By Alan Zeichick, Principal Analyst, Camden Associates
The Chief Information Security Officer’s job is to protect the business. How? By knowing technology, understanding risk – and being a good politician who can persuade others and justify the return on the technology investment. Here’s what two experienced CISOs have to say about the challenges and opportunities.
An organization’s Chief Information Security Officer’s job isn’t ones and zeros. It’s not about unmasking cybercriminals. It’s about reducing risk for the organization, for enabling executives and line-of-business managers to innovate and compete safely and securely. While the CISO is often seen as the person who loves to say “No,” in reality, the CISO wants to say “Yes” – the job, after all, is to make the company thrive.
Meanwhile, the CISO has a small staff, a tight budget, and the need to demonstrate performance metrics and ROI. What’s it like in the real world? What are the biggest challenges? We asked two former CISOs (it’s hard to get current CISOs to speak on the record), both of whom worked in the trenches and now advise CISOs on a daily basis.
Things Move Too Fast for the CISO to See
To Jack Miller, a huge challenge is the speed of decision-making in today’s hypercompetitive world. Miller, currently Executive in Residence at Norwest Venture Partners, conducts due diligence and provides expertise on companies in the cyber security space. Most recently he served as chief security strategy officer at ZitoVault Software, a startup focused on safeguarding the Internet of Things. Before his time at ZitoVault, Miller was the head of information protection for Auto Club Enterprises, the largest AAA conglomerate with 15 million members in 22 states. Previously, he served as the CISO of the 5th and 11th largest counties in the United States, and as a security executive for Pacific Life Insurance.
“Big decisions are made in the blink of an eye,” says Miller. “Executives know security is important, but don’t understand how any business change can introduce security risks to the environment. As a CISO, you try to get in front of those changes – but more often, you have to clean up the mess afterwards.”
As an example, Miller described a scenario in which a corporate marketing department decides to partner with an external vendor for a mobile app that gives end customers access to their accounts and purchase history. However, he says, “There are a lot of moving pieces needed to set partnerships like this up structurally. If the app and access aren’t done properly, it opens up a hole in the environment.”
Unfortunately, Miller says, in many organizations, the CISO has not been in the loop – doesn’t know about the project, doesn’t help vet the third-party vendor, doesn’t write or review requirements, and doesn’t validate that such requirements are followed. “Too often, the CISO isn’t involved until after the contract is signed,” he says, and even then, it may not be until the app is deployed… possibly introducing security flaws.
Justify the Expense for Minimizing Risk
Another CISO, Ed Amoroso, is frustrated by the business challenge of justifying a security ROI. Amoroso is the CEO of TAG Cyber LLC, which provides advanced cybersecurity training and consulting for global enterprise and U.S. Federal government CISO teams. Previously, he was Senior Vice President and Chief Security Officer for AT&T, and managed computer and network security for AT&T Bell Laboratories. Amoroso is also an Adjunct Professor of Computer Science at the Stevens Institute of Technology.
Amoroso explains, “Security is an invisible thing. I say that I’m going to spend money to prevent something bad from happening. After spending the money, I say, ta-da, look, I prevented that bad thing from happening. There’s no demonstration. There’s no way to prove that the investment actually prevented anything. It’s like putting a “This House is Guarded by a Security Company” sign in front of your house. Maybe a serial killer came up the street, saw the sign, and moved on. Maybe not. You can’t put in security and say, here’s what didn’t happen. If you ask, 10 out of 10 CISOs will say demonstrating ROI is a huge problem.”
Contributing to that is the relative immaturity of the cybersecurity field – unlike with, say, marketing or research & development, there’s no standard for how much a company should spend on information security, Amoroso says. “Manufacturers know how much to spend on supply chain. How much should you spend on security, on sustainability? Nobody knows. This is a new field, only 20-30 years old. Sometimes you can justify that the security budget should be 5 times bigger – maybe it should be 5 times smaller. The industry is arriving at metrics, but there’s no agreed-upon rule of thumb” that you can present to the CEO or CFO.
Jack Miller’s take: “The ROI conversation most often comes up with a business unit with a new project. So, just calculate the costs for security for that new project, and roll those expenses into the project budget. After all, the business unit must justify the full costs for that project, which includes security.”
His advice: Embed security costs into projects, rather than looking at security as a separate issue. “Security is part of the cost of doing business. If a project’s budget can’t justify its security costs, then executive management needs to fully understand the risks the project brings and be willing to accept those risks before letting the project move forward.”
False Positives – Both Good and Bad
Sometimes the security team gets told about an alert – and that alert turns out to be nothing to worry about. That’s a false positive; it’s a nuisance, and if there are too many, the staff might stop paying attention. It’s like a smoke detector that sounds its ear-splitting horn every time someone has a shower or makes a piece of toast. On the other hand, there are false negatives: times when the security system examines an email attachment or an attempt to authenticate traffic through the firewall and determines that it’s safe… when in fact it is malware or a hacking attempt.
Ed Amoroso thinks that the oft-discussed flood of false positives from a Security Information and Event Management (SIEM) is “a totally bogus issue.” At home, if someone walks up your driveway and peers in your window, he says, you might get alarmed. At the public library, it’s curious, but no big deal. At a retail store during the day, it’s window shopping and a good thing. If it’s a nuclear power plant, bring out the Dobermans and guards, he says. “If you’re the CISO for a nuke plant, you should have a gigantic false positive rate and investigate every anomaly. If you’re the CISO for a public library, you can relax. It’s a business decision. A high false-positive rate might be exactly the right thing for your business.”
Meanwhile, Jack Miller is more worried about false negatives – that is, missing actual attacks. “From a security perspective, we want to be better safe than sorry. Err on the side of protection. Work to minimize the false negatives, so you don’t miss an incident. Unfortunately, this approach can create a high number of false positives, and while a false positive is not an incident, too much noise makes it hard to identify and respond to the real events, and often results in a small event, which could have easily been contained, turning into an actual security incident because it wasn’t responded to quickly enough.”
Miller continues: “However, if you tune your security systems in order to minimize false positives, your false negatives will usually increase resulting in too much bad stuff getting through or not being alerted on. We need better tools, ones that have both low false negative and low false positive rates. Remember, alerts don’t resolve problems. The response resolves the problem. If you can’t address the alerts, you haven’t solved the problems.”
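The trade-off Amoroso and Miller describe can be made concrete. The following is an added example, not code from the article or from either CISO: a hypothetical detector scores each event, and the threshold above which an analyst investigates is chosen by weighing what a missed incident costs against what an investigation costs. The scores, labels and cost figures are all constructed placeholders.

```python
from typing import Dict, List, Tuple

# Constructed sample, not real telemetry: (detector score, truly malicious?).
# Labels are what an analyst would find after investigating each event.
ALERTS: List[Tuple[float, bool]] = [
    (0.95, True), (0.80, True), (0.60, True), (0.35, True), (0.15, True),
    (0.75, False), (0.50, False), (0.40, False), (0.30, False), (0.25, False),
    (0.20, False), (0.12, False), (0.10, False), (0.08, False), (0.05, False),
]


def confusion(alerts: List[Tuple[float, bool]], threshold: float) -> Dict[str, int]:
    """Count outcomes when every event scoring >= threshold raises an alert."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for score, malicious in alerts:
        if score >= threshold:
            counts["tp" if malicious else "fp"] += 1
        else:
            counts["fn" if malicious else "tn"] += 1
    return counts


def expected_cost(alerts, threshold, cost_miss, cost_investigate) -> float:
    """Every alert, true or false, costs an investigation; every miss costs an incident."""
    c = confusion(alerts, threshold)
    return (c["tp"] + c["fp"]) * cost_investigate + c["fn"] * cost_miss


def choose_threshold(alerts, cost_miss, cost_investigate) -> float:
    """Return the threshold with the lowest expected cost for this business.

    Candidates are the observed scores plus 1.01 (alert on nothing). Ties go
    to the lower threshold, i.e. err on the side of investigating.
    """
    candidates = sorted({score for score, _ in alerts} | {1.01})
    return min(candidates,
               key=lambda t: (expected_cost(alerts, t, cost_miss, cost_investigate), t))


if __name__ == "__main__":
    # Placeholder costs: a miss at the "nuke plant" is catastrophic, so the
    # chosen threshold drops and the false-positive count climbs; at the
    # "library" a miss is cheap, so fewer events are worth investigating.
    for name, cost_miss in (("nuke plant", 1000), ("public library", 5)):
        t = choose_threshold(ALERTS, cost_miss=cost_miss, cost_investigate=2)
        print(name, "threshold", t, confusion(ALERTS, t))
```

Raising the threshold can only lower the false-positive count and raise the false-negative count, which is the coupling Miller describes; the costs decide where on that curve a given business should sit.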
Really huge organizations and service providers can take a very diligent approach: they have the wherewithal to make a fuss about every little thing and thoroughly investigate every single alert. A typical enterprise can’t.
For his part, Miller advocates for organizations using managed security service providers as part of their security setup. “Most businesses are better served letting a service provider do it for you – hire an MSSP, you just need to watch them closely to ensure they are actually providing the level of service you bought.”
The Need for New Security Products and Technology
Both Miller and Amoroso see the need for enterprises to adopt new security technologies to stay ahead of the game. To Miller, the huge threat is the Internet – and what happens when ordinary employees, that is end users, access the Internet.
Two security platforms have caught Miller’s eye. The first is from Menlo Security, which offers an isolation platform where end users’ browser sessions are executed remotely, but securely, in a cloud platform. If the website, plug-in or advertisement is malicious, the cloud isolation platform stops it from doing any harm. And if the website attempts to gather personal information, such as banking records, the Menlo Security platform will detect whether the website is genuine – and if not, block the user from divulging critical data.
“If you look at the job of a CISO as managing risk, the most effective way to manage risk is to eliminate the risk,” explains Miller. “That’s what I love about Menlo Security: their web isolation solution takes this approach. Instead of trying to identify good from bad, they simply eliminate the risk. It’s like in a bank: Why worry about trying to identify which people entering the bank want to rob it if you can put bullet-proof glass between the people entering the bank and the tellers, eliminating the risk to the tellers of someone walking up to them and threatening them with a gun? That’s what Menlo has done for browsing the Internet. It’s like bullet-proof glass for surfing the web.”
The other company that impressed Miller is SlashNext, which is used in situations where it’s impractical or infeasible to work through an isolation platform. In those cases, SlashNext creates a secure sandbox for websites and applications to run in – but one which is more secure, and which detects and blocks what signatures, next-gen firewalls, anti-virus and even other sandboxes miss.
Miller explains, “SlashNext’s founder had developed sandboxes at another company, and saw that while bad guys have learned how to circumvent sandboxes, human security researchers could still spot the malicious activity. He then built software that does what that human expert would do. Their system is like having your own army of security researchers working for you in the cloud, at wire speed.”
How is SlashNext different? According to Miller, unlike other network-based security solutions, not only will SlashNext identify zero-day malware and exploit code attacks, it will also identify and block social engineering attacks like credential theft as well as data exfiltration attacks and call backs, with no false positives. “While isolation is a great approach, there are situations where you can’t or don’t want to isolate, so you can use SlashNext to protect those types of sessions.”
Prepare to Get Fired
“I tell every CISO that if you’re going to take a security job, you have to be willing to get fired,” advises Ed Amoroso. Don’t play it safe, he says. “Retention of your job can’t be a primary goal — you’re there to make substantive risk decisions. If you’re the person who has to provide security guidelines, there’s no option for saying that it’s optional. You can’t think, ‘I want to keep my job so I won’t make waves.’”
Don’t back off your zeal for risk management, Amoroso insists. “Be the noisiest voice in the room. If you’re a little timid and don’t want to go toe-to-toe with an exec, you’re in the wrong business. You can’t be a CISO if you’re unwilling to accept conflict.” Or create conflict, in some cases.
Jack Miller agrees. “CISOs need two qualities. They need to understand technology since cybersecurity is a tech problem. They also need to be a politician. You have to motivate those people to do what you need them to do.”
How? Miller explains, “Learn what’s important to the other execs, and let them see that you’re not hindering them from reaching their goals. Instead, you are trying to help them be successful. If you can’t show that, if you don’t know how to motivate people, you will be seen as a roadblock. You will never be successful.”
Get the Job Done
It’s not easy being the CISO. You need to be a politician, be willing to be the loudest voice in the room, and try to build security into every decision – while being seen as someone who wants the business to be nimble and successful. It’s a management job, a business job, but as Ed Amoroso and Jack Miller explained, it’s also a technical job that requires knowing about the latest technologies for isolating users from the Internet, or actively protecting them when isolation is not practical, and also knowing how to safeguard virtual workloads running in the cloud. It’s a hard job, especially with a tight budget, worries about demonstrating ROI, and a small staff. But it’s arguably the most important C-level job in the modern business.
Alan served as Editor-in-Chief of LAN Magazine and was the founding editor of Network Magazine, which later merged with CMP’s Network Computing. He also founded BZ Media’s SD Times, the world’s leading publication for software development managers. Today, Alan is President and Principal Analyst of Camden Associates, a bespoke analyst firm in Phoenix, Arizona, that focuses on enterprise IT. Alan is a regular contributor to Network World and other online publications.