HOW TO GET STARTED
In today’s cyber world, the likelihood of a breach has shifted. It’s no longer if you’ll be attacked, but when. All organizations, no matter the size, are vulnerable to data loss from a cyber attack. In fact, 38 percent of companies are attacked again after a first attack. A skilled attacker has access to a compromised network for a median of 243 days as they ravage systems, flying under the radar, stealing customer information, trade secrets, and financials.
To discuss how companies can prevent breaches, an Enlightened Speaker Series event was held in Houston. It included Art Conklin, the director of the Center for Information Security Research & Education at the University of Houston; Michael Farnum, a practice principal at Hewlett Packard; and Vid Sista, the Security Practice Director at Accudata Systems.
The most important part of cyber security? The people. “When you hire a Chief Information Security Officer, they will look at the organization, look at your goals, review business units, and review risks” Farnum said. “You don’t know what your goals are until you put somebody in place.”
Conklin cited Target’s well-publicized security breach. “What was the CIO’s experience?” he asked. “It was marketing, not IT or information or how information could better run their business.” In the case of the CISO – Chief Information Security Officer, whose job it is to protect information – “They didn’t have one,” Conklin said.
A CISO will help determine what you want to protect, Sista said. He used BYOD (Bring Your Own Device) as an example. The first thing to do, he said, is determine who should be able to access the product, what data is most essential, who should be allowed to access the data, and where it should go.
“There are some of those three letter agencies that I work for where I can’t even bring in my Fitbit into a building,” Conklin said. “A Fitbit is a pedometer, but it’s electronic and their policy is nothing electronic comes into the building.”
In other cases, some employees must have open access to information. Sales people, for example, might need to see sensitive information in real time. In fact, the sales person might need broader access rights than the company’s CEO.
“Once you define those things, there will be a technology out there that will get you to where you need to be,” he said. “Without the policy and a CISO that will help define that security policy, you won’t be able to find the right technology.”
The right person will have knowledge of your industry, too. A CISO in the banking industry will have a different skill set than the one who is right for manufacturing, or health care.
“The bad guys out there are trying to steal your intellectual property, and the CISO needs to understand what that is,” Conklin said. “You won’t hire a CFO who knows nothing about your industry, would you?” He said the person in information security needs to have some information and experience about the industry.
But information security officers with that kind of industry-specific knowledge come at a premium. “The CISO for Chase has a seven-figure income and that doesn’t count bonuses,” Conklin said. “Target is paying $450,000-$500,000 for their CISO.” For most companies, the salary of a CISO will be in line with that of a CFO. “It’s technology skills versus finance with the same level of responsibility,” said Conklin.
“I would add you should ask the people on the line about the value of the data they use,” Farnum said. “IT doesn’t own all the data – the legal department owns the legal data, and they are in charge of telling me who has access. I don’t determine that, they do.”
Farnum also noted that a CISO who is nothing more than a figurehead can easily get a company into trouble. A figurehead would do “security by compliance,” checking boxes to indicate certain measures have been taken. But in the case of PCI DSS – the credit card security standard – if one breach happens, that company is out of compliance. And a company out of compliance is automatically held to a “Tier One” standard – the same as a large company. “If you start focusing on compliance only, you’ll get into trouble,” Farnum said.
Keeping up with what’s happening in the world of threats is not realistic, Sista said. What can be done is to “shrink the world.” Concentrate on the critical data within the company. “You don’t have to be the fastest guy, you just have to be faster than the bad guys,” he said.
It’s also important to look at just how much risk is acceptable. If something costs a million dollars to protect, it might be worth it. Not so much for an asset worth only $100, Sista said.
A simple way to start approaching security is to consider the kinds of programs computers are allowed to run, and the websites employees are allowed to visit. Many companies “whitelist” programs and sites. Where blacklisting blocks specific known-bad items and lets everything else through, whitelisting approves ahead of time what will be allowed and blocks everything else. It’s tempting to whitelist everything, Sista said, but that might not be a wise course of action.
“If you are in the oil and gas business and you’ve got process control systems,” Sista said, “and there is a very specific function for this computer and you should only run one application on this PC, whitelisting is a great idea, because that device should not be able to surf the web.”
Another simple measure is to patch systems. A “patch” is a security update that fixes known vulnerabilities. Conklin said systems can be set up to stay patched automatically. “Have a process in place to patch your system via upgrades will improve your system,” he said, “and that’s as easy as locking your door.”
Network segmentation is a low-cost way to improve security, Sista said. Only the minimum amount of access should be allowed for a person to do their job. He suggests a “hard shell” be put around critical data, then the company can decide which users can access which databases based on what they need to do their jobs.
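The “hard shell” Sista describes, and the guide’s later point about setting access to default deny, amount to an allowlist of which segments may talk to which, with everything else dropped. The following is an added example, not code from the article or its speakers: a small default-deny policy evaluated over constructed flow records. The segment names, address ranges, rules and log lines are all assumptions made for illustration (an engineering subnet that may reach a process-control subnet on Modbus TCP/502, and a corporate range that may reach only a web proxy).

```python
"""Default-deny network segmentation policy, evaluated over sample flow records.

Added example, not from the article. Segment names, addresses, rules and the
flow lines below are constructed for illustration. Anything not explicitly
allowed is denied, which is the "default deny" posture the article describes.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed segment map: name -> network. In practice this comes from the
# asset inventory the article recommends building first.
SEGMENTS = {
    "engineering": ipaddress.ip_network("10.1.0.0/24"),
    "process-control": ipaddress.ip_network("10.2.0.0/24"),
    "corporate": ipaddress.ip_network("10.3.0.0/16"),
    "proxy": ipaddress.ip_network("10.4.0.5/32"),
}


@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_segment: str
    proto: str
    port: int


# Allowlist: every permitted cross-segment flow is written down explicitly.
ALLOW = (
    Rule("engineering", "process-control", "tcp", 502),  # Modbus from engineering only
    Rule("corporate", "proxy", "tcp", 3128),             # web access only via the proxy
)


def segment_of(addr: str) -> str | None:
    """Map an address to its segment; longest prefix wins, None if unknown/external."""
    ip = ipaddress.ip_address(addr)
    best = None
    for name, net in SEGMENTS.items():
        if ip in net and (best is None or net.prefixlen > SEGMENTS[best].prefixlen):
            best = name
    return best


def parse_flow(line: str) -> dict:
    """Parse a constructed 'key=value' flow record into a dict."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["port"] = int(fields["port"])
    return fields


def decide(flow: dict, *, default_deny: bool = True) -> str:
    """Return 'allow' or 'deny' for one flow under the allowlist.

    Flows inside a single segment are left to host controls; cross-segment
    flows must match an ALLOW rule, otherwise the default applies.
    """
    src, dst = segment_of(flow["src"]), segment_of(flow["dst"])
    if src is not None and src == dst:
        return "allow"
    for rule in ALLOW:
        if (rule.src_segment, rule.dst_segment, rule.proto, rule.port) == (
            src, dst, flow["proto"].lower(), flow["port"]
        ):
            return "allow"
    return "deny" if default_deny else "allow"


# Constructed flow log lines.
SAMPLE_FLOWS = [
    "src=10.1.0.7 dst=10.2.0.10 proto=tcp port=502",        # engineering -> PLC: allowed
    "src=10.3.4.20 dst=10.2.0.10 proto=tcp port=502",       # corporate -> PLC: denied
    "src=10.2.0.10 dst=93.184.216.34 proto=tcp port=443",   # PLC surfing the web: denied
    "src=10.3.4.20 dst=10.4.0.5 proto=tcp port=3128",       # corporate -> proxy: allowed
    "src=10.2.0.10 dst=10.2.0.11 proto=tcp port=502",       # within process-control: allowed
]


def evaluate(lines, default_deny: bool = True) -> list[tuple[str, str]]:
    """Evaluate each flow line and return (line, verdict) pairs."""
    return [(line, decide(parse_flow(line), default_deny=default_deny)) for line in lines]


if __name__ == "__main__":
    for line, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{verdict:5s} {line}")
```

Running `evaluate(SAMPLE_FLOWS, default_deny=False)` shows the contrast the guide warns about: with a default-allow posture the process-control host reaching an external web server is permitted, because no rule ever had to mention it.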
“We also need to spend money on educating people,” Sista added. “If you educate your users on moving a mouse over the URL and the address is not a match, they need to send that email to the IT department.” If employees understand the data they are protecting is sensitive data, they will be less likely to circumvent security controls, he said.
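The hover-and-compare habit Sista describes can also be automated on the mail gateway or in a user-reported-phishing triage script. Below is an added example, not code from the article or its speakers: it pulls every link out of an HTML message body and flags those whose visible text shows one host while the actual href points somewhere else. The sample message, its domains and the `.evil.test` host are constructed for illustration; the host-matching regex is a deliberate heuristic, not a full URL parser.

```python
"""Flag e-mail links whose visible text shows a different host than the href.

Added example, not from the article. It automates the check the article
describes (hover over a link and compare the shown address with the real one).
The sample message below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic: something that looks like a domain name, optionally prefixed by a scheme.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def normalize(host: str) -> str:
    """Lower-case and drop a leading 'www.' so www.example.com == example.com."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def real_host(href: str) -> str:
    return normalize(urlparse(href).hostname or "")


def shown_host(text: str):
    """Host the reader *sees* in the link text, or None if the text is plain words."""
    m = HOST_RE.search(text)
    return normalize(m.group(1)) if m else None


def mismatched_links(html: str):
    """Return [(shown_host, real_host, href)] for links whose text shows another host."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, shown = real_host(href), shown_host(text)
        if shown and real and shown != real:
            findings.append((shown, real, href))
    return findings


# Constructed sample message: one deceptive link, one plain-text link, one honest link.
SAMPLE_EMAIL = """
<p>Your invoice is ready:
<a href="http://login.examplebank.com.evil.test/inv">https://www.examplebank.com/invoices</a></p>
<p>Questions? <a href="https://support.examplebank.com/help">Contact support</a></p>
<p>Or visit <a href="https://www.examplebank.com/">examplebank.com</a></p>
"""

if __name__ == "__main__":
    for shown, real, href in mismatched_links(SAMPLE_EMAIL):
        print(f"MISMATCH: text shows {shown!r} but link goes to {real!r} ({href})")
```

Only the first link is reported: the text shows `examplebank.com` while the href resolves to `login.examplebank.com.evil.test`. The plain-words link (“Contact support”) is skipped because the reader is not being shown an address at all, and the third link is accepted because `www.` is normalized away before comparison.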
Sometimes systems are breached through “social engineering,” or fooling someone. If someone calls up at tax time and claims to be from the IRS and is looking for money the company owes, they might really be trying to get bank account information. Or if someone sends an email to the CEO and gets an out of office message, they might know there is an open window for fraud.
But even tricks like “tailgating” can be effective, said Farnum. That’s when a badge is needed to enter a building, and someone follows a person in without having a badge. “If you see someone in the hall and you don’t recognize them, walk up and ask if you can help them and find out where they are going,” Sista said. “Should they really be there?”
Their final piece of advice? “Everyone who runs a company is not unfamiliar with risk – don’t look at IT security any differently,” Farnum said.
Conklin agreed. “Cyber-security is just like every other risk in your business – have a professional organization built around that set of risks.”
And from Sista: “There’s an IT security shortage in terms of technical talent, so if you don’t have the talent in house, hire external talent.”
THE PEOPLE, PROCESS & TECHNOLOGY GUIDE TO CYBERSECURITY
1. Hire a Chief Information Security Officer (CISO)
   a. Use specialized recruiters
   b. Budget for good talent
   c. Look to boutique companies that offer CISO services if a full-time CISO is not in your salary budget
2. CISO should report directly to the CEO
   a. Executive-level power and influence gives the CISO more confidence
   b. Policies created at an executive level carry more weight and are more likely to be followed
3. Give the CISO adequate staff and budget
   a. CISO should determine staff needs and budget
   b. Staff can be hired, trained internally, or outsourced
   c. Total security budget is generally between 2%-10% of total IT spend, depending on industry and other factors
4. Create a plan for staff retention
   a. Trained security professionals are highly sought after
   b. Adequate salary is a must, but security professionals crave more training
   c. One note: if staff is outsourced, this is less of a problem
5. Create a security awareness program
   a. Staff within the company need to be trained in basic security measures; they do NOT need to be highly technical
   b. Staff should have some ownership in security by knowing what problems could arise if they are not diligent
6. Remember that security is a risk-based endeavor
   a. All business decisions are risk-based; security is no different
   b. Inventory your business assets and allocate resources based on where the most risk lies
   c. Don’t forget that risk is not solely based on raw amounts of money; public perception of your firm is also a consideration
7. Embed security into all processes
   a. Security must be included as one of the factors when making business decisions
   b. Read The Phoenix Project as a high-level guide on how to embed security and other factors into decision making
8. Familiarize yourself with security
   a. Just like any area of the business, the CEO should have more than a passing knowledge of security
   b. Let the CISO do his/her job, but be familiar with the security concepts and controls
   c. Find articles like: http://chiefexecutive.net/6-things-every-ceo-know-cybersecurity
   d. Get a bit deeper with: http://www.counciloncybersecurity.org/critical-controls/ and NIST
9. Have the CISO create and report on a security plan
   a. Develop a budget based on the plan (see budget info in 3c above)
   b. CISO should develop high-level goals and a timeline for achievement
   c. CISO should perform a substantive quarterly report on progress of the plan
   d. Caveat: security is a moving target and an ongoing process – bad guys refine their attacks, so organizations must adapt
10. Do not let compliance be the primary driver of security
   a. Compliance should be ONE driver
   b. Reaching compliance does not mean security has been attained
   c. A high security standard will meet most compliance standards; one-off compliance issues can be handled specifically
11. Tech decisions should come last
   a. Buying technology first will very likely result in wasted money
   b. Only buy technology first in very dire security circumstances
12. Technology should support your objectives
   a. All security technology is not the same; different objectives call for different tech
   b. Be sure that security staff is buying tech based on feature sets that support the objectives
13. Segment and patch critical systems
   a. Critical business assets should be defined in the CISO’s plan
   b. Putting a security wall around these systems can significantly increase your security posture
   c. Implement least privilege and whitelisting (access set to default deny) in these areas so only authorized traffic is allowed
   d. Make sure patching is a critical part of the CISO’s plan
14. Leverage open source and what you own
   a. Technology does not have to be wholly commercially developed
   b. Many strong security technologies are freely available; security personnel must know how to use and configure them
   c. Don’t forget that you may have viable technology assets in house already
   d. Security does not have to be a rip-and-replace endeavor
15. Dig into technology
   a. A CEO should have a high-level knowledge of security technology
   b. See the attached high-level Technology Selection document as a quick read about some of today’s tech
   c. Stay up-to-date with trends