3 cybersecurity 'truths' that every CISO must know

At the recent RSA Conference’s Public Sector Day, government CISOs discussed how agencies can embrace innovation while still protecting their networks and assets.

For government chief information security officers, today’s cybersecurity landscape continues to shift. As local, state and federal agencies launch digital transformation initiatives, they embrace a wealth of exciting new innovations. Yet in the process, they expand their attack surface and increase their threat risk, and that can get pretty scary. Especially for the CISOs.

While moderating a panel discussion titled “CISO & CIO Perspectives” at the recent RSA Conference “Public Sector Day” in San Francisco, I and the audience learned new “truths” about the cybersecurity trends and challenges facing agencies at all levels of government, as presented by local, state and federal CISOs from across the country. We also talked about ways to address those challenges. Here are the panel “truths” that stood out, along with recommended responses to make them, well, a little less intimidating:

1. The C-suite is getting more involved. In a recent Conference Board survey of CEOs and C-suite executives, cybersecurity ranked as the No. 1 external concern. As a result, we expect to see more involvement from these top leaders, as they ask their CISOs more questions about risks and request more metrics to demonstrate how their organization stacks up against malware, ransomware, breaches and other attacks. It’s critical for them to increase their participation as they pursue innovation such as mobility, the internet of things, artificial intelligence and robotic process automation -- and they must ensure that these initiatives are protected.

Interestingly enough, one panel participant -- a CISO from a large and wealthy suburban county in the Mid-Atlantic -- said he briefs his agency heads on whether a proposed IoT product meets the county government’s security requirements. If not, the head requesting the product signs off to agree to cover any resulting costs from an attack -- as opposed to holding IT financially responsible.

While the anecdote focuses on IoT, it remains relevant in all discussions about risk management and innovation, as this kind of policy-making and collaboration would benefit any government organization committed to a digital transformation. The county CISO was essentially saying, “Cybersecurity isn’t an IT thing. It’s a we thing. If you feel the reward factor of acquiring this product exceeds the risk -- and we subsequently suffer a breach -- you own the cost.”

Such policies apply risk assessment to the innovation equation, i.e., when confronted with the possible costs, decision-makers will consider cybersecurity as a higher priority. They may take a step back and ask, “Is this really the right tech investment for us? Is it worth it?” With greater due diligence, they may find solutions that bring similar or equivalent value, yet less potential for a compromise.

2. IoT is inescapable. Thanks to the widespread availability of commercial off-the-shelf tech products, there’s no putting the genie back into the bottle. IoT drives practically everything sold in the commercial world today -- from smart buildings to printers to refrigerators to thermostats to alarm systems to videoconferencing tools to virtually everything else that a public-sector organization uses.

To effectively secure the IoT ecosystem, agencies must establish optimal visibility and controls -- investing in these capabilities at the beginning of IoT acquisitions and deployments instead of figuring it out after the fact, “on the fly.” IoT manufacturers think “speed to market” first, with security as an afterthought (at best). Agencies are responsible for ensuring the products are secure when they connect to the network and remain secure while they are connected. The Department of Defense has a name for this principle: “Comply to Connect and Remain.”

3. It’s all about hygiene. We can discuss at length how sophisticated the techniques of today’s cyber attackers have become, but ultimately, the vast majority of attacks are enabled by poor basic cyber hygiene. Without good basics, preferably guided by the controls described by the National Institute of Standards and Technology, budget investment in the latest products won’t make a significant impact. This dilemma has been likened to outfitting a home with sophisticated, high-tech door locks, only to leave every window wide open.

NIST and CIS outline the basic cyber questions organizations should be able to answer:

  • What are my IT assets and what missions do they support -- and where?
  • What is on my network? What activity do I need to know about -- right now?
  • What are my key apps/services and where are they located? How are we protecting them? By patching? Configuration management? By 24/7/365 monitoring? Automated threat analytics? Are these assets compliant with my policies?

These questions underscore the criticality of continuous visibility/monitoring and remediation. Through 2020, 99% of vulnerabilities exploited will be the ones known by security and IT professionals for at least one year, according to Gartner. The Equifax breach -- which exposed the Social Security numbers and other sensitive data of 143 million Americans -- was linked to a single software vulnerability for which a patch was available, but not installed, on a handful of servers that were not being managed because they had essentially been forgotten about.

But many enterprises don’t even do a very good job patching the IT assets they know about, let alone the many IT assets that are missed by traditional security tools. Without complete visibility and continuous monitoring, public-sector IT teams will never gain the enterprisewide view required to see all the assets that must be managed. As the Equifax situation illustrates, the smallest gap can lead to a massive compromise. With continuous monitoring, teams know at all times what activity is on their network, and what they have to do to defend data assets and comply with existing regulations. Most federal agencies are implementing such capabilities through the Continuous Diagnostics and Mitigation program, but there are some that have not taken this part of the mandate as seriously as they should.
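As an added illustration of the visibility and patch-hygiene point above (this is example code written for this page, not code from the article, the panel or any agency), the following Python script reconciles an asset inventory against the hosts a network scan actually observed and flags two conditions the text warns about: hosts that are on the network but that nobody has recorded as a managed asset (the “forgotten server” case), and hosts whose oldest unpatched advisory is more than a year old (the Gartner one-year figure). The inventory, addresses, owners and dates are constructed sample data; the one-year threshold is a parameter.

```python
"""Reconcile an asset inventory with scanner observations and flag hygiene gaps.

Added example for this page; the inventory, hosts, owners and dates below are
constructed sample data, not taken from any real agency or the article.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory (CMDB-style): what we believe we own, who
# manages it, and the mission it supports.
INVENTORY = {
    "10.0.1.10": {"name": "web-01", "owner": "portal-team", "mission": "citizen portal"},
    "10.0.1.11": {"name": "web-02", "owner": "portal-team", "mission": "citizen portal"},
    "10.0.2.20": {"name": "db-01", "owner": "data-team", "mission": "records"},
}

# Constructed sample of what a network scan actually saw.  For each host the
# value is the publication date of the oldest vulnerability advisory that is
# still unpatched there, or None if the host is fully patched.
OBSERVED = {
    "10.0.1.10": date(2018, 3, 1),
    "10.0.1.11": None,
    "10.0.2.20": date(2017, 1, 15),
    "10.0.3.7": date(2016, 11, 2),  # not in INVENTORY: an unmanaged host
}

# Fixed "today" so the sample run is reproducible (constructed).
SAMPLE_TODAY = date(2018, 6, 1)


@dataclass
class Finding:
    host: str
    kind: str    # "unmanaged", "stale_patch" or "missing"
    detail: str


def reconcile(inventory, observed, today, max_age_days=365):
    """Return findings for unmanaged hosts, stale patches and missing assets.

    - unmanaged:   seen on the network but absent from the inventory
    - stale_patch: oldest unpatched advisory older than max_age_days
    - missing:     in the inventory but not seen by the scan (visibility gap)
    """
    findings = []
    for host, oldest_unpatched in observed.items():
        if host not in inventory:
            findings.append(Finding(host, "unmanaged",
                                    "seen on network but not in inventory"))
        if oldest_unpatched is not None:
            age = (today - oldest_unpatched).days
            if age > max_age_days:
                findings.append(Finding(host, "stale_patch",
                                        f"oldest unpatched advisory is {age} days old"))
    for host in inventory:
        if host not in observed:
            findings.append(Finding(host, "missing",
                                    "in inventory but not seen on network"))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'stale_patch': 2, 'unmanaged': 1}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(INVENTORY, OBSERVED, SAMPLE_TODAY)
    for f in results:
        owner = INVENTORY.get(f.host, {}).get("owner", "UNKNOWN")
        print(f"{f.host:<10} {f.kind:<12} owner={owner:<12} {f.detail}")
    print(summarize(results))
```

The report attaches an owner to every finding so the conversation can move from “IT has a problem” to a named program owner, which is the shared-accountability point the county CISO made earlier in the article. In practice the two inputs would come from the agency’s CMDB and its vulnerability scanner rather than from literals.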

Government CISOs are not hired to impede innovation. In essence, they are there to enhance it. They recognize that modern advances help employees better serve the public with “smarter, faster, better” tools. But they also realize that -- without effective cross-department collaboration, thorough risk assessment/management and complete visibility/continuous monitoring -- the consequences can not only undo the productive value of the tools, but can undermine the fundamental mission of the agency. When CISOs and agency heads commit fully to basics, especially visibility, the “truths” out there about threats don’t seem quite so scary.
