Four Security Imperatives to Help CISOs Stay a Step Ahead

51% of cybersecurity professionals say their organizations are at moderate to extreme risk due to staff shortages.

Could the CISO’s job description possibly get any broader? Even before the global pandemic disrupted the workplace, CISOs and their security teams were already being asked to protect systems and data across cloud and mobile environments, managing risk for the workforce as well as with partners, vendors, and increasingly digitalized supply chains.
Security leaders must do all this without taking their eye off what Microsoft CISO Bret Arsenault calls “the pedestrian, but still most important, part of the job.” These are the basic security hygiene tasks — patch management, identity and device management, threat detection, and incident response — that take up the bulk of a security analyst’s day. As organizations adapt to the broad remote-work policies that fell into place swiftly as the global health crisis took hold, “routine” operations management has become anything but routine.
CISOs were already doing much of this heavy lifting with fewer resources, thanks to an ongoing cybersecurity skills shortage. As of mid-2019, the global workforce had an estimated 4 million unfilled IT security positions, with 51% of cybersecurity professionals saying their organizations were at moderate to extreme risk due to staff shortages.
As cyber attacks increase in volume and variety, an amplified threat landscape requires a more proactive and predictive approach to anticipate and guard against unknown and increasingly sophisticated threats. Continuous shifts (and shocks) to the security landscape require CISOs to be in constant learning mode — reflecting on what’s working and what’s not and fine-tuning their strategies and tactics.
We interviewed five security leaders to hear their perspectives on the current and future state of cybersecurity. What emerged were four imperatives to help CISOs stay a step ahead in increasingly uncertain times.
Our Panel of Security Experts
Bret Arsenault, Microsoft
As the CISO for Microsoft Corp., Bret Arsenault leads a global team of security professionals with a strategic focus on information protection, assessment, awareness, governance, and enterprise business continuity. In addition to his CISO responsibilities, Arsenault serves as Chairman of Microsoft’s Information Risk Management Council and as an outside cyber risk advisor to executives and boards at numerous Fortune 100 companies.
Bob Bragdon, CSO
As Founding Publisher of the CSO media brand, Bob Bragdon leads all operations for the full CSO product line. He works closely with chief security officers, law enforcement, and security vendors, providing thought leadership to identify, interpret, and address today’s challenges of complex security and risk management environments.
Chase Cunningham, Forrester
Dr. Chase Cunningham, Principal Analyst at Forrester, guides client initiatives related to security operations center (SOC) planning and optimization, counter-threat operations, encryption, network security, and Zero Trust concepts and implementation. He is a retired U.S. Navy chief with more than 19 years’ experience in cyberforensic and cyberanalytic operations.
Chris Dimitriadis, INTRALOT
Chris Dimitriadis is Group CEO and Executive Member of the Board of Directors of INTRALOT Group, supervising the strategic direction of the company. He also built INTRALOT’s Enterprise Risk Management, innovation, cybersecurity, privacy, technology transformation, and intellectual property protection frameworks.
Scott Foote, Phenomenati
Scott Foote is a senior executive and entrepreneur, with more than 30 years of experience in the technology industry, from Fortune 500 companies to startups. Scott is CISO and managing director of Phenomenati, which provides virtual CISO services, including tactical and strategic consulting.
1. Treat security as a team sport
Enterprise-wide initiatives require enterprise-wide efforts, with consideration for and participation from all areas. Enterprise security is no different, requiring alignment between security and other business and functional teams, and proactively involving all employees to help protect data, reduce risk, and achieve business goals.
This “team sport” aspect of security is easier said than done in organizations that may still view it as a separate department. Some business leaders may even perceive security as the “department of no” whose risk-based agenda is perceived as blocking business objectives or the implementation of new technology initiatives.
“There is certainly still a disconnect, because in many organizations, we still see silos,” says Chris Dimitriadis, Group CEO of INTRALOT Group and previous board chair of ISACA. “This is not just between security and IT, but between security and the other departments as well.”
If security and technology teams don’t work well together, there’s a tendency to point fingers when something goes wrong, says Bob Bragdon, SVP and Publisher of CSO. That limits the effectiveness of both groups.
An even broader obstacle extends across the entire workforce. Despite an emphasis on awareness training, employees continue to take unintentional security risks, falling for deceptive tactics or simply not following established practices for protecting the information and devices they use daily. It’s a constant source of frustration, says Bragdon. “It’s not just phishing emails,” he says. “It’s also, what’s your staff doing with their laptops? Are they leaving them on the back seat of their car?”
Smarter team-based security in 2020
Here are three ways to improve your organization’s security mindset and culture:
1. Less “nerd speak,” more business context.
2. Align with IT across all aspects of the technology stack.
3. Balance security and productivity to enable the business.
2. Use AI and automation to tackle complexity — and the skills gap
Automation and intelligence solutions have already proven to be valuable tools, improving IT productivity by up to 23%. These technologies are also playing an important role in ensuring robust security, while helping to fill the ongoing security talent gap by automating repetitive functions and processing high volumes of data.
“Automation can take the load off of a security team in areas where you have higher numbers of burnout among staff because they’re staring at a pane of glass 24/7,” explains Bragdon. “That’s a short path to losing employees.”
In this regard, AI and intelligent automation play critical roles in enabling staff to focus on higher-value activities. “Leveraging AI-based approaches frees up the human capital to do the work that you need,” says Cunningham. “You don’t need 1,000 ditch diggers. You need one really good ditch digger with a really powerful bulldozer. That’s what AI will do for you.”
AI and automation technologies can be put to work immediately for threat detection and protection, where triage for attack vectors presents a significant challenge. “The only way for us to do this effectively was to build technology that gives us a much better capacity to detect risky scenarios across a diverse set of signals,” says Arsenault.
Microsoft has turned the trillions of cloud-scale telemetry signals it gathers daily from its services, solutions, and partners into the Microsoft Intelligent Security Graph, which serves as a foundation for big data analysis, machine learning models, and other AI technology to power real-time threat detection, protection, and response in Microsoft products and services. These capabilities benefit Microsoft’s own security operations as well as those of its customers and partners, as learnings are shared across the Microsoft ecosystem.
Another area that benefits from automation is incident response. For example, Microsoft’s security team automated early-stage incident handling and cut mean-time-to-resolve rates in half — even as incident volume has doubled year over year.
“We’ve freed up Tier 1 SOC analysts so that those people can do more interesting Tier 2 and Tier 3 work,” Arsenault says.
Then there’s event management and real-time analysis of data, a historically time-consuming, painstaking task. “For many years, we have had security event management systems in place that collect logs from several different parts of an ecosystem and then try to correlate them,” says Dimitriadis. “With the evolution of AI, we will be able to correlate huge amounts of information more effectively and much faster.”
“We now have this massively diverse set of data that you can correlate and gain insights from that just wasn’t possible even five years ago,” says Arsenault.
Integration is a critical consideration
As with all security tools, security teams should deploy automation and machine learning capabilities with integration in mind. It’s critical to break down isolated pockets of information to get a complete picture of the threat landscape. Automation can help to corral large volumes of information from different sources, but CISOs should also explore ways to trim down the number of one-off security tools to reduce complexity, eliminate redundancy, and improve efficiency.
“The value play becomes how well can you integrate [different tools] across silos,” Arsenault says. “You shouldn’t spend all of your time trying to get systems alignment on simple things like dates, formats, structures, and metadata. Ten years ago, this would have been more difficult, but thanks to the maturity of products today and consolidation in the market, it’s easier to leverage fewer suppliers.”
At Microsoft, Arsenault’s team has halved the number of solutions it uses, deleting some simply because they were no longer functional, and consolidating others where capabilities overlapped. Benefits of this approach include accretive value of telemetry signals, greater accountability and visibility, and improved allocation of resources.
“The more you can leverage fewer suppliers, the more efficient you will become,” he says. “Now I get best of integration as opposed to just best of breed. Also, it’s not a statement of efficiency in terms of value for dollar. It’s the fact that my most constrained resource is people, so now I can do more with less.”
Smarter security technology utilization in 2020
Security leaders offer critical advice for successful AI/automation adoption:
1. Don’t set it and forget it.
2. Augment AI with human intelligence.
3. Update your risk profile to account for broader attack surfaces
As IT infrastructure complexity increases, the attack surface continues to grow. The Internet of Things (IoT) is connecting new endpoints and other devices across organizations, including devices that were never designed to connect to the Internet and therefore have no inherent security controls. These devices create new points of entry for bad actors. In addition, as digital transformation efforts remake traditional supply chains, due diligence of partners, vendors, and solutions must expand to include associated security controls and risks.
“We can’t just rely on trusting all parts of the supply chain [equally],” says Dimitriadis. “History and incidents that we read about every day demonstrate that it’s always about the weakest link of the supply chain, which can create a very big problem.”
In addition to new threat vectors, bad actors continue to innovate on traditional attack methods. For example, AI-fueled digital disinformation — in which audio or video is manipulated to deceive consumers — is making its way into business. The most notable example came in 2019 when fraudsters used an AI voice generator to convince the CEO of a German company to transfer more than $240,000 into a fake account. As a whole, costs associated with deep-fake attacks will exceed $250 million in 2020.
The latter is especially worrisome for Cunningham: “The one thing that keeps me up at night right now is what’s going on around social media disinformation and deep fake technologies. It’s a problem we don’t have a handle on. It’s so far outside the bounds of our control and ability to respond.”
Smarter risk-based security in 2020
As the threat landscape evolves and expands, CISOs and leadership teams should adopt a more strategic approach to assessing and mitigating risk as it relates to the business. Foote recommends a four-step process:
1. Conduct a business impact analysis
2. Develop a risk assessment
3. Create a risk-level agreement
4. Commit to board-level communication
Arsenault stresses the need to be concise with the board and not go too far down into mundane technical issues. Speaking in Microsoft’s CISO Spotlight Series, he recommends answering three questions during presentations to the board:
Do we have the right people working on security?
Can we demonstrate that we have a good governance process in place?
What are we doing to ensure we have a culture of cybersecurity across everyone’s role?
4. Begin (or continue) a Zero Trust journey
As CISOs grapple with ways to address the challenges around broader attack surfaces and rapidly evolving threats, a new security model is gaining traction. Zero Trust has emerged as a better alternative to traditional perimeter-based defenses, which CISOs acknowledge are no longer sufficient to protect the enterprise.
A Zero Trust security model more effectively adapts to the complexities of modern environments, with an emphasis on three principles:
Verify explicitly: always authenticate and authorize.
Use least-privileged access: limit user access with just-in-time and just-enough-access.
Assume breach: minimize breach radius by segmenting access by network, user, devices, and app awareness.
A key to Zero Trust deployment is understanding that it’s a journey, best implemented in stages and then continuously managed for improvements.
“People still have this idea that they can buy a Zero Trust technology, hit the Zero Trust button, and all of a sudden, things will morph into a Zero Trust end state,” says Cunningham. “That’s just not how it works.”
If you’ve yet to begin the journey, a Zero Trust readiness assessment is a good starting point. Microsoft’s Zero Trust maturity model will let you assess your current environment across identities, devices, applications, data, infrastructure, and networks.
Cunningham recommends an initial focus on identity and access management, followed by device management. Next-level identity and access management includes functionality such as multi-factor authentication (MFA) and single sign-on.
“If you take care of that, and make sure the device is healthy, you’re eliminating the largest threat you have, which is users being the avenue of exploitation,” he says. “Look for those simple fixes that make the biggest impact.”
As you move into advanced Zero Trust capabilities, it may be time to move your security foundation to the cloud, which provides the most dynamic environment for things like network micro-segmentation. “The cloud is where you will wind up living in some way, shape, or form, so why not leverage the capabilities there to build that Zero Trust infrastructure?” Cunningham explains. “Don’t try and throw a Porsche engine into your Peugeot and think you have a Porsche.”
A smarter path toward Zero Trust security in 2020
Our experts offer a few additional tips for your Zero Trust journey.
1. Keep it simple
2. Sequence your activities
3. Measure and adapt on the fly
The bottom line
Our experts have shown that there are many paths to smarter security in the year ahead. Each can serve as important components of a broader security strategy.
“We need to continue to push the idea that security and risk is not owned by the ‘Security and Risk Department’ but by the business,” says Arsenault. “And that involves enabling the business to make their own best decisions around security that are consistent with all the values and policies we have in place.”
The onus will continue to fall on CISOs to put the foundational pieces in place to help their business move faster, with whatever their acceptable level of risk may be.
“Business has to go fast,” says Cunningham. “It has to be dynamic. We need to think about how we can enable the business, and then do everything we can to push that forward.”
Visit Microsoft’s hub of information and solutions for smarter security in 2020 and beyond:
https://www.microsoft.com/security/business
Less “nerd speak,” more business context
CISOs who have earned a seat at the table with senior leadership, including the board, have learned to speak the language of the business. “They’re talking about how security enables business and they’re doing it with a focus on strategy,” says Chase Cunningham, Principal Analyst at Forrester. “Don’t bring security into the equation. Talk to them about sales — you put a strategy in place and then you execute, and you have milestones along the way. And then you explain that security is the exact same thing: You’re securing the enterprise so you can gain more customers and grow the business. If you can apply your contextual twist on the narrative that way, they get it.”
Align with IT across all aspects of the technology stack
Security and IT must be “completely attached at the hip,” says Bragdon. That requires the early involvement of security in new technology initiatives. “We have an old analogy in security that says it’s cheaper to build it in up front than it is to paint it on after the fact,” says Bragdon. “Make sure you’re engaging with your IT and business leaders to understand how they’re using technology and how they plan to use it in the future, so that you can build security into any initiative from the beginning.”
Balance security and productivity to enable the business
Some tension between business, IT, and security teams can actually be a good thing, because it forces compromise that leads to better balance. “Embrace the conflict and manage it in a constructive, professional way,” says Scott Foote, Managing Director and CISO at Phenomenati. “Teach people that we’re not looking for an absolute win in either direction. What we’re looking for are balanced decisions between cost benefit and risk.” Adds Cunningham: “The sweet spot is around continuity and not interrupting operations. It’s best when we are the enablers, not the detractors.”
Don’t set it and forget it
“Automation is one of these things that has to be massaged,” says Bragdon. “You need to have people who are watching it; who are looking at the product of the automation and understanding how it actually fits into your overall strategy to manage risk in the business.” Adds Dimitriadis: “You still need the right skills in order to configure AI and in order to guide AI into serving the business goals.”
Augment AI with human intelligence
AI won’t replace your analysts — in some ways, it makes them more valuable in areas that require deeper insight, business context, and other critical thinking. “There will always be a portion of business decisions that have to be escalated to someone who’s going to make a decision like: ‘Can we afford to take our whole customer database offline for four to six hours while we mitigate this attack?’ You don’t want a decision like that automated,” says Foote.
Conduct a business impact analysis
“This allows the CISO to line up all of the infrastructure they have and prioritize according to its importance to the business,” says Foote. “Ask: If we lose it, or if it gets compromised, how serious an impact is that to the business?”
Develop a risk assessment
This step looks at the probability of threats, vulnerabilities, and their consequences/business impact. “You can’t defend against everything,” Foote says. “So, where are you going to focus in terms of investments that will make a difference to the business’s bottom line?”
Create a risk-level agreement
Here, the “attached at the hip” IT/security conversation comes into play. The discussion should include security controls, mitigation plans, and who accepts/avoids/transfers risks. And it must include a documentation trail. “When or if they wind up being sued for a data breach, they’ll be held to the ‘reasonable person standard,’ which determines if the risk decisions made were appropriate or willfully negligent,” says Foote. “A documented risk-level agreement protects you two, three, five years down the road.”
Commit to board-level communication
“All the board does is wrestle with risk,” says Foote. “They want to hear that we as security professionals are embracing this side of the business.” He advises being able to demonstrate a balanced approach, including cost-benefit analysis and due diligence on investments.
Keep it simple
“It’s easy to get caught up in all the things that you can’t do with Zero Trust,” says Arsenault. “Stop thinking of the tactic and think of the vision: The security goal you’re trying to achieve balanced with the user experience.”
Sequence your activities
Zero Trust may be a journey, but that doesn’t mean nothing is ever completed. Your roadmap should have discrete milestones for completing the major components. “Don’t do 75% of an MFA rollout and then move onto device health checks,” says Cunningham. “You’ll end up with 15 projects going in parallel and never get to the end state.” Instead, for each initiative, “push it to the end state and check the box, then move on to the next thing,” he says.
Measure and adapt on the fly
Track your progress and adjust as needed. Shortly after Microsoft rolled out its Windows Hello biometric authentication technology across the organization in an effort to eliminate password logins, it discovered that half of the employees were still using passwords. Looking at the data, Arsenault’s team discovered that even though individuals had registered for biometric access, a default in the user-experience workflow caused them to continue using the old password system. Once that was adjusted, success skyrocketed: 90% of the workforce logs in without entering a password.
Sources
(ISC)², 2019 Cybersecurity Workforce Study
The Hackett Group, “World-Class IT: Redefining Performance in a Digital Era,” Nov. 2019
Symantec, 2019 Internet Security Threat Report
CSO, “2020 cybersecurity trends: 9 threats to watch,” Dec. 12, 2019
CSO, “Voice AI becomes an accessory to CEO fraud,” September 2019
Forrester, Predictions 2020