Mark Ruchie: My journey into security was not of my own doing. In 1986, I was a second lieutenant in the U.S. Air Force, and much like other people who've been in the military, you're assigned a job. My job was something called "Computer Security Officer." I remember being rather disappointed because I was more interested in becoming a "real" computer person. I thought that was really the cutting edge. So, in 1986, I was handed one of the original Orange Books, which was one of the original data confidentiality books that were out there. I still have it to this day, and it's probably more a historical remnant than anything.
I was pretty bored at the time because I thought that it was just a paperwork exercise. I left that after four years to work in Operations, which I really thought was where everything important was happening. However, I was always sucked back into security. Then in 1991, security changed. We had new Computer Emergency Response Teams (CERT) and network intrusion detection devices, and this really caught my interest. I also completed a symmetric cryptography program for the Air Force, and that solidified my connection to security. I spent multiple years consulting in security operations as well as working as a security director for financial services and the health industry before I became a CISO.
JP: Excellent. You've obviously come from a technical background, yet the role of the modern CISO is evolving where there's a technical element and also a business element. Based on your experience, what do you think are the essential skills of the modern CISO?
MR: Well, you described it perfectly. The skills include business communications and business risk. I came up through the technical track. People tend to come into the CISO world either via the technical network security track or the auditing track. A few are coming up from the legal side of the house, but understanding real business communications is critically important. Twenty years ago, when I was selling vulnerability assessments, a bank vice president asked me to rework my presentation because it was entirely built on technical risk. He actually handed me a banking risk document that talked about how to put it all in banking risk language such as liquidity risk, strategic risk, and reputation risk. Understanding how technical risk equates to business risk is important because that's ultimately what this is about. That's ultimately how you communicate with customers, with regulators, and with leadership in your industry.
JP: Yeah, that makes sense. That is definitely one of the challenges, isn't it? What advice or tips would you advise for other CISOs to get approval for security investments from other stakeholders within the business?
MR: You have to have a conceptual framework for consistency. Anything from ISO 27001 to NIST frameworks, depending upon what industry you are in. Get a single framework for consistency, and then use that to communicate with your board or your leadership to measure and communicate your security program. Not necessarily the risk, because everybody in security knows there are lots of risks out there, and by only using a risk approach, it ends up getting you into a subjective position of fear, uncertainty, and doubt. You need an objective measurement tool so that you can measure yourself in the security program and not necessarily risk. Then, you can present your security gaps with solutions. Don't go down deep into the weeds. There are always going to be thousands of vulnerabilities in any program that you've seen, so keep it at a higher level.
JP: That's really good insight. Thank you. The world's changing very quickly, and based on your experience and your insights, how are cyberattacks changing at the moment? What do you see as some of the biggest threats that companies really need to focus on right now?
MR: The threats are still kind of the same at the meta level. It's the nation states and the crime groups that are operating either in concert or in competition with one another. But where are we seeing them? The exploits are largely happening on the supply side, as we saw with SolarWinds and a bunch of other attacks. They are finding their way in through the software and even the hardware that companies are procuring, often as a result of providing more tools for employees as they work remotely due to the pandemic. And it's pretty concerning right now. People are leaving companies and industries because they want flexibility in where they spend their time working. So, that's creating lots of pressure for companies to provide better remote offerings to attract and retain talent.
I'd be remiss if I did not mention the threats to public cloud environments. The public cloud is not the threat. Rather, the threat comes from the actors trying to exploit our usage of the public cloud. The public cloud allows the business side (e.g., finance and legal supply side) to almost go off on their own in many respects and do their own business in the public cloud. But what these businesses don't realize is that the controls that they had with on-premises IT and with security don't always show up automatically when you go to the public cloud. Bad actors are exploiting that. So again, I would highlight those three areas today—the supply side, working from home, and the public cloud. It's the same threat actors, nation states, and then the criminal groups.
When I say criminal groups, there's commoditization even within the criminal groups. If you look at ransomware, it's not a hardcore group somewhere in Eastern Europe where there are people with guns. Some criminal organizations have outsourced some of their operations to different groups around the world.
JP: They're so sophisticated now, and those tactics are evolving all of the time. You hear of different levels of extortion, it is changing all the time, and it is a challenge to keep up with those criminals. You touched on the emergence of working from home. The last 18 months have been difficult for everyone for different reasons, obviously all around the pandemic. As people start to move back into an office environment, there’s going to be this hybrid work where a lot of people don't want to go back to the office. They want to stay remote, or they're going to work from a different country in a remote location. As companies scrambled initially to make sure that these workers were secure, what are some of the security considerations that organizations need to be thinking about right now with this hybrid workforce, and how do they manage that risk?
MR: That's a hundred-thousand-dollar question. There is the logical stuff. There are better endpoint controls and multi-factor on everything. Here in the United States, the government just added single factor to the top three "bad practices" list. Use multi-factor on everything that you can. That's harder than it sounds. When you think about the tech debt that most companies have of both tools that they use internally as well as other public cloud services, for instance, getting multi-factor on all of those can be a challenge. Getting a single solution can be a challenge. Then there are also things like Endpoint Detection and Response (EDR) and eXtended Detection and Response (XDR). Years ago, you just worried about antivirus on your workstation. Other earlier technologies, such as endpoint intrusion prevention systems and USB controls, were important, but now, endpoint detection and response is taking it to that next level.
DNS security has changed, as well. When employees were based entirely in the office, you could use web filtering. But now, when people are out of the office with remote endpoints, those same controls are not available to them. For example, an employee who doesn't like the corporate restrictions while on a VPN can easily bypass that by going out to the web when they are not connected to the VPN. DNS security can push those additional controls out to the endpoints. Finally, there are Zero Trust networks—kind of like the nirvana of network security. But they don't consist of off-the-shelf products. You don't go buy a box, plug it in, and you have a zero trust network. There's a lot of work that goes into it. At a minimum, it includes all of the endpoint controls, multi-factor authentication, micro-segmentation, and better identity solutions if you really are going to enable any kind of a zero trust network.
JP: Yeah, and that's a term that is being used a lot more. It's obviously appropriate with the hybrid workforce. There are a lot of security professionals who refer to the employees as the weakest link. We should see them as our strongest allies, but people naturally will always take the easiest route. For example, if a person is in a cafe somewhere and they can't connect to the VPN for whatever reason, they are just going to go around that and do what they need to do, especially if they don't have the right sort of training. What sort of security training should we offer to employees?
MR: Indeed. There's a regulatory side of that. When we work with conceptual frameworks, they require some level of annual training, as do most of the certifications such as PCI-DSS. Many of the security awareness trainings are a bit boring and dry, even when they are gamified. There are things you can add onto the annual ritual, like micro-learning. There are psychologists who support the theory that if you subject people to small bursts of learning, they will remember more of the information. I use that method here at Entrust.
I also conduct periodic phishing simulation training. It is a tremendously valuable tool, although sometimes, people can get frustrated with it. A very robust phishing program that reflects realistic scenarios may annoy some people, but as long as you have open communications, you are transparent about what you're doing, and you provide feedback to leadership, phishing simulations can be a critically valuable tool. If you work collaboratively with the staff, they can certainly become a valuable security asset.
JP: I agree. It is a challenge, and ultimately, one of the main reasons we perform these phishing exercises is to prevent data breaches. What advice would you share with other CISOs when it comes to an event like a data breach?
MR: My advice to anyone prior to a data breach is to make sure that you have a security incident program. Make sure you have a security incident response guide. If you have a security emergency response team, make sure you perform regular tabletop exercises with realistic scenarios. You also need to communicate to the business because a lot of your insights that there's been a security incident are going to come from the business. For instance, somebody who has a relationship with a customer may notice something unusual, but if they don't know to get a hold of your emergency response team, there may be a warning that goes unnoticed due to lack of communication. It is all about having awareness across the board as well as having a partnership with your emergency response teams and crisis communications teams. There needs to be a playbook upfront that has the response protocols in place. The other reason to have all this in front of you is to know when and to whom to report a breach.
JP: Definitely. There are so many different regulations with varying reporting responsibilities and timelines, and you have to know them inside and out. If you don't, there can be severe consequences. In terms of compliance, a lot of people feel like being compliant is enough, but it doesn't mean everything is secure. What advice would you give those organizations that are looking to do just enough to satisfy a compliance audit but they're not really focusing on security?
MR: I agree. Whether it be a PCI-DSS certification or any of the government certifications, security compliance does not equal security. Compliance refers to mandatory regulations and what must be protected. There is always going to be a business driver to make sure that you can meet those certifications, but those are the basic layers, and cyber criminals take advantage of everything they can. They will know how to get around this stuff. It's a critical mistake if you are just going to do the minimum necessary for compliance.
JP: You hear the term “checkbox compliance” and things like that. You make a good point that there are levels of maturity, and when it comes to compliance and security, doing the bare minimum isn't enough anymore. What do you think about the word "integrity" as it relates to security compliance and operations?
MR: I'll go back to one of the basic fundamentals of any CISO—the CIA model of Confidentiality, Integrity, and Availability. Twenty years ago, availability was of interest because of all the denial of service attacks. Confidentiality became more important as data loss became more of a reality. Integrity does not get the attention it needs. Most of the compliance frameworks don’t adequately address it. If you don't have that, you are not going to have a business offering if you lose the integrity of the data. The “C” and the “A” of the CIA model have had their day. They're still important, but the “I” is getting its day now – finally.
JP: I like that. Another topic I would like to ask about is metrics. It's so difficult to measure things, especially in the realms of security. It seems that if you are doing your job and there are no breaches, you cannot measure that. Yet, if there is a breach, you are evaluated as if you are doing your job wrong. What metrics do you have in place that help you measure success and those seemingly unverifiable facts?
MR: I have varying levels of metrics. At the executive or Board level, it's focused on the high-level risks and what we're doing for those. At that level, they don't need to see the number of emails that come into our system. At an operational level, however, it's important to know if 10 million emails came in at a particular timeframe and what our email security system did to protect us. If it blocked eight million of them that were spam or malicious and the advanced checking found another 500,000, for example, that is a metric that's only really of interest in the security operations world.
Vulnerability management is another one of those subjects that companies struggle with because of the incredibly high numbers of vulnerabilities out there. What do you measure? You have to approach it from the perspective of the maturity of the security program and the capability around it as well as using a conceptual framework. From an operational perspective, I use the NIST Cybersecurity Framework to drive some of those metrics because a metric of 10 million emails coming in is fairly useless to most people except for a few people in security and a few people in the email administrators' group. It's really about having a tiered structure like that.
JP: Yeah definitely. You've mentioned security programs a bit. If you were looking to rejuvenate or build a new security program, what areas would you tell an organization to focus on?
MR: I would definitely start out with conceptual frameworks, and I said "frameworks" in the plural tense because it's virtually impossible to have a single framework. At Entrust, we use ISO 27001 as our high-level framework because we're a global company. We also have PCI obligations, U.S. federal obligations, and WebTrust obligations. All of those have a parent-child relationship, meaning there is a hierarchy of what is most important to those of lesser importance. Strategy is sitting at the highest level, and that is what we use ISO 27001 for. All of those other frameworks, PCI DSS, PCI CP, and WebTrust, all reference many aspects of ISO 27001. So, we have that as our high-level functionality.
It is vitally important to get endorsement from your leadership, not necessarily endorsement from tech leadership but from the business. If you don't have endorsement from the business or even up to your CEO, you're going to be viewed as just the tech organization that takes care of security. Including the business side is even more important these days. For example, cyber insurance is inherently a business item where CISOs or security officers must be involved. If you're a company that relies on cyber or produces cyber, you're going to probably need cyber insurance. It is also important to understand the business impact analysis and to be a partner with your business continuity manager to understand what the tiered applications are in the environment.
Understand the business resumption programs that your company has as well as your organization's emergency communications, crisis communications, and internal communications teams. Understand what your core business offering is; that's going to help you define what that program should look like and what the metrics should look like. You can have a conceptual framework, but once you start to understand where your business operates from a business mindset, then you can start to knit together a program that is important to the business leaders.
JP: Brilliant. I really appreciate your time and your insight.