In the fast-evolving realm of cybersecurity, the role of a Chief Information Security Officer (CISO) is pivotal. Securing an organization goes well beyond the all-too-common approach of “we have a tool for that”. We’re all familiar with the People, Process, Technology (PPT) Framework, but often lose sight of just how directly it applies in the realm of cybersecurity. In this blog, I’ll lay out the core strategy for leveraging the PPT framework to deliver a measurably secure enterprise.
People
Create a Culture of Security
Yes, I know it’s cliché, but that doesn’t make it untrue. Empowering your people doesn’t just mean training them on how to spot a phishing attack. It means teaching them why it’s important that they do so. FUD can be a double-edged sword, but realistic information about how a breach could affect your business, turns security vigilance from a nebulous concept to a task with a purpose.
Security Education Doesn’t Happen in One Hour a Year
Annual security training is a good starting point, but it’s unrealistic to think that your staff will absorb, retain, and use the knowledge that’s been shared. Coupled with the rapid advances in AI-developed attack techniques, regular refreshes and updates should be conducted. Even 15 minutes, once per quarter can make a big ifference.
Trust but Verify
Hire a service to test your people. (I can hear the groans coming from some of you already). Remember, this is not about singling people out for their mistakes, it’s about education through practice and repetition. Send fake phishing attempts. Send text messages. Make phishing phone calls. Make them believable, using available public records. The key here is to reward success and encourage after failure. Make it a game. Every time an employee correctly spots an attack, they get a $10 gift card. It’s a small price to pay, given the alternative.
Listen
Last, and certainly not least, listen to your employees. Too often, CISOs are so ensconced in the security bubble that they lose site of the forest for the trees. As Mike Tyson once said, “Everybody has a plan until they get punched in the mouth.” Likewise, every CISO has a plan until it meets the reality of the business. Learn from people who are struggling to do their jobs because of your comprehensive zero-trust initiative. Trust me, they will find a way to work around your controls, and that kinda defeats the purpose, no?
Process
Follow a Framework (or Frameworks)
This one is kind of a no brainer, but I’m shocked how many CISOs I talk to that pay scant attention to any structured framework. To many, it seems too daunting of a project to undertake, especially with an understaffed security team and a limited budget. But I encourage people to look at the frameworks as nothing more than a way of organizing their team’s efforts to address their risks in order of priority, with the added benefit of being able to measurably track improvements over time. And remember, checking a box next to all 20 CIS Critical Controls doesn’t get you a gold star. Addressing the five that are most critical to your business is far better than addressing none of them because it’s too much to take on.
Assess & Prioritize Risk (ALL Your Risk)
Risk assessment is a key part of every CISOs strategy, but unfortunately, many take too narrow a view. Yes, cyber risk is a critical part of your organizational risk, but it’s not the only part. Step outside of the SOC and assess the risk of the business as a whole. What is my third-party risk from trusted vendors? What is my supply chain risk? Is my data on the dark web? Financial risk? Legal? Brand and reputation? It’s amazing how much you can learn about the image your company is presenting by spending a few minutes looking at Glass Door reviews.
Develop and Test Your IR Plan
Understand up front that you will be breached. But how you react when it happens is the key to a successful IR strategy. Develop a comprehensive incident response plan outlining procedures to follow in case of a security breach. Define roles and responsibilities within the response team, establish communication protocols, and conduct regular drills to ensure readiness in handling security incidents effectively. Keep in mind that a breach response might go far beyond reimaging a compromised computer and resetting some passwords. It might include a full disaster recovery from a ransomware attack, media messaging related to stolen customer data, and more.
Learn from your Mistakes
This applies at both the individual and organizational levels.
- Non-Security Personnel: This might mean reviewing the successful phishing email that snagged a couple of employees on the next all-hands call. (And no, no names will be mentioned).
- Security Personnel: They can learn from the post-mortem of an event where they could have improved. Maybe a SOC analyst dismissed a legitimate alert which allowed an attack to progress. Or the IR team only partially cleared the breach and additional malicious activity was later found.
- Organizational: This involves objectively measuring your progress against the framework (or pieces thereof) which the organization is following. Course corrections will always be necessary. Make them based on hard data.
Do the Math
Lastly, objectively assess your security operations. How well is my team performing? Are they understaffed? Undertrained? Use metrics like MTTD and MTTR to gauge your team’s performance and ability to successfully handle complex attacks. But also assess your spending. Annually assess your security tooling. Are the tools providing the value they promised? Are they redundant? What is their signal-to-ratio? And what about the hidden costs? How much time does my staff spend on care and feeding? What is my cost to host the infrastructure (especially if it is running in the cloud)?
Technology
Find Your Gaps
Back to the clichés again but you can’t protect what you can’t see. And in the world of multi-hybrid-cloud environments, comprehensive visibility is even harder to achieve. But it can be done, with the right tools and some persistence. Enterprise visibility is not an end in itself; it’s the foundational information required to conduct a proper gap analysis of your security controls. Your EDR dashboard is a great resource for telling you which machines it’s protecting. But it doesn’t tell you about all of the hosts that were missed during the rollout and are completely unprotected (and are very exploitable).
Objectively Assess Your Tooling
I’ve yet to meet a CISO who’s team has so much free time that they can devote many hours to regularly auditing how well their tools are working. But it needs to be done anyway. Network configurations change, patches break things, and sometimes the tool itself just doesn’t deliver on what it promised. Your team is only as good as their data and if the tools are wasting their time with a lot of noise, or worse, missing real security events, something needs to change. If a POC was conducted before purchase (and it almost always should be), then there should be a set of success criteria that were used to evaluate each tool. At a minimum, check these again. Or better, modify or add new criteria to reflect what has been learned since that purchase.
Have a Migration Strategy
In today’s security world, SecOps teams are dependent on rapid access to large volumes of information. SIEM has become the de facto standard for meeting this requirement. But all SIEMs are not created equal and a better solution is always around the corner. Anyone who’s ever deployed a SIEM knows the pain of connecting dozens of different data sources, all using different formats, from cloud, data center and on-prem, into a single platform (and even better, make it useful when it gets there!). SIEM vendors know the dirty little secret that if their platform, once deployed, provides a bare minimum of functionality, customers are willing to live with it, rather than go through a painful migration to a new platform. Consider using a simple log collector or a cloud bucket as the destination for all of your logs, with a single forwarder to the SIEM. Not only can you migrate at the drop of a hat, but you can also POC other products with very little effort. Some solutions even let you parse and modify the packets it receives, in case the preferred new tool needs a different format. And whenever possible, stay away from tools that require significant expertise to operate. Just like the inertia to change platforms, the inertia (or outright opposition) to retraining your staff can be just as powerful in keeping you from making a necessary change.
Embrace AI
The roaring (20)20’s are the decade of AI. And for good reason. Deep Learning and Big Data have given rise to incredibly powerful analytical models that can parse out and correlate vast quantities of data in near real-time. The best models for security operations teams use “Weak AI” models that have been developed specifically to understand what a security incident looks like, and continuously monitor events, looking for this evidence. Not only have these models proven incredibly effective, they also address the shortcomings of human operators and work exponentially faster than a human could.
Conclusion
The role of a CISO in fortifying an organization’s security posture is challenging, at the best of times. But by remembering the three variables that can be controlled (People, Process and Technology), it is not only achievable, but also rewarding. Cybersecurity is an ongoing journey requiring adaptability and constant improvement. By leveraging the proven “PPT” model, you can proactively mitigate risks, strengthen defenses, and safeguard your organization’s assets and reputation in an increasingly interconnected digital world.
