A project manager in a school district was giving the IT department a hard time because it hadn’t warned the district about the Heartbleed vulnerability.
The security manager was thinking something to the effect of, “We didn’t warn anyone about Heartbleed because we are not using SSL!” Perhaps not coincidentally, that exchange became a catalyst for implementing that security measure soon thereafter.
That story is a good illustration of something your CISO might be thinking but can’t say aloud, or perhaps is reluctant to. It was one of many anecdotes shared by Wendy Nather of Duo Security in her 2017 RSA Conference session.
Her eclectic mix of stories and sarcasm really underscores the value of a CISO and the dynamic nature of cybersecurity work. Below is our take on several anecdotes from her presentation that stood out for us.
1) Yes, that password policy is probably stupid.
Why do organizations require users to change passwords every three months? Because at the time a system was implemented – a time before rainbow tables – some smart person had calculated it took about 90 days to “crack a password.”
The policy addressed a real risk then, even if it’s not entirely applicable today. However, this leads us to a more important point: Usually, there are good reasons for security policies even if they aren’t readily apparent to users. Some “smart person made tradeoffs that you hadn’t considered.”
So, while users might have a point about the password policy, and UX is among the growing list of CISO duties, right now IT has bigger security issues to face.
Now stop whining and go change your password!
2) That vulnerability is going to take a year to fix.
There are several reasons why it takes so long to fix a known vulnerability.
First, the CIO doesn’t have people just “sitting around waiting to fix something.” IT resources are tightly planned and sometimes resources are allocated even years in advance.
Second, most organizations have a wide variance in how they view risk. Someone else might weigh the risk and probability of another vulnerability and deem that it merits a higher spot on the priorities list.
Third, and finally, fixing a vulnerability often requires a whole lot more than just editing code. Changing code often requires a process that includes vetting by a change review board, testing and quality assurance. It often takes just six weeks to fix code, but up to a year to put it into production.
3) Sometimes, “cheeseburger risk management” makes business sense.
What is cheeseburger risk management? According to Ms. Nather, it’s when you wait to have a heart attack before forgoing cheeseburgers for healthier food options.
Sometimes businesses take this approach to cybersecurity too. For example, she told a story of a CIO being briefed on an impending attack. He opted to wait until the actual attack began before taking action.
Why? Because cybersecurity is expensive. If you implement a prevention strategy that costs $1 million per year, and the attack doesn’t unfold until the second year, you might come out ahead by waiting.
4) Someone else’s breach can bring good CISO fortune.
After a spate of retail breaches resulted in media coverage, congressional interest, and possible legislation, one CISO got a budget of $2.5 million approved in just three days. The funding was used to roll out encrypted card readers to some 2,200 retail locations.
“Sometimes we have to wait for a breach to get justification for what we know needs to be done,” Ms. Nather said, quoting an anonymous CISO. “When we’re lucky, it’s someone else’s breach.”
5) Yes, this organization is a special snowflake.
It’s hard for a CISO to obtain comparative benchmarks because it’s very hard to understand which companies are true peers. This is because IT evolves around personalities and company politics.
For example, in one organization it became forbidden to mention “SSL VPNs” to a CIO because of a historical disaster. Indeed, every organization is just as different as a special snowflake.
6) Every organization has a security “Kraken.”
Every business has an IT system laden with vulnerabilities, and while everyone knows about the problem, it still doesn’t get fixed for lack of budget or internal politics.
This system is the technological equivalent of a Kraken. The “Kraken” is a mythical monster which, among other feats attributed to it, was unleashed by the gods to destroy humanity in the 2010 movie “Clash of the Titans.”
“Every organization has a Kraken,” according to Ms. Nather.
Your CISO can’t say it out loud, but he or she might be thinking “unleash the Kraken!”
“If you are appalled, you haven’t been paying attention,” she said.
Her full session – What CISOs Wish They Could Say Out Loud – was recorded. It runs just about 40 minutes, and in it she outlines several recommendations for CISOs, security researchers, and cybersecurity vendors.