In part one of our six-part blog series on improving your cybersecurity strategy, we discuss how the industry’s reliance on a hyper-compartmentalized approach is making everyone less secure, and we share the four key questions every CISO should be able to answer.
IT infrastructure often grows up with a company. New tools, applications, systems, and user profiles are bolted onto the greater whole as the need for them emerges, usually without being given much strategic consideration. Organizational silos spring up around these additions as teams discover that each new tool requires new skills to deploy and maintain. Before long, the entire operation can resemble a ramshackle old house onto which each generation of homeowner has attached a new room.
Threats lurk in the dark corners. Unforeseen vulnerabilities, aging tech, distributed data centers, network sprawl, greedy insiders, and gullible users thrive. With the components of enterprise IT infrastructure scattered and compartmentalized, it’s difficult for any one person or team to achieve holistic visibility into the entire network.
Lack of visibility makes it difficult to find these siloed threat vectors, and even tougher to address them once they are found. That’s because, in most cases, the tools and tactics available are only designed to tackle specific and unintegrated areas of concern. We often see security tools being deployed scattershot throughout the organization. We see teams in operations, application security, DevOps, network security, machine learning, high-performance computing, the Security Operations Center (SOC), and auditing and compliance all pursuing and deploying their own discrete tools. And there is no shortage of security tools: more than 600 vendors were on the expo floor at the RSA Conference 2018.
While these issues are nothing new, addressing them has never been more urgent as the attack surface continues to expand. In our work with IT and cybersecurity professionals, we often hear about the challenges of protecting all the isolated apps -- and the distributed computing and storage platforms -- in use throughout the enterprise. Operational technology (OT) and internet of things (IoT) devices introduce their own sets of problems, since these internet-connected solutions are often deployed outside the auspices of the IT organization.
In most cases, organizations end up integrating apps through APIs and putting a multitude of clouds under a single management platform purview in order to manage the lot of them at once. But even this approach is only a stopgap. It’s no substitute for a holistic cybersecurity strategy which emphasizes visibility across the network and applies granular insights about the threats that may be lurking among them, so organizations can effectively prioritize responses. We call this approach Cyber Exposure.
Cyber Exposure is an emerging discipline for managing and measuring cybersecurity risk in the digital era. Cyber Exposure transforms security from static and siloed visibility to dynamic and holistic visibility across the modern attack surface. It’s the foundation upon which to build a cybersecurity strategy that accommodates the entirety of the modern attack surface.
Four questions every CISO should be ready to answer
Building a holistic cybersecurity strategy using the discipline of Cyber Exposure enables you to answer each of these four questions about your organization at any point in time:
- How secure, and how exposed, are we? Answering this question requires visibility into all aspects of the organization's attack surface, including cloud resources, containers, industrial control systems, and mobile devices, which may or may not be on the radar of IT. It involves taking inventory of where specific threats to your company exist. For example, if your organization is particularly diligent about deploying patches, then the latest Windows vulnerability may not be as big a concern as it would be for an enterprise that hasn’t patched its systems in seven years. By coming to terms with where your exposures are, or where they are likely to be, you reveal the larger picture of what’s at risk.
- What should we prioritize? The answer to this question should be based on a combination of threat intelligence, to understand the exploitability of the issue, and asset criticality, to understand the business context of the asset. Effective prioritization of vulnerabilities needs to take the business context into account in order to optimize your efforts, resources, and budget. It enables you to zero in on protecting the vulnerable areas likely to cost your organization the most in terms of labor, penalties, time, recovery, and reputation. It also helps reduce alert fatigue, as you can then prioritize how your team responds to vulnerabilities based on how critical the affected assets are to your business and the likelihood that a given vulnerability will be exploited.
- How are we reducing exposure over time? Your ability to answer this question is a measure of your progress. You’ll need to identify the metrics and KPIs against which you’ll measure your efforts. Such metrics should be viewable by business unit, geography, and asset type. The goal is to understand how your exposure profile is changing month to month, quarter to quarter, and year to year, so you can help your business-side colleagues and the C-suite understand whether the company’s investments in cybersecurity are paying off.
- How do we compare to our peers? Answering this question forces you out of your company’s internal bubble and helps you understand how your cybersecurity practices stack up against those of others in your field, as well as those in other industries. How your organization ranks against industry peers, and against best-in-class security, is an important dialogue for every Board of Directors to have; it drives a more strategic discussion and helps ensure the board is upholding its fiduciary responsibility to provide proper risk oversight for the company. Cyber risk is no different from other business risks and should be managed and measured the same way.
Your ability to accurately answer these four questions is vital to understanding the total risk exposure and the effectiveness of your cybersecurity measures. But if you’re dealing with a heavily compartmentalized IT infrastructure, it may seem daunting to know where to even start moving toward a more holistic strategy.
Three cybersecurity practices you can implement today
Here are three tips you can start using today to help you begin your journey toward a holistic cybersecurity strategy.
In part two of our six-part blog series on improving your cybersecurity strategy, we’ll explore in more detail how to prepare your organization to answer the question “Where are we exposed?”
- Read the ebook: Cyber Exposure for Dummies
- Download the guide: Reducing Cyber Exposure: 5 Key Learnings from the CISO POV