Sunday, April 7, 2024

The Key Fundamental Cyber Question That Needs To Be Asked And Answered

 


Today’s blog is a little bit different than the others, and yes, that means no AI!!!!  This is an issue that I have addressed many times before, and even in one of the books that I wrote on Risk and Cybersecurity Insurance.  This is the topic of whether a CISO really understands what they get when they purchase a holistic, end-to-end Cyber-based solution.

What got me to this topic was an article that I had read this morning about a Cyber Executive who interviewed many people in the industry to see what kinds of trends exist in their buying patterns.  Here is what he found:

*Not planning the solution in its entirety.  In other words, failing to ask questions and evaluate the product and/or service to make sure that it addresses all of our needs.  CISOs very often look to cure the symptoms and not the actual cause.  Once they have found something that can do this, they immediately jump at it without thinking clearly about whether this is what they really need.

*CISOs are often taken in by all of the bells and whistles that come with an all-inclusive security package.  For example, if a dashboard looks sleek, that is the catalyst that decides if they will buy it or not.  Or now, the big thing is Generative AI.  If the package comes with it, buy it!

*CISOs very often don’t take a close look at the triaging process and the legitimate warnings and alerts that come through.  Very often, they leave this to their IT Security teams to filter through.  But IMHO, this is the wrong approach to take.  It is this very process that paints the entire picture of what exactly is going on in the IT and Network Infrastructure.  It’s like taking aspirin to stop chest discomfort without seeing the doctor to determine the underlying cause and to see if further action is needed.

*Another key area of weakness is that CISOs do not adopt and enforce a software patching process.  Instead, if they even do have a process in place, they often rely on automation, which may or may not work.

So, what does the author recommend as to how a CISO should make their purchasing decisions?  He starts off by saying that an organization first needs to have a comprehensive Security Program in place, which should answer these fundamental questions:

*Examining all current processes for your lines of defenses, and asking this question:  “Why are we using it?  Give me the reasons.”

*Your current strategies for fending off an imminent threat, and how to even deal with those that are lurking about your IT and Network Infrastructure, when you finally discover them.

*How quick is the response time?  This is where the key metrics of the “Mean Time To Detect” and the “Mean Time To Respond” become especially critical.

*What are the current methods for Incident Response, Disaster Recovery, and Business Continuity?  Are there even plans in place, and if so, how often have they been rehearsed?

*Who is part of the Incident Response team, and do they know what they need to do if they are called upon during the time of a security breach?

To help the CISO address all of the issues, and even more, he recommends following the Security Framework as outlined by NIST.  It can be downloaded at the link below:

https://www.darkreading.com/cybersecurity-operations/biggest-mistake-security-teams-make-when-buying-tools

He gives his own model for Cybersecurity, which is as follows:

“Program = Tool + People + Processes + Goals”

(SOURCE:  https://www.darkreading.com/cybersecurity-operations/biggest-mistake-security-teams-make-when-buying-tools)

In my writings, I have produced something similar, but without as many variables in it.  This is as follows:

Great Cyber:  People + Technology

In other words, to have truly effective lines of defense for your business, you cannot rely too much upon one side or the other.  You need both, as the model proposed by the author also suggests.

Towards the end of the article, the author also points out two key areas the CISO needs to address in crafting their plans.  They are as follows:

1) Involve everybody:

In Corporate America today, people still think that all issues that are related to technology fall onto the shoulders of the IT Department.  While the proverbial buck does stop here, it is important to remember that each and every employee has to pull their own weight for the collective good!!!  In other words, “Cyber Hygiene” is not just left to the IT Department.  Everybody has their role in this, to make sure, for example, that they recognize the signs of a Phishing Email and discard it, or that they create long and complex passwords with the help of a Password Manager.  It takes all of the employees to fill the cracks!!!

2) Conduct Risk Assessments:

This is one area that I have belabored heavily.  In order to lay out your Security Framework, you first need to identify all of the vulnerabilities that are present.  Simply put, this means inventorying all of your digital and physical assets, and ranking them on a numerical scale in terms of their degree of vulnerability.  Of course, those with the highest ranking should receive immediate attention, by either putting in new controls or upgrading the existing ones that are in place.  Also, by conducting this kind of Assessment, you will know where all of your security tools lie, and from there, you can then decide if you really need them or not.  This is called decreasing your Attack Surface, and will enforce the efficient use of the tools.  Remember, by having too many of them, you widen the gap for the Cyberattacker to penetrate.

My Thoughts On This:

To be honest, I agree with the author on these points.  As a CISO, if you are considering procuring a new solution, ask this basic question:  “Am I really addressing the underlying issue or just the symptom?”  By thinking along these lines, you and your IT Security team will go a lot further in staying ahead of the Cyberattacker.
