CIO Manifesto We again gathered an eclectic mix of IT execs including some CISOs, CTOs etc, in a secret bunker to discuss whether we’re winning the security battle. OK, the “bunker” was a meeting room under the Soho Hotel, but not only are we not winning, it is not even clear what winning actually means.
Our IT execs happily admitted (under conditions of strict anonymity) that security theatre is now a vital part of their jobs, meaning that they unleash shock and awe to get the budgets they need to fight the battle that they know they will never actually win.
The Target breach, where 70 million customer records were taken, cost the CEO his job partly because the litigation, as well as loss of customer trust, finished off an already wounded C-suite executive.
This gets their full attention, which is important because so many board members simply don’t get IT. Or as several of our execs shared, they think they understand tech “because they’re young” and think the financial management systems are basically Facebook with fewer selfies. So if you need a bigger security budget, read up on Target and arm yourself with it.
A lot of boards still think that security is a product, like a USB stick - or, worse still, an anti-virus tool like they use at home. Our IT execs were really quite scornful of the way that AV is over-sold to semi-technical management who regard installation as the job done. AV is necessary but the execs bemoaned the long time for updates as well as the hassle, which includes the way every couple of months some AV product decides that a Windows DLL is a virus and bricks the whole machine.
More than one of them questioned the sustainability of the traditional model, yet no new one is readily visible.
As well as being scathing about AV vendors, pen(etration) testers came in for a bit of abuse. They aren’t as valued as they think they are and are often seen as a necessary evil who just produce lists of problems, all of which they claim are critical. They are seen as incapable of classifying any threat as “medium”. Some of the largest outfits even go as far as to run their own pen testers whilst acknowledging that being in-house means they are a bit behind the curve in exposure to the latest issues.
The next theatrical part of being a CISO is being audited, where inevitably we get sucked into doing things merely so that auditors can tick boxes. Of course, when it is a big IT vendor or accountancy firm doing the audit, they are looking to find the sort of hole that they can sell you consultancy to fix, even if the business risk is pretty small. ISO 27001 auditing was seen as less bad because you can justify your decisions, PCI-DSS being less flexible in practice.
Everyone is a Target
I made the mistake of saying to one CISO, “so you’re not an obvious target” and was curtly informed that one well-known guy who works with them has received many death threats and, all by himself, seriously upgrades their threat level. This marked a different angle for some of the execs, whose systems contain highly sensitive data like healthcare and education - and where women seem to be particular targets for religious fanatics. Geopolitics is changing the nature of the threats our IT execs are experiencing, even if you think they might be too small or obscure for anyone to bother.
My big data is bigger than your big data
Classical security management works on the basis of balancing the damage of a breach versus the cost of preventing it and the necessity of proving to the board that you’re getting a good return on your security investment. In the final analysis, crooks are running a business and will seek out the softest targets they can. The problem here is costing up the damage.
The execs who worked in retail saw regular “drip drip” identity frauds, each causing a loss that is only one step up from shoplifting. This is usually only detected after the goods have been delivered and the crooks had done a runner. They saw this as a great candidate for big data analytics, but not in a good way. Yes, fraud detection can get a bit better, but a riser in the hierarchy of fear amongst our IT execs was the feeling that sophisticated analytics can be brought to bear.
Free and cheap BI allows criminals to impersonate customers and carry out better spearphishing attacks. NoSQL is replacing being able to drive away fast as a skill for bank robbers. The execs were clear that taking a narrow ROI model for budget allocation is going to bite you hard, since if you just look at nibbles of shoplifting level attacks and price up your security on that basis, you will get hit by a Black Swan that will bite your whole leg off.
This is hard to calculate for several reasons. Firstly, when something is rare, you don’t have many events to base experience on. Then there are the complexities of risk transfer and insurance, where large risks are often shared between end user firms, banks and insurers. That can mean that a “large” consequence event may occur in your systems but actually impact others, or vice versa.
To make any guesstimate you need to analyse your business from a different perspective, taking into account the web of contracts and relationships it lives in. You may not be the first one to do this because organised crime is getting better at identifying vulnerable systems and business processes and the IT execs are already seeing attacks from black hat business analysts.
Cards are the most frequent wound by which banks bleed money. Chip and pin has made card fraud an almost negligible issue in Europe, as opposed to the USA where their medieval card security has enriched many crooks. This bodes well for the new wave of phone-based payments systems since they cannot help but look better in comparison. 2 factor authentication (2FA) has yet to catch on or even seriously be pushed by the banks because the average customer hates the inconvenience.
This attitude is kept strong because consumers bear little of the cost of card fraud and are generally clueless about security, both for their cards and corporate IT. Millennials are, if anything, worse than us old people, choosing passwords that are the name of their cat - or if they’re real technocrats, sticking a number on the end. Home working means that nearly competent users can accidentally route dodgy or actually criminal traffic across the corporate network.
Although they see it mainly as a police issue, the IT execs are getting a good education in the criminal economy and, although they were rational in cynicism in the speculative numbers we get told, they do know that there is now an ecosystem. They’ve seen evidence of BI and service industries of cleaning and verifying lists simply because that is being carried out through attacks on their systems.
They also gave good advice for anyone hoping to prosper in an InfoSec career, since they are the people hiring and promoting you. They value “tool ninjas”, people who have mastered every detail of bleeding edge tools, but more important is the ability to communicate what you are doing.
Half of being an expert is consultancy, even if it is not part of your job title. You must give good advice in a way that people want to follow for their own good, which means putting it in a business context, rather than obsessing about theoretical vulnerabilities. Be clear that you can’t skip the tech knowhow, but you amplify it by explanation.