1. Sleeping-well CISO: myth or reality?
Considering the countless cyber threats that go on, what threat keeps you up at night?
This is THE one-billion-dollar question for CISOs today! People suppose we do not sleep well at night because of all the cybersecurity threats around us that target our business. Certainly it’s true that in the past three years there has been a massive increase in attacks against all types of organizations. Additionally, in the IT sector we are highly targeted because we supply products and services to customers. Nevertheless, I sleep much better than a couple of years ago.
We have now consolidated our security and have years of experience protecting ourselves and our customers.
Nevertheless, I must admit that what can wake me up at night is the “unknown”. Especially the unknown unknowns, as well described by Donald Rumsfeld. In cybersecurity there are threats that we know we know, and we protect against these threats (with mixed success sometimes). Then there are things that we know we don’t know: for example, servers that didn’t go through the standard registration process. In this situation we can design cyber solutions and countermeasures for the known unknowns, but the last category, the unknown unknowns, represents the most complex area for cyber experts to address.
Of course, we invest in Cyber Threat Intelligence, cybersecurity knowledge, red teaming, understanding of the fast-evolving and complex landscape to protect (mapping IT systems), risk assessments and risk analysis, to ensure that we reduce to the minimum what we do not know. But still there are parts that we don’t know we don’t know. These unknown unknowns are threats that we have no choice but to “accept”, at the risk of discovering them only once they have started to materialize. The only way to reduce the unknown unknowns is to constantly challenge your defense and learn from others.
2. Know yourself: the necessity of mapping the IT system
You referred to mapping the IT system as a key action. However, many CISOs admit that there are elements of their IT system that they know they don’t know. Going forward, what are the main challenges in mapping your IT?
First of all, the mapping of the IT system is THE key element on which CISOs should focus. Many government agencies, and the NIST in its Cybersecurity Framework, state it: it is what lies in the first step, “Identify”. So, before all the rest – Protect, Detect, React and Recover. What comes first, and should always come first, is to “Identify”. During an attack it means identifying what is being attacked, from where, by whom and what it does. But before an attack, in steady times, CISOs must identify what they have and what weaknesses they have. It must be at the top of their priorities. Especially today, because of the digitalization and transformation of the IT system. Indeed, a long time ago you could just map what was inside the walls of the organization, behind the firewalls. But now we also have the public cloud and the supply chain. So, it is not only about mapping the infrastructure; it is also about the application landscape, and it also extends to the hyperscalers, etc.
Nonetheless, I have to admit that it is not always easy to do for all organizations as, depending on their industry (manufacturing, finance, transportation, etc.), they have different levels of maturity in mapping their IT system.
I keep believing that it is an opportunity for us to continue to develop and innovate in order to meet the ever-growing challenge of patching vulnerabilities within very short deadlines, or of addressing vulnerabilities inside the application landscape. The Log4J vulnerability was a challenge last year. It highlighted the absolute necessity of having a good mapping of the IT system.
Even if you have a good mapping of the IT system, has the threat landscape simply become so big that it is impossible to address all the cyber risks targeting organizations?
In order to protect their organizations, CISOs have different priorities. One of them is to keep investing in technology, products and services, and in several of them, because alone none is sufficient:
- A managed EDR solution, a “must-have” without which it is not possible to survive
- CMDB controls performed by the production and IT teams to maintain the inventory up-to-date
- Risk assessment, including risk management of our suppliers involved in the information system
- Vulnerability scans to understand and discover weaknesses in the information system
- EASM to ensure that we master the challenge of mapping the external attack surface
- Security rating tools and security scorecards for understanding the information system and controlling our own cybersecurity ratings.
CISOs should not invest in one particular area instead of another, because malicious actors know our weaknesses and they will target those weaknesses. I know from experience that attackers today are good at attacking weaknesses, and also at mapping our IT system on their own. Hence, they know what you do not know, and they will target exactly those elements that you don’t know about.
That is a paradigm change that occurred over the past years. Before, cyber criminals targeted their victims by market or industry. Now they know their victims – at individual scale – and have in-depth knowledge of their victims’ strengths and weaknesses. That is why it is important for organizations to have full protection, the best possible, and to have complete coverage of the security landscape.
If today you focus only on the perimeter inside the organization, then attackers will target your external attack surface. Conversely, if you have strong external attack surface management but you do not raise awareness among your people, then attackers will target your staff, with phishing campaigns for example. Another example: if you do not have the right EDR solution for the right monitoring, attackers will benefit from a weakness in the IT system – such as applications protected by simple passwords instead of MFA – and they will succeed in injecting malware into your IT system and will use your reaction time to propagate laterally. If we do not make our Active Directories bulletproof, then attackers will design attack-path scenarios within the Active Directory to compromise the most sensitive credentials. And the examples can go on and on like that. Therefore, the CISOs’ priority is to invest in the right technologies and the right experts to manage them, in order to design the best possible protections everywhere.
A key challenge though coming from investing in all these technologies is to process the massive volume of data to obtain rating KPIs that help control the risk in your organization. In Atos’ Group Security we developed a cybersecurity dashboard to measure the understanding of the information system and the implementation of the security controls. We also implemented it for many of our customers to give them assurance and confidence in their security by having the right controls and understanding of their information system.
This is the first step of the CISOs’ roadmap as defined by the NIST Framework’s steps: Identify. Only then comes the second challenge: Protect. Finally Detect, Respond, Recover.
3. The magic recipe: really?
What do you believe are the key ingredients for CISOs’ success?
There is no one-size-fits-all cheat sheet for CISOs.
However, a first key ingredient for success is to open up to the ecosystem: connecting with other CISOs, getting inspired by them and their experiences, speaking with the most knowledgeable people, interacting with experts, and not only the cybersecurity vendors. The goal is to get inspired and replicate what worked in other organizations.
The second key ingredient is to have a good cybersecurity provider with:
- good experts in the SOC for monitoring the alerts in the SIEM
- a strong CSIRT with advanced cybersecurity knowledge and expertise
- good cybersecurity products.
Indeed, in the past five years we moved from traditional antivirus defense to solutions that are more effective, though more complex to manage. It is impossible to imagine operating today without EDR, MDR, XDR solutions … that are effectively managed by cyber experts.
This tooling ingredient implies the third key ingredient of CISOs’ success: training the staff. For example, as far as phishing-related risks are concerned, running an anti-phishing awareness campaign for all our employees is vital.
The fourth key ingredient is to expand security internally in the organization, in close relationship with the management, the CIO, the business representatives, etc., to help protect it.
4. Governance: where it all begins
Can we say that it starts with the right governance? Does the CISO have to put his gloves on and “fight” with some departments, like procurement?
Absolutely. We all need to challenge ourselves in our organization: the CISO, the CSO, the CIO … Compliance with ISO 27001 starts with the governance, with having the right people around you, and with constantly improving. It also means being capable of accepting that we have weaknesses, and building plans to address them and mitigate the risk. Supply chain security exemplifies this very well. For example, four years ago, I had nobody in my team who was dedicated to supply chain security. We started by defining what we would like to see in all our suppliers’ contracts, because securing the supply chain had been identified as a number one priority. To do so we collaborated with the Charter of Trust to review this challenge with some of our partners and customers, but also other organizations (Siemens, Total, Tuv-Sud, NXP, …). Altogether we defined seventeen baseline security requirements to cascade into our supply chain.
With global supply chains and the number of security challenges, it is a team exercise within the CISO’s team: being able to appoint security officers per geography but also per security challenge to be addressed, to have supply chain security specialists, vulnerability management specialists, people helping to map the information system, etc. But it also needs to be a team exercise outside of the security organization: with procurement, with HR, with legal and compliance departments, with the business representatives, and with the IT department of course. Only with security being tackled across the organization can we manage the risks.
What can you say to CISOs who are literally managing the cybersecurity of their organization alone?
It does not mean it will be like that forever. When I joined Atos a bit more than twenty years ago, the security department came from another department, and at that time we were really only a handful of experts. In the early 2000s I was asked by the Europe director to manage the Code Red virus crisis. And as the threat kept growing, we succeeded in involving the management in the understanding of the cyber threats. And that is my recommendation for CISOs: spend a lot of time raising awareness, to be sure that the top management has a good understanding of the threats. Because once they do, it is not possible for them not to allocate resources to protect. I concede that budget is a challenge. Thus, when budget is a challenge for the CISO, the CISO must work with the IT department, get support from legal, procurement, compliance, etc. to build a battle plan to help the organization protect itself. That is why patience is a key skill for a CISO to develop today, as well as communication.