Interview with the Cyber Startup Observatory. The Cybersecurity Leaders section recognises the commitment, dedication, vision and contribution of top-notch global cybersecurity professionals to the industry. Every week, we will be interviewing CISOs / CIOs and other Cybersecurity Leaders that are defining and implementing the cybersecurity strategy in leading financial institutions, healthcare corporations, e-commerce companies, SMEs/SMBs, the public sector, consulting and technology, law enforcement, the transportation industry and many other verticals where it is absolutely crucial to get cybersecurity right.
Chris Hodson – CISO, EMEA @ Tanium
Chris Hodson is the CISO, EMEA at Tanium. Chris is an information security, data privacy and risk management leader with an SME background in strategy, architecture and design. He possesses 18 years’ professional experience obtained across the financial, retail, energy and media industry sectors. In early 2016, Chris made the move from end-user into the vendor space with Zscaler, where he operated as CISO, EMEA and Data Protection Officer. As a CISO, Chris is a trusted advisor to executives, board members and other stakeholders, helping them define well-balanced strategies for managing risk and improving business outcomes. Chris holds an MSc in Cybersecurity from Royal Holloway University London and retains an active role in the Infosec industry through directorship of the IISP and membership of CompTIA’s Cyber Security Committee.
Are there any common business roadblocks that prevent security practices from being implemented?
In short, yes. The biggest security roadblock is enterprise continuity. Too often the business functions don’t understand how and where the cybersecurity team adds true business value. Conversely, the security team are there to design controls commensurate with information classification, and if business owners are not engaged in activities such as Business Impact Analysis (BIA) and data classification, how do the security guys know which controls to apply to which assets?
Time to market is another potential roadblock. This is certainly true in organisations where business units are looking to maximise first-mover advantage and ‘fail fast’. Such a paradigm requires the security function to work as a tiger-team, embedded in project deliverables and providing light-touch, consultative security. The waterfall model of security assurance is sub-optimal in a lot of companies, exacerbating the opinion that Infosec is the ‘department of no’!
Funding is always a cybersecurity impediment. CISOs are being asked to better rationalize their capabilities, ensuring that technical solutions are appropriate for the threats and vulnerabilities which present themselves to a business. To overcome financial constraints, many companies are looking to automation solutions which offer a solution to manual, expensive, time-consuming operations – Incident response (IR) activity, for example. When a high-fidelity alert fires, an automation engine can automatically quarantine an endpoint or change a configuration parameter.
When speaking the language of the board, are there certain phrases the CISO should be using?
Yes, those which resonate with their leaders, but a one-size-fits-all approach is doomed to failure. Boards want to be kept abreast of potential risks which could impact their bottom line. What resonates in one boardroom might not be relevant in another.
Again, and again, one key issue surfaces: the need for CISOs to deliver meaningful metrics to their Board of Directors. Boards that are not comprised of security professionals are increasingly funding new cybersecurity programs and initiatives without understanding what information they want or need. They call for metrics, and the CISO is left wondering which metrics to present that will mean something to the board.
To understand which metrics CISOs should deliver, CISOs need repeatable processes and an understanding of risk management. CISOs need to meet board members where they “live” — meaning they need to be talking about the same objectives if the metrics are to make sense.
Business leaders are more interested in risks to their organisations than fancy threat dashboards. Executives want to understand the high-impact risks and impediments that get in the way of their companies being successful. But the fancy dashboard doesn’t prove that security is actually working. It’s a “can’t see the forest for the trees” problem — that is, the flurry of alerts and the charts we make to show them may be hiding the true high-risk security impacts.
We (CISOs) should be concerned that we aren’t measuring the things that matter. This comes at a time when organisations are undergoing digital transformation and taking more and more of their business to the cloud or environments they don’t completely control. Unfortunately, this transformation presents new opportunities for criminals too. The breadth of capabilities and commitment of the bad guys has changed seismically. This is tough for executives outside of the cyber world to understand. Five years ago, they signed the checks for antivirus programs and a few hundred one-time password fobs; now their security teams are demanding sandboxing, decryption capabilities, security analysis platforms, IPS. The threat landscape is now almost unrecognisable to that of yesteryear and increasingly difficult to convey at the board level.
What advice do you have for security leaders?
Choose your battles wisely as budgets for cybersecurity are tight. A challenge with our profession is that it is incredibly hard to ‘prove a negative’. Some CISOs go in with the scare-tactics, invariably based on fines or worst-case downtime scenarios in the event of a cyber-attack. In my experience, a strategy based exclusively on fear might obtain year one investment but is of limited efficiency for longer-term planning. Your company invests in a layered set of security controls; two years down the line, you haven’t been breached, and the C-suite inevitably asks why they need to invest in all of this ‘cyber-stuff’. You told them that GDPR would result in 4% of their global revenue in fines, you spoke about the possibility of nation states stealing all kinds of sensitive intellectual property. Neither happened (to your knowledge), so what do you do?
Sometimes, a wake-up call is necessary. There must be a ‘carrot and stick’ approach. Focus on the threats and vulnerabilities which are contextual to your environment. Adopt the role of trusted board advisor rather than draconian scaremonger. It may have taken years to get a seat in the boardroom conversation, don’t lose it by crying wolf!
Another piece of advice is hiring your team based on a broad range of skills. Don’t be afraid to bring in people smarter than you or with more knowledge in a particular discipline. Cybersecurity leaders have to be an inch thick and mile wide with their learning – we don’t have time to be an SME in all aspects of the profession!
Security and IT professionals are bombarded with news about cybersecurity issues. How can they filter out the noise and determine which issues really matter to them?
The security function must remember their purpose: to lower risk in line with a company’s risk appetite. We do this by profiling the actors, events and vulnerabilities which combine to cause business impact. Risk is lowered through the application of controls which manifest themselves through people, process and technology.
If you have a control and cannot align its use to a risk-reduction measure, it is likely unnecessary. I call this approach ‘control traceability’. The best mechanism to evidence traceability is via a cybersecurity reference architecture – an artefact which documents the logical security capabilities needed to reduce risk in your company. In some cases, technical vendor solutions are overlaid to highlight what you have and why.
We should also highlight threat intelligence and the importance of learning from our peers. No one organisation can protect themselves appropriately without strategic and operational information pertaining to cybersecurity incidents in other companies.
How do you make sure you know what new projects are on the road map and that security is baked in from the process side?
Cloud technologies, continuous integration (CI), and DevOps are no longer the new guys in the room. Organisations are experiencing tangible cost savings, quality improvement and time to market with tools like CI. Unfortunately, the security team can often be left behind in this DevOps whirlwind. In a world of two-week sprints it’s no longer suitable for infosec to be engaged at the end of a project. Most CISOs I deal with are trying to work in a much more cross-functional fashion, embedding themselves into project teams and offering guidance much earlier in the development lifecycle.
Organisations need to gather all the business units involved in digital transformation around a single table – including network architects and security – to create joint processes and workflows. In this way, you’ll make progress right from the start. You’ll also, inevitably save money and improve the organisational perception of the security function.
Many companies I work with are considering (or have implemented) the role of the ‘Business Information Security Officer’ (BISO). A security leader dedicated to a specific business unit. The rationale is simple: contextualised security consultancy. The BISO understands the sensitive assets, business processes and technology used within their department – engagement can be faster and more effective via this approach.
You’ve been in the industry for 15 years. What are some of the biggest changes you’ve seen in terms of not only threats but also how cybersecurity is viewed in an organisation and wider society?
For me, it was some time in 2017 which was a watershed time for our industry; perceptions of cybersecurity changed indelibly. It was the dinner party tipping point. I shall explain:
I used to dread the “so, what do you do?” conversation. You know the one, it takes place at dinner parties, the pub and first dates. It is the dialogue uttered to fill silences and pass the time while you are waiting for the kids to leave the classroom. There are particular vocations ubiquitously understood: milkman, surgeons and electricians, everyone knows what he or she does. Until recently, if you said that you worked in cybersecurity, you may as well have said that you designed the hadron collider. The layman hears “something to do with IT”. I assert that such disinterest is based on one over-arching belief: cybersecurity just doesn’t affect me.
Cybersecurity is now a boardroom discussion in almost all organisations. For the second year in a row, cyber-attacks were identified as one of the top risks by the World Economic Forum (WEF), a starkly different position to my early days in the industry where many business leaders deferred risks introduced by technology to those in IT. The IT function delivers capabilities to enable business operation. The CISO is responsible for highlighting areas which could result in business disruption.
In my 15 years on the job, the primary challenge for the security leader remains the same – providing visibility and control. Visibility of their assets, data, vulnerabilities and nefarious actors looking to affect the confidentiality, integrity and/or availability of the aforementioned. In 2019, the challenges with visibility and control are exacerbated by heterogeneous ecosystems, cloud computing and IoT. Against a headwind of regulatory pressure for expedient reporting, CISOs are often unable to provide high-veracity, timely data pertaining to their environment.
Across my time in the industry, I’ve seen a major shift in societal acceptance of cybercrime and data breaches. In 2019, it is unlikely that an organisation will be chastised (by the public/media) for a cyber-attack. It is, however, vital that a company can detect, respond and remediate in the inevitable event of business disruption. In many cases, these retrospective processes are the measurements by which cybersecurity maturity is qualified by outsiders.
Security leaders of today need to apply a structured methodology for cyber risk management. Despite all of the advancement in technology, the processes I used 10 years ago are still as relevant today:
- Qualify Assets
- Profile Threat
- Assess Vulnerabilities
- Apply Controls
We cannot apply the same level of security to everything (to do so would be very expensive and may increase friction in the user experience, which is unnecessary). We will apply stronger controls to systems and apps that contain stuff/data that we care about.
At this point, we know what we are protecting and we know who is connecting and from which devices. Next, we need to better understand who is attacking us. In an ideal world, the security professional would provide a percentage likelihood of a data breach, but in reality, cyber security presents a volume of variables that cannot be measured as absolutes.
From my experience, assessing vulnerabilities is our biggest challenge. As security professionals, we talk about “people, process, and technology” often. Unfortunately, we focus too heavily on technology, nowhere more so than with vulnerability management. If we take an automated vulnerability scanner and point it at a network, invariably we’ll see metrics of a sort. But much of the response is a cacophony of noise – lots of warnings, with no way to prioritize them.
When considering controls, ask yourself, “Is it worth it?” from a cost perspective or from an efficacy-of-solution perspective.
Controls are there to lessen the impact or likelihood of a risk occurring. Controls do not have to be absolute. It’s unusual for a control to remove a risk entirely. We’re looking to lessen the risk to a palatable level. Who sets this bar? It’s the business!
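As an added illustration (not part of the interview, and not Tanium's or the author's tooling), the four-step method above and the earlier ‘control traceability’ idea, in Python over constructed sample data: assets qualified with a BIA class, a per-asset threat likelihood, scanner findings re-ranked by business risk rather than raw CVSS, a control tier chosen from that score, and a check for controls that trace to no risk. Every asset name, score, risk ID and control name is made up.

```python
# Added illustration (not from the interview): qualify assets, profile threat,
# assess vulnerabilities, apply controls, plus a control-traceability check.
# All names and numbers below are constructed sample data.

# Step 1, qualify assets: BIA classification, 0 (throwaway) .. 3 (crown jewels).
ASSET_CLASS = {"payroll-db": 3, "web-shop": 3, "intranet-wiki": 1, "test-vm": 0}

# Step 2, profile threat: estimated likelihood (0..1) that an actor targets the asset.
THREAT_LIKELIHOOD = {"payroll-db": 0.6, "web-shop": 0.8, "intranet-wiki": 0.2, "test-vm": 0.1}

# Step 3, assess vulnerabilities: constructed scanner output as (asset, CVSS base score).
FINDINGS = [("test-vm", 9.8), ("payroll-db", 7.5), ("web-shop", 6.1),
            ("intranet-wiki", 9.0), ("payroll-db", 4.0)]

# Control register: each control lists the (hypothetical) risk IDs it is meant to reduce.
CONTROLS = {"waf-in-front-of-web-shop": ["R-web-01"],
            "mfa-on-payroll-db": ["R-hr-03"],
            "legacy-dlp-agent": []}          # traces to no risk at all


def risk_score(asset: str, cvss: float) -> float:
    """Business risk = asset value x threat likelihood x technical severity."""
    return round(ASSET_CLASS[asset] * THREAT_LIKELIHOOD[asset] * cvss, 2)


def prioritise(findings):
    """Re-rank raw scanner findings by business risk, highest first."""
    scored = [(asset, cvss, risk_score(asset, cvss)) for asset, cvss in findings]
    return sorted(scored, key=lambda row: row[2], reverse=True)


def control_tier(score: float) -> str:
    """Step 4, apply controls: stronger controls only where the score warrants it."""
    if score >= 10:
        return "strong"
    if score >= 5:
        return "standard"
    return "baseline"


def untraceable_controls(controls):
    """Controls that cannot be tied to any risk are candidates for removal."""
    return [name for name, risks in controls.items() if not risks]


if __name__ == "__main__":
    for asset, cvss, score in prioritise(FINDINGS):
        print(f"{asset:14} CVSS {cvss:4} risk {score:6} -> {control_tier(score)} controls")
    print("untraceable:", untraceable_controls(CONTROLS))
```

Note that the CVSS 9.8 finding on the throwaway test VM drops to the bottom once asset value and threat likelihood are factored in, while a medium-severity finding on the web shop rises to the top.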