Translating “security geek” to Business
Clearly, ‘geeks’ and executives speak a very different language. I remember witnessing some executive conversations early in my career that were utterly confounding! We were speaking past each other, and it wasn’t very helpful. So, I wanted to explain the key service focus for Indelible in a way that I hope makes more sense to those who haven’t necessarily lived Cybersecurity for the past 20 years.
Enterprise Risk Management Program
One of the challenges with IT security is the perception that it’s “an IT problem”. Looking at how companies manage risk at the corporate level, it’s clear someone with the technical expertise and experience needs to be in the conversation (in the same way we would look to the CFO to help understand Market Risk like currency exchange, liquidity, credit spread, etc.), but I think there is a frequently mistaken assumption that the CISO truly understands the business. In some cases, he or she may not even have a security background, and remains “out of sorts”.
Is your information security organization and strategy aligned to your business?
Are you compliant where you need to be?
Can you explain this to the board? Can you prove it in a way that makes sense to them? (The litmus test: how restrictive is your security budget, when typical spend is 6% – 8% of the IT budget?)
Do you feel it is generally understood what IT systems support business critical processes? Are they adequately protected? How do you know?
Maybe you need a vCISO arrangement that yields both cost effectiveness and world-class advice – or you want consultative support for your CISO. Consultants have typically worked on many environments, so a lot of their value comes from that perspective.
Industrial Control Systems
There is a 20+ year chasm between OT and IT in most cases. If you have fabs, plants, manage water or electricity, refine something – you have OT environments. These environments tend to have different requirements from a typical IT environment, and they are where the company actually makes its money. If we break them – everyone gets thrown out of the pool.
Is there true separation between IT and OT (in a world where the term “air gap” seems to have taken on a different meaning)?
Does anyone look at the site HazOp manuals and consider how catastrophic incidents could manifest in the real world through Cyber? (e.g. computers control mixing, temperature, pressure, and process, and these computers become more connected every day. How might a hacker release a cloud of toxic gas that could harm employees or the neighbouring town?)
Incident Response (a.k.a. “Detect and Respond”)
I have spent a lot of time just pondering security, so at one point, when considering the question “why do we care about security?”, it dawned on me that it all comes down to the incident. We want to either avoid/prevent them, or we want to detect and respond such that an incident has no serious impact on our business. Most of us in the industry feel you can only invest so many dollars in avoidance before you have to accept that bad things really do happen to good people. So, what is IR, and are we doing it? If you don’t have a dedicated security team, then it’s a definite NO. If you do, and you don’t have something like a SOC with someone researching the threat landscape, and handling and reporting on inbound attacks, then it’s a “probably not”.
What is IR? It’s a capability that, put simply, is about the previously mentioned detect and respond.
Do you have a hunt team or capability that you have either built or contracted? (Keep in mind that “hunting” is not using known IoCs to find evil in your environment. It’s applying what we know about what attackers do to the things we see, in order to identify infected endpoints. E.g. a known Windows 7 computer is connecting to the proxy with a browser calling itself “Chameleon Web Browser v1.7” – probably not...)
Do you have a threat intelligence capability? Sometimes we take someone who seems smart and says they want to do this for you, but can they really deliver? It’s a specific skill set... How many of us work on our own car, or fix our own computer – or try to do our own electrical and plumbing? Why would we assume the outcome would be good if the person delivering doesn’t have experience?
Is there someone in charge of ensuring lessons learned post-incident are baked into tools and process?
Do you have people that know how to pick apart malware, or do deep host/network forensics (disk, memory, and protocol analysis)?
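As an added illustration of the hunting question above (this is example code, not from Indelible or the original post), a small Python hunt over constructed proxy log lines: it checks each request’s User-Agent against an assumed asset inventory and flags the case described, a Windows 7 host presenting an unknown browser, along with two related mismatches (a User-Agent claiming an OS the inventory contradicts, and a host the inventory has never heard of). Hostnames, the log format and the inventory are all constructed for the example.

```python
import re

# Constructed asset inventory (hostname -> OS); not real hosts.
INVENTORY = {"ws-0142": "Windows 7", "ws-0177": "Windows 10", "mac-0021": "macOS"}

# Browser families we expect to see on each OS (constructed policy).
EXPECTED_BROWSERS = {
    "Windows 7": {"Chrome", "Firefox", "MSIE"},
    "Windows 10": {"Chrome", "Firefox", "Edge"},
    "macOS": {"Safari", "Chrome", "Firefox"},
}

# Constructed proxy log: timestamp host destination "user-agent"
PROXY_LOG = """\
2019-03-04T10:01:12 ws-0142 update.example.com "Mozilla/5.0 (Windows NT 6.1) Chrome/72.0"
2019-03-04T10:02:45 ws-0142 cdn.example.net "Chameleon Web Browser v1.7"
2019-03-04T10:03:01 ws-0177 mail.example.com "Mozilla/5.0 (Windows NT 10.0) Edge/17.0"
2019-03-04T10:04:19 mac-0021 news.example.org "Mozilla/5.0 (Macintosh) Safari/605.1"
2019-03-04T10:05:33 mac-0021 api.example.org "Mozilla/5.0 (Windows NT 6.1) Chrome/72.0"
2019-03-04T10:06:02 ws-9999 x.example.com "Mozilla/5.0 (Windows NT 6.1) Firefox/65.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
# OS tokens a browser advertises in its User-Agent; simplified on purpose.
UA_OS = {"Windows NT 6.1": "Windows 7", "Windows NT 10.0": "Windows 10", "Macintosh": "macOS"}
BROWSER_FAMILIES = ("Edge", "Chrome", "Firefox", "Safari", "MSIE")

def parse_user_agent(ua):
    """Return (browser_family, claimed_os); None where nothing recognisable is present.
    Real User-Agent strings overlap (Edge contains 'Chrome', Chrome contains 'Safari'),
    so a production hunt should use a proper UA parser rather than this token scan."""
    family = next((b for b in BROWSER_FAMILIES if b in ua), None)
    claimed_os = next((name for token, name in UA_OS.items() if token in ua), None)
    return family, claimed_os

def hunt(log_text):
    """Return (host, user_agent, reason) for every request that contradicts
    what we know about the host. Knowledge of the estate is the hunt's input,
    not a list of known-bad indicators."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        _ts, host, _dest, ua = m.groups()
        family, claimed_os = parse_user_agent(ua)
        actual_os = INVENTORY.get(host)
        if actual_os is None:
            findings.append((host, ua, "host not in asset inventory"))
        elif family is None or family not in EXPECTED_BROWSERS[actual_os]:
            findings.append((host, ua, f"unexpected browser for {actual_os}"))
        elif claimed_os is not None and claimed_os != actual_os:
            findings.append((host, ua, f"claims {claimed_os} but inventory says {actual_os}"))
    return findings
```

Run against the constructed log, `hunt(PROXY_LOG)` returns three findings: the Chameleon browser on the Windows 7 host, a Mac whose User-Agent claims Windows 7, and an unknown hostname.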
My hope is that this explanation makes the technical description of these services more accessible to a wider audience.