In the decades since Sigmund Freud called talk therapy the “talking cure,” analysts' couches have been filled with patients pouring their hearts out as they strive to find answers, right their lives and experience breakthroughs that will keep them from repeating past mistakes.
Turns out, as the banking DDoS attacks of 2012-2013 proved, Freud's favored technique is good therapy for organizations trying to ward off cyber attacks and strengthen their security postures as well.
An unanticipated feature of the financial services DDoS attacks was their effectiveness in bringing together victims, forging a never-before-seen level of communication among corporate victims, with government, within the organizations and extending out even to customers. The attacks taught different lessons about communication to those different factions.
Stephen Fried was CISO of the People's United Bank during the 2012-2013 attacks, and since then has lectured about security responses to major disruptive events. “I always tell audiences that to be an effective communicator you have to speak the language of the person on the other side of the communication,” he explains. “That means that if you're trying to convey risk information to the C-suite, you need to frame that risk in the context of the things they're worried about.”
Executives are concerned above all with issues like impact on revenue, customer loyalty and retention, legal and regulatory compliance and profitable growth. If you can make them understand the basic connection between information security and those fundamental concerns, they will pay close attention to what you have to say. However, Fried notes, “If you start the conversation by talking about lowering risk by feeding your NIDS logs into your SIEM system, you've lost them at ‘hello.'”
Sam Curry, chief technology and security officer for Arbor Networks, a Burlington Mass.-based provider of advanced threat protection solutions, agrees, adding that a problem for CISOs in the past has been proving their worth to the rest of the C-suite. In a strange turn of events, the uptick in recent attacks provided CISOs the opportunity to demonstrate their value to the rest of their companies' executive-level leadership.
“For security, the main challenge has been proving they're aligned with the CIO, let alone the business,” Curry says. “The language of security is often alien, even within IT.” Suddenly the questions of what a DDoS was or why nation-states and hacktivists were interested in private networks were in need of answers that could clarify the issues for all stakeholders.
Bill Nelson (left), president and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for collaboration on critical security threats, points out that the 2012-2013 attacks fundamentally changed organizational communications for the better, beginning by heightening the role of CISOs within organizations. In many companies, he notes, CISOs or chief information risk officers now speak to boards of directors monthly.
“They're almost pre-empting the next crisis because they're in front of the board, looking at the organization's risk assessment and explaining the risks they're facing, actions they're taking to mitigate those risks, and identifying areas where they can't prevent risks, but can certainly respond and detect appropriately.”
Fried agrees that the amount of change since the wave of attacks in 2012-2013 has been impressive. “The DDoS events signified the first time that most banks had to communicate their security issues to the general public, and most were unprepared to do so. Even if they weren't directly affected by the attacks, most banks had to field questions from their boards, their customers and regulators on what they were planning to do to protect themselves.”
The discussions that needed to take place – about the effect of system availability on revenue stream, threat and vulnerability analysis related to customer impact and the relationship between business continuity and reputation management – were foreign to the C-suite, Fried says. “Prior to the attacks, most of those discussions – if they took place at all – would never have made it beyond the confines of the IT or risk management groups. Now they're a normal part of regular reporting to the C-suite, executive leadership, and the board.”
Curry notes that companies which survived the recent attacks most comfortably were those in which CISOs had a friendly relationship with their fellow executives. This is an important lesson in an age of increasingly depersonalized workplaces. “The most effective CISOs found a way to tap into contacts,” he says.
The banks that had good personal relationships and could talk person-to-person found allies quickly which could help them be heard, he adds. This effectiveness involved translating, so the language of security made sense, and gave them credibility.
Meanwhile, the attacks were a trial-by-fire for teaching companies how to discuss data breaches with their clients and with the media. Media-relations departments had to decide how much information to make available.
However, more important than communicating with the media was the discovery of how important it is for companies in the same industry to communicate with each other. Curry offers the analogy of a beehive, in which the survival of the colony is more important than the survival of individual bees, who die when they sting. This “hive effect,” is what protected the financial-services sector during the period of attacks. There is a tipping point, Curry says, after which selfish behavior (like keeping all of your company's information to yourself) no longer provides a benefit.
Faiza Kacem, senior IT manager of the National Bank of Canada, says that one result of the attacks has been a greater understanding of the value of protecting the hive. “Globally, companies are more willing to share cybersecurity incidents and even initiatives, and the C-levels are made aware of what is at stake,” she says.
Though financial-services companies guard their information very closely, they learned quickly in the midst of the onslaught that there is little risk in publicizing information about ongoing attacks – and, in fact, many learned that a secure community overall leads to secure individual companies.
“We actually formed a response team made up of just those institutions that were being attacked so they could share best practices with each other and they could determine what worked and what didn't to mitigate that threat,” says FS-ISAC's Nelson. “If you have an incident response team and now you're part of a group that's sharing information with multiple banks, broker dealers and other companies, your intelligence capability expanded twenty-fold because you had the whole industry helping you.”
Dave Larson (left), CTO and VP of product for Corero Network Security, a Hudson, Mass.-based provider of security solutions, says the incursions proved that it's not so much the attacks that are changing, but the responses to them.
“Distributed-denial-of-service attacks have been around for more than a decade,” he says. “Organizations that have learned from their experiences are sharing their findings, lessons learned and plans for better protection with their industry peers.”
Kacem says that the advantage of the whole industry working together has been widely noted. She lauds FC-ISAC – and its Canadian counterpart, CFI-CIRT – for their efforts to encourage information sharing.
These advantages are being reflected on the legislative scale, all the way up to President Obama's State of the Union Address, during which he made a sustained appeal for a bipartisan cybersecurity strategy, stressing the need for information sharing between public and private sectors. Not long after that, he signed an executive order encouraging information sharing between businesses and the government. Lawmakers answered his call by passing a bipartisan info-sharing bill in April.
The public is finally waking up to the reality of the cyberwarfare landscape in which anyone can be attacked and the price of mounting an attack is dropping. As the value of networks goes up, the value to attackers of denying you access to those networks also rises accordingly.
Five steps to open communications
- Learn the language of the C-suite: Explain security threats in a general business vocabulary without becoming too technical.
- Keep execs up to speed about threats before a true crisis emerges: Regular briefings between CISO and board members are crucial.
- Develop alliances within your company so that you have friends outside of the IT department who will understand if you call on them for help in a crisis situation.
- Develop plans for how to deal with both clients and with the media in the event of an attack or breach.
- Participate in defensive alliances and join information-sharing initiatives, like FS-ISAC, to help protect your industry as a whole.