7 Assumptions CIOs Make that Impact Cybersecurity

CIO Review Team

We've all heard the question "what keeps you up at night?" And of course every vendor and consultant has exactly what's needed to let us get some much-needed shut-eye. All of their technologies and strategies play a role in the concepts below. Seasoned CIOs will look at this list and see them as obvious. Unfortunately, many assume these happen in their organization when reality may be different. Here are seven basic assumptions that a CIO should double-check to better manage risk:

Every member of the IT and cybersecurity teams knows where the crown jewels are

Just because the CIO and senior IT staff know it, that doesn't mean the incident response analysts, application developers, and help desk technicians do. These are the pros on the front lines and are in the best position to detect a breach early, or prevent it altogether. Answering these three questions for them can fill that knowledge gap (just remember that even though everyone knows where the jewels are, they don't necessarily need access):

• Where are the priority systems? Think through the entire ecosystem of users' interaction with those systems. For example, key servers, databases, applications, core routers, or the dedicated VPN to your Cloud Services Provider. Consider even your endpoints and mobile devices: since these are commodity technologies, enable users to easily and securely back up and retrieve their critical local working files in case the hardware needs to be unexpectedly replaced.

• Where is critical/sensitive data warehoused? Many Security Operations Centers, and in particular managed security services providers, monitor networks with only a vague notion of how to prioritize and triage incidents. They prioritize based on the severity of the event as defined in default settings, which do not weigh potential impact because there is no context about the affected data. Most SIEMs can easily apply these weightings, so ensure your team uses them properly.

• How to track intellectual property? Several tools allow organizations to identify controlled information in transit and at rest. Digital watermarks, file hashes, header/footer strings, and DLP are a few options to do just that. Additionally, consider the impact of cloud storage like Amazon S3, Box, Google Docs, or DropBox. If your organization uses these, deliberately apply the security settings available. For cloud services you don't leverage, keep an eye on (or even restrict) their use from inside your organization.
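The second question above makes a concrete point: an alert's vendor-assigned severity says nothing about what data sits on the affected host. The following added example (not from the article or any SIEM product) shows the weighting in miniature: a constructed asset inventory maps hostnames to a data-sensitivity weight, and constructed alert lines are re-ranked by severity multiplied by that weight. Hostnames, weights, rule names and the key=value export format are all assumptions made for the illustration.

```python
"""Asset-context weighting for alert triage (added illustration, not any
SIEM vendor's logic). Hostnames, weights and log lines are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed "crown jewels" inventory: hostname -> data-sensitivity weight
# (1 = public content, 5 = regulated or trade-secret data).
ASSET_SENSITIVITY: Dict[str, int] = {
    "db-hr-01": 5,           # HR database holding employee PII
    "app-billing-02": 4,     # payment application
    "ws-helpdesk-17": 2,     # ordinary workstation
    "web-marketing-01": 1,   # public brochure site
}
DEFAULT_SENSITIVITY = 2      # unknown hosts: treat as ordinary, not as trivial


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    vendor_severity: int     # 1..5, straight from the tool's default settings


# Constructed alert lines in a simple "timestamp key=value ..." export format.
SAMPLE_ALERTS = """\
2017-10-02T14:03:11Z host=web-marketing-01 rule=web_shell_upload severity=4
2017-10-02T14:05:42Z host=db-hr-01 rule=new_local_admin severity=2
2017-10-02T14:06:05Z host=ws-helpdesk-17 rule=macro_execution severity=3
2017-10-02T14:07:19Z host=build-agent-09 rule=outbound_tor severity=3
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_alert(line: str) -> Alert:
    """Parse one 'timestamp key=value ...' line into an Alert."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    return Alert(ts=ts, host=fields["host"], rule=fields["rule"],
                 vendor_severity=int(fields["severity"]))


def risk_score(alert: Alert) -> int:
    """Vendor severity multiplied by the sensitivity of the affected asset."""
    return alert.vendor_severity * ASSET_SENSITIVITY.get(alert.host, DEFAULT_SENSITIVITY)


def triage(log_text: str) -> List[Tuple[int, Alert]]:
    """Return alerts ordered by context-weighted risk, highest first."""
    alerts = [parse_alert(line) for line in log_text.splitlines() if line.strip()]
    return sorted(((risk_score(a), a) for a in alerts),
                  key=lambda pair: pair[0], reverse=True)


if __name__ == "__main__":
    for score, a in triage(SAMPLE_ALERTS):
        print(f"{score:3d}  sev={a.vendor_severity}  {a.host:18s} {a.rule}")
```

Run stand-alone, the severity-2 alert on the HR database lands at the top of the queue while the severity-4 alert on the public marketing site drops to the bottom, which is exactly the reordering a default severity sort would miss. The unknown host gets a middle default on purpose: an asset missing from the inventory is itself a gap worth surfacing rather than a reason to rank its alerts last.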
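Two of the techniques named in the third question, file hashes and header/footer strings, are simple enough to show end to end. The added example below (example code, not a DLP product's engine) registers a constructed controlled document by SHA-256, then classifies three constructed inputs: an exact copy (caught by hash), a lightly edited copy (hash no longer matches, but the template's header and footer markers still do), and a public press release (neither). The document text, the marker phrases and the two-line header/footer window are assumptions for the illustration.

```python
"""Spotting controlled documents by hash and header/footer markers (added
illustration, not a product's DLP engine). All documents are constructed."""
import hashlib
import re
from typing import Dict, List

# Constructed controlled document: the organization's own copy, registered by hash.
ROADMAP = b"""INTERNAL USE ONLY - Product Roadmap FY18
Q1: ship the new billing engine
Q2: migrate HR records to the new database
Company Confidential - do not distribute
"""

# Registry of known controlled files (SHA-256 -> label), built here from the sample above.
CONTROLLED_HASHES: Dict[str, str] = {
    hashlib.sha256(ROADMAP).hexdigest(): "Product Roadmap FY18",
}

# Marker phrases the (assumed) document template places in headers and footers.
MARKER_RE = re.compile(r"\b(INTERNAL USE ONLY|COMPANY CONFIDENTIAL|PROPRIETARY)\b",
                       re.IGNORECASE)
EDGE_LINES = 2   # lines at the top and bottom that count as header/footer


def classify(data: bytes) -> Dict[str, object]:
    """Return a verdict: exact hash match, marker hits in header/footer, or neither."""
    digest = hashlib.sha256(data).hexdigest()
    known = CONTROLLED_HASHES.get(digest)
    lines = data.decode("utf-8", errors="replace").splitlines()
    # Only inspect the edges; body text is left alone so ordinary mentions do not trigger.
    if len(lines) > 2 * EDGE_LINES:
        edges = lines[:EDGE_LINES] + lines[-EDGE_LINES:]
    else:
        edges = lines
    markers: List[str] = sorted({m.group(1).upper()
                                 for line in edges for m in MARKER_RE.finditer(line)})
    return {
        "sha256": digest,
        "known_file": known,
        "markers": markers,
        "controlled": known is not None or bool(markers),
    }


# Constructed inputs: an exact copy, an edited copy, and a public file.
EXACT_COPY = ROADMAP
EDITED_COPY = ROADMAP.replace(b"Q1", b"Q1 (slipped)")
PRESS_RELEASE = b"Acme announces new billing engine\nFor immediate release\n"


def scan_all() -> Dict[str, Dict[str, object]]:
    """Classify the three constructed inputs, keyed by a short name."""
    return {name: classify(d) for name, d in
            [("exact", EXACT_COPY), ("edited", EDITED_COPY), ("press", PRESS_RELEASE)]}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:6s} controlled={verdict['controlled']!s:5s} "
              f"known={verdict['known_file']} markers={verdict['markers']}")
```

The two checks fail in different ways, which is why the article lists several options rather than one: a hash only matches a byte-identical copy, and a marker string only matches while the template text survives. Watermarks and DLP fingerprinting exist to cover the space between the two, and the cloud-storage settings the article mentions matter because none of these checks help on a copy that leaves through a service nobody is monitoring.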

Good operations and maintenance just happens

The recent Equifax breach was just the latest in a long string of examples where routine O&M would have been worth the savings in time, money, and reputation. If your IT shop is full of heroes who constantly tackle break/fix tasks, that's a strong indicator that change management is subpar. Put time in your team's project schedule to handle the inevitable O&M tasks. How much time, you ask? Just look into how late the last few major projects were, or how long lower-priority projects got shifted to the right.

Operational teams have visibility

Unify visibility wherever practical. Consider integration of ticketing systems and IT workflow orchestration. The field has improved over the years, but all the operational stakeholders must be part of the selection. Key data fields can make or break an orchestration solution, and your organization's various operational teams can tell you what their unique needs for those fields are. Achieving unification is particularly challenging for organizations going through mergers. If the company is one that regularly buys smaller companies, it's best to invest in security or IT Service Management tools that offer a wide range of integration capabilities.

Most cybersecurity organizations segregate security systems from the production systems. Over time, there's an increased cost to maintain a separate security infrastructure, Active Directory domain, and hardware or VMs. Depending on the risk profile of the systems being monitored, there may be opportunities to separate these logically with the right ability to control access, monitor, and respond.

Professional development is thoughtfully invested

Sending someone to NewStuffCon because they did a great job isn't the best value. If you don't know where to start, NIST maintains the National Initiative for Cybersecurity Education (NICE) framework that can help you structure a comprehensive education plan. Some progressive vendors are bundling specialized cybersecurity training with other services like phishing exercises. Finally, cross-training IT personnel can give your team exposure to cybersecurity skills they can apply to their specific areas of expertise.

Real cybersecurity incidents are used to review plans

Cybersecurity incidents are inevitable. Your incident response team should periodically select key incidents, particularly those that got leadership attention, and review how the event happened and how it was identified, analyzed, contained, remediated, and communicated. Analyze activities that deviated from the plan. Real-life experiences are always more effectively internalized than the best-laid plans.

Adequate time and effort go into planning

Security is an integral part of IT architecture, and the converse of that is true as well. Too often, organizations develop system designs, send off the final draft diagrams for security to review, and then become frustrated at the numerous changes. Security should be fully integrated into the overall design from the onset.

Developing requirements is worth the time and effort. If a requirement is defined as a specific technology, keep clarifying until the requirement is spelled out as an expected design function and/or outcome. Consider the risk tolerance of the organization and the risk profile of the system. Don't develop security requirements that exceed the needs of the system (for example, encrypting data that's publicly shared anyway).

Managers know the difference between "best practices" and opinion

This is usually synonymous with "this is the way we've always done it". A true best practice will be documented in guidelines from reputable professional organizations and will have implementation standards. There is a reason why they are endorsed by large constituencies within a profession. The individual opinions of key team members are valuable, but people must be able to articulate their reasoning, not necessarily on the spot during a heated meeting, but at least over many discussions with colleagues during planning.