Top Reads on SecurityRoundtable.org

Simplify: Why Less Is More When It Comes to Cybersecurity


LETTER FROM THE CIO

Keep It Simple, Like Leonardo da Vinci

No discussion of the Renaissance—arguably the most important era in human history—would be complete without Leonardo da Vinci. No individual personified the term “Renaissance man” more than da Vinci—artist, author, architect, inventor, scientist, and more.

An aphorism attributed to him—“Simplicity is the ultimate sophistication”—is especially relevant today. It should inspire us to rethink, re-architect, and redesign how we build cutting-edge cybersecurity defenses that go far beyond the next shiny new tool. Simplicity is often the foundation for tackling complex problems and solving them to achieve sustained results in the most efficient way possible.

That’s why we’ve devoted the second edition of our quarterly magazine to the concept of simplicity. In this issue, we selected top reads from SecurityRoundtable.org to focus on why simplicity is the groundwork to building effective cybersecurity strategies.

For business leaders who have to deal with complexity, this concept is key. And by simplicity, I don’t mean simple. In fact, we must set ambitious, even audacious, goals for ensuring the continuous, long-term security of our data, our systems, our operations, and our people.

This is particularly important when we think about the rapidly changing nature of risk—everything from the rapid adoption of public cloud to a mobile and agile workforce, “tool sprawl,” connected operational networks, an increasingly automated adversary, the dark web, and the maze of compliance mandates.

It’s also critical as we embrace innovation and agility through iterative development, infrastructure and security as code, and virtualized workforces—exciting opportunities that, nonetheless, have the potential to create more complexity unless we lead with simpler approaches.

Simplicity is what helps our SecOps and business teams deal with the bombardment of technology that may give our organizations more opportunities for advancement, but also ups the stakes for cybersecurity. With hundreds of companies offering cybersecurity hardware, software, and services, it’s tougher than ever for organizations like yours to sort through it all to discern what works—and what works best.

The notion of “defense in depth”—for years the basis for most organizations’ cybersecurity strategies—is no longer effective. The very nature of our heterogeneous environments leads to dangerous and often-overlooked gaps in coverage. And we can’t solve the problem by ramping up our hiring efforts, for two big reasons: the 3-million-person global cybersecurity skills shortage, and attackers’ increasing use of bots, algorithms, machine learning, and very cheap, widely available exploit kits.

Moreover, security operations centers (SOCs) are not effective as they are overwhelmed by event overload and a manual approach to an automated adversary. We need to simplify and transform security architecture and operations, and we need to do it now.

The articles in this magazine offer practical, real-world discussion of the role simplicity plays in making organizations more secure, from “de-cluttering” the dozens or even hundreds of security tools dotted throughout your infrastructure to how to prioritize risk and improve fundamental cyber hygiene.

Take a page from da Vinci—use simplicity to tame the beast.

Naveen Zutshi

Chief Information Officer

Palo Alto Networks

Contributors

  • Mario Chiock, a Schlumberger Fellow, served as chief information security officer at Schlumberger, where he was responsible for developing the company’s worldwide cybersecurity strategy. He is widely recognized for his leadership in cybersecurity. Chiock serves on the advisory boards of Palo Alto Networks, Onapsis, and Qualys.

  • Sam Greengard is the author of The Internet of Things (MIT Press, 2015) and the AARP Crash Course in Finding the Work You Love: The Essential Guide to Reinventing Your Life (Sterling, 2008). He is also a regular contributor to many other business and technology publications.

  • Rick Howard is the chief security officer at Palo Alto Networks where he is responsible for the company’s internal security program, oversight of its Threat Intelligence Team, and development of thought leadership for the cybersecurity community.

  • John Kindervag is field chief technology officer at Palo Alto Networks. Previously he was vice president and principal analyst on the Security and Risk Team at Forrester Research. John is considered one of the world’s foremost cybersecurity experts and is widely known for creating the Zero Trust model of cybersecurity.

  • Lucas Moody is vice president and chief information security officer at Palo Alto Networks. He leads efforts to protect the company’s information and technology assets while partnering with product management to contribute to continued product innovations.

  • Mike Perkowski, co-founder of New Reality Media, is an award-winning journalist who founded, led, or helped develop some of the most successful and influential high-tech media properties over the past several decades.

  • Al Perlman, cofounder of New Reality Media, is an award-winning technology journalist. For the past dozen years, he has focused on the intersection between business and technology, with an emphasis on digital transformation, cloud computing, cybersecurity, and IT infrastructure.

  • Jamison Utter is a senior business development manager at Palo Alto Networks. He has spent his entire career in security and worked in prominent online retail companies, technology giants, and telecommunications carriers.

  • Naveen Zutshi is senior vice president and chief information officer at Palo Alto Networks. He oversees the company’s information technology solutions, driving a comprehensive strategy that delivers on scale, agility and innovation.

TABLE OF CONTENTS

FEATURE ARTICLE: What’s Old Is New: Back to Security Basics With Good Cyber Hygiene (Naveen Zutshi)

  • Letter from the CIO (Naveen Zutshi)
  • Eight Steps to Simplify Cybersecurity (Mario Chiock)
  • When Every Company Is a Data Company, Reality Bites (Rick Howard)
  • Hoarding Applications and Tools Makes No Sense: It’s Time to De-Clutter (Mike Perkowski)
  • A Wake-Up Call for Zero Trust: Interview With Tony Scott, Former Federal CIO (John Kindervag)
  • Why Automation, Why Now? (Lucas Moody)
  • The Winning Combination for Your SOC (Al Perlman)
  • Everything Can’t Be Urgent: Why You Need to Prioritize Cyber Risks (Mike Perkowski)
  • Don’t Let Cyber-Intelligence Turn Into Cyber-Ignorance (Sam Greengard)
  • It’s Easy to Spend Other People’s Money, but Are Your Cybersecurity Investments Paying Off? (Mike Perkowski)
  • There’s No Such Thing as an ‘IoT Strategy’ (Jamison Utter)

Eight Steps to Simplify Cybersecurity

BY MARIO CHIOCK

Complexity has become a growing problem for cybersecurity during the past few years. As the threat environment has gotten more sophisticated, organizations have typically responded by adding new tools to their security stack—often to the point where complexity is increasing risk, rather than reducing it. Research from Palo Alto Networks indicates that large organizations and enterprises are using more than 130 tools on average, and even mid-size companies are using 50 to 60 tools.

When it comes to cybersecurity in 2019 and beyond, less is more. Even in these challenging times—especially in these challenging times—cybersecurity leaders must take control of their environments and reduce complexity by using fewer tools and ensuring they can more efficiently and effectively use the ones they already have. They must also rely on more automation, fewer vendors, and higher levels of integration and orchestration.

While reducing complexity may sound hard, in reality it can be relatively simple—with the proper approach and a commitment to a vendor ecosystem that stresses integration and orchestration.

Based on my experience at the front lines of cybersecurity across more than three decades, here are eight steps I recommend to help simplify cybersecurity and be better prepared to manage risk now and in the future.

  1. Shrink the stack. Having fewer tools that you know how to use properly is much better than having too many things that you don’t know what to do with. Also, by shrinking the number of tools, you will be able to reduce complexity by working with fewer vendors.
  2. Automate wherever possible. Any process that is repetitious and can be automated should be automated. Prime examples include log analysis and incident response.
  3. Integrate. I try to avoid buying any security product that does not automatically integrate or orchestrate with others. I prefer to have one vendor that does 10 different things, rather than a vendor that does one thing but does not integrate with my other solutions.
  4. Orchestrate. For example, today we have different logs for different security tools. We keep making more copies of the same logs. To make them useful, we need them in a centralized location where we can centralize enforcement while simplifying and streamlining the workflow.
  5. Measure. While you want to keep things simple, you also want to measure them. If a process takes 10 steps, can you reduce that to three? Six Sigma certification is something I look for in security professionals because it ensures a focus on both simplicity and transparency.
  6. Communicate. If you’re in cybersecurity, make sure the non-technical business executives understand what you are trying to do. Also, try not to make policies and procedures too complicated. If you don’t keep things simple, people may avoid doing the right thing, which can make your organization more vulnerable.
  7. Educate. Everyone in the organization should understand what you are doing and why. Awareness is critical in cybersecurity. If you can make it fun, try that. Instead of quizzing people on cybersecurity, make it more like a trivia contest where you give away prizes to individuals who can demonstrate that they are well informed and doing the right things.
  8. Practice good hygiene. By practicing good cybersecurity hygiene, you make things much simpler for your cybersecurity team. You always know, for example, that operating systems are patched and current, data and configuration files are backed up, and secure passwords are being used. Failure to follow best practices can lead to gaps in protection, which adds complexity and results in time spent fixing problems that should never have occurred in the first place.

Today, most organizations are using multiple clouds in addition to their on-premises data centers. In addition, we are seeing exponential growth in data through innovations such as the internet of things and artificial intelligence. And the workforce is changing right before our eyes, becoming more mobile and global at the same time.

By taking a less-is-more approach, we have the opportunity to be smarter and more agile in ensuring that we are doing the best job possible to protect our organizations, customers, employees, and partners.

When Every Company Is a Data Company, Reality Bites

BY RICK HOWARD

You’ve all heard the statistics about the growth of digital data:

  • 2.5 quintillion bytes of data are created each day
  • 90% of the world’s data was generated in just the past two years
  • The “global datasphere” will grow from 33 zettabytes in 2018 to 175 zettabytes by 2025; remember that a zettabyte is one billion terabytes (and a terabyte is one million megabytes)

There are a lot of reasons why we have so much data: more computing devices; tons of connected things; really inexpensive compute power and data storage; sophisticated data mining tools; cloud computing; massive regulatory footprints; tech-savvy users and employees; demanding data-retention policies, and more.

While this obviously creates big challenges for organizations, it also has resulted in fantastic business opportunities and new ways of serving businesses, consumers, communities, and societies in general. Without a doubt, nearly every company is now a data company.

American Airlines gave us a glimpse of this decades ago when it rolled out its revolutionary SABRE airline reservation system. American’s legendary CIO, Max Hopper, had the foresight to know that American had to be more than an airline; it had to be a company that used data for competitive advantage.

Today, many companies look and act in traditional manners but have transformed into data companies. Media outlets no longer just sell advertising; they sell access to buying intentions of their readers and visitors. Healthcare providers don’t just treat illnesses and make patients well; they develop insights on a treasure trove of data about everything from population health to the spread of infectious diseases. Retailers don’t just sell goods in stores; they collect, analyze, and share data on buyer behavior, preferences, and actions—even intelligence on merchandise theft.

A Data Revolution

But when every company becomes a data company, the stakes are raised—substantially—for protecting data against cyber risk.

The amount, diversity, and velocity of data have changed in revolutionary ways over my career. When I started in the information security space in the early 1990s, we only had to worry about the perimeter. We built a large electronic wall at the edge of the network, and eventually, that wall safely separated our data from the perils of the internet. We figuratively circled the wagons around our data, typically in a single headquarters facility where our data resided—in data centers, on local area networks, and on desktop computers. Security wasn’t necessarily easy, but it was relatively simple to plan for and implement.

But when Amazon Web Services was formed more than a decade ago, followed by other public cloud platforms, everything changed. Soon, it was acceptable, and even desirable, for us to use personal devices, web-based applications, cloud services, and unsecured networks to do our work. And since we were now doing work virtually around the clock, our organizations didn’t mind what they assumed to be a modestly upgraded set of cybersecurity threat vectors.

Oops

Now, we have to confront a difficult reality: Not only is our data at greater risk than ever, but the very viability of our organizations is under unprecedented attack.

The fortunes of shareholders, customers, trading partners, employees, and the entire connected business ecosystem hang in the balance if we don’t get this right. All companies now are data companies, and that means that all companies must rethink their cybersecurity strategy.

Why? And how?

Data Silos Everywhere

One of the most important things to realize is that we now have data silos everywhere. As those data silos have emerged and expanded, organizations have put in place a litany of security tools to deal with what they’ve believed to be unique security issues for each data silo.

Frankly, it has become a mess: Small organizations often have around 10 to 15 distinct security tools to monitor and manage, while it’s fairly typical for large enterprises to have 150 or more. Your InfoSec teams have to understand, manage, anticipate, and remediate cybersecurity problems for each of those data silos, using distinct and disparate tools.

What a morass this has become—especially when we add in all the cloud services our employees and users take advantage of, each with its own sets of data and its own security tools.

Of course, not every industry is in the same risky position when it comes to protecting its data and ensuring its viability as a data company. Technology-based companies are likely to be in the best position—even if they usually have the most data to contend with—because they’ve seen the development of higher levels of risk up close.

Other industries that have been highly dependent on data—financial services, healthcare, and logistics, for instance—have already begun re-architecting their security frameworks.

Playing Catch-up?

Then there are industries where organizations are playing catch-up to their massive data growth and heightened security risks. Sadly, one of the most at-risk industries when it comes to ensuring their futures as data-driven organizations is government, a segment where the sophisticated and innovative use of data can have massive upsides for our societies. At the federal or national level, governments often understand the risk, but their bureaucracies impede their ability to address the problem in a timely manner. And local governments may be slightly nimbler, but they face a familiar problem: The lack of sufficient financial and personnel resources to suitably address the risks.

So, what should organizations do in order to properly secure their status as data companies?

First, organizations should reimagine their cybersecurity defensive posture—perhaps radically so, if data is becoming a critical point of differentiation for your organization. Prevention controls must be deployed at every phase of the much-discussed intrusion kill chain. That’s become increasingly difficult with the expansion of data silos and new threat vectors that span far beyond the perimeter. That means a platform approach to securing all those “data lakes” that have evolved in recent years, where a common security framework is deployed in each and every data lake. It’s more efficient to manage, less expensive to procure, and faster to deploy.

Second, you need to move away from the multi-security-solution-vendor paradigm that has spread like kudzu over the years. Having a different vendor for dozens or even hundreds of point products for cybersecurity is a losing proposition. Your InfoSec team has to be certified on dozens of vendors’ solutions and then retrained on a regular basis to maintain that certification.

Plus, there’s the stark reality that having multiple vendors’ point products doesn’t promote redundancy and reinforcement; quite the contrary. Since those different vendors designed their solutions for specific problems, those products were never going to work seamlessly together.

Third, business executives have to understand that, in order to become a data company, you actually have to store and have easy access to all that data. The good news is that, because data storage today is really cheap—both in your physical data centers and in the cloud—you have access to more data than ever. And powerful analytics tools allow you to find the needle in the haystack that can make the difference between really understanding your customers and guessing what they want.

But that puts the onus back on your CISO and the SecOps teams to reliably, efficiently, and affordably secure all that data. As we’ve often discussed on SecurityRoundtable.org, you don’t do that simply by hiring more security engineers, for several reasons.

One, there is a big and growing gap between security skills required and talent available. Two, the bad guys are using sophisticated machine learning tools to spot vulnerabilities and exploit them, and you need to counter software and automation with, well, software and automation.

So, as you plot your strategy to harness all that massive data in order to transform your company into a data company, don’t forget to reconstruct your cybersecurity strategy in lockstep. If you don’t, the possibility of drowning in your data lake may be the least of your problems.

Hoarding Applications and Tools Makes No Sense: It’s Time to De-Clutter

BY MIKE PERKOWSKI

You’ve probably heard the cliché, “He with the most toys when he dies, wins.” The same cannot be said for software applications and security tools, however.

There is no honor–and no sense–in having the largest portfolio of applications and tools. That’s because having too many programs and tools is expensive, complex to manage, and extremely vulnerable to cybersecurity problems. So if your technical teams are being asked to manage sprawling empires of applications and security tools, at the very least you might want to do some spring cleaning. Or, you might want to take a more strategic approach, and dramatically rethink, re-prioritize, and re-architect your software portfolios. And let’s be clear: This is not just a job for your CIO or CISO. It’s something business executives must get behind and show real leadership on.

Whatever approach you decide, do it as soon as possible. Maintaining your status quo–and letting application and tool sprawl become an even bigger problem–is a ticket to organizational chaos.

There was a time, not that long ago, when bigger was better in IT: bigger data centers, bigger hardware infrastructure, bigger enterprise applications, bigger networks, and bigger portfolios of software packages and security tools. Got a problem? There’s an app (or a tool) for that.

Just how many apps does a typical enterprise have in use? That has become increasingly difficult to pinpoint due to a variety of factors, including shadow IT, the pervasive use of public cloud applications, and the ubiquitous bring-your-own-device/application trend. One data point put this number at 508 applications–and that figure was from four years ago. Undoubtedly, the popularity of public cloud services has caused that number to skyrocket in recent years. In fact, research indicates that the average enterprise uses an astonishing 91 cloud services just for marketing.

The implications of this “application bloat” are too important to ignore, given the costs for subscriptions, maintenance, support and more.

“The days of measuring your effectiveness and readiness by the number of applications you’re managing are over,” said Naveen Zutshi, Palo Alto Networks’ Chief Information Officer. “It’s an antiquated, completely wrong approach because ‘bigness’ in this area is actually a boat anchor. It makes the organization less nimble, less able to respond quickly to new opportunities and new threats. And it ends up a colossal waste of effort, personnel, and money.”

“Colossal” also is an apt term to describe many enterprises’ applications portfolio. The sources of software applications are more numerous and diverse than ever: hundreds or even thousands of off-the-shelf applications, home-grown programs, SaaS-based apps and, with alarming frequency, software that seems to magically take root in shadow IT efforts.

Any decent-sized organization is likely to have thousands of applications located in corporate data centers, stand-alone departmental systems, remote computing centers and, of course, the cloud. The cloud, in particular, is a huge contributor to the number of new applications emerging throughout the enterprise: Research indicates that the average enterprise is deploying and running applications in nearly 5 different clouds.

And security tools present a similarly challenging scenario. Data compiled in a survey with banking industry cybersecurity leaders notes that more than a third of organizations are using between 51 and 100 security tools. That’s a stunning number: What organizations have the time and personnel to manage that many security tools? Or, put another way, why would you even want to?

So, what should business leaders, CIOs, CISOs, and their teams do about this?

“Just like you clean up your home from time to time as you discover that you’ve accumulated things you either no longer use or can’t remember why you got them in the first place, you have to tidy up your applications portfolio and your security tool kits,” said Zutshi.

“Collecting more and more of these programs and tools over time inevitably leads to operational complexity, duplication of efforts, and wasted budget,” he added. “And from a security standpoint, the difficulty in understanding and managing all these applications often leads to increased vulnerabilities in your security posture. You might have redundancies and you might have gaps, but you often simply don’t know.”

Once executives understand that they have this problem and that it poses a significant set of challenges, it’s time to take action. And those actions should include:

  • Take a full, comprehensive inventory of all applications and tools. This seems like a simple place to start, but it’s not simple to actually pull off, considering that those applications can reside–or hide–anywhere on your infrastructure, in the cloud, or even on an employee’s home network. And be sure to account for software and tools that have “magically” made their way into your portfolio through shadow IT.
  • Establish the economic value. You’ll need to calculate the financial benefit of having that application or tool, versus the cost to purchase, deploy, and manage it. And if your technical teams can’t quantify the financial benefit, it might be a good sign that you need to get rid of that tool.
  • Create a cybersecurity value-to-risk matrix. Some security tools may be doing their jobs well, but they might be deployed against a risk that no longer is that imposing to the enterprise. And modern cybersecurity tools have become much more multi-functional, rendering legacy point products obsolete. Consider replacing those single-purpose tools with multi-faceted security platforms that address multiple needs and are far more flexible.

As you conduct your applications and tools inventory, and after you calculate the economic value of each application and tool, you’ll need to find a way to reconcile all these findings and establish a viable action plan for each. You must be able to assess each application and tool and determine if the organization should:

  • Keep it. The product either fills a strategic role and is working well, or provides a unique capability that cannot be easily replicated or improved by another existing solution in your portfolio.
  • Modernize it. After your inventory, you’ll undoubtedly discover that the organization is maintaining (and still paying charges for, by the way) a lot of old stuff. Again, if it’s something that you still need, you may determine that you need to either modernize it or, perhaps, replace it with a different product from a different supplier to do the same thing, but in a more efficient, agile, scalable, and secure manner.
  • Toss it. Just because you finished paying for an app or a tool years ago doesn’t mean it doesn’t cost you anything. There are likely maintenance fees, per-user fees, or subscription costs still showing up, so don’t be hesitant to get rid of an older product just because you think it’s “free.” If the tool or program no longer plays an important role in your business operation, or its functions are largely performed by other, modernized tools you’ve added, make the decision to end-of-life it, and don’t look back.
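The inventory, the value-to-risk matrix, and the keep/modernize/toss triage described above can be run as one repeatable analysis rather than a spreadsheet exercise. The following Python script is an added example, not code from the article or from Palo Alto Networks. The tool names, annual costs, control names and risk weights are constructed for illustration. It builds a control-coverage matrix, finds tools whose every control is already provided elsewhere (the “redundancies”), finds required controls that nothing provides (the “gaps”), scores each tool by cost per unit of risk addressed, and emits a triage decision with a reason.

```python
"""Added example: rationalizing a security-tool inventory into keep / modernize / toss.

Everything here is constructed for illustration: the tool names, costs, control
names and risk weights are hypothetical, not data from the article.
"""

# Constructed inventory. Per tool: annual cost, the controls it provides,
# whether anyone actually operates it, and whether the vendor still supports it.
INVENTORY = {
    "legacy-av":    {"annual_cost": 40_000,  "in_use": True,  "vendor_supported": True,
                     "controls": {"endpoint-malware"}},
    "edr-platform": {"annual_cost": 120_000, "in_use": True,  "vendor_supported": True,
                     "controls": {"endpoint-malware", "endpoint-telemetry", "response"}},
    "old-ids":      {"annual_cost": 25_000,  "in_use": False, "vendor_supported": False,
                     "controls": {"network-ids"}},
    "ngfw":         {"annual_cost": 90_000,  "in_use": True,  "vendor_supported": True,
                     "controls": {"network-ids", "segmentation", "url-filtering"}},
    "spam-gateway": {"annual_cost": 15_000,  "in_use": True,  "vendor_supported": False,
                     "controls": {"email-filtering"}},
    "backup":       {"annual_cost": 30_000,  "in_use": True,  "vendor_supported": True,
                     "controls": {"backup"}},
}

# Controls the organization has decided it needs, weighted by the risk they address
# (1 = low, 5 = critical). This is the "risk" axis of the value-to-risk matrix.
REQUIRED_CONTROLS = {
    "endpoint-malware": 5, "endpoint-telemetry": 4, "response": 4,
    "network-ids": 3, "segmentation": 5, "url-filtering": 2,
    "email-filtering": 4, "backup": 5, "mfa": 5,
}


def coverage_matrix(inventory):
    """Map each control to the set of in-use tools that provide it."""
    matrix = {}
    for name, tool in inventory.items():
        if not tool["in_use"]:
            continue
        for control in tool["controls"]:
            matrix.setdefault(control, set()).add(name)
    return matrix


def redundant_tools(inventory):
    """In-use tools whose every control is also provided by other surviving tools.

    Tools are judged one at a time, narrowest coverage and highest cost first, and a
    tool already marked redundant no longer counts as covering anything. That way two
    identical tools are not both flagged: the pricier one goes, the other survives.
    """
    active = {n for n, t in inventory.items() if t["in_use"]}
    order = sorted(active, key=lambda n: (len(inventory[n]["controls"]),
                                          -inventory[n]["annual_cost"]))
    redundant = set()
    for name in order:
        others = active - redundant - {name}
        covered_elsewhere = set().union(*(inventory[o]["controls"] for o in others))
        if inventory[name]["controls"] <= covered_elsewhere:
            redundant.add(name)
    return redundant


def cost_per_risk_point(inventory, required):
    """Annual cost divided by the summed risk weight of the required controls a tool
    provides; lower is better, infinite if it covers nothing on the required list."""
    result = {}
    for name, tool in inventory.items():
        weight = sum(required.get(c, 0) for c in tool["controls"])
        result[name] = tool["annual_cost"] / weight if weight else float("inf")
    return result


def triage(inventory, required):
    """Return {tool: (decision, reason)} with decision in keep / modernize / toss."""
    redundant = redundant_tools(inventory)
    decisions = {}
    for name, tool in inventory.items():
        if not tool["in_use"]:
            decisions[name] = ("toss", "nobody operates it, but it still costs money")
        elif not tool["controls"] & set(required):
            decisions[name] = ("toss", "addresses no risk on the required list")
        elif name in redundant:
            decisions[name] = ("toss", "every control it provides is covered elsewhere")
        elif not tool["vendor_supported"]:
            decisions[name] = ("modernize", "needed control, but unsupported product")
        else:
            decisions[name] = ("keep", "in use, supported, not fully redundant")
    return decisions


def coverage_gaps(inventory, required):
    """Required controls that no surviving (non-tossed) tool provides."""
    kept = {n for n, (d, _) in triage(inventory, required).items() if d != "toss"}
    covered = set().union(*(inventory[n]["controls"] for n in kept))
    return set(required) - covered


if __name__ == "__main__":
    for name, (decision, reason) in triage(INVENTORY, REQUIRED_CONTROLS).items():
        print(f"{decision:9s} {name:13s} {reason}")
    print("gaps:", sorted(coverage_gaps(INVENTORY, REQUIRED_CONTROLS)))
```

Two design points matter in practice. Redundancy is evaluated one tool at a time against the tools that have not already been marked for removal, so tossing is never circular and a pair of overlapping tools loses only one member. And the gap check runs after triage, on the surviving set, so the report answers the question the article raises directly: after the clean-up, which required controls does nothing in the portfolio provide? In the constructed data that is multi-factor authentication, which no tool in the inventory claims.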

Think about how good you feel when you go through your closets, storage spaces, or garage at home, and you clean up old stuff you no longer need. You can get that same feeling of satisfaction when you do a full inventory of your applications and tools, rationalize their ongoing value, and make a decision on their future.

After all, you can’t take it with you.

A Wake-Up Call for Zero Trust

Interview with Tony Scott, Former Federal CIO

By John Kindervag

The breach of the U.S. Office of Personnel Management (OPM) in 2014 and 2015 was a cybersecurity wake-up call, not just in the government sector, but across private industry as well. The breach laid bare deep vulnerabilities in existing cybersecurity models and exposed security clearance background investigation information on approximately 21.5 million former and current government employees.

For Tony Scott, who was federal CIO when the breach was discovered (but after it had taken place), this was a watershed moment, and a harsh welcome to his new job.

It was also a critical turning point in raising the awareness of the Zero Trust model of cybersecurity, an architectural model I created in 2009 while at Forrester Research. The government’s official report on the OPM breach provided specific guidance for federal agencies to promote a Zero Trust security model.

Without getting too deep into the technical weeds, Zero Trust eliminates the idea of a trusted internal network and an untrusted external network. Instead, all traffic and users are treated as untrusted. All resources are accessed in a secure manner, and all traffic is logged and inspected. Security, therefore, becomes ubiquitous throughout the infrastructure.

Tony, who is back in the private sector as CEO of the Tony Scott Group, was federal CIO at the time the OPM report was issued. Based on his experiences in the government and as former CIO of technology pioneers such as VMware, Microsoft and Disney, Tony has become an ardent supporter of Zero Trust.

I feel honored to have spent some time chatting with Tony recently and sharing our conversation with readers on SecurityRoundtable.org.

Tell us about your experience with the OPM breach and how it led you to Zero Trust.

The OPM breach happened before I joined the government, but it wasn’t really discovered until I was there a couple of months. It had the effect of focusing our attention on cybersecurity very quickly. We started looking at the root causes for the OPM intrusion and looked beyond OPM to other agencies. Is there potential for the same problem there? It was, to say the least, an eye-opening experience. It caused us to look even more broadly—how did we get here, why do we have such old legacy systems, why is security so darn hard in the federal government. That led me to a number of places and foremost was the need for Zero Trust.

What is it about Zero Trust that attracted your attention and earned your enthusiasm?

The biggest advantage is that it explicitly allows the collection and transfer of information by design, versus open models that basically let you transfer everything, including stuff that is either unnecessary or bad. The core design principle that’s built into most technology is that you can connect anything. It’s very rare that we find challenges in connecting and transferring. But what we fail to do in design is ask the next obvious question. What SHOULD we connect? Zero Trust starts to get to solving that very important second question: I can connect it, but should I connect it?

How did you come to Zero Trust?

When I was CIO at VMware, we were one of the companies that was pioneering micro-segmentation in the network space, which kind of has a Zero Trust concept behind it. So, I had already seen the benefits of that.

When I started looking at the root causes of the OPM attack, I realized that most of the technology the government was using—and frankly, the same thing applies in the public sector—was designed and implemented way before there were the kinds of security and privacy concerns that we have now.

Most of technology was designed for maximum interoperability, not Zero Trust. Interoperability is great when you want it and need it, but when it comes to cybersecurity it occurred to me that this is actually the opposite of what we really want. That was really the beginning of Zero Trust for me in the federal government.

Was Zero Trust something you started right away?

OPM was an eye-opener for everybody, so we first launched a number of things to right the ship. For example, much faster adoption of two-factor authentication; reducing the number of systems administrators; reducing the number of people with privileged access. Basic hygiene to reduce the attack surface. After the initial purge, we started talking about the longer term, whether there were more structural, fundamental things that could be done. Zero Trust was one of the elemental building blocks.

Obviously, Zero Trust was a new concept. How did you get people to buy into it?

The first thing is creating awareness. This is a long journey. First you have to get mindshare. You do that by talking to people through education, reinforcing the message, highlighting good examples.

Second, you see certain opportunities. The government is so big, you can’t even think of trying to eat everything in one bite. But there are new initiatives, new programs, places where significant changes are warranted. Those become the insertion points for new ways of thinking and new technology. So, initially there are key initiatives that allow you to gain momentum over some period of time.

How do you characterize the value of Zero Trust in business terms?

With Zero Trust you get a dramatically improved cybersecurity footprint at dramatically lower costs. Those are two great places to start. Of course, you have to implement it the right way, maintain and support it. But better cybersecurity and lower costs are definitely the beginnings of a winning hand.

Tony Scott

What message would you give to a CIO or other decision-makers in business or government today about Zero Trust?

First, this is a conversation you want to have with your teams. Do you understand what Zero Trust is, the importance of it, how it can help to dramatically improve cybersecurity in your environment?

Second, if you “get it” and want to do it, what help do you need? Quite often that can be a need for funding, sponsorship, education, technology, personnel. I’ve always found that responsible leaders find ways to satisfy those needs and conditions if it’s something they truly believe in.

Third, pick your spots. Not all business cases are equal. Figure out a healthy way of prioritizing. Find the most compelling use cases. This is one of the most important and necessary steps to take early in the journey.

Thank you, Tony. It’s been a pleasure talking with you. Before we close, is there any other advice you would want to give to business and cybersecurity leaders in government and the private sector?

There’s a fundamental concept I have learned over and over again as a CIO. It’s the age-old joke: “How do you get to Carnegie Hall? Practice, practice, practice.” It’s the same in building a strong cybersecurity environment: Practice, practice, practice.

In cybersecurity, you have to build up a set of skills and an environment and do that over and over and over again. You’ll get really good at it over time. My advice to organizations with Zero Trust is start practicing as soon as possible. There’s a tendency in the industry to do too much analysis and too little implementation. I certainly favor appropriate analysis, but I say let’s focus on implementation and getting the job done.

WHAT’S OLD IS NEW

BACK TO SECURITY BASICS WITH GOOD CYBER HYGIENE

BY NAVEEN ZUTSHI


All of us involved in technology are hard-wired to love, admire, and covet tools. Hardware, software, firmware–the more tools the better. After all, no one wants to get caught without the right tool for the right job. Has there ever been a CIO or CISO, confronted by their CFO to cost-justify yet another tool, who hasn’t trotted out the cautionary phrase, “When the only tool you have is a hammer, every problem looks like a nail”?

But it is critical that CISOs and CIOs be careful not to fall into the “shiny tool syndrome,” where we think that every new cybersecurity problem we encounter can only be addressed by the latest and greatest new tool. Of course, cybersecurity tools are great and are getting better all the time. And, as someone who works at a company where we are justifiably proud of the quality and innovation we put into our cybersecurity tools, I think we all need to stay on top of the latest in cybersecurity remedies.

Sometimes, however, it’s best to stick to the basics, the fundamental blocking and tackling that all organizations–regardless of size, industry, budget, or security challenge–must have deeply ingrained into their day-to-day processes. Good cyber hygiene practices may not be sexy, but they are absolutely essential and crucial to defending your crown jewels.

And there’s a profound, compelling reason why: We all are in more peril of becoming the next cybersecurity victim whose mistakes result in blaring headlines and become cautionary tales at industry conferences. The problem is getting worse every day.

Why? There are many reasons, but the most fundamental one is the fact that the attack surface continues to expand at an alarming rate. There are more endpoints than ever, thanks to trends like bring your own device, the Internet of Things, and the digitalization of critical infrastructure. Research indicates that a typical IT department manages more than 27,000 endpoints, and that more than half of them transmit sensitive data. The proliferation of cloud services also means that people can and do work from any location at any time as long as they have an internet connection, meaning that employees, customers, partners, and vendors all are accessing critical data through a web of interconnected devices.

With that many potential points of entry, we all have to ensure that, in addition to having the right cybersecurity tools, we are sticking to fundamental, tried-and-true cyber hygiene practices to limit the risk of attack, speed the process of detection, and ensure reliable, consistent remediation.

So, what constitutes good cyber hygiene?

  • Committing to, and following, a really robust vulnerability patching process. Within 24 hours of identifying a vulnerability, all critical systems should be patched; within 72 hours, all systems must be patched.
  • Compensating controls for unpatched systems are a must.
  • Automating detection, prevention, and remediation is essential; humans no longer can keep up with cyber risk and the relentless wave of incursion attempts–most of which are automated, themselves.
  • Adopting a Zero Trust security architecture, where every piece of network traffic is inspected and applications must be white-listed before they can be accessed over the network.
  • Improving and increasing visibility into all application usage. You must know when and where applications are being used, and who is using them. This becomes trickier with all the web-based applications our enterprises are using, but it’s more essential than ever. Suitable controls must be put in place to improve visibility, and automated steps have to take immediate action when issues are identified.
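The patching rule above (critical systems within 24 hours, everything else within 72) only works as hygiene if someone measures it. The script below is an added example, not code from the article or from Palo Alto Networks: it classifies a constructed vulnerability inventory against those two deadlines, separates overdue systems that have a compensating control from those that have none, and computes an on-time rate that can be tracked as a trendline. The host names, vulnerability identifiers (`VULN-0001` and so on), tiers and timestamps are all constructed placeholders.

```python
"""Patch-SLA compliance check over a constructed vulnerability inventory.

Added example (not from the article). Encodes the article's hygiene rule:
critical systems patched within 24 hours of identification, all systems
within 72 hours, with compensating controls required for anything unpatched.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# SLA windows from the article: 24h for critical systems, 72h for everything else.
SLA_HOURS = {"critical": 24, "standard": 72}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str                      # placeholder identifier, constructed for this example
    tier: str                         # "critical" or "standard" system classification
    identified_at: datetime
    patched_at: Optional[datetime] = None          # None means still unpatched
    compensating_control: Optional[str] = None     # e.g. "isolated VLAN"; None if absent


def sla_deadline(f: Finding) -> datetime:
    """Latest time the finding may remain unpatched under the policy."""
    return f.identified_at + timedelta(hours=SLA_HOURS[f.tier])


def classify(f: Finding, now: datetime) -> str:
    """One of: patched_in_sla, patched_late, open_in_sla,
    overdue_mitigated (has a compensating control), overdue_unmitigated."""
    deadline = sla_deadline(f)
    if f.patched_at is not None:
        return "patched_in_sla" if f.patched_at <= deadline else "patched_late"
    if now <= deadline:
        return "open_in_sla"
    return "overdue_mitigated" if f.compensating_control else "overdue_unmitigated"


def report(findings: List[Finding], now: datetime) -> Dict[str, List[str]]:
    """Group findings by SLA state; 'overdue_unmitigated' is the list to escalate."""
    summary: Dict[str, List[str]] = {}
    for f in findings:
        summary.setdefault(classify(f, now), []).append(f"{f.host}:{f.vuln_id}")
    return summary


def on_time_rate(findings: List[Finding], now: datetime) -> float:
    """Of findings whose deadline has already passed, the fraction patched within SLA.
    Findings still inside their window are excluded so they neither help nor hurt."""
    due = [f for f in findings if sla_deadline(f) <= now]
    if not due:
        return 1.0
    return sum(classify(f, now) == "patched_in_sla" for f in due) / len(due)


def _utc(*args: int) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample data: the evaluation time and five findings in different states.
NOW = _utc(2019, 5, 10, 12, 0)
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-0001", "critical", _utc(2019, 5, 8, 10, 0), patched_at=_utc(2019, 5, 9, 8, 0)),
    Finding("db-01", "VULN-0002", "critical", _utc(2019, 5, 8, 10, 0), compensating_control="isolated VLAN"),
    Finding("hr-02", "VULN-0003", "standard", _utc(2019, 5, 9, 0, 0)),
    Finding("kiosk-07", "VULN-0004", "standard", _utc(2019, 5, 6, 0, 0)),
    Finding("app-03", "VULN-0005", "critical", _utc(2019, 5, 7, 9, 0), patched_at=_utc(2019, 5, 9, 9, 0)),
]

if __name__ == "__main__":
    for state, items in sorted(report(SAMPLE_FINDINGS, NOW).items()):
        print(f"{state:20s} {', '.join(items)}")
    print(f"on-time rate: {on_time_rate(SAMPLE_FINDINGS, NOW):.0%}")
```

The `overdue_unmitigated` bucket is the one that answers the board question "what are we doing to reduce the attack surface": a host in it has neither a patch nor a compensating control, which the article's second bullet treats as unacceptable. Running the check daily and recording `on_time_rate` gives the trendline the article asks executives to request.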

C-suite executives and board members also must be active participants in cyber hygiene blocking and tackling. (And not just because business leaders have been known, from time to time, to cut some corners when it comes to their own cyber hygiene.) Business executives should press their CISO and CIO for clear answers to fundamental questions about cyber hygiene practices and risk:

  • What are the most fundamental cyber hygiene practices that everyone who touches our network has to follow?
  • What are we doing to reduce the attack surface, even as we continue to add endpoints?
  • What metrics are we using to measure our vulnerabilities, and what do the statistical trendlines look like?
  • Do we need to add more controls on application usage, especially SaaS applications, to ensure everyone is following the fundamental rules of cyber hygiene?
  • When our business units start up new IoT projects, what safeguards need to be put in place to limit the potential exposure of these new endpoints?

Practicing good cyber hygiene is not the panacea for preventing data breaches, just like jogging regularly won’t prevent a heart attack by itself. But just like it’s easy to imagine that a sedentary lifestyle contributes to health risk, I can guarantee that bad cyber hygiene will promote the potential of catastrophic cyber risk–even if you have all the shiny new tools on the market.


TOP READS ON SECURITYROUNDTABLE.ORG | may 2019 | ISSUE 02

Why Automation, Why Now?

BY LUCAS MOODY

Automation has always played a role in cybersecurity. If you think about basic antivirus software, it typically works in the background, automatically scanning devices for aberrations that might indicate the presence of malware or other intrusions.

But we are long past the days when basic antivirus software could offer the breadth of protection required to meet the challenges of today’s highly sophisticated threat environment. We are at a turning point in the use of automation in our overall approach to cybersecurity.

We must ensure that we are using automation, as well as machine learning and artificial intelligence, to simplify and accelerate our ability to respond to attacks. Our security operations centers (SOCs) are under constant siege, and they can no longer rely on manual operations to deal with attackers who are using automation to scale at an unprecedented pace. If we don’t automate our SOCs to reduce complexity, we simply can’t keep up.

We must also ensure that we can build automation into cybersecurity as forethought and not just as afterthought. This will allow us to reduce the pressure and complexity involved in detecting and responding to attacks as our adversaries become more innovative.

This critical shift toward embracing automation is a function of the growth of our digital world, which changes the ways in which we are attacked and the ways in which we must detect, predict, and respond to attacks. Our adversaries can access the same inexpensive compute resources that are available to us in the cloud. They can go to the dark web and buy tools that are both inexpensive and highly effective.

Because these adversaries have easy access to compute resources, they can scale exponentially, using automation to launch attacks on a massive scale. In addition, they can leverage technologies such as machine learning and artificial intelligence to be more agile and innovative. And motivation has perhaps never been higher, with the participation of nation-states not just out for money but to generally wreak havoc wherever possible.

This paradigm is not going to change, so organizations have to change their approach to cybersecurity and automation. At Palo Alto Networks, we often talk about using machines to fight machines. There is a simple reason for this approach: It is truly the only way to deal with today’s threats.

When our adversaries can scale their resources simply, exponentially, and inexpensively by adding more compute power, we can’t respond by hiring more and more people. It’s an equation that doesn’t work. The only way is to respond in kind, leveraging automation in our SOCs so we are fighting machines with machines.

For business leaders and board members, this means being prepared to ask the right questions of cybersecurity leaders and to instill a culture of cybersecurity that starts right at the top. From a practical standpoint, critical questions to ask include:

  • Is the organization incorporating automation at every step of cybersecurity? This often starts in the development of new applications and services. If cybersecurity is not included early through approaches like DevSecOps, it will be harder and more expensive to add automation capabilities later in the process.
  • Is the organization using automation to correlate data, and does it have the technology foundation to ensure that the data is complete and current—i.e., from every possible source, including endpoints, networks, and multiple clouds (public, private, and hybrid), as well as all mobile devices, including those in the internet of things?
  • Can the SOC access a centralized, holistic view of all activity, leveraging automation to reveal the root causes of attacks with actionable forensic detail to accelerate and streamline event triage, incident investigation, and response?
  • Do your cybersecurity tools leverage machine learning and artificial intelligence to empower security analysts to reduce complexity by shifting from manual investigation to proactive protection? Do these tools allow the SOC to respond faster to attacks with deeper insights, allowing the organization to reduce risk by keeping pace with the volume and sophistication of today’s advanced threats?

As a business leader, whether in the boardroom or executive suite, cybersecurity is becoming a more critical factor in ensuring that you meet your fiduciary responsibilities to the organization. By staying informed about key cybersecurity trends, such as automation, and asking the right questions of your teams, you can play an active role in setting the right tone and culture for your organization.

Are your cybersecurity teams fighting machines with machines? Are cybersecurity and automation integrated into your development processes? Are your SOCs leveraging automation, machine learning, artificial intelligence, and other modern technologies to strengthen protections, reduce complexity, and lower risk?

Why automation, why now? For cybersecurity, it’s no longer a question; it’s an imperative.

The Winning Combination for Your SOC

BY AL PERLMAN

Security operations centers (SOCs) are command central in the constant war to keep organizations safe from cybersecurity attacks. Their role has changed significantly as the threat environment has become more sophisticated. In the past, SOCs were fundamentally a set of operators responding to alarms. That model no longer works.

Adversaries are using automation to scale exponentially, and organizations can’t just scale linearly with more people responding to more alarms, unless the ultimate goal is to have SOCs be filled with thousands of workers working 24 hours a day.

Automation in cybersecurity can make life easier and reduce risk for SOC personnel in several key ways:

  1. Correlating data: With automation and machine learning, data sequencing can happen faster, more efficiently, and more accurately. In today’s environment, manual approaches no longer work in dealing with the volume, variety, and velocity of data.
  2. Generating protections faster than attacks can spread: Manually creating a set of protections for different security technologies and enforcement points is complicated and time consuming. Automation expedites the process of creating protections without straining resources—while also keeping pace with the attack.
  3. Implementing protections faster than attacks can progress: Using automation to distribute protections is the only way to move faster than, and stop, an automated and well-coordinated attack. Automated attack sequencing, together with automated generation and distribution of protections, simplifies and accelerates the ability of SOC personnel to respond to an attack and predict the next step of an unknown attack.
  4. Detecting infections already in your network: Manually correlating and analyzing data across your networks, endpoints, and clouds is difficult to scale. Automation simplifies the process and allows for faster analysis, detection, and, if necessary, intervention.
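Steps 1, 2 and 4 above become concrete once you see the same host appear in two independent data sources. The script below is an added example, not code from the article or from Palo Alto Networks: it parses constructed endpoint-sensor and firewall log lines, correlates them per host inside a ten-minute window, and turns each confirmed correlation into a protection the SOC can push out. The log format, host names, the `203.0.113.45` indicator (a documentation-range address, not a real IOC) and the rule syntax are all assumptions made for the example.

```python
"""Cross-source correlation over constructed endpoint and network logs.

Added example (not from the article). Demonstrates the SOC automation loop the
article lists: correlate data from two sources, confirm a likely infection, and
generate protections without an analyst retyping them.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample logs (timestamp followed by key=value pairs).
ENDPOINT_LOG = """\
2019-05-10T09:01:10Z host=ws-117 event=suspicious_process parent=winword.exe child=powershell.exe
2019-05-10T09:03:42Z host=ws-204 event=suspicious_process parent=outlook.exe child=cmd.exe
2019-05-10T09:20:05Z host=ws-117 event=new_scheduled_task name=Updater
"""
NETWORK_LOG = """\
2019-05-10T09:02:15Z host=ws-117 dst=203.0.113.45 port=443 bytes_out=1840
2019-05-10T09:02:30Z host=ws-301 dst=198.51.100.7 port=443 bytes_out=120
2019-05-10T09:31:00Z host=ws-204 dst=203.0.113.45 port=443 bytes_out=512
"""
# Constructed indicator list; in practice this comes from your threat-intel feed.
KNOWN_BAD_DST = {"203.0.113.45"}
# Endpoint alert and network hit must fall within this window to count as one incident.
WINDOW = timedelta(minutes=10)

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(log_text: str) -> List[dict]:
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, _, rest = line.partition(" ")
        rec = dict(KV_RE.findall(rest))
        rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def indicators_by_host(endpoint_text: str, network_text: str):
    """Per host: endpoint alerts worth acting on, and connections to known-bad destinations."""
    ep: Dict[str, List[dict]] = defaultdict(list)
    net: Dict[str, List[dict]] = defaultdict(list)
    for r in parse(endpoint_text):
        if r.get("event") == "suspicious_process":
            ep[r["host"]].append(r)
    for r in parse(network_text):
        if r.get("dst") in KNOWN_BAD_DST:
            net[r["host"]].append(r)
    return ep, net


def triage(endpoint_text: str = ENDPOINT_LOG, network_text: str = NETWORK_LOG,
           window: timedelta = WINDOW) -> dict:
    """'confirmed': hosts with an endpoint alert and a bad connection inside the window.
    'review': hosts with indicators that did not line up in time (analyst queue)."""
    ep, net = indicators_by_host(endpoint_text, network_text)
    confirmed: Dict[str, dict] = {}
    review: List[str] = []
    for host in sorted(set(ep) | set(net)):
        pairs = [(e, n) for e in ep[host] for n in net[host] if abs(e["ts"] - n["ts"]) <= window]
        if pairs:
            e, n = pairs[0]
            confirmed[host] = {"dst": n["dst"], "process": e.get("child")}
        else:
            review.append(host)
    return {"confirmed": confirmed, "review": review}


def generate_protections(triage_result: dict) -> List[str]:
    """Turn confirmed correlations into rules for the enforcement points (step 2 of the
    article's list). Rule syntax is a placeholder for whatever your firewall/EDR accepts."""
    rules = []
    for host, detail in triage_result["confirmed"].items():
        rules.append(f"deny outbound host={host} dst={detail['dst']}")
        rules.append(f"quarantine host={host}")
    return rules


if __name__ == "__main__":
    result = triage()
    print("confirmed:", result["confirmed"])
    print("needs review:", result["review"])
    for rule in generate_protections(result):
        print("push:", rule)
```

The time window is the design choice that matters: `ws-204` has both an endpoint alert and a connection to the bad destination, but 27 minutes apart, so it lands in the review queue rather than triggering an automatic quarantine. That is the balance the article describes: automation handles the clear-cut case at machine speed, and the ambiguous one still reaches a person.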

While automation simplifies a wide number of processes for the SOC, it does not obviate, eliminate, or even mitigate the need for skilled people. In fact, it increases the pressure on organizations to hire and retain the best people.

According to a study from the Ponemon Institute, 44% of IT and IT security practitioners said automation would increase the need to hire people with more advanced technical skills. Only 23% said automation would reduce the headcount of their IT security function.

Automation helps the talented people in your SOCs do a better job by offloading time-consuming and risky manual functions. The three activities cited most often for automation in the Ponemon research were:

  • Log analysis
  • Threat hunting
  • Incident response

By taking on these important functions, automation helps SOC workers be more productive and strategic. Nearly 70 percent of companies said automation lets cybersecurity staff “focus on more serious vulnerabilities and overall network security” [2]. This is particularly critical at a time when 75 percent of organizations say their IT security functions are understaffed.

Finding and Retaining Talent

As important as automation is, it is still used in support of the people within your SOCs and not as a replacement for them.

According to Ponemon, 67% of IT security leaders believe automation is not capable of performing tasks that IT security staff can do; 55% say automation will never replace intuition and hands-on experience; 51% say human intervention is necessary for network protection, and 46% say automation will add complexity to jobs.

In this environment, how do you ensure that your organization is attracting, training and retaining the right people? How do you find cybersecurity professionals who can leverage automation in a way that helps the organization discover threats before they can be unleashed to inflict harm?

We asked Lucas Moody, vice president and chief information security officer at Palo Alto Networks, to identify some of the characteristics he looks for in individuals so his SOCs can maximize talent and automation.

Among the first things Moody wants to know about individuals are:

  • Are they highly technical, and do they have a fundamental interest and curiosity in keeping up with the latest technologies?
  • Are they the type of people who won’t let a problem go unsolved, who will keep pounding away until they have the right answer?

“Cybersecurity today is the story of the hunt,” Moody says. “The modus operandi of the most successful people is that they won’t let go once they are on the trail. They are also highly technical, with a strong breadth of knowledge across IT and cybersecurity.”

“The mindset, culture, and core competencies are different in the modern SOC,” Moody adds. “We want to be able to handle the easy stuff with automation and the difficult stuff with strong minds and strong people.”

We are a long way away from the science fiction of intelligent machines replacing humans, if indeed such a scenario ever comes to fruition. In the meantime, we need the best people on the front lines of cybersecurity, and we need to provide them with the tools to do their jobs and eliminate tasks that can be done more efficiently by machines.

With the right amount of automation, we can fight machines with machines. With the right people, we can add intelligence, intuition, experience, knowledge, and grit. For many organizations looking ahead to the future, this will be a winning combination.

Everything Can’t Be Urgent: Why You Need to Prioritize Cyber Risks

BY MIKE PERKOWSKI

When you were a kid, your parents were always in your face: Eat your vegetables. Do your homework. Stop playing that video game.

When you became an adult, all the pundits had urgent advice for you: Eat healthier. Work out more. Save for your retirement.

And now, as a business executive trying to assess cyber risk, the sense of urgency can seem overwhelming: Don’t let employees use public cloud services at work. Make sure all your endpoints are secure. Watch out for zero-day threats.

When it comes to dealing with escalating and expanding cyber threats, it’s easy to be overwhelmed. The potential for disaster is well understood, but you never seem to have enough personnel or budget to handle it all in real time. Somewhere, a bad actor is watching, seeing if you’re going to leave something open or overlook a weak point. And then they’ll move in on you, plundering your most valuable asset: Data.

What do you do first? In today’s breakneck pace of cyberattacks and expanding threat vectors, no one can survive without a strong sense of risk prioritization. This is not some lofty goal you heard in B-school, or when you attended that executive training course. It’s not a simulation or tabletop exercise; it’s real world.

You may think you covered the bases when you and the board approved the CISO’s urgent request for a bigger budget so they could deploy modernized tools to monitor security events. Think again. I guarantee you that your SecOps team is in the midst of severe “alert overload.” How bad is it? Really bad. In the banking industry, for instance, research conducted with bank security leaders found that their teams have to sort through hundreds of thousands of security alerts every day.

A big driver in establishing the right priorities is to remain agile in the face of rapid change in cyber threats, technology defenses, business conditions, and organizational goals.

For instance, the U.S. Department of Homeland Security recently codified a new cybersecurity risk prioritization policy with the underlying principle that “not all cybersecurity risks are equal, and that it and other agencies must prioritize those risks in their approach.”

How can business leaders help steer their organizations clear of this mess, without micro-managing their CISO and their SecOps teams? “Leaders aren’t just paid to make decisions on what to do; it’s just as important for them to make decisions on what not to do,” said Naveen Zutshi, chief information officer at Palo Alto Networks.

“The pace of business has never been faster, and it will only continue to accelerate,” he pointed out. “You have to run faster than ever just to stay in place, and you have to go twice as fast to get to the next place. And if you are not smart in setting and sticking to security priorities, your SecOps and IT teams will be overwhelmed and overrun.”

So, what are some of the key steps in establishing a smart, actionable set of cyber risk priorities?

“Start with the crown jewels–data on your employees and your customers,” said Zutshi. “If those are compromised, you may not be able to recover as an organization.” Then there are numerous other mission-critical priorities, such as protecting intellectual property and anything else that acts as a source of competitive advantage for your organization or threatens your business continuity if its availability is interrupted for any meaningful period of time.

Lose your email for an hour or two? Inconvenient, but not an end-of-life event for your organization. Find out that your customer lists and their payment card metadata have been breached, or that you’ve lost your ability to take online orders for a day? Call that emergency board meeting right now.

While it’s logical to put issues such as regulatory compliance, legal risks, and corporate governance on your “must-protect-at-all-costs” lists, the reality is that those issues will take care of themselves if you are doing the right job prioritizing the data and other digital assets. That’s not to say they don’t matter, but they are the result of a lack of prioritization, not a cause of your problem.

Of course, every business-unit head in your organization will have a different definition of “if this is breached the world will end.” Your head of sales will demand that CRM systems are the most important priority, your VP of manufacturing will threaten to quit unless you put robotic factory automation systems at the top of your list, and the CEO may decide that protecting virtual private networks so he or she can continue to work at home two days a week is a must-have.

That’s why cyber risk prioritization has to be assessed in a big-picture context, tied to critical business goals and weighed against a realistic threat-versus-resources examination. Of course, that’s done at the C-level, probably with significant input from the board, and it must be communicated clearly to all involved.

“Business leaders have to simplify the message to one that aligns with business priorities,” said Zutshi. “What are the one or two things that are really strategic, that we can’t afford to be without for any very small windows?”

Then, there is going to be a very long list under those top-tier priorities, all of which will vie for attention and resources. In this second tier, it still remains essential to prioritize, but everyone in the organization needs clear, consistent signals that certain activities and areas take precedence when applying budgets, personnel, tools, and brainpower.

What else should business leaders do in creating the right priorities in tackling the fast-growing list of cyber threats?

  • Hold all personnel accountable–with clearly defined metrics–for meeting the cybersecurity priorities.
  • Be flexible to adapt to rapidly changing business conditions that could force a re-ordering of tactical priorities. (Your strategic business goals aren’t likely to change, but the tactics your teams employ need to accommodate unforeseen changes.)
  • Don’t get in the way of your teams. Set the priorities, communicate them, and let your good people do their jobs.
  • Be mindful of the fact that “executive wants,” when communicated to your SecOps and IT teams, have a funny way of getting translated into a priority–even if it really doesn’t rise to the level of strategic. “Hey, the boss wouldn’t have asked me to do this if it wasn’t critical.”

Finally, be sure to keep in mind that a critical goal of making smart decisions in prioritizing cybersecurity risk is to make sure your people can do their best work without getting frustrated and burned out.

“It’s very demotivating for employees to have a lot of work-in-progress items,” said Zutshi. “They take pride in getting work done and in helping to advance the organization’s goals. If they’re juggling too many things and not finishing their critical tasks, their productivity will erode and their work satisfaction will, too.”

Don’t Let Cyber-Intelligence Turn Into Cyber-Ignorance

BY SAM GREENGARD

It’s an all too common scenario: Despite large investments in cybersecurity technology and discussions on how to improve enterprise protection, cracks, gaps, and real-world problems spring up. Phrases like “endless meetings” and “silos of excellence” have become commonplace. It’s challenging for any organization, especially a large global company, to manage both strategic and tactical efforts for enterprise risk management.

One of the problems organizations face in the cybersecurity arena is a focus on outcomes rather than output. This creates a number of potential stumbling points, which can undermine a security program and weaken a company’s defenses. Here are 7 common pitfalls to avoid in managing your organization’s cyber risk:

  1. Readiness. It’s critical to understand how mature a cybersecurity program is and where key gaps exist. This revolves heavily around people, processes and technology. Ken Dunham, MSS Technical Director at Optiv, says that it’s particularly important to avoid shiny objects. A misguided approach and the wrong tools can “create a lot of noise and lead to a lot of wasted resources.” He says it’s important to shore up an organization’s weaknesses, streamline integration of teams, workflow, people and technology before adding on other components, including an intelligence program.
  2. Ambiguity. It’s certainly no news bulletin that successful leaders align specific goals, processes and people with specific outcomes to guide a business to success. But the devil is in the details. If you are going to focus on cyber intelligence it’s vital to be specific in regard to plans and processes. For example, it’s advisable to focus on intelligence outcomes such as your organization’s information incident responders receiving related indicators of compromise (IOCs) within 30 minutes of an incident. “The most important thing to understand is that threat intelligence is not a part time job or something to take casually. It requires an ongoing commitment and resources,” Dunham says. As a rule, organizations benefit from checking off goals before moving onto other objectives.
  3. A lack of direction. Today’s cybersecurity environment is complex–and getting more complex by the day. It would have been unimaginable to embark on the Oregon Trail without an experienced guide. It would be implausible to fly a jet without a seasoned pilot. Similarly, organizations require outside expertise–and an outside perspective. But not any expert can address the challenge of building a cyber threat intelligence framework. There are essentially two main types of intel experts in the industry today: those that fall into the geopolitical/actor/military group and those that are more technically savvy. An organization requires counsel from both areas, but it’s wise to start with a technical orientation. That’s where enterprises typically get the most wins immediately for an emergent intel program.
  4. A reliance on IT to solve security problems. Adding outside perspectives and expertise is a good start; however, it’s also wise to tap different groups of stakeholders for a broader perspective. “It’s very easy to misinterpret data and wind up wasting time and money,” Dunham says. Yet, simply assigning the brightest and best IT specialists to the task isn’t wise. “They’re not going to know what to do. Likewise, security people don’t always understand the nuances of IT. So, both groups must work together in the common pursuit of protecting the enterprise,” Dunham says. The takeaway? IT is wired to make things work. Security is wired to defend things. The goal should be to hire accordingly and ensure that staff has experienced security leaders involved in decisions.
  5. Creating silos of excellence. Whether by accident or design, silos introduce risks in the cybersecurity arena. In fact, in organizations where siloed cyber threat intelligence teams operate, success is often elusive. Not only is there a lack of crucial communication, but it’s also next to impossible to push critical information to key stakeholders in the executive suite. A security program–and cybersecurity intelligence–must ultimately apply to larger business goals, objectives and mission. Executives should understand the value of cyber threat intelligence and how best to approach the challenges related to it in order to lower risk for the company. This requires key constituents to involve stakeholders in updates and in operations–typically on a monthly basis (at a minimum). Yet, it’s also important to ensure that the organization has a high level of operational coordination in place, particularly when a crisis occurs. According to Dunham, an organization should consider establishing a war room where teams have pre-defined people, roles, policies and processes for handling a crisis.
  6. A lack of focus. It’s understandable that organizations have trouble prioritizing cybersecurity and cyber intelligence, but it is possible to build a strategic framework that directs resources where they are needed, as they are needed. Once an organization conducts a thorough inventory and analysis–including classifying the value of data and other resources–it’s possible to take a smarter and more cost-efficient approach to processes, people and actions. An enterprise can address needs and requirements realistically–and without becoming overwhelmed or getting bogged down by a single threat or security event.
  7. Viewing AI as the magic elixir. Artificial intelligence (AI) plays an increasingly valuable role in cyber intelligence. “The concept of understanding risks and anticipating attacks is entirely valid,” Dunham says. However, artificial intelligence won’t solve all of an organization’s security problems. “In reality, it’s not particularly easy to use. It can create a lot of noise and lead to a lot of wasted resources.” “When threat intelligence is used effectively, it can help an enterprise focus on actual and immediate risks and channel resources more efficiently. It can give you a much better idea of where threats originate, what methods attackers use, and what risks are associated with these attempted breaches,” he says. The bottom line is that AI must be woven into the fabric of security practices, if it is used at all. “It’s often better to channel resources to more immediate issues such as patch management, authentication methods and third-party risks.”

In the end, a cyber intelligence initiative may also require the purchase or development of additional tools, technologies and solutions.

It might also force an organization to pivot and rethink the way it approaches security in general. The constant among all of this is a need for unwavering commitment. Taking intelligence to a smarter level often takes two or three years–along with continual adjustments. Developing a plan and putting the right strategic and tactical elements in place can prove to be transformative. “Cyber intelligence is not a part-time job or something to take casually. It requires an ongoing commitment and resources,” Dunham says.

It’s Easy to Spend Other People’s Money, but Are Your Cybersecurity Investments Paying Off?

BY MIKE PERKOWSKI

Department store mogul John Wanamaker once famously said, “I know half of the money I spend on advertising is wasted, and the trouble is that I don’t know which half.”

I imagine a lot of business leaders occasionally have the same thought about their spending on cybersecurity initiatives. They know they must fully fund cybersecurity defense efforts in the face of new, rapidly evolving, and potentially devastating threats, and increased cybersecurity spending usually gets support in the corner office and in the board room. But that’s not to say that organizational leaders are sure what’s paying off and what isn’t.

“One of the biggest challenges we face in cybersecurity is determining how to measure the impact of your cybersecurity spending against business goals in delivering return on investment,” according to Naveen Zutshi, chief information officer at Palo Alto Networks. “CEOs and board members have been asking about the impact of all our security spending, and those are important questions to answer: Have we reduced our risk posture? Do our customers trust our brand more? Are we protecting the right things today, and are we properly aligned with the foreseeable future risks?”

So, how much of the approximately $114 billion expected to be spent on cybersecurity in 2018 is hitting the mark, and how much is delivering less-than-optimal results? And, more to the point, how will you make that determination?

One of the first steps is to acknowledge that there are both direct and indirect costs of security events. Research indicates that the global average cost of a data breach now is $148 per compromised record, and that the total cost, per-capita cost and average size of a data breach have all increased year-over-year. For data breaches where more than 50,000 records are compromised, the average cost is an eye-opening $6.9 million, and “mega-breaches”–those with more than 1 million compromised records–cost an average of $39.5 million.

There’s no debating the hard-dollar economic impact of cybersecurity in all its many strains. Take just one: synthetic identity fraud, creating a fake identity to access goods or services. The economic impact on financial institutions is massive; recent research from the Aite Group notes that this one malevolent form of ID fraud is responsible for as much as 30% of all credit write-offs, resulting in annual losses of as much as $9 billion. And that’s just one slice of one slice of the overall cybersecurity threat landscape.

But for some organizations, the indirect costs may be even greater. After all, what is a brand reputation worth if customers lose trust in an organization’s ability to protect their most personal information? And the financial penalties incurred due to compliance violations or legal damages suffered in a lawsuit can pale against the impact of blaring headlines or scolding pundits railing against a company, government, or industry for failing to safeguard its most sensitive data.

Determining true ROI for your cybersecurity investments must take into account not only what attacks were suppressed before extensive damage was done and records were exfiltrated, but also which ones were blocked before they ever made it through the firewall. To do that, you need to make sure your monitoring and management systems are based on a comprehensive platform architecture, rather than on a hodgepodge of point products with little or no coordination among them.

It also means you have to embrace automation in a big way, so as to reduce the need to throw more and more bodies at a problem that can and should be handled with predictive analytics tools, as well as artificial intelligence and machine learning. You cannot build an army of security analysts big enough to fight off the bad guys. Many have tried, and it cannot be done, because the state of the art in cybercrime is moving way too fast for manual approaches to work.

This is a critical element in determining cybersecurity ROI, because so much of the economic impact of cyber events–from garden-variety malware and phishing to advanced persistent threats and malevolent ransomware–is based on what is likely to happen in the near future as attackers employ increasingly stealthy and sophisticated techniques against new, vulnerable targets.

Think of all those new kinds of endpoints proliferating across your organization’s landscape. Notebooks, tablets, and smartphones under your BYOD policies. Cloud-based services, from file-sync-and-share to SaaS applications relied on throughout the organization. And, of course, the flood of connected things that hackers target in weaponizing seemingly innocent copiers, door alarms, and RFID-enabled loading docks.

Organizations can also start to get a handle on developing a more sophisticated, more accurate ROI profile of cybersecurity investments by undertaking forensic analysis of recent security events. That kind of analysis can be done by expert security consultants, but there also are some pretty good digital tools you can deploy for your own analysis.

Whatever ROI analysis approach you take, it’s also important to evaluate your findings in context. What do other organizations of your size experience when using a particular intrusion-detection strategy? Or, others in your industry? That’s not to say that you should make decisions simply by mirroring what others are doing–after all, every organization’s challenges and business goals are unique. What may be a satisfactory ROI figure for one organization can be pitiful for another.

And, ROI must be measured and evaluated in a business context: How do our cybersecurity investments map to our business goals? That way, you can determine if a seemingly big-ticket investment is a better choice than a couple of smaller, less expensive decisions–or the other way around. After all, if your number-one business goal is to provide a superior online shopping experience, you’ll likely become more comfortable investing in a seemingly expensive identity theft detection-and-prevention solution than you might if your top goal is to increase inventory turns.

Finally, spending money on cybersecurity–just like spending money on everything from marketing promotions to new headquarters facilities–must be framed against a critical issue: Security and IT organizations are ultimately spending other people’s money. “You’re making tough, essential choices on how best to use shareholders’ money,” said Zutshi. “And it’s not just a decision made by the CIO or CISO; all business executives and board members have a fiduciary responsibility to make decisions on cybersecurity spending that help them achieve specific business outcomes.”

And unless you have clear, relevant metrics on the impact of your cybersecurity spending and its alignment against key business goals, you don’t know if your money is well-spent or wasted.

Just like John Wanamaker feared.

There’s No Such Thing as an ‘IoT Strategy’

BY JAMISON UTTER

I recently warned business executives and board members of the three myths of the Internet of Things, why aligning cybersecurity with those myths can be detrimental to your organization, and how to avoid being distracted by shiny objects when looking to take advantage of IoT business opportunities.

Now, I want to warn you about another myth–specifically, the myth of IoT strategy. Let me put it to you as plainly as I can: There is no such thing as an IoT strategy.

In fact, you can’t have an IoT strategy in the same way you can’t have a global economic strategy. IoT, like economics, or education, or any other set of processes, is different in every geography, in every industry, in every organization, in every use case. No one implements IoT the same way across an entire industry; hey, it’s not even implemented the same way across different applications in the same organization.

IoT is what I like to call a business enhancer–a really powerful one, in fact. But as a process, it doesn’t stand alone. It has to work in concert with different software, digital infrastructure, physical infrastructure, workflows, and people.

How IoT Works in the Real World

Let’s take one specific example: automobile manufacturing. The organization is likely deploying IoT in robotics-based manufacturing lines, physical supply chains, in-car braking and safety features, building management, identity management and access control, parts inventory, asset tracking, and data center power and cooling. IoT applies to all of those use cases, but not in the same way at all. You can’t throw a blanket over that automobile manufacturer’s IoT applications and say they have a single, comprehensive IoT strategy.

For business executives, CISOs, board members and anyone else involved in planning and delivering cybersecurity for IoT use cases, this is incredibly important. Your IoT cybersecurity plan has to be specific to each use case, because the applications, deployment process, and management protocols are so different.

Instead, when it comes to cybersecurity, it’s smart to think of IoT as a core element of an organization’s overall digital strategy. Otherwise, you’re just setting up more silos, like we did in the 1990s with enterprise applications like CRM, ERP, supply chain management, and business intelligence. Rather than understanding how they needed to share data sets, IT organizations and their business-unit clients set up a stove-piped architecture that was inefficient, difficult to manage, and financially wasteful.

We can’t let the same thing happen with cybersecurity. IoT has to be part of the business as a whole, rather than part of IT.

Tips for Business Leaders on IoT and Cybersecurity

So, what can and should business leaders do instead of embarking down the rabbit hole of “IoT strategy?”

  • First, remember that IoT requires a partnership at levels that are unique, uncommon in the way organizations traditionally have operated. Businesses, IT, and security functions have to come together from the start to talk about the business goals and challenges, and build solutions with a clear understanding of what “success” means. Maybe it’s taking touch points out of the supply chain, or improving physical plant safety, or filling orders faster. And you can’t accomplish those or any other business goals if cybersecurity isn’t at the table from inception point.
  • Second, since many of your sophisticated IoT applications are going to be built and managed by third-party integrators, your cybersecurity team has to be part of all operational meetings and project management updates. And you have to give your cybersecurity team the authority to raise concerns all the way to the top of the organization if necessary, regardless of whose feathers they are going to ruffle.
  • Third, you have to make sure your CISO and their cyber team can properly quantify risk and weigh it against potential business upsides. Being a good cybersecurity professional no longer is only about waving red flags about vulnerabilities; the best cybersecurity people are the ones who analyze, understand, and make recommendations based on risks and rewards.

Keeping IoT Real

Lately, I’ve seen more business cards with a title something like “Director, IoT Strategy” on them. More times than not, the first words out of my mouth when I meet someone with that kind of title on their card are to say something snarky like, “What do you actually do?”

While the answers vary, it reminds me a little bit about the way people would ask the same kind of question of the new breed of Chief Information Security Officers about 15 years ago. It was something new, and while the title gave you a hint of what they might do, it didn’t always mean the same thing to everyone. In some cases, the CISO was an IT security technologist, while in others they might be an outgrowth from physical security and investigations.

The point here is that, while every organization sees the benefits of IoT differently, and implements IoT use cases in unique ways, looking at IoT as a strategy misses a real opportunity to truly integrate IoT processes into operational technology and in digitally enabled business opportunities.

So when you think of the role IoT will play for your organization, be sure to put it into its proper context–as a business enabler, not an end-all to itself.

And don’t forget the cybersecurity angle. No one wants your loading dock sensors downloading customer information to someone else’s private cloud.
