Enlisting FUD (fear, uncertainty and doubt) to argue for security budgets was commonly practiced by many security pros back in the day. It's not a useful tactic nowadays, although more widespread hype about cybersecurity threats is common in mainstream coverage and some marketing collateral directed at executives less knowledgeable about industry happenings.
At RiskSec 2019 on May 8, Mark Eggleston, VP, CISO and Privacy Officer at Health Partners Plans will share insights and guidance on how to navigate through the growing noise to truly understand the state of the industry, the real cybersecurity needs of your organizations and how best to address them. The following is a Q&A with Eggleston:
SC: Fear, Uncertainty and Doubt (FUD) -- is it still alive and kicking or have we as an industry gotten past this? Why or why not? Are there some corporate CISOs still struggling to get buy-in of cybersecurity resiliency and risk management plans at this point from their C-level executives and boards?
Eggleston : FUD is certainly alive and kicking, but on the decline in most reputable organizations. The reason why is that CISOs have become business enablers vs naysayers. Fear, Uncertainty and Doubt is just no way to run a rodeo! It might get you initial attention, but not in a good way. Today’s leading CISOs must empower business growth and view risk as an opportunity – after all it is where the most reward is. Best method to gain executive buy-in and support is start with a conversation to explore and define what matters to your executive team. For example, are we at risk and if so, where? Where are we (in our risk posture) compared to the competition? I’ve found most executives have a sincere interest in learning more about cyber, but we as security professionals must work hard to ensure our points are brief and salient to keep executives engaged.
SC: In our current state, what are or should be some of the priorities to confront top-of-mind security challenges right now? What about a year from now?
Eggleston : Current priorities for most security professionals should include recruiting in the face of skill shortages, instilling privacy by design principles into new systems, and employing a mature framework to select and implement security controls. As we continue to embrace the cloud for maximum agility and growth, we should be ramping up our resources to strengthen cloud security controls vs perimeter security controls. For example, allocating budget to Cloud Access Security Brokers (CASB) will help business compete with agility, while providing assurances that only authorized users are using SaaS and can only manipulate data locally if their endpoint meets specific security criteria.
SC: When trying to navigate the legion of cybersecurity solution and service offerings now out there to determine what is needed in your own particular environment, what would you suggest CISOs and their teams take into account?
Eggleston : I’m eager to discuss this more at the conference. First off, take heed of what YOUR requirements are. Do not succumb to sales tactics and slick demos. Going to any vendor prior to doing your homework is like grocery shopping when you are starving – you are bound to come back with all sorts of stuff you don’t really need or that isn't good for you. Also remember, what may have worked great for a peer at another organization may not work as well for you. Typically, I start with a narrative on why my company needs to invest in the product or service, and include refined requirements. I also include use cases specific to my environment I want the vendor to demo (not the other way around). Also, given the skills shortage we all will inevitably face, ask the vendor what managed services they offer or how they ensure customers are highly successful w/o charging extra for things like training. We all want partners to enable our success, not just vendors or resellers. The former takes the time to invest in a relationship and understand your needs, while the latter can disappear after the invoice is paid. I’ve found networking with peers at events tremendously helpful to identify up and coming vendors you may not read about from the large research firms and getting unabashed reviews outside of these sources is paramount. Empowering team members to initiate skunkworks projects to toy around with tech also can help security professionals get invested in the next chosen solution, while ensuring the product is a fit in YOUR environment. Last but not least, look for products to solve a problem you have efficiently and cost effectively; do not invest in products looking for a problem to solve.
SC: In working with particular vendors, what should be the necessary top standard questions to ask?
Eggleston : I like to screen novel vendor or cold calls simply by asking that they provide me with any of the following: (a) a brief .pdf or description of what they are soliciting me – to help me efficiently view succinct product details on my time, (b) a list or some references of who they have worked with in my vertical or companies like mine – chances are I’ll know a person or place they mention so I can follow up later to get the inside scoop., (c) list of competitors. While vendors want typically do not want to defer business to their competition, this helps me understand the space they compete in, as typically I already have procured a competing solution. It is OK for them to say they are kinda like X but offer more Y too, this information just helps me get my bearings straight in the interest of time and my attention.
SC: In reviewing the current threat landscape, what should any company ensure they have covered in their risk management strategies?
Eggleston : Always address the basics first and defer the glitzy new toolsets for later. For example, know your network and what is on it (vulnerability management), ensure only authorized users have access to only the minimum necessary (access control) and assume you will be breached at some time (incident response). If you look at the overwhelming amount of prior breaches, these three controls would have stopped the majority. Additionally, as more and more companies embrace mobility this causes a lot of the legacy perimeter defenses to not be as effective as they once were, so ensuring the adoption of a zero-trust network helps ensure you only have authorized people using resources. One of the most mature and helpful technologies here is 2FA. We simply cannot rely upon a single factor like a password to be all that stands between the internet and trusted computing resources. Using 2FA helps stop credential stuffing attacks and any other attack where the password is known to others.
