CHAPTER 8
Mr./Ms. Cellophane (Reprise)

A very big problem for any company is the fact that their users, the business people, can just go buy stuff. They have no idea of what they’re doing, nor do they really care. They look at a software package and say, “Oh, I want that. That will help me with my job.” They don’t care—they don’t even think about the security aspects of that. And in many cases, they can load it and use it. And that is a huge risk, from a cybersecurity standpoint. And yet, stopping them is impossible.

CTO, Manufacturing Company

Lucky Amos. He may have married a cheating murderess but at least she got her just deserts, rotting the rest of her life away in prison. And as for Amos? He happily remarried. They have a beautiful family together. He found happiness and fulfillment in his career. Although he still encountered life’s typical challenges along the way, he managed to emerge stronger and smarter after each one. Surer of his value. More secure in his identity. And no longer satisfied to allow society to look right through him, walk right by him, and never know he was there.

* * *

For my fellow fans of the musical Chicago, you know that I made up that storybook ending for Amos. In the musical, the best he can hope for is a fleeting moment of acknowledgment by his wife’s seedy lawyer before exiting the stage—and story.

But he doesn’t have to exit my imagination. In my ending for Amos, I’m rewriting his future. Why shouldn’t he have a great life? In my mind’s eye, Amos turns tragedy into triumph and reclaims his destiny. He realizes he’s worth a lot more than others would give him credit for. And he compels others to recognize his value, refusing to retreat quietly to the shadows.

In the same way, I want CISOs to rewrite their future. It will require them to learn to speak the language of the boardroom. It will entail that they loosen the reins on employees to gain more control over their environments. And it will mandate they take up arms as the culture leaders their companies need.

A Picture Is Worth a Thousand Words

In the book Brain Rules, John Medina states the following, “We do not see with our eyes. We see with our brains.”1 He points to a fascinating study where wine connoisseurs were given white wine mixed with red, tasteless, odorless dye. Of course, the subjects had no idea that researchers manipulated the white wine in this way. The latter wanted to measure the power of vision in affecting all other senses. Would the aficionados rely on the combination of their other senses—including taste and smell—to spot the counterfeits right in front of their noses?

Not so much. When the wine tasters encountered the fake reds, they described their experience using vocabulary associated with authentic reds. As Medina notes in his book, “Visual processing doesn’t just assist in the perception of our world. It dominates the perception of our world”2 [emphasis mine].

Perhaps that’s why our business world is brimming with visual cues. We have scorecards that reflect performance, fancy presentations to share information, and real-time dashboards that give us instant feedback on a multitude of metrics across functional areas.

When McAfee spun out from Intel as an independent company in 2017, our CEO Chris Young quickly mobilized to gather and analyze critical metrics across the company to give him complete visibility into the business. I was thrilled to showcase what the marketing and communications team was delivering on behalf of McAfee. I was confident we had at least an interesting story to share—we were gaining momentum in generating viable pipeline and our brand-building efforts were starting to bear fruit.

I dutifully submitted my team’s dashboard week in and week out. Chris is a very engaged leader with a studious eye for detail. So I’d get questions from him regularly about the team’s performance. Those questions would instruct what additional information we’d include in the next week’s submission. And the virtuous circle continued.

Until, one day, I realized something was missing in my team’s dashboards. In our case, it wasn’t a data point or metric. It was the signal. It shouldn’t come as a surprise that dashboards can fall victim to providing too much detail such that the noise drowns out the message. But that wasn’t so in our case. We had judiciously pruned our metrics to ensure we weren’t competing with ourselves with too many distractions.

Instead, we had created too much noise by not serving the most critical sense of all—vision—with the visual graphs included in our dashboards.

The revelation came to me by way of Chris himself. It turns out Chris has an aversion to one of the most popular charts of our time (and on my team’s dashboards)—the pie chart. At first, I thought he was just being persnickety. Then I realized he wasn’t alone in his derision.

A simple Google search reveals contempt for the pie chart among many. Some agree it’s the Nickelback of data visualization3 (my apologies to any die-hard Nickelback fan reading this!). If that sort of music isn’t your thing and you’re partial to comic book heroes, critics say it’s the Aquaman of charts. As they would argue: Do you really need Aquaman when Superman can do all that he can and then some?4

Chris would put it more diplomatically. Pie charts often contain too much information crowded in minuscule slices with no perspective of how data has changed over time. The pie chart does one thing—and one thing only—represent something as a portion to the whole. Other graphs, such as stacked column charts, do the same—and they show perspective of a trend over time.

I use this example to put a finer point on the need for CISOs to become fluent in another language—that of the CEO and the board. I certainly am not saying that CISOs are the proverbial Aquamen of Corporate America, just that they can’t afford to remain experts in only their domain. To become the Supermen and Superwomen of their companies, they can learn some lessons from the pie chart:

CISOs deserve access to the boardroom, as I argued in Chapter 2. But once a CISO gains entry, the way he crafts and delivers his message will likely determine whether he is invited to the party again. Learn the language and the style of the boardroom to avoid being cast aside, along with those one-dimensional pie charts.

Letting Go to Hold On

In 2014, enterprises were losing control. They were being engulfed by an all-out crusade; IT departments consumed by its fury; Security caught in its crosshairs. At the heart of the frenzy? Well-intentioned employees were requiring the same access to always-on, on-demand technologies in the workplace as they had come to expect at home. By 2014, the verdict was in. The “consumerization of IT” trend was anything but. It was here to stay.

That same year, IDG Enterprise researched the effect of the phenomenon on organizations. At the time, 40 percent of companies predicted the obsession for consumerized technology in the workplace would inflict negative security outcomes.8 Their concerns were valid. Consider this slippery slope: 90 percent of organizations in 2014 reported that employees were using consumer or individual services at work—41 percent without IT’s approval.

Not surprisingly, the organizations in question were committed to action. Over half created policies for accessing and sharing corporate data on mobile devices and/or through cloud-based services. Roughly one-third had invested in a secure service for file sharing. Still others had implemented a sanctioned enterprise collaboration tool.

Fast-forward a few years to McAfee’s 2019 Cloud Adoption and Risk Report. Rather than ask respondents for their opinions or plans for cloud consumption (cloud is a huge component of the consumerization of IT trend), McAfee checks how many files are actually secure in the cloud. (We do this by looking at the enterprise policy set on each file. For example, the enterprise determines the sensitivity of the file and we use anonymized, aggregated data to determine whether usage matches policy.)

The results suggest the runaway train of consumerized IT jumped its track a while back:

In addition to the exploding consumerization of IT movement happening in 2014, there was another race afoot. Developers were using public cloud environments more and more to create applications for their companies.

This is where securing the cloud became even trickier. As CISOs know, their organizations bear more risk as they move from software-as-a-service (SaaS) to platform-as-a-service (PaaS) to infrastructure-as-a-service (IaaS) cloud varieties. While the protection of data is consistent across all three, CISOs assume greater responsibility for securing the underlying infrastructure components of the cloud as their companies move from one to the next.

For instance, the same 2019 McAfee cloud report reveals that the average enterprise has 14 IaaS or PaaS misconfigurations currently running. What kind of misconfiguration? The kind that leaves the public cloud infrastructure—the same that must be protected to secure the enterprise’s data—open for access.

To be clear, these security vulnerabilities are not laid at the feet of the public cloud providers in question. They are the fault of the companies using these services without understanding how to secure them properly. And that buck ultimately stops at the CISO.

Organizations battened down the hatches when confronted with the reality of the consumerization of IT. There’s no way to know whether, in doing so, they unintentionally fueled its fire or they were simply outmatched by the genie they attempted to put back in the bottle. Said another way, did employees simply bypass the policies that frustrated their productivity? Or did the policies help curtail bad behavior only to be outstripped by cloud growth on the other side? While the answer is likely a bit of both, our McAfee research suggests organizations are losing more control of securing their data stored in the cloud than what we saw just a couple of years ago.

I’ve given each organizational stakeholder prescriptive advice for how she can play her part in bolstering her company’s overall security. But you won’t find me advising employees to stop using the popular cloud-based services they’ve come to love. That’s because I know that such advice will fall on deaf ears. Until enterprise IT services catch up to providing the experience of alternatives available to Joe Q. Public, employees will continue consuming the latter. They’ll simply do so without IT’s knowledge, let alone permission, making the challenge even greater (remember the nearly 2,000 cloud services in use unbeknownst to IT teams in the average company I mentioned in Chapter 2—evidence that “shadow IT” can cast a long shadow indeed).

Assuming the Mantle

A few months ago, there was quite a buzz at my office. Someone had posted flyers throughout with the following message, “We’re going to need a bigger boat.” Jaws enthusiasts immediately spotted the reference to the famous line from the movie. But other than that, any explanation as to what it could mean for land-dwelling McAfee employees was nonexistent.

The rumor mill swirled with wild speculation. Were we relocating to a bigger office? Were we merging with or acquiring a company? Was the parking lot expanding? (Yes, parking at the office can be challenging at times.)

Imagine our surprise when we discovered the culprits behind the message—none other than our CISO organization. The teaser campaign kicked off a companywide initiative to refresh cybersecurity awareness at McAfee. Specifically, the “bigger boat” reference was a play on words to phishing (clever!). As the CISO organization sent phishing emails to employees, some took the bait. When they did, they were alerted to the error and encouraged to report all suspicious emails to the security team (through a convenient “report phishing” plug-in to our email application that also coincided with the launch of the campaign).

Our CISO went even further. Each member of the executive team received monthly reports on his team’s performance. What percentage of his team took the phish? Of those who didn’t, what percentage went the proactive extra mile and reported the suspiciously planted email to the security team?

As the campaign continued, the signage on campus shifted to reminder messages on how to spot and report phishing. Awareness across the company grew. Leaders (including me) used the reports to give our teams constructive feedback on how we could improve or where to keep up the good work.

I even found myself on more heightened alert, waiting to spot a “phish” from our security team and ready to report it immediately. In leaving my house one morning to go to work, I checked my phone for any emails needing my immediate attention. I saw one from our CEO, Chris. But I could tell immediately it was way off. It asked that I reply to him via email since he couldn’t reach me via phone.

As I grabbed my keys and ran out the door, I thought to myself, That phishing campaign at work started out so cleverly. But this fake phish from Chris really wasn’t great. Too easy to spot.

As soon as I got to the office, I dutifully reported the phish. To my surprise, I didn’t get the usual congratulatory message popup from our security team saying I had passed the test. That’s odd. I’ll need to let them know that their immediate response is off. Next time I see our CISO, I’ll mention it. . . .

But I wouldn’t have that opportunity. That’s because, in less than 10 minutes, I received an email from our security team. But it wasn’t the “good on you for spotting the fake phish” email I was expecting. Turns out, it was a real phish I reported. Our cybersecurity team investigated it in minutes and responded with immediate steps to take in case I had responded (which I hadn’t).

You would expect such a multifaceted campaign from a marketing or HR team. You might not immediately think of your cybersecurity team in the same light. But if our CISOs and their teams don’t assume the mantle of evangelizing culture, how can they expect their business counterparts to do the same with cybersecurity? CISOs must meet them more than halfway if a culture of cybersecurity is to take root.

W.I.S.D.O.M. for the Cybersecurity Professional

CISOs have a wealth of resources on best-in-class practices in their trade. This W.I.S.D.O.M. isn’t for those looking for deep-dive technical advice. That makes it no less important. This prescription is about connecting your value to that of the business. It requires CISOs to both cover the basics and stretch beyond their departmental walls.

Sound cybersecurity hygiene is nonnegotiable. CISOs must ensure the basics are covered and cybersecurity hygiene is at the top of that list of “things to do.” This is a case where common sense isn’t always so common. In one of the biggest breaches to date, the failure was due to a known vulnerability that was unpatched. Even more interesting about the postmortem on this attack: The email roster used to notify security administrators of the vulnerability neglected to include those who “needed to know.” So the unpatched vulnerability caused the breach. And an out-of-date email distribution group of security administrators led to the unpatched vulnerability. It’s just one notable example of how the devil truly is in the details for cybersecurity professionals.

Because your infrastructure continues to expand both physically and virtually, sound patching requires an inventory of every server, whether it is in active use or not. Zombie servers, those that haven’t been used in at least six months, are an example. They can make up a significant percentage of an enterprise’s infrastructure. Up to 30 percent of all virtual servers are comatose.9 Since nobody is using them, it’s also likely that nobody is actively securing them.

You can’t secure what you can’t see. Your people also can’t patch what you don’t promote. In addition to an inventory of all assets and their patch status, review your internal communications plan for notifying administrators of a vulnerability.

Staying on hygiene, inventory your cybersecurity defenses for shelfware. When you find a defensive technology your company purchased but has not installed, find out why. Is the solution no longer needed? Or has time not been on your organization’s side to implement it? If the latter, work the project plan with your own team or with a professional services company to ensure your precious investment is not rotting on the shelf (and leaving you exposed, to boot!).

Next, configurations matter. You could have the best hygiene in patching vulnerabilities. You could be second-to-none in installing all cybersecurity technologies you purchase. But if you’ve improperly configured your security products, hackers will crawl through the gaps. While you’re inventorying your patch status, your notification lists, and your shelfware, take stock of the configurations on your existing products to ensure nothing has changed since the last time you looked at them (which may go as far back as when your organization first installed them).

Additionally, back up your data. While backed-up data won’t protect you against all attack varieties (data exfiltration being a prime example), ransomware is ineffective against organizations with regularly backed-up data and systems. With a robust backup system in place, it’s possible to ignore ransomware demands and restore all files with relatively low downtime. It’s worth evaluating which of your assets you simply cannot do without, and then determining how to back up the data and systems to an acceptable degree.

Of course, backups are useful for other reasons, like being able to restore an earlier configuration or earlier version of a document. This can be particularly helpful in the case of data weaponization, where hackers manipulate data for deception or other reasons. Having regularly archived records allows an organization to retrieve an earlier, accurate version of the data if necessary.

Make sure to test your backup system periodically to ensure the data you’ve been archiving is, in fact, being stored—yes, this type of backup failure has been known to happen. Use encryption to securely back up all data—yes, at least one company received a black eye for its nonencrypted data logs.

If you find yourself in a cybersecurity department that is not directly aligned with your brethren in IT, maintaining sound hygiene is exponentially more difficult. Unfortunately, the relationship between CISOs and CIOs sometimes resembles that of feuding family members more than kissing cousins. As cybersecurity has moved into adolescence, it has struggled to create and maintain an independence separate from its IT parent.

Much of the conflict arises from competing objectives between cybersecurity and IT teams. IT is about keeping critical systems running and deploying technology in support of the business. Cybersecurity is about protecting the organization’s assets. Sometimes, those outcomes may be at odds with one another. For instance, a CISO may stall or stop a technology that poses a risk to the organization. A CIO may resent this barrier, particularly if his incentives are aligned to a timely deployment schedule.

There has been much debate through the years as to the ideal CIO/CISO relationship. In 40 percent of companies, the CISO reports to the CIO, rather than to the CEO or CFO.10 Some criticize this relationship, citing organizational conflict as a key concern. Still others have argued that such a structure statistically results in more downtime and higher financial losses due to cybersecurity incidents.11

What this age-old debate reveals is that CISOs and CIOs must be aligned within the spirit, not simply the letter, of the law. This requires CISOs to engage CIOs on metrics and goals, regardless of whether the former reports to the latter or the two are peers sitting around the same table. In particular, the roles and responsibilities for proper cybersecurity hygiene—including patching, backups, multifactor authentication, and the like—must be established and agreed upon at the beginning of each planning cycle. If the two functions share a budget, the leaders must identify and allocate what portion will serve IT versus cybersecurity. In addition to run-rate budget carveouts for each, perhaps any new IT project is ascribed a cybersecurity tax to fund and protect new technologies. As discussed for other functions, CISOs and CIOs should agree to key performance indicators (KPIs) and service level agreements (SLAs) to prioritize efforts and resolve disputes when they arise.

Finally, managing this list alone is challenging work (it’s one of the reasons cybersecurity hygiene is so difficult to practice). Conduct regular penetration testing on your environment, preferably using third parties. These companies will help you find unknown vulnerabilities (in your cybersecurity hygiene or in otherwise lacking defenses) before bad actors do.

Next, invest in technologies that drive your business value up and that of your adversaries down. Specifically, businesses are moving to the cloud. More importantly, employees are moving to the cloud. So unless your organization is completely restricted (and some, such as large government agencies, are), chances are you won’t be able to stop employees from accessing potentially dangerous applications or services in the workplace.

If you can’t beat them, join them. Rather than resist the move to cloud, embrace it. Consider Cloud Access Security Brokers (CASB) as one potential solution. Essentially, CASB technologies give security organizations visibility of and control over cloud services in use by their organizations (sanctioned or otherwise). They can detect security configuration errors in cloud controls (such as a publicly readable and/or writeable storage bucket). They may allow organizations to set consistent security policies across any cloud environment. In short, they allow organizations to secure the popular cloud services employees are using. And they allow CISOs to support their companies’ transformation agendas while ensuring security remains at their center.
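One way to implement the bucket-misconfiguration check the paragraph attributes to CASB tools, as an added example that is not the book's or any vendor's code: it reads an S3-style bucket policy document and reports every statement that lets anonymous principals read or write, noting whether the grant is gated by a Condition. The policy document, bucket name and account id below are constructed for the example.

```python
"""Flag public read/write grants in an S3-style bucket policy (added example)."""
import json
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Actions that expose data (read) or let outsiders alter it (write).
# Compared in lower case because IAM action names are case-insensitive.
READ_ACTIONS = {"s3:getobject", "s3:listbucket"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl",
                 "s3:putbucketpolicy", "s3:putbucketacl"}


@dataclass
class Finding:
    sid: str           # statement id, or "<no Sid>" when the policy omits one
    access: str        # "read", "write" or "read/write"
    conditional: bool  # True when a Condition block narrows the grant


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    """Principal "*" and {"AWS": "*"} both mean anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _covers(patterns, actions) -> bool:
    """True if any action pattern (e.g. "s3:*", "s3:Get*") matches any action in the set."""
    return any(fnmatchcase(a, p) for p in patterns for a in actions)


def public_access(policy_json: str) -> list[Finding]:
    """Return one Finding per Allow statement that grants read/write to the public.

    Only grants are reported: an explicit Deny elsewhere in the policy could
    still block the access in practice, so treat results as leads to review.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything not listed; assume the worst.
            read, write = True, True
        else:
            patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
            read = _covers(patterns, READ_ACTIONS)
            write = _covers(patterns, WRITE_ACTIONS)
        if not (read or write):
            continue
        access = "read/write" if read and write else ("read" if read else "write")
        findings.append(Finding(stmt.get("Sid", "<no Sid>"), access, "Condition" in stmt))
    return findings


def unconditional_public(policy_json: str) -> list[str]:
    """Statement ids that open the bucket to everyone with no Condition at all."""
    return [f.sid for f in public_access(policy_json) if not f.conditional]


# Constructed sample policy: two open grants, one VPC-scoped grant,
# one account-scoped grant and one Deny that should not be reported.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AnyoneCanUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
        {"Sid": "AccountAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    for f in public_access(SAMPLE_POLICY):
        gate = "conditional" if f.conditional else "UNCONDITIONAL"
        print(f"{f.sid}: public {f.access} ({gate})")
```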

Now, about impacting your adversary’s value negatively. I said earlier that there’s no such thing as playing offense in cybersecurity. That’s true. Defenders, by their very definition, don’t strike first. But they can still confuse their enemies.

The art of deception in war goes all the way back to Sun Tzu. In cybersecurity, carefully disguised decoys that appear to be treasure troves planted in your infrastructure do a few things. First, they give you additional data points through which to track your enemy’s patterns. Second, they distract your enemy from the real treasure you are interested in protecting. Finally, they waste your enemy’s time and resources on wild goose chases. This last point is really about as close to playing offense as cybersecurity teams can get.

Use artificial intelligence (AI) capabilities to identify the most advanced threats and address the talent shortage, but know its limitations. AI is the latest buzzword technology in cybersecurity. To be sure, it promises to help cyber defenders find the most sophisticated threats in their environment quickly, pairing the scale of machines with the problem-solving capabilities of humans. But beware of cybersecurity marketers disguised in sheep’s clothing. While AI promises to help strapped CISOs do more with less, it comes at a cost—false positives. Given AI uses sophisticated analytics to determine the likelihood of a threat, it renders a probability, not certainty, that one in fact exists. That means AI will be wrong at least some of the time.

On the flip side, those tried-and-true signature-based detection models I mentioned in Chapter 2 can also be wrong. A zero-day threat that has not yet been identified has no signature in a threat database. If your organization is unfortunate enough to be Patient Zero, that false negative can cause real harm. While AI may find the zero-day threat overlooked by signature detection, it does so by also capturing false positives (there’s no such thing as a perfect detection model).

You may think that false positives are a lot less harmful than false negatives. It depends on how you look at it. False positives divert a security organization’s limited time and attention away from true positives. Much like the deception technology I mentioned earlier distracts adversaries, false positives are a considerable drain on an organization’s cybersecurity resources.

A Ponemon study12 explored how insidious false positives can be. The average organization faces 17,000 threat alerts weekly. Of those, a mere 19 percent were deemed worthy for action. Ponemon concluded the average large company spends $1.3 million chasing false positives—equivalent to almost 21,000 hours of wasted time.

Adding to the complexity of this topic is a new threat category called adversarial machine learning (AML). Bad actors are at it once again, innovating in ways to create chaos or harm for their victims. With AML, adversaries manipulate inputs to otherwise sound machine learning models. The “garbage-in, garbage-out” premise applies as much in the realm of cybersecurity as in any other realm of IT. A machine learning model is only as good as its inputs. If the inputs are faulty (or tampered with), the model’s accuracy suffers.

At a recent tradeshow, McAfee showed how the slightest changes to pixels in an image, imperceptible to a human eye, could confuse a machine learning model into classifying a picture of a penguin as . . . a frying pan! Frying pans and penguins may be harmless in the real world. But imagine the same poisoning of pixels in a digital stop sign that an autonomous car now registers as a speed limit sign, and you can imagine how dark the use cases in this area can get.

Enemies can potentially inflict the same confusion to malware classification engines. By introducing slight variants to highly sensitive machine-learning models, adversaries can disorient cybersecurity professionals. They can slam these first responders with a rash of false positives, perhaps deadening their sense of urgency to respond in the process (in much the same way nuisance fire alarms have been shown to do in multi-tenant buildings13). Then, when the adversary is confident her victim’s shields have been lowered, she wages her real assault.

AI, like any technology, is a weapon in both your company’s cybersecurity arsenal and your enemies’ arsenals. It doesn’t mean we should avoid AI. Rather, we need to understand its potential and limitations.

For example, there’s no avoiding the talent shortage. On one hand, AI allows cybersecurity defenders to address more threats by delegating to machines tasks that would otherwise require human intervention. That said, AI will also increase false positives and is subject to adversarial poisoning. If either of these possibilities is left unattended, AI will sap some of the productivity gains it created in the first place. Threats come in all varieties. Defenses must do the same. This problem requires teaming humans with machines. It also requires pairing various threat detection models—artificial intelligence and signature-based—to maximize efficacy and minimize the occurrence of false positives.

Finally, carry the culture flag for cybersecurity at your company. This requires two efforts. First, a CISO has to be able to speak the language of the board. Boardrooms speak the language of risk—and it’s always connected to company strategy. Work with business unit leaders, your CFO, and CEO to identify and prioritize the most strategic assets in the company. For each, identify the consequences of a breach. Finally, provide its current vulnerability. Immediately prioritize the high-priority/high-vulnerability assets for get-well plans. When invited to the boardroom, use this framework as your guide to define how your cybersecurity strategy maps to that of the broader company.

In addition to spreading a culture of security vertically, do so horizontally through the organization’s employees. Take up arms with your HR counterparts in delivering effective training to raise employee awareness in their roles (just like McAfee’s CISO did with his phishing campaign). Find a way to make cybersecurity more than just an annual training event or a checklist of questions employees answer upon joining the company. Hire a communications expert on your team, working with your marketing department to define the role and skill set for the position. Have your communication ambassador work with Marketing and HR to develop effective internal campaigns that make cybersecurity part of everyone’s day job.

* * *

It’s time for CISOs to embrace their role at the executive table. It’s time they nurture a cybersecurity culture that extends far beyond IT. It’s time for new partnerships with key stakeholders—namely HR and Marketing—to drive cybersecurity awareness up and security vulnerability down. It’s time to rewrite the end of the CISO’s story. Thanks to many progressive CISOs already leading the way, the rest of the cast need not imagine their storybook ending. It’s already becoming a reality.

Notes

  1. John Medina, Brain Rules: 12 Principles for Surviving and Thriving at Work, Home and School (Seattle, WA: Pear Press, 2014).
  2. Ibid.
  3. https://twitter.com/WaltHickey/status/345646754089291777.
  4. Walt Hickey, “The Worst Chart in the World,” Business Insider, June 17, 2013, https://www.businessinsider.com/pie-charts-are-the-worst-2013-6.
  5. One of my favorite presentation books of all time is Presenting to Win: The Art of Telling Your Story by Jerry Weissman. If you don’t have time or budget for professional coaching, the book is an invaluable resource in providing tricks of the trade for telling an effective story.
  6. David F. Larcker and Brian Tayan, Corporate Governance Research Initiative, “Strategy & Risk Oversight,” Stanford Business Corporate Governance Research Initiative, https://www.gsb.stanford.edu/sites/gsb/files/publication-pdf/cgri-quick-guide-06-strategy-risk-oversight.pdf.
  7. Ibid.
  8. IDG Enterprise, “2014 Consumerization of IT in the Enterprise,” https://www.scribd.com/presentation/212942014/IDGE-CITE-2014.
  9. Patrick Thibodeau, “A Third of Virtual Servers Are Zombies,” Computerworld, May 12, 2017, https://www.computerworld.com/article/3196355/a-third-of-virtual-servers-are-zombies.html.
  10. Jody R. Westby, “Governance of Cybersecurity: 2015 Report,” Georgia Tech Information Security Center, October 2, 2015, https://globalcyberrisk.com/wp-content/uploads/2012/08/GTISC-GOVERNANCE-RPT-2015-v15.pdf.
  11. Bob Bragdon, “Maybe It Really Does Matter Who the CISO Reports To,” CSO, June 20, 2014, https://www.csoonline.com/article/2365827/maybe-it-really-does-matter-who-the-ciso-reports-to.html.
  12. Rishi Bhargava, “False Positives Have Real Consequences,” LightReading SecurityNow, June 22, 2017, https://www.securitynow.com/author.asp?section_id=613&doc_id=733939.
  13. G. Proulx, J. C. Latour, and J. W. MacLaurin, “Housing Evacuation of Mixed Abilities Occupants,” IRC-IR-661, Internal Report, Institute for Research in Construction, National Research Council of Canada, 1994.