Last week, Illumio joined a select group of invitees at SecurityWeek’s CISO Forum to discuss a challenge that every security team seems to share: how to cut through the hype surrounding cybersecurity and invest to keep their organizations safe. It’s always been hard to know what is real and what is snake oil in security, but with all the buzzwords and FUD today, it’s harder than ever.
The CISO Forum aimed to help organizations tackle this problem by bringing together a range of speakers from vendors, security teams, VC firms, and other industry experts. Illumio itself was there in force, with our Head of Cybersecurity Strategy Nathaniel Gleicher and CTO PJ Kirner taking part in panel discussions. There was plenty to learn from the sessions, but we heard several key lessons from the speakers and panels throughout the two-day event:
ORGANIZATIONS HAVE TO WORK TOGETHER TO BE SECURE
As much as we say that security is a team sport, one point that we heard at the forum again and again was that different parts of the security organization often do little to collaborate in the face of serious threats. Silos and stovepipes can thwart even the best-designed security plan. Communication is key to ensuring that everyone knows the challenges they face, what needs protecting, and how they’re performing. This means that the key components of security – the cybersecurity team, the application owner, and the infrastructure team – have to work together. One useful recommendation was to have leadership hold regularly scheduled meetings with multiple teams, so that everyone knows what everyone else is facing, and can pitch in.
Lesson: We generally think of cybersecurity as a technology challenge, but it's also an organizational challenge. If you can't get your organization working together, the best technology in the world isn't going to keep you safe.
MAKING ORGANIZATIONS (AND PEOPLE) RESPONSIBLE MAKES YOU MORE SECURE
Security teams don’t operate in vacuums, and CISOs know all too well that implementing security requires buy-in from the C-Suite all the way down the organizational chart.
We heard from the CISO of a federal agency about the steps needed to take an organization from a failing grade in security inspections to passing in just six months: not only do IT teams need to take ownership of their respective technical area by assuming the risk of non-compliance, leadership also needs to share some of this risk and responsibility. In particular, the principals—the C-Suite—need to learn about and be engaged with the language and processes of security. In this case, it involved educating the entire agency about STIGs and the organization's actual information security posture. This way, leadership can be counted on to continuously invest in security teams and provide them the representation they need at higher levels.Lesson: Security depends on mobilizing people across your organization, and people respond to incentives. Secure the buy-in of senior leadership and enlist each department in the effort — then enforce performance and accountability metrics across the board.
THIRD PARTY VENDORS: TRUST BUT VERIFY
Since Target was breached through credentials stolen from a HVAC vendor, organizations have been on alert against the risks posed by third party vendors. One CISO hammered this point home during a panel on managing business risks: do your due diligence on third party vendors, and establish a real-time governance process to monitor how they are handling your data. Be prepared to walk away, too. We heard reports of at least three major M&A deals that were aborted because of security risks that were uncovered at the last minute. If a data breach occurs, all the contractual remedies in the world won't be enough to fix the reputational damage. After all, when someone finds your customers' data for sale on the dark web, it will be your organization—and not the obscure vendor that introduced the vulnerability—that takes the public hit.
Lesson: Identify potential risks and vulnerabilities posed by third party vendors and monitor their access and use of sensitive information in your systems — before and throughout the course of your relationship.
- AUTOMATION AND ORCHESTRATION ARE THE FUTURE
CISOs know all too well that the industry is suffering from a dire shortage of security professionals. We heard it from the panels and on the sidelines: no matter how big an organization may be, its security team invariably feels outnumbered and overwhelmed by the speed, diversity, and volume of threats they face—like a small group of defenders trying to repel an ever-growing and evolving army. Historically, small defenders regularly repelled much larger forces, and they did it through controlling the environment so they didn’t have to be everywhere at once. Walls, hills, rivers all did the job of defenders—making them more effective than their numbers suggested.
Automation and orchestration are critical to doing this in the data center. In fact, they're the only way that organizations can keep ahead of today’s fast-moving threats. In threat intelligence, automation tools can convert streams of alerts into actionable items for frontline staff in a SOC; in managing perimeter and lateral defenses, these tools can help automate security policies to adapt to dynamic environments.
Lesson: CISOs should look to automation and orchestration as "force-multipliers" that can help them understand and control their environment to slow down and catch attackers before they can cause serious harm.
- EMBRACE HYBRID CLOUD AS AN OPPORTUNITY TO REDESIGN FOR SECURITY
We often hear how the move to cloud and virtual environments has eroded the boundaries of the traditional corporate network, accelerating business but also creating new attack vectors. But as one speaker noted, the migration from bare metal servers to cloud environments also offers an opportunity to re-design for security—for instance, to control lateral movement by segmenting systems. Of course, it’s also a chance to apply traditional principles of security-oriented design, such as least privilege, segregation of duties, and white-list security policy. We’ve talked about these principles for years, but most organizations today are still wide open inside their perimeter. By seizing the initiative and proactively shaping the cloud environment to the advantage of your security team, CISOs can use the transition to cloud to actually become more secure—positioning their organizations to address evolving threats.
Lesson: Use your expansion to hybrid cloud as an opportunity to take advantage of new, cloud-centric security technologies.
If there was one theme that emerged from the forum, it was how important it is to be proactive even when there are so many incentives—organizational and financial—to being reactive. But by investing in solutions to empower and enable their security team today, such as controlling the environment within your data center, organizations can ensure that they prevail against the attackers of tomorrow.
For more on CISO challenges, strategies, and tips, read Illumio's conversation with Oak Hill Advisors CISO, Sajawal Haider: A "frictionless approach" to cybersecurity.