What CISOs need most: Courage in the face of security nihilism
Simon Crosby, CTO, Bromium
This year hasn't started out well for CISOs. We've seen data thefts and breaches at health care provider Anthem and U.K. banks, widespread global cyberespionage campaigns and the ongoing fallout of alleged geo-political cyber sparring that caught Sony in the crossfire. We've heard regulators' fears of a looming “Cyber Armageddon,” and learned that every major U.S. corporation has already been compromised.
There's so much bad news that one could be forgiven for thinking that security is just window dressing — that a breach is a certainty with an uncertain date. But now is the time for courage in the face of security nihilism. I advise security executives to keep a level head and disregard the drumbeat of bad news — to keep calm and focus on strategic infrastructure projects. The InfoSec industry feeds on fear and hype. Security vendors, journalists, politicians — anyone seeking a click, a vote, budget, or selling something — benefits by exaggerating your perception of risk because fear sells.
Nobody wants to see their name in the paper, but hysteria is not warranted and inaction unthinkable. The negative press amplifies our sense of fear because people are bad at assessing risk. We tend to focus on low probability events with huge impact when it's actually the more mundane events that are more likely to take us out. Everyone is wondering: Will my company be the next Sony? Industry leaders say, “It could — and likely will — happen to everyone.” But that's just not rational. Why not? Because sophisticated attacks are costly and even the bad guys have budgets.
Note that I am not asserting there is nothing to worry about. On the contrary: if your organization has assets of value, you are being attacked. But panic doesn't help. What does help is being honest about what you can accomplish with the tools you've got to protect yourself and replacing what isn't working well. It takes courage to face increasingly sophisticated attacks armed with legacy detection and alarm-centric security tools, and it takes determination and vision to demand changes to your IT infrastructure. Hanging on to legacy operating systems, apps and desktop practices is a recipe for failure.
Today's CISO must play a strategic and forceful role in mandating the transition to a more secure enterprise infrastructure. There are five strategic initiatives I've seen courageous CISOs deliver. In each case, the CISO fought hard to make the business adapt when it was reluctant to do so:
Get off Windows XP.
Many organizations still have some XP dependencies, but that's no excuse for running it on desktops a year after Microsoft stopped offering support for it. Apps that are XP-dependent can be delivered using VM-hosted apps (a VDI feature), but XP should never be used as a desktop OS with access to untrustworthy documents or the web.
Re-think OS patching.
The CISO of a high-tech manufacturer told me that delivering complex OS patches takes six months, leaving the organization continually vulnerable. An enlightened CIO at a different firm suggested IT should get out of the business of patching altogether, saying, “We are much safer having Microsoft patch every PC, risking a couple of unhappy users whose apps won't work, versus delaying and delivering patches ourselves — all to keep the same few users from complaining.” Windows 10 will usher in a powerful new patching process that improves on this idea, while still giving enterprises control.
Use the latest browser.
The security team at a large bank told me they are planning for when Microsoft ends support for IE8 — by testing IE9. This is ridiculous! IE9 support ends on the same date — January 12, 2016. The key point, independent of your browser of choice, is to move to the latest and greatest. And the latest versions generally do a better job of compatibility with legacy dependencies, for example IE11 with Enterprise Mode.
Let apps auto-update.
Many applications and runtimes can auto-update, including Java, PDF readers, video codecs and browsers. Turn this on for all users that do not have legacy dependencies.
Make your app vendors commit to better security.
A Bromium customer is tied to client Java 1.6 for its Oracle expense claim application because their old ERP system will not work with new clients. The CISO told me he now adds a clause to all purchase agreements that requires vendors to keep their client software secure.
No matter what you do, there will always be vulnerabilities, sophisticated attackers, legacy software and users that click. Security is a journey — not an end state. It takes courage to demand that IT adopt new technologies on a timeline dictated by security needs rather than traditional business demands or costs, but helping to move the enterprise to a fundamentally more secure posture is a battle worth winning. We can't transform security overnight, but by moving forward faster we can make a much bigger difference than by trying to patch the holes in our legacy technology base and IT practice.
Simon Crosby is co-founder and CTO of Bromium. Previously, he was founder and CTO of XenSource prior to its acquisition by Citrix, and then served as CTO of the Virtualization & Management Division at Citrix.