The ABCs of a Good Cybersecurity Program and Why CISOs Struggle With Them

Recently, Gaurav Banga, Founder & CEO of Balbix sat down with forward-leaning cybersecurity leader,  Mike Britton, CISO of Abnormal Security, formerly CISO of Alliance Data for a candid conversation about why the basic A, B, Cs of infosec are so difficult for many organizations to implement. The ensuing discussion surfaced reasons that might cause you raise an eyebrow or two…

Gaurav Banga

Mike, in the last few months we’ve been having a lot of discussions, and I’ve learned a lot from you on how you and other CSOs think about what’s happened in 2020, and more recently, what’s happening in the early months of 2021. In the last few months, we have seen: SolarWinds, the Exchange Server vulnerabilities, the Colonial Pipeline attack, and several incidents that did not make the news cycle… or at least they didn’t get the same attention that these three breaches, these three incidents got. You and I have had long conversations on this topic, and I always wondered, why is it that so many organizations keep continuing to operate their InfoSec Programs like it is 1999? Why does this happen?

Mike Britton

That’s a good question. I think first and foremost it starts at the top of the organization. So, CEO, board, executive leadership. And honestly, I think a lot of it is that pervasive thought of, it’s never going to happen to me, we have other things that are more pressing. So, information security typically takes a backseat. I think once something does happen to you, if you’re an organization that’s had a breach, or you’re an organization that’s had a direct impact from one of these supply chain issues that have happened recently; I think it jolts you into action. But honestly most companies roll the dice and just assume; hey, I’m always going to be good, it’s going to happen to somebody else.

Gaurav Banga

Roll the dice… that sounds like… I don’t know, it seems pretty risky to me, and it probably is, right? Let’s talk about this a little bit more. I’ve seen you operate; we’ve had long conversations about that and it’s particularly fascinating to me. But for the purposes of who is seeing this video right now; if you are newly appointed to be the CISO of a Fortune 1000 organization today… and I know you’ve been in the shoes before, how would you be thinking and what would you be doing in 2021?

Mike Britton

Well, I guess the first thing I would say is, you’ve really got to understand: what’s your attack surface? What’s your inventory? What’s the lay of the land that you’re now in charge of protecting? You’ve got to understand the business, how do they operate? I’ve got to look at my security tools, do they have the right coverage? Where’s my risk? Where are my gaps? And honestly, it really comes back to some basic things, and it’s one of these things that it’s been a topic for years and yet, it still continues to be a critical topic; a lot of organizations aren’t good with asset management and with companies sprawling into the cloud, and SaaS and other things, it’s become an even more difficult task. As a CISO, I can’t protect what I don’t know about, and so really, that’s always my first part is; okay, what are my key suppliers? What is my asset inventory? What am I trying to protect?

Gaurav Banga

And then, once you’re done with the inventory component, what would you do next?

Mike Britton

Once I have an inventory, it’s really looking at my gaps. Let’s risk rank these. Let’s look at what are my biggest holes and really, how can I prioritize the things that need to get fixed? If I have ten things that need to get fixed, I can’t necessarily fix all ten at the same time and so, we need to really come at it from a risk-based perspective and really be able to measure that, and be able to talk to our management chain and our board and say; okay, for each thing that I knocked off the list, here’s how I’m reducing the risk for the organization… here’s how I’m helping us further protect our attack surface and our clients, our data, our employees.

Gaurav Banga

Mike, what you’re saying makes complete sense to me. I guess going back to the question which is that; isn’t everybody in charge of information security, aren’t they’re all doing this stuff? It seems like the obvious kind of stuff to do.

Mike Britton

Yeah, and it’s not necessarily what I said, but it’s how it’s done. Accurate inventory for assets is hard. Most organizations do it manually or it’s disjointed. They may have a CMDB over here, they may have it in a spreadsheet and anything that’s disjointed, or manual is almost impossible to keep up to date. Also, CISOs do risk assessments and some of them do it in a very thoughtful way, but these assessments are usually periodic snapshots. And a lot of times they’re not repeatable and not continuous. Attack surface is only partially covered leaving a lot of guesswork. Business context is almost never captured and so, it’s really hard to say; okay, I see a vulnerability assessment here and I’ve done a risk assessment, but what’s the business context to help prioritize it? And really, that’s what makes it difficult. We really need a way to automate risk assessments, and we need them to be run continually. And really, the better that these are done without manual intervention, I think they’re more effective.

We really need a way to automate risk assessments, and we need them to be run continually.

And really, it is better if these are done without manual intervention… they ‘re more effective

Gaurav Banga

We’re talking about automation again; this is a topic that is top of mind for us at Balbix as you know. I mean, like speed; how can we get to be a couple of steps ahead of the adversary? It seems so obvious; you just need to get there. So, shifting gears a little bit, let’s talk about a completely different topic. With SolarWinds, the whole supply chain risk has come to the forefront. Was it always there and how are your colleagues, your peer CISOs, and your friends in the industry, thinking about supply chain risk or SolarWinds right now?

Mike Britton

I know, it’s on top of mind. It was on top of mind with my board and they became interested in knowing what we were doing. The bottom line is most companies have to rely on vendors and third parties, I just don’t know any way around it. And if you’re a large enough enterprise, that number can be 1000s, and even for small companies, it can range in the hundreds. And so, you’re basically having to put trust that they’re doing the right things, and they’re running a program as effective as yours from a security and risk perspective. And the problem with vendor assessments is that you typically do them at onboarding, and then you maybe do them annually thereafter, but a lot of it’s based on flawed methodologies. I’m either relying on my vendor to ask questions, I’m not doing a full-blown audit asking for evidence and proof, or I’m leveraging an outside view of the vendor. And so, it’s really difficult to get a true sense of the risks that the vendor is creating for your environment. And we have to figure out a way to automate our assessment and for third parties as well just because once again, I’m sure if I asked SolarWinds the day before they figured out they had an issue, they would have said everything was great. And so, one day later the world is on fire for them, and depending on the timing of my periodic assessment, I could have gone a significant amount of time with putting my organization at risk because of their issue.

Gaurav Banga

So, is it fair to say that even for third-party, we really need automation, a fair amount of automation, a different type of automation, but nevertheless it’s the same thing?

Mike Britton

Yeah, I mean, things change, they put new changes into their environment, they acquire other companies, they do things within their business that also changes their attack surface or the effectiveness of their controls. And so, much like we need to look at a way to automate risk assessments and controls in our environment, we should be doing the same for third-party vendors and suppliers.

Gaurav Banga

Can you think of a standardized way by which CISOs are required to attest to their cybersecurity posture… maybe in something like a vender risk exchange? Is that even a possibility that might happen one day?

Mike Britton

Yeah, there are a few out there that are trying this concept and I think that’s a novel approach. I still think you’ve got to get beyond it and we’re conditioned because of regulatory compliance and other things where if you’re doing a SOC 2, or you’re doing ISO or you’re doing PCI, it’s really set up on an annual occurrence. And so, people get in that mindset of once a year. And really, bad guys don’t operate once a year and they’re continually attacking and so, our assessment and validation of our controls and risks really need to be on the same level as what the bad guys and adversaries are doing.

Gaurav Banga

Yeah, it’s a tough, tough problem, hard problem. So, Mike, my final question for today. Imagine you have a young new CISO, and she has to go up to her CFO and/or board and explain the need for automation in the organization’s cybersecurity program, which is the topic we talked about for the last few minutes. Automation seems like a topic that could be pretty easy to understand, but do you have any specific advice on how they would go talk to the CFO, the CEO, the audit committee, board members, people who are not necessarily cybersecurity experts, or IT experts for that matter, and they want to sell automation; is that a hard thing?

Mike Britton

I don’t think it’s a hard thing. I think first you need to understand what your business is doing, and how your business is looking to automate in other ways. A lot of companies are leveraging automation and RPA when it comes to customer service and other things. I think if you look at it from the value of (automation):  I have finite resources when it comes to human capital and so, it just doesn’t make sense from a business perspective to hire an army of people around the clock to watch something. We really need to leverage automation; we really need to take the human error factor out of it. We’re able to do more with less through the use of automation. And like I mentioned earlier too, bad guys are automating. They’re not sitting in front of a keyboard, they’re leveraging automation to do their attacks as well and so, much the same way from an effectiveness and an efficiency perspective; I think if you explain that, you use some other examples within your business where automation is being used, I think the board will get it.

Gaurav Banga

Well, thank you so much, Mike. This is fantastic. Thank you.

Mike Britton

Absolutely, my pleasure.

The key to getting all the above and decreasing cyber risk is automating your cybersecurity posture controlled by just the right amount of human supervision. Balbix can help. Get in touch to see a quick demo.