& How to Beat Them - By Will Robus, CEO of Highland Defense
Admittedly I’m new to the cybersecurity industry. I have spent my career in advanced technology development and deployment, in the public sector as well as the private, so tech is very much a part of my professional DNA. Maybe almost half.
The other half of my DNA is solving problems. Building and delivering amidst the largest of obstacles. I’ve even tried healthcare for a while (but unfortunately that industry is a stack of problems that I’m not sure anyone can solve). One of the things that attracted me to cybersecurity, and a big reason we started Highland Defense, is the dynamic challenges that all companies face in trying to get ahead of would-be attackers to keep their companies safe from breach or loss.
I’ve spent a lot of time over the last two years trying to understand these challenges from a leadership perspective. To “get in the heads” of CISOs & understand how they see the world from their screen, what their goals are, and what their agenda is for executing what they believe will be the difference maker for their organizations.
To gather data from as many CISOs as I could, I’ve listened to many podcasts and interviews; these conversations are very insightful. I’m usually left impressed at the savvy and fundamental approaches that are detailed in the conversations. Articles and interviews are helpful too. (I will confess that I get most excited when I read a quote from a CISO that aligns with how we are attacking the challenges of cybersecurity at Highland Defense.) Finally, one-on-one conversations with CISOs are the most informative; however, even if it’s not a sales pitch, I’m still a security vendor, and I imagine they edit their responses accordingly.
What follows in this article is my current observation of the goals and challenges CISOs face daily, based on the last two years of my subjective research.
A CISO’s #1 Concern – Close the Gap
If I summed up what a CISO’s job description is in one line it would be this:
A CISO is responsible for closing the gap between existing security risks at an organization, and that organization’s ability to mitigate or eliminate those risks.
A CISO has limited resources to accomplish this: limited time, limited money, limited talent. A CISO has an agenda, a battle plan, a path that organizes technology, people, and processes via objectives and budgets. An agenda of priorities they communicate up to the CEO & the board, then delegate across their direct reports & their teams.
Sounds simple. Make a plan. Get buy-in for that plan. Fund & staff the plan. So why aren’t all CISOs crushing it? Why is the average tenure of a CISO at a Fortune 500 company only about two years?
Simple? Yes.
Easy? Rarely.
A CISO’s #1 Problem – Agenda Killers
As every leader knows, things rarely work out how you expect them to. As the proverb reminds us: “The best laid plans of mice & men often go awry.”
Salespeople love to ask, and CISOs hate to answer, the question “What do you need? What are your biggest problems?” I’ve received all kinds of answers to this question – from the frustration of the day to “I want you to tell me the biggest problem that I have that I don’t know about yet!”
The truth is – CISOs are very capable leaders with strong teams of strategic, managerial, and technical talent. However, the “nature of the beast” is the everyday reality of internal and external change and complexity. We’ve summarized these CISO agenda killers into 5 distinct forces.
Agenda Killer #1 – Business Transformation
Wouldn’t it be much easier to complete all of your security projects and roll-outs if the business just stood still for a little while? Of course it would, but that’s not reality. The meta stakeholder of a security organization is the business itself, and the business only grows if it is moving ahead. This means there will be constant change; new business lines, deprecation of old business lines, mergers, acquisitions, joint ventures, key supplier on-boarding. Just getting the business to consider security in these types of business transformations can be a challenge.
Delivering security in an ever-changing business context is a constant battle.
Agenda Killer #2 – Technology Transformation
Coming right alongside business transformation is technology transformation. All of those newly acquired operating companies have their own tech stacks and infrastructure that instantly become the new problem of the CISO. There is also the nagging issue of tech debt – legacy systems, aging infrastructure long past its useful life, or simply bad decisions made by previous leaders that current leaders were forced to inherit. I’d also like to introduce the idea of entropy here: because the technology scope and the infrastructure keep changing, a CISO cannot afford to keep doing what they are doing today and expect to be secure tomorrow.
There is a constant decay of security as time progresses – the natural trade-off of successful business and technology transformation.
Agenda Killer #3 – Attacker Evolution
On top of the complexity and change introduced internally at an organization, there are the constantly evolving threats from external attackers, as well as insiders, to manage. APTs and hacker groups are continually refining their approaches. From a pure economic standpoint, the cost of launching or automating a new attack, even with age-old techniques, is very, very small vs. the costs a company incurs to maintain adequate defenses (see entropy above).
From a speed and volume standpoint – it’s hard for security leaders not to feel outmanned and outgunned at times.
Agenda Killer #4 – Talent Market
We are all aware of the tight labor market for cybersecurity talent. Technical talent is difficult to find in any industry, as well as expensive to acquire and retain. Cybersecurity is especially challenging, I believe, because it requires a mashup of technical skills not commonly found in other traditional IT roles. A good cybersecurity professional needs to understand all aspects of the IT environment: endpoints, network traffic, web traffic, email domains, IAM, as well as database architecture and application-layer security. This is hard to “teach”, as it usually comes from on-the-job experience.
Our company is focused on leveraging Splunk to deliver world class security, and our CTO Stuart McIntosh frequently tells me “It’s easy to teach someone Splunk, but it’s a lot harder to teach someone security.”
Agenda Killer #5 – Security Solutions Transformation
Finally, as if the first four agenda killers weren’t enough, we have a constant onslaught of security solutions that will “solve the problems”. Vendors hawking thousands of solutions, accelerating activity in startup investment and acquisitions, not to mention the churn of “buzzwords of the year” that promise a new silver bullet to all that ails a CISO’s security program. There is a lot to keep up on, which is followed by the constant fear of investing in the wrong solution for tomorrow (and creating your own technical debt in the future).
A CISO could spend 100% of their time just keeping up on the latest and greatest solutions for what ails their security program.
What we can do about it
I opened the article with my admission of cybersecurity naivety. With that naivety, however, comes the unique value of a fresh perspective. A new set of eyes to see for the first time what others have been looking at for a long time.
Naturally, we at Highland Defense have some ideas on how to overcome these obstacles.
We design these considerations into our products and services, as well as work closely with our customers coaching them to get better at overcoming these challenges. This enables them to push the security agendas for their security organization and their CISOs forward.
We believe in a holistic approach that requires a sound technical approach (ideally grounded in first principles) and also requires designs to mitigate or eliminate the agenda killers above.
The Highland Defense Approach
In summary, we believe the way to eliminate these CISO agenda killers is by deploying three distinct and complementary approaches.
1) Infrastructure - Aggregate and normalize ALL of your data
2) Security Solutions – Centralize security tooling and related data
3) Process – Integrate security teams and their processes with the data and solutions from steps 1 & 2
In a previous article about the future of threat detection I outlined three keys to achieving exponential returns around threat detection and alerting. It turns out that logic can apply here as well:
1) Infrastructure – Blow it up (Aggregate and normalize ALL of your data)
2) Security Solutions – Stitch it up (Centralize and integrate security tooling and related data)
3) Process – Roll it up (Integrate security teams and their processes with the data and solutions from steps 1 & 2)
I’ll detail these in a future article, but for now a preview of how these approaches mitigate the 5 agenda killers we identified earlier.
The Biggest Problem that CISOs May Not Realize
In our experience working with Fortune 500 companies, the biggest issue we see across the organization is team alignment. This isn’t to say there are bad leaders or teams; it’s actually just a fallout of the 5 agenda killers above – the friction and overhead created by constant change and growing complexity. The same can be said for security technology and operational processes. And when things are out of sync, sometimes because of competing priorities, everyone suffers, cost goes up, and we see the agenda killers flex their power to stall or kill progress.
So how do these three approaches resolve this?
1) Data aggregation and normalization – tech is tech, data is data. By classifying each source by “what type of data is this” (a network flow, an authentication event, an endpoint process start) and by resolving “who is this really” (which asset, account, or owner a raw IP or username maps to), we essentially commoditize the source of the data, making the specific technology unimportant. For example – firewall data is firewall data. If we can read Cisco firewall data the same way we read Palo Alto data, does it matter which one we have in the environment? Deploy this approach as a framework, and we have endless scalability. New acquisition? No problem – drop their data into the framework and let’s start securing them.
This approach takes a big bite out of the business transformation and technical transformation agenda killers.
2) Centralized and integrated security tooling & data – Attackers win by gaining a foothold and exploiting – regardless of the tactic or technique. By centralizing the security tools you can see everything through a single lens, more importantly see all of the ripples as they cross IT stacks and security solutions. You own your entire environment – the attackers do not – use your home field advantage. By pushing this further and integrating them, speed can be on your side. Fewer clicks, less “finding” and more doing.
This approach coupled with the previous commoditizes security tooling and data as well, greatly reducing technical transformation and attacker evolution agenda killers.
3) Process integration with security teams – We now have commoditized infrastructure data and commoditized security data in a central place. By “stitching it all together” with integrated processes (a unified framework with built-in lifecycle management), all of a sudden we have alignment between technology & teams.
The result of a successful framework is instant bandwidth for your security talent, aligned with clear ways to contribute and defined paths to execute the CISOs agenda.
This rounds out to address the final agenda killers: talent market and security solutions transformation.
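To make the normalization idea in approach 1 concrete, here is an added example (my own illustration, not Highland Defense code or any product’s schema): two constructed firewall records, one in Cisco ASA syslog style and one in a simplified Palo Alto traffic-log CSV layout, are parsed into a single FlowEvent schema, each address is resolved against a hypothetical asset inventory (“who is this really”), and one detection then runs over the normalized events without caring which vendor produced them. The Palo Alto field order and the asset inventory are assumptions made for the example; real PAN-OS traffic logs are far wider, so the column indices need adapting to your own export.

```python
"""Added example: vendor-agnostic firewall log normalization."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FlowEvent:
    """Common schema: 'what type of data is this' -> a network flow."""
    vendor: str
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp", ...
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_asset: str   # 'who is this really', resolved from the inventory
    dst_asset: str


# Hypothetical asset inventory and internal ranges (constructed for the example).
ASSETS: Dict[str, str] = {"10.0.0.5": "wks-finance-01", "10.0.0.9": "srv-bastion-01"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve_asset(ip: str) -> str:
    """Map an IP to an asset name; an unknown internal host is flagged, not hidden."""
    if ip in ASSETS:
        return ASSETS[ip]
    addr = ipaddress.ip_address(ip)
    return "internal-unknown" if any(addr in net for net in INTERNAL_NETS) else "external"


# Cisco ASA 106023: Deny tcp src outside:A/p dst inside:B/q by access-group ...
ASA_DENY = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+)"
    r" dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# Cisco ASA 302013: Built inbound|outbound TCP connection N for iface:A/p (..) to iface:B/q (..)
ASA_BUILT = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) (?P<proto>\w+) connection \d+"
    r" for \w+:(?P<a>[\d.]+)/(?P<ap>\d+) \S+ to \w+:(?P<b>[\d.]+)/(?P<bp>\d+)"
)


def _event(vendor, action, proto, src, sport, dst, dport) -> FlowEvent:
    return FlowEvent(vendor, action, proto.lower(), src, int(sport), dst, int(dport),
                     resolve_asset(src), resolve_asset(dst))


def parse_asa(line: str) -> Optional[FlowEvent]:
    m = ASA_DENY.search(line)
    if m:
        return _event("cisco_asa", "deny", m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
    m = ASA_BUILT.search(line)
    if m:
        # In 302013 the 'for' address is the initiator for inbound connections and the
        # responder for outbound ones, so the two sides swap meaning with direction.
        if m["dir"] == "inbound":
            src, sport, dst, dport = m["a"], m["ap"], m["b"], m["bp"]
        else:
            src, sport, dst, dport = m["b"], m["bp"], m["a"], m["ap"]
        return _event("cisco_asa", "allow", m["proto"], src, sport, dst, dport)
    return None


# Simplified Palo Alto traffic record. This field order is an ASSUMPTION for the
# example; real PAN-OS traffic logs are much wider, so adjust the indices.
PAN_FIELDS = ["type", "subtype", "src", "dst", "sport", "dport", "proto", "action"]


def parse_pan(line: str) -> Optional[FlowEvent]:
    fields = line.split(",")
    if len(fields) != len(PAN_FIELDS) or fields[0] != "TRAFFIC":
        return None
    rec = dict(zip(PAN_FIELDS, fields))
    action = "allow" if rec["action"] == "allow" else "deny"  # drop / reset-* all mean deny
    return _event("palo_alto", action, rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])


# The framework: a new source only needs a parser registered here; nothing downstream changes.
PARSERS: Dict[str, Callable[[str], Optional[FlowEvent]]] = {"cisco_asa": parse_asa, "palo_alto": parse_pan}


def normalize(records: List[Tuple[str, str]]) -> List[FlowEvent]:
    events = []
    for source, line in records:
        ev = PARSERS[source](line)
        if ev is not None:
            events.append(ev)
    return events


def denied_inbound_by_asset(events: List[FlowEvent]) -> Counter:
    """Vendor-agnostic detection: denied connections from external sources, per internal asset."""
    return Counter(ev.dst_asset for ev in events if ev.action == "deny" and ev.src_asset == "external")


# Constructed sample records (not real captures).
SAMPLE = [
    ("cisco_asa", '%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.9/22 by access-group "outside_in" [0x0, 0x0]'),
    ("cisco_asa", "%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)"),
    ("palo_alto", "TRAFFIC,drop,198.51.100.7,10.0.0.9,4445,22,tcp,drop"),
    ("palo_alto", "TRAFFIC,end,10.0.0.23,203.0.113.9,50000,443,tcp,allow"),
]

if __name__ == "__main__":
    evs = normalize(SAMPLE)
    for ev in evs:
        print(ev)
    print(denied_inbound_by_asset(evs))
```

The point of the example is the last function: it never mentions a vendor. The same SSH probe from 198.51.100.7 is counted against srv-bastion-01 whether the ASA or the Palo Alto saw it, and the host 10.0.0.23 that nobody put in the inventory surfaces as “internal-unknown” rather than silently blending in, which is the kind of gap an acquisition drops into your environment.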
To Create a Solution, we must first define the problem
The thoughts in this article are simply my current views based on the last two years of subjective research. And again, I’m a cybersecurity newbie. I completely expect these views to evolve over time, if not change in their entirety.
Please give me the gift of your thoughts and feedback based on your knowledge & experience. I welcome comments of validation and rebuke. Our core belief is that we will only win the war of securing every company by working together for the benefit of all.
Cross-posted on LinkedIn: https://www.linkedin.com/pulse/cisos-5-agenda-killers-outpost-security