Forbes.com interviews leaders on “10 Ways to Fix Cybersecurity”. It’s useless — in fact (as I’ll demonstrate below) worse than useless.
The problem is that these leaders aren’t experts, they are fluff. Their technical competence extends only as far as knowing who to call in IT to turn on their computer. You wouldn’t ask them how to fix cybersecurity anymore than you’d ask basketball fans, or even owners, how to fix the team. Instead, you ask the experts, like coaches. Steve Ballmer was the CEO of Microsoft for the last decade, but you wouldn’t ask him how to fix cybersecurity any more than you’d ask him to coach the LA Clippers.
The corporate executives in this list do as media training taught them: bridge whatever question is asked to the answer you want to give.
Errata Security: PR will be first up against the wall when the revolution comes.
There is more at the link….
I have to agree with the sentiment. I have 10 things I would do to fix cybersecurity.
1) Work on increasing the work factor of attacking an organization so that breaking in isn’t easier than securing the infrastructure. How? Increase layered defenses, look at breadth and systemic injects (like whole of enterprise modeling), utilize hardened information assets (an iPad isn’t perfect but it is much better than a PC). Continue to refine understanding of BYOD, and other breadth creating risks. This is NOT the pithy analogy of the car with the alarm in it. What happens when everybody has car alarms? The bad guys bypass them. This is the old school Batmobile with armor slamming closed doors and windows, and an entire shuttered exterior active defense alarm. If somebody messes with the Batmobile it isn’t some poorly trained cop coming to check out the bad guys, it is freaking Batman.
2) Focus on defense. I know “hack all the things” is so freaking cool. Breaking stuff is easy in comparison to fixing stuff. Focus on automation and agile defense strategies. How? Automate common responses and put the decision to automate in the responders’ hands. If you know your network you can shuffle network address space as needed to confuse attackers (I know that I just broke all your stuff, but nobody said this was easy). There are top ten lists, top 25 lists, and the highest-classified vulnerabilities are in the OSVDB and CVE. You should know which software and information assets are subject to each one of those and have a name next to which executive said they were worth the risk.
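One way to keep that “which assets are subject to which entry, and who signed for the risk” record, as an added example that is not part of the original post. The asset names, versions, vulnerability ids and the acceptances are all constructed placeholders; the exposure rule is a simple “installed version below the fixed version” comparison.

```python
"""Exposure register: which assets are subject to which vulnerability entries,
and which executive accepted the residual risk. Added example, not from the
original post; every asset, version, id and acceptance below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    software: str
    version: tuple  # e.g. (2, 4, 1); compared element-wise as a tuple


@dataclass(frozen=True)
class VulnEntry:
    vuln_id: str      # constructed placeholder, not a real CVE/OSVDB id
    software: str
    fixed_in: tuple   # versions strictly below this are affected


# Constructed inventory and vulnerability feed.
ASSETS = [
    Asset("pos-terminal-01", "posd", (2, 3, 0)),
    Asset("pos-terminal-02", "posd", (2, 5, 0)),
    Asset("web-01", "httpd", (1, 8, 2)),
    Asset("build-01", "httpd", (1, 9, 0)),
]
VULNS = [
    VulnEntry("VULN-0001", "posd", (2, 4, 0)),
    VulnEntry("VULN-0002", "httpd", (1, 9, 0)),
]
# Risk acceptances: (asset name, vuln id) -> executive who signed off.
ACCEPTED = {("pos-terminal-01", "VULN-0001"): "CFO"}


def exposures(assets=ASSETS, vulns=VULNS, accepted=ACCEPTED):
    """Return (asset, vuln_id, acceptor or None) for every affected asset."""
    out = []
    for a in assets:
        for v in vulns:
            if a.software == v.software and a.version < v.fixed_in:
                out.append((a.name, v.vuln_id, accepted.get((a.name, v.vuln_id))))
    return out


def unaccepted(assets=ASSETS, vulns=VULNS, accepted=ACCEPTED):
    """Exposures nobody has signed for: each needs either a fix or a name."""
    return [(n, v) for n, v, who in exposures(assets, vulns, accepted) if who is None]


if __name__ == "__main__":
    for name, vid, who in exposures():
        print(f"{name:16} {vid:10} {who or 'UNACCEPTED'}")
```

The `unaccepted` list is the one to put in front of management: every entry on it is a risk that is currently being carried without anyone having agreed to carry it.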
4) Stop spending stupid money on security. How? Lots of companies sell IDS/IPS software but almost no company or entity within a company uses all the features of any suite of tools. I see lots of companies use a feature in one software package but buy another entire software package for a feature that is now duplicated. This causes tool fatigue and actually decreases security: as the footprint of security tools increases, so do the vulnerabilities and management tasks. I am not arguing for stove pipes but it is crazy, silly, stupid, to think you can be an expert at all the tools. If you are an expert at all the tools you are either an academic with no practical experience or you haven’t been securing the enterprise you are getting paid to secure.
5) It is about risk management so quit bitching about breaches. They are going to happen. Even to good and pure security implementations. Most of the technical folks can likely look at the enterprise architecture and tell you the path bad guys will get in. How? Assign risk categories and publish them to the highest management layers of the company. For larger companies publish internally a risk profile that includes risk assets and risk actors within the organization. Tell the bosses “THAT” guy represents the #1 threat actor. To your surprise it is likely an administrator or security guru. Risk does not denote lack of value, it does not say they are “bad”, and it is not necessarily technical. Discuss the attack path and use whatever silly analogy you need to get corporate bosses to understand. Explain equally why if you close down certain paths the radical impact it will have on business. Cut off your point of sale software as a risk vector? I don’t think so. Do you even manage your point of sale software? Likely not. A good technical team will know that is a risk (they most assuredly do) and they will segment or otherwise protect against that asset class in their security configuration. Now repeat for all the other issues in the network.
6) Structure the company so it reflects a risk aware organization rather than a technocracy. How? Chances are you are not in government. You are in a company and it is the job of that company to make profit. The bosses likely know to make X dollars they have to invest Y capital. Suddenly you come along and tell them their strategic automation plan and information asset infrastructure has Z risk. You need to be able to tell them how Z impacts X and how much of Y you need to mitigate Z. Sounds simple. You can’t speak technese; you have to speak business. Don’t like it? Won’t do it? Think talking to the pointy haired boss who doesn’t speak TCP/IP is stupid? You are likely the #1 threat actor.
7) Legacy, new shiny, solidly dependable, and trusty are not security classifications. Secure based on the threat profile of the systems, not on their emotional baggage. How? Nobody ever got fired for implementing Microsoft. It is a long and old adage. Information Technology management and information security practices are rife with a set of myths and social cult values. Break them down. Attack them. If it is said to you as a pithy quote look the person straight in the eye and say, “I secure my enterprise on evidence, and not some fantasy or myth.” You can’t talk threat profiles until you have evidence of the characteristics of the environment. If you are spending money on “threat intelligence” and don’t have a good network map you are an idiot. Following fashion trends instead of best practices is easy but stupid. If you are focusing on incident response (my specialty by the way) instead of focusing on keeping incident response out of a job you are stupid. If your incident response doesn’t feed directly into your evidence of success and failure metrics you are stupid.
8) Defense through maturity and maintainability. If the technocrats ruled the world we would be living on the bleeding edge of Moore’s law and replacing the critical information assets every few months. The other side of this is the poor federal government that still has machines running on Windows 2000 and Windows 98. How? Unlike your home entertainment system the information enterprise should be managed like an orchestra. Every asset is interacting with every other asset. Every time you add another asset to the orchestra the first question isn’t what it will add but how it will interact with the already existing assets. If you add a tuba and can’t hear the piccolo the addition is not helping. Even if it is the best damn tuba on the planet. The second part of this equation is always forgotten. If you add an information protection asset into the enterprise the second question before implementation is what will you remove. This is old school. Back in the day we would always swap agents out on computers. We never layered them unless it was required. We talked about processor overhead. Go old school. Be relevant. Think ahead rather than behind.
9) Structure matters. Technology is all over the organization. You don’t have the truck driver reporting to the industrial automation engineer because he has a cruise control in his truck. Unfortunately you might have the mechanic reporting to information technology because the GPS system ties into your enterprise. Structure the company based on the corporate governance model and stop trying to foist an information governance model on top of the business. How? Look at the asset owners and the threat profiles to those asset owners. Organizations are often modeled as business entities by one group, and then over on the information asset side of the house they are modeled as information entities. Quit doing that. It is a business and information governance should follow the asset owner and user paradigm. This is a key enabler to the information technology department’s ability to tie needs to costs. By the way, information technology reports to the CIO. Information security reports to the CFO. Digital forensics reports to corporate counsel. You work your way up from “it works”, to “oh shit”, and end up with “I take the fifth”.
10) It depends. I am not the smartest, coolest, neatest, best looking, or most professional consultant on the planet. I like doing fun things and I get bored easily. If I have learned one thing in my many decades it is that hard and fast rules are for amateurs. I only have anecdotal evidence and I am willing to admit that. Those bound by rules are bound to be crushed by those rules. As an attacker I will use your own rules against you. You need to be flexible in thought and action. How? Don’t be a slave to fashion. Don’t be a slave to security technical implementation guides. Do more than the minimum and tie it into understanding your domain. Every company is different and every organization within a company is different. Monoculture is the enemy of security and simply taking care of the top 10, 25, or 100 issues just changes or flips you over to a set of new issues. Securing and mitigating security issues of an enterprise is a job that requires adaptation and flexible thinking. It is not for the concrete thinker. It is not about age, skills, or capability. It is about willingness to poke, prod, and evaluate. If somebody asks you for “THE” answer they simply don’t understand there is no “TRUTH” just process.