Thanks to frameworks like PCI DSS, most enterprise security programs have evolved to a familiar common baseline. Such resemblance has its advantages, especially when considering partnerships and third-party arrangements. We can thus agree that most security teams by now have learned to perform the basics reasonably well. Suggestions for improvement must therefore go beyond the obvious methods.
As a result, the best guidance an analyst can offer CISO-led teams will include ideas that transcend conventional frameworks. The hope is that by introducing new concepts, or reinforcing old ones, we can help enterprise security teams gain some advantage over their adversary. This is especially important in 2021, when we all know that nation-state and criminal offensive actors will be at the top of their game.
In this article, we provide our top five ideas for enterprise security teams to consider for incorporation into their programs. The ideas stem from the myriad of hours (and hours) (and more hours) spent by the TAG Cyber team in 2020 working with commercial vendors, enterprise security professionals, and government agencies. The ideas thus emerge from the trenches, versus some ivory tower. We hope they are helpful to you.
Idea 1: Localize Your Security Compliance
As enterprise infrastructure has tended to grow more complex, the associated enterprise security compliance obligation has also increased in complexity. It is not uncommon for a company or agency to have a massive team of experts who focus their time and energy on compliance – full-time. This has also become big business for GRC tool vendors who provide big tools to help teams get their arms around this big problem.
Here is our idea: Perhaps you might consider focusing on a divide-and-conquer approach to security compliance. Think small and local in your compliance work, versus large and overarching. Just as books are divided into chapters, and plays are divided into scenes and acts, perhaps you might break up your massive compliance initiatives into smaller pieces, perhaps aligned with the micro-segments and distributed workloads you are moving to cloud.
You will need to translate this idea into a proper implementation for your compliance work – and we know that not every situation will warrant this type of strategy. But we are quite certain that good opportunities will arise for you to accomplish large compliance objectives through orchestration of many smaller ones, operated locally – perhaps by your BISOs, to reach the type of completeness that is required by most auditors and assessors.
Idea 2: Crowdsource Your Security Testing
The most familiar and canonical unit of cyber defense has always been testing. This began with early security functional tests for operating systems (“Does the system generate logs for this event or that?”), and has evolved to include expert penetration testing performed by well-meaning hackers (“We gained access to your payment processing system and here’s how we did it!”). Testing remains an essential component of every enterprise security program.
One area, however, where you might not be taking full advantage of the available benefit is crowdsourcing portions of your test activity. Evolved from early bug bounty programs, modern crowdsourcing provides a diverse set of perspectives on your vulnerabilities, and can be quite cost-effective. Sufficient commercial support exists today for this function that it seems inexcusable not to be taking advantage of this control.
The foundational justification is that a diversity of techniques, tactics, backgrounds, expertise levels, and motivations will help uncover exploitable vulnerabilities in your infrastructure that your in-house testers did not foresee. It has been our experience as analysts and consultants that every team that has engaged in such crowdsourcing finds something critical that requires fixing. It might be a good idea in 2021 to fill this hole in your program, if it exists.
Idea 3: Simplify Your Security Dashboard
One disadvantage to serving as a TAG Cyber consultant to senior executive teams and corporate boards is the massive onslaught of dashboards one becomes subjected to. Every company seems to have dozens of dashboards for reporting data to leadership, and the design goal appears to be 100% coverage of every square inch on the PowerPoint screen. Unused real estate on the screen seems almost illegal.
Our idea is that perhaps this approach is wrong – and while we cannot comment intelligently on areas such as real estate, human resources, and finance, we can comment on enterprise cyber security. And we can report that the dashboards being used are too complex. This might result from commercial dashboard vendors competing based on reporting features, or it could stem from CISOs wanting to maintain dashboard parity with their peers.
That said, we strongly recommend simplifying your enterprise security dashboard in 2021. Find the three or four main points that you’d like to make and focus on these in your reporting. And yes – we truly mean three or four main points. This might involve recruiting, or it might involve security analytics, or it might involve compliance. But remember: For your dashboard, keep it simple. Simplify your dashboard.
Idea 4: Expose Complexity to Executives
The biggest mistake we see on a day-to-day basis in the communications between CISOs and other executives is the over-simplification used to convey security concepts to non-security leaders. In the best case, this involves a bit too much baby-talk (“Security is really just people doing the right thing”) and in the worst case, it involves embarrassing condescension during briefings (“A firewall is like a big door into our company”).
Here is our suggestion: Though you might sometimes suspect otherwise, the truth is that senior executives and board directors really are intelligent people. In most cases, they have survived decades of business problems, corporate conundrums, and significant issues. They can understand complex topics, and there is no reason under the sun why cyber security issues should be any different. They do not require over-simplification.
To that end, we strongly recommend that you really let it fly during briefings in 2021. Go ahead and mention your new micro-segmented orchestration, go ahead and reference how you use machine-learning-based tools to discover new variants, and do not hold back one iota in referencing NIST SP 800-53 Rev. 5 (let ‘em look it up). The result is that executives will come to respect the complexity of what we do for a living, and this will be good for your budget.
Idea 5: Expand Your Security Internships
It is commonly reported (including on the ad board on the C train to Brooklyn) that a skills shortage exists in cyber security. While it is tempting to reject such commentary as marketing for retained search or excuses from failed CISOs, we must grudgingly agree that the claim is mostly true. It has in fact been quite difficult for enterprise security teams to find good talent in cyber security, especially for technical positions.
To that end, we would like to remind enterprise and government teams that young people studying computer science at the university level are like sponges when exposed to good technology from capable mentors. We thus recommend that you consider increasing the intensity, scale, coverage, and investment in your internship program in 2021. This is especially true for larger companies with more leeway in their budget.
But please do not place these interns in virtual cubicles doing busy-work. Challenge them to solve real problems. Have them simplify that dashboard we referenced earlier in this article. Have them prototype cloud-workload compliance tools we also mentioned above. When we give interns bad jobs, they get the wrong idea about what we do. Use 2021 to put real creative energy into your internship program – and you will help us all.