CISOs: It’s time to get back to security basics

The post-pandemic world will see cybersecurity addressed differently, said panelists during an online webinar hosted by ReliaQuest Wednesday.


The cyber threat landscape has become more dangerous over the past year and the C-suite is paying greater attention—but all the tools in the world won’t help until organizations home in on good cyber hygiene. That was one of the messages from CISOs who participated in a virtual think tank webinar hosted by ReliaQuest Wednesday.

“The fundamentals of being good at cyber hygiene is the most neglected” aspect of cybersecurity, said Chris Hatter, CISO of Nielsen. “If you’re not good at the very basics and making sure you understand the basics on your network—like patching and remote monitoring—you’re not set up for success.”

Dave Summit, who recently stepped down as the CISO of Moffitt Cancer Research Institute, agreed, saying that “the fundamentals are key to a successful program. If you don’t have the fundamentals down … you’re missing everything else.”


Another neglected area is legacy systems that are not replaced quickly enough, added Summit, who is now a fellow at the think tank Institute for Critical Infrastructure Technology. “We have security company after security company coming out of the woodwork and everyone seems to offer the right solution for all your problems and we all know that’s not the case.”

Alert fatigue is another issue, Summit said. “We haven’t gotten to a good place of understanding what events mean and how to properly filter them to know what they mean to your organization. That’s a big one that takes cyber down quickly.”

Moderator Jon Oltsik, senior principal analyst at ESG, said he’d add training as a most neglected area. Additionally, “in terms of risk, how do you improve or work on maximizing risk identification and really understanding cyber risk as they relate to mission-critical applications?” Oltsik said.

Not only have cyber threats grown more sophisticated, but the number of malicious actors has grown—they are more persistent and better able to communicate and collaborate with each other, said Oltsik.

“They communicate better than they do on the provider side,” Oltsik said. “Pandemic-influenced remote workers have increased and the cybersecurity skills shortage” are other factors.

“It’s not getting any better and the skills shortage is often misinterpreted as we don’t have enough people, but we also don’t have the right skills,” Oltsik said.

Other pain points for CISOs are that the security tech stack has grown complex and they have to keep up with innovation, changing technologies and different vendor landscapes, he said.

When it comes to cybersecurity decision-making, today there is a lot more involvement from boards—and a lot more being asked of security teams, said Joe Partlow, CTO of ReliaQuest.

Defining risk

The ability to understand risk is one of the skill sets Summit said he believes is lacking now. For quite a while, cybersecurity was focused on day-to-day technical operations; now it has moved into the managerial space, he said.

“Risk management is very much a team sport—you really can’t do this in a vacuum,” agreed Hatter. Sometimes business units don’t feel that any of their data is private or sensitive, and organizations need to have a process for defining risk “in ways that make sense to a particular business unit,” he said. When risk is clearly defined, IT can get into deeper metrics to find out what systems are vulnerable and mitigate any that have been compromised, Hatter said.

The goal of cybersecurity used to be protecting data and people’s privacy, Summit said. There has been a major shift in that thinking.

“It’s one thing to lose a patient’s data, which is extremely important to protect, but when you start interrupting” people’s ability to travel or the food supply chain, “you have a whole different level of problems … It’s not just about protecting data but your operations. That’s where major changes are starting to occur.”

Summit added that he has long said if companies were making cybersecurity a high priority long before now, “we wouldn’t be in this position” and facing government scrutiny.

The cybersecurity field is “incredibly dynamic,” Hatter said, and CISOs don’t have the luxury of planning out three to five years. “We want to create and deploy a strategy that’s sound and solid. But market forces demand we recalibrate what we do, and COVID-19 was a great example of that.” CISOs now have to have as resilient a strategy as possible but be prepared to make changes.

Managed security service providers can help, Summit said, but CISOs are still feeling overwhelmed. “I feel we’ve been inundated with attacks, and everyone’s taking notice and asking questions and security teams are overloaded with alert fatigues from tools,” he said. “Now, people are asking the right questions, [but] that takes away time from addressing problems.”

Making threat detection more efficient

ESG research has shown that 88% of enterprises are going to invest more in threat detection this year, Oltsik said. He asked the panelists what can be done to make threat detection more efficient.

Improving threat protection is not just a matter of having the best technologies, Hatter said. “You need to have an organizational commitment to a level of standardization in IT that sets you up for success, and visibility to detect problems.”

Without a commitment to standards, IT and security professionals will be in “a constant state of running after unmanaged assets,” he said.

Summit said he believes the industry is going to see greater separation of cyber teams from IT and that “it’s long overdue.” The reason, he said, is that the majority of cybersecurity problems come down to misconfigurations and improper use of assets.

“To me, that’s the priority of IT. If you’re doing the fundamentals correctly … you’re lowering your risk level already. Then cyber teams can be focused on something different than looking for misconfigurations.” They can spend their time looking at what’s coming into the environment and being exfiltrated out and focus on what the real threats are, he said.

Tools, tools and more tools

Partlow said ReliaQuest sees an average of 30 to 40 tools in an enterprise, “and more often than not, that’s just adding to the confusion and noise.” Many are also not used to their full ability, he said.

“The number one thing that makes threat detection hard is not having visibility into the full [network] environment,” he said. “You can’t secure what you can’t see.” The best way to improve threat detection is to get that visibility and reduce the noise, Partlow said.

Hatter said he thinks vendors need to reconsider their pricing models “to give us more support and create more sophisticated rule sets. That’s a pain point for me and other CISOs I’ve talked to.”

Because IT teams already have alert fatigue, Summit suggested they speak to their MSSPs before they invest in more tools. “If you have a managed partner, take advantage of their experience. They’re working for a wide range of clients and have a lot of valuable information that can help you decide what to look at.”

He also recommended making use of information-sharing organizations such as ISACs. “I can’t stress enough how important they were to us” when he was at Moffitt, because of the ability to share information and learn the pros and cons of different toolsets.

“We learned a lot and that’s how we selected a lot of our tools. I never recommend any team be isolated. Use a wide range of people out there.”
