Conversations in Risk-Based Security

Those Who’ve Been Hacked and Those Who Don’t Know it Yet

Posted by Joseph Wilson on Apr 10, 2018 11:23:49 AM
Bruce Brown (3)

When you were educated, prior to moving into the professional workforce, what sort of training did you get on cyber security?

Zero, other than password management! When I started in the IT space, Cyber Security wasn’t even a known term. If you said those words together, you would get puzzled looks. Less than two decades ago our biggest concern was getting ready for Y2K. However, continually learning has always been part of being a technologist. Learning to focus on security has certainly been a learned behavior. Almost every professional consultancy has developed a security practice and they have been a tremendous resource for security expertise and learning. In fact, now we obsess about protecting our critical information assets.

Back then most IT people had never heard of Romania, Ukraine, or Belarus. They certainly never considered nation states like China, North Korea or Russia as a threat to their business. Today information security people can tell you when hackers in those places are on a lunch break.

How does that massive growth in threats impact the Information Security professional today?

You must think differently. The perimeter is certainly critical, but as the Trojans found out, the enemy is not just at the gates; they can already be inside. Research shows the average time between a successful hack and the hack being detected is over six months. Thus, it is critical to have thought out, tested, and exercised your security plan to protect your perimeter and your critical assets, even when the perimeter has been breached.

That said, is there a most important information security question to ask?

I’d suggest, “What is your approach to security from the standpoint of Diligence, Responsibility, and Partners?” I’d follow up their answer with a deeper dive into their response.

For Diligence

  • How do you assign resources?
  • To what do you pay constant attention?
  • Do you constantly produce analytics?
  • Spot the non-obvious, the anomalous.
  • Check the network, operations and your critical data.
  • Every network element, application, database, and physical asset requires security capabilities to be built in. Hackers too often find a way into businesses through what others perceived as low priority from a protection standpoint.

About Responsibility

  • You can delegate your work, but not your responsibility. You must decide who is responsible for security in your operation. You will be one of those responsible.
  • Every impactful leader must be identified, by group and by person.
  • Ask yourself, do they have the experience or knowledge to understand best security as well as efficiency practices?
  • A detailed knowledge of the business and its critical information is key to determining your real vulnerabilities.
  • You are responsible for the security of new/updated apps. Where does information flow in, out, and through your systems?

About Partners

  • Both internal and external partnering should be discussed.
  • Senior management’s involvement in security.
  • What is your assessment of your internal resources security capabilities and training status?
  • Do you need or already have in place external security expertise?

For too long, the measure of success has been making systems and business processes simpler and faster for the customer or employee. But those improvements can weaken security. No one appreciates “efficiency” more than hackers. Often it translates into them being able to steal from you more easily and more quickly.

Right. So, what should you do about it?

Ask yourself and your team: have you made it harder to hack and easier for you to tell if anything has changed? Most likely not! Many businesses have made apps and processes so automatic that no one believes they need to watch over them anymore.

Your third byword was partners; how do they fit in?

Remember, you can delegate work but you can never delegate responsibility. Ultimately, you’re not looking for someone to point fingers at after a breach. What you really need is a true “partner”, in the best sense of the word. Companies now understand the importance of having a C-Level constantly focused on security and many have positioned a Chief Security Officer (CSO) inside their leadership team. As a CTO or CIO, your working relationship with the CSO is your best and most critical opportunity to partner.

When reaching outside for expertise, choose your partners carefully. Constantly review how well they are actually keeping your information secure. Don’t just rely on their due diligence questionnaire responses. Test them, phish them, make sure that you can prove they are always up to par. If your outside partner resists your monitoring of their work, replace them. It is not about you or them, it is about protecting your customers and the livelihood of everyone dependent on your business’s success.

As the information and technology leader, your organization holds in its hands the assets that are most valuable to the success of your business and that are most prized by hackers. You must evolve your organization’s culture to value security as a critical asset. Every member of your team must think through what really needs to be protected in their area. Don’t create roadblocks to efficiency, but lean very strongly toward security to overcome decades of training which taught that faster is always better.

Does that mean security always translates into slower, more expensive, and more complicated processes?

No. Instead it means that investment in security is required. Perhaps not more money, but a change in the way software engineers are asked to build systems. They must be required to make systems smarter.

Today’s systems must be self-aware. I’m not talking about artificial intelligence. We need systems to monitor themselves, constantly looking for anomalies in the workflow, where transactions are entering, and if expected limits are being surpassed.

There are an endless number of ways for an application to monitor itself. The developer, in concert with the business process experts, can design and regularly re-design sanity checks hackers won’t expect. You can improve security and keep efficiency, but you must do serious work up front and continuously monitor your environment and all of its assets.

Please expand on what delegation of responsibility means to security leaders today.

Everyone who touches operations, data or any other assets is responsible for security. But the buck stops with senior management. Leaders must change the way they direct their employees to think about security, starting with how they are assessed, paid, and otherwise recognized.

Software Engineers write code to efficiently execute transactions. They have been reviewed, graded, and often promoted for how quickly they’ve been able to deliver new functionality and applications. Yes, the business and customers deserve new faster functionality, but security enhancements must be required as part of every step forward. Security features have to be advanced hand-in-hand with every new piece of functionality.

Database administrators have extremely powerful tools and present completely different opportunities for detecting anomalies. In this world of cybercrime and hackers, programmers and database administrators must become security partners and constantly be watching over each other’s shoulders.

Remember, process efficiency can be dangerously insecure. Build a balance between security and efficiency. Assume that every step shorter and every millisecond faster that transactions process represents less time for you to detect a hack. Since customers and competitive pressures will continue to demand faster processing, technology leaders must insist that business processes and systems include smarter monitoring.

Remember in information security it’s not three strikes and you’re out. Sometimes one strike is all you get. Just ask Equifax.

How can you change the culture?

  • You must find those on your team that “get it”. Use them as examples, teachers, and evangelists.
  • Ensure everyone knows what you expect in making smarter systems.
  • Focus on their training, written goals, teamwork and measures of success.
  • Motivate and grab the attention of your people by bonusing not only efficiency, but security.
  • Examine your own goals and personal security culture. If you don’t get it right nobody else will.
  • Be introspective enough to see your own weaknesses. That’s a tough one!
  • For that you will need some outside help. You can:
      • Get help from security consultancies.
      • Work with your peer group to test how well you’re doing. Make sure nobody pulls any punches and everyone is totally honest and focused on the goal of making everyone secure.
  • You must take the time with your team to listen to their ideas and help them create smart, secure systems they can be proud of every day.
  • Make catching hackers the goal of every employee; post bounties, recognize the trappers.
  • Enlist other leaders in the business. Communicate with them in terms of the health of the business, to understand how their decisions affect the security of their critical assets.
  • Translate the need for greater security into dollars and protecting customers.

Any final thoughts, Bruce?

It doesn’t matter which category your company fits into. Every technology leader knows that hackers constantly get smarter and more determined daily. No systems are perfect; we must choose to dedicate the needed resources to outsmart them every day.

What I have said is not a comprehensive best practice for information security. Hopefully it helps address a problem you know all too well. As they say,

“There are only two kinds of businesses: those who’ve been hacked and those who don’t know it yet.”

Thank you to Bruce Brown and Lynx’s Joe Wilson, Director of Sales Southeast for sharing this conversation.