What the Uber Breach Verdict Means for CISOs in the US

INBV News by INBV News
October 14, 2022
in Business

This is a difficult time to be a CISO. The security community has been eagerly following multiple stories regarding Uber in the past few weeks. From the play-by-play of their recent major hack, to last week’s guilty verdict of former Uber security chief Joe Sullivan, CISOs are facing considerable challenges.

The verdict in the Sullivan case found him guilty of obstructing a federal investigation and concealing a felony from the federal government. According to the New York Times: “Stephanie M. Hinds, the US attorney for the Northern District of California, said in an announcement: ‘We are not going to tolerate concealment of necessary information from the general public by corporate executives more curious about protecting their status and that of their employers than in protecting users. Where such conduct violates the federal law, it is going to be prosecuted.’”

The federal government is sending a message to CISOs in the US: disclose and potentially lose your job, or cover up and go to jail. If they disclose information to the federal government, they meet compliance regulations, but their job will probably be on the line. A breach, especially one in which personally identifiable information (PII) is compromised, will lead to a lawsuit and the CISO will likely get fired.

But the punishment for noncompliance, failure to make full disclosure, or any gray zone in between is now personal (unlike other regulations where noncompliance results in fines for the company). Covering up a breach, as in the Uber case, and then further hiding details of the hack in the context of a federal investigation, can lead to prison time.

This case also brings to light a new challenge for CISOs: “What did you know?” Concealing information is a crucial part of this case and verdict. Hiding information by saying “I didn’t know” is not an answer for a CISO with a data breach; it reflects negligence at best and is at worst a lie. Security teams have to know, and almost certainly do know, about their security posture from the various security tools they use, and what they know cannot be concealed.

The Sullivan case has enormous gravity for the security industry. What can we expect from CISOs? Are these expectations fair?

Managing Expectations for CISOs

According to proposed legislation, the expectations are as follows. From the Form 8-K (6-K) Disclosure About Material Cybersecurity Incidents (PDF), the following rules will be added:

  • New Item 1.05 of Form 8-K would require SEC-reporting companies to disclose a material cybersecurity incident within 4 business days of determining that a material incident has occurred.
  • The company must determine the materiality of a cybersecurity incident “as soon as reasonably practicable” after discovery of the incident.
  • The SEC indicated last year in a cybersecurity enforcement action that companies must maintain disclosure controls and procedures designed to ensure that all available relevant information concerning any cybersecurity incident is analyzed for timely disclosure in the company’s SEC reports.
  • “Cybersecurity incident” means an unauthorized occurrence on or through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of an organization’s information systems “or any information residing therein.”

The question is, what should CISOs do? They’re already deploying multiple security solutions. On-premises, cloud, endpoint detection, firewalls, ransomware recovery, workload protection … the list goes on and on. Still, hackers get in, as in Uber’s case, often by simply nagging an employee to click on a phishing link. Tens of millions of dollars go to attack prevention, and “user XYZ” takes the system down.

Ways to Aid CISOs

I have been working in security for most of my career, building the tools that keep hackers out. I’d like to propose a few ways we can help CISOs out of the complicated situation they’re in.

  1. Eliminate tools that alert on every potential attack or misconfiguration. A generation of alert-based security tools pinging security teams for every small thing has made the situation worse. There is no way for a security team to keep up with the hundreds of alerts, mostly false alerts, that their security tools provide. They need to be able to see a real-time incoming attack in the context of their specific assets, one that provides a sequence of events identifying immediate risk to the company’s most valuable assets. We need to do better to support security teams with tools that provide value, not just alerts.
  2. Retool. Regulators expect CISOs to be able to detect, analyze, and understand the impact of real attack events (vs. potential misconfigurations) fast. This requires retooling and rethinking much of the security software “stack” to make sure that we’re keeping a step ahead of hackers. Using dated techniques is one area that often results in friction between security best practices and reality.
  3. Work more closely with government on the important regulations that are being proposed for legislation. To protect our CISOs from falling into felony territory, we need legislation that protects the public while also protecting CISOs who come forward and report data breaches. CISOs who genuinely plan for every attack scenario (and can show this planning) but find themselves outsmarted by hackers shouldn’t be penalized by the companies they serve.
  4. Align security goals. Many organizations are moving too fast to focus on security, and it is going to catch up with them. Development teams are increasingly leveraging agile techniques like CI/CD (continuous integration, delivery, and deployment) to deliver new and innovative features quickly and maintain a competitive advantage. And security is not part of the dev team’s or any typical employee’s everyday thought process, but it must be. Organizations must have a security strategy that permeates the organization so everyone (developers, marketing, HR, finance, the board, and everyone else) shares the responsibility with the CISO and security teams. All employees play a role in securing data assets.