have been prevented just by enforcing these foundational concepts.
What advice would you give to anyone wanting to go into the cybersecurity industry? How do you believe we can improve the cyber skills gap?
When it comes to attracting top talent, one sector stands above the rest in recent years: the tech industry. For engineering and tech talent, there’s no better place to look than cybersecurity. Whether working for the government or in the private sector, there are huge opportunities for people interested in joining the cybersecurity industry. There is no “typical day” in this field and you will be consistently challenged and have an opportunity to solve some of our world’s greatest cyber challenges. My advice would be to find your passion and develop your skills. Organisations such as the National Cyber Security Centre and the Department for Digital, Culture, Media & Sport (DCMS) have plenty of useful tips about how to get involved.
Organisations looking to grow their cybersecurity talent shouldn’t solely seek out those with security or IT degrees. Instead, look for college graduates who are smart, motivated, and passionate about the field. One of my best hires was a nuclear engineer who had a limited background in security. Secondly, organisations should develop internal programs to transition IT talent to security. Good IT employees typically have a foundation of important concepts like networks, operating systems, and identity management work — making them great potential security resources. These programs also show you’re invested in your employees’ growth and, in turn, foster loyalty.
Technology is now a part of every profession, which means we all have a role to play in keeping each other safe and improving the skills gap. Universities can help by making security a core class requirement, even for those not majoring in a security or IT field. Secondary schools can help by incorporating security into basic computer literacy classes. And organisations can help by offering cybersecurity training, and not just as a one-off task during onboarding.
Today, IoT and AI have become real big areas of focus for organisations with almost every device, toy and appliance created having this technology built in. Worryingly, security seems to be an afterthought. Why is this the case and how can this be changed?
IoT is just like any other technology, in that security must be integrated within the development lifecycle. Unfortunately, many IoT manufacturers are new to the world of connected devices and do not have a secure development lifecycle that incorporates key concepts like threat modelling and testing.
This problem can be easily remedied by ensuring we apply the same basic concepts to IoT that we already apply to traditional software and devices. Examples include ensuring products rely on a secure development lifecycle, configuring devices to restrict access to management interfaces from the internet, and keeping devices updated by automatically pushing patches, without user interaction.
With GDPR less than five months away, how prepared is your organisation? What is your biggest worry or concern regarding the regulation?
Thanks to a close partnership with our legal team, today we have the people, processes, and technology in place to comply with the General Data Protection Regulation (GDPR).
There are two primary components to GDPR. The first, and most concerning, places broad requirements on companies to identify and have the ability to remove personally identifiable information (PII) upon request. Although it’s unclear how this will be interpreted, it could mean anyone could contact a large company and request to have their information (e.g. name, email, even IP addresses) removed from their systems. In theory this sounds great – but in practice, it’s a significant undertaking that could overwhelm already understaffed security teams, and keep them from focusing on more important risks. It will require organisations to have unmatched visibility and control over their systems and data.
The second component focuses on breaches of personal information. GDPR requires breaches to be reported within 72 hours, with any violation potentially resulting in fines of €20M or 4% of global annual revenue – whichever is higher. If upheld, this would provide the significant reason for executives and boards to get serious about cybersecurity. It will also require organisations to make investments to not only mitigate the risk of a breach, but to speed investigations and remediation activities in order to provide meaningful results in the 72-hour reporting window.
How often do you have to report to the boardroom level? In light of the major attacks in 2017, have the Board of Directors become more responsive and shown a better understanding of the work you and your team do?
I report to Tanium’s executive leadership and board, in addition to working closely with executive leadership at our customers. In every case, boards are more focused on security, as a result of the increasing number of public breaches. The challenge for security leadership is how to present this data in an effective and meaningful way.
Education is one of the most important components of a successful interaction with the board. Most board members are not security experts, so you’ll need to spend some time with each member to ensure they understand and agree with the information you’ll be presenting. For example, I’ve spoken with specific board members about our risk management process to help ensure our approach is understood and aligned with their objectives.
Board members also want to understand major risks to the business and planned mitigations. To do this, my team relies on the FAIR risk assessment methodology, which assigns a frequency and dollar cost to risks. We then map mitigation activities to these risks and provide some sense for how much each investment will reduce the overall risk to the business.
Finally, boards want metrics that communicate the overall state of the security program. Our team uses metrics, aligned with the NIST Cybersecurity Framework, to communicate our organisation’s maturity and effectiveness. Effective metrics should be directly related to risk of an incident and trend – either up or down – over time. Some of the most effective metrics we’ve used include mean time to patch critical vulnerabilities and the percentage of both unmanaged assets and endpoints that are not in compliance with our defined security baseline configuration. I rely on Tanium to collect these metrics.
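As an added example (not code from the interview or from Tanium), the program metrics named above, plus the two patching questions from earlier in the interview, computed from a constructed endpoint inventory and critical-patch log in Python. Hosts, patch ids and dates are hypothetical; the inventory is the asset-discovery view of everything seen on the network.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class Endpoint:
    host: str
    managed: bool       # has a management agent and appears in the inventory
    compliant: bool     # matches the defined security baseline configuration

@dataclass
class CriticalPatch:
    patch_id: str
    released: date
    applied: Optional[date]   # None means the patch is still missing

# Constructed sample data (hypothetical hosts and patch ids, not real telemetry).
ENDPOINTS = [
    Endpoint("ws-001", True, True),  Endpoint("ws-002", True, False),
    Endpoint("ws-003", False, False), Endpoint("ws-004", True, True),
    Endpoint("srv-01", True, True),  Endpoint("srv-02", False, False),
    Endpoint("srv-03", True, False), Endpoint("srv-04", True, True),
    Endpoint("lt-001", True, True),  Endpoint("lt-002", True, True),
]
CRITICAL_PATCHES = [
    CriticalPatch("CRIT-0001", date(2017, 11, 1), date(2017, 11, 4)),
    CriticalPatch("CRIT-0002", date(2017, 11, 15), date(2017, 12, 1)),
    CriticalPatch("CRIT-0003", date(2017, 12, 10), None),
]

def missing_patches(patches):
    """Answers "what patches are missing": ids with no applied date."""
    return [p.patch_id for p in patches if p.applied is None]

def mean_time_to_patch_days(patches):
    """Mean days from release to application, over patches actually applied."""
    days = [(p.applied - p.released).days for p in patches if p.applied]
    return mean(days) if days else None

def pct_unmanaged(endpoints):
    """Share of discovered endpoints with no management agent."""
    return 100.0 * sum(not e.managed for e in endpoints) / len(endpoints)

def pct_noncompliant(endpoints):
    """Share of managed endpoints that drift from the baseline configuration."""
    managed = [e for e in endpoints if e.managed]
    return 100.0 * sum(not e.compliant for e in managed) / len(managed)

def trend(series, lower_is_better=True):
    """Direction of a metric across successive reporting periods."""
    delta = series[-1] - series[0]
    if delta == 0:
        return "flat"
    return "improving" if (delta < 0) == lower_is_better else "worsening"
```

Reporting the same functions each period and feeding the results to `trend` gives the up-or-down view over time that the answer describes.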
Social media is everywhere. So how much of it is a security issue in the workplace? Have you had to run training exercise plans for employees within your organisation?
Social media can be an ideal hunting ground for cybercriminals. The droves of data we post online can be used against us through targeted phishing attacks. By publishing details about our workplace or current occupation, hackers can personalise their approach to compromise our work email or device – whether through a fake email from the boss, or a bugged PDF from Harry in accounts claiming to have details of your upcoming bonus. It’s important colleagues are aware of the risks, and are shown how to recognise malicious and untrustworthy emails.
At Tanium, training is incredibly important to us and we regularly conduct sessions with every member of our staff to ensure that they are aware of potential pitfalls and solutions when it comes to addressing cyber threats.
It is important to remember there are two sides to every effective cyber defence. Well-prepared staff is one part; technological capability is another. Without modern tools in place to give you visibility and control over your network, you will inevitably face a breach.
What would be your No.1 piece of cybersecurity advice as we begin 2018?
Know your endpoints. You would be astonished at the number of organisations that don’t have clear visibility of their operating environment. In our experience, organisations do not manage or secure 15% to 20% of their endpoints simply because they don’t know they exist. It’s impossible to assess the risk or protect a device you don’t know exists.