It’s a rare treat when you get the opportunity to speak with someone who has worked as an ethical hacker, has also worked in top secret military settings, and then transferred to the private sector, rising to the highest cybersecurity level in the corporate chain. We had the opportunity to speak with Brian Haugli, CEO of SideChannel. Brian is also the author of a book about the NIST Cybersecurity Framework. His experience and wisdom provide valuable lessons for all, not just from a cybersecurity perspective, but from a business perspective as well.
Tell us a little bit about your journey into cybersecurity, and how you ultimately became a CISO.
Brian Haugli: I started out actually when I was quite young and just had a knack for building and breaking computers. After high school, I turned professional, working in offensive operations work, and ethical hacking. In college, I worked on some interesting research projects that resulted in getting hired by the college to help them secure their own security. I went on to join the Army, and when I completed my service, I moved to Washington DC, and worked with some of the intelligence community agencies. Back then, cybersecurity was known as “information assurance”.
All of the work I did for the government led me to being promoted to the team leader for the information assurance program management team at the Pentagon. The role there consisted of leading the team to make sure that the Pentagon and the entire national capital region's security program was correctly built, was operational, and was effective. There was no CISO role at the Department of Defense at that time. They finally actually created that role.
I was hired away from the Department of Defense by the Hanover Insurance Group in 2015, recruiting me to move to the Boston area, and I became their first Vice President and Chief Information Security Officer. I started with all of the cybersecurity tasks, and then actually took over all physical security as well. So, I lost the “I” in my title, but I doubled my team, becoming the CSO.
In this role, I have a broader reach, being able to help my leaders, their staff, and educate and train their teams. I know what to expect out of them and what to not expect out of my team members, which I think is just as important. It’s important to know that a general cybersecurity expert cannot do every job. As you build out a team, you start finding your specialists, and it's really good to understand the capabilities and the limits of the specialists.
The role of the CISO has definitely changed. In what ways have you seen the role change over the last decade?
BH: I don't know if the role ever really changed. I think that what happened is that the people who were initially filling the roles weren't as robust as they should have been. What business leaders expect of that role has been the same all along. What we've mostly been talking about are very technical CISOs who have been in the role. What's always been expected of a C-level executive is the ability to support the business. In the last five years, that seems to be the main focus; that the CISO needs to start supporting the business. I always considered that as the primary purpose. Unfortunately, many of the technical people who are going into that CISO role don't have the ability to talk about risk in a way that business leaders like the Chief Financial Officer and the Chief Executive Officer and the Board can understand. What we're seeing now is more people waking up to the fact of what the actual job requires, and that's changing people's ability to be effective in that job.
What would you tell organizations that are looking to rejuvenate or build a new security program? What three or four areas would you tell an organization to focus on?
BH: That really cannot be answered specifically. I've always approached it with the idea of what type of a program a particular company is building towards. This goes beyond compliance. I think a lot of people just try to do what they did at their last job, but you can't just transfer that over and say that that's going to work at a different organization. What you need to do is assess the organization for what it's doing and not doing, and use your past job to inform how to address gaps. But you can't just bring that same program over and expect it to work.
The first thing to do is to really have a good, solid understanding of the program you're building, and to what standard. I really like standards and frameworks, and I wrote a book about the NIST Cybersecurity Framework. However, if we were in Europe, I would look to the ISO series. You need to assess what your current program looks like, and what it's lacking. You should be looking at the areas that are a prioritization of effectiveness, and making sure that they're still sound. And then, start addressing the areas where you have clear gaps. With my new company, as a Virtual CISO I do this during the first 30 days of the job.
Without knowing what an organization looks like, I'm going to ask questions, such as “how have you built your program, and what is it built to?” I'm not talking about compliance; I'm just talking about programmatic behaviors. If you can't answer that, then that is the starting point. You need an assessment to get a full understanding of where the organization is today, the current state, what the target state is that it should look like. That becomes your roadmap on how to get there. The easy things to say are the things that cause you the most pain.
You shouldn't write policies that you're never going to meet, because you will just be in a losing battle with internal audit. If I had to select four areas that are required for every organization, they would be multi-factor authentication, email security, some type of 24x7 managed or endpoint detection and response, and a governance structure to be able to manage and see and oversee the entire program. Any small business can accomplish that as the beginning of a security program. That can be tied back to reducing a lot of risk to those four areas, and you shouldn't stop there. That seems pretty baseline for most organizations. If you don't have those four things, I'm going to start raising flags, because this is “day one” stuff.
When looking at the way the criminals are evolving and changing all the time, what are those biggest threats right now that companies should be focusing on?
BH: The biggest one is the challenge that people currently find themselves in. There is this massive movement towards overcoming the ever-changing threat landscape. However, if you peel back how most of these things play out, it's the same thing. A lot of this stuff is basic criminal behavior. People need to better understand that a lot of what's happening is not new, it's just in a different form. But, that being said, anytime you're adopting a new technology, anytime you're adopting and implementing open source solutions or third party software, or even developing your own software, when you're not checking it, you're setting yourself up for failure. With the reliance on APIs, and the massive move to cloud and SaaS applications, and a major reliance on third parties without having those things in check and underneath some type of review and constant kind of validation or security check, that's the part that's allowing for attackers to really be successful. The criminals are just taking advantage of the situation.
Internet-based criminal groups are set up like businesses, with a clear objective, and if you make yourself an easy target, you will be attacked. But, if you create an environment where they don't see a solid return on their investment of breaking into and disrupting your organization, they'll target someone else. It's that simple. When I talk to business owners, it's very disheartening when they have that mindset of downplaying the adversary, and not giving them enough credit, and therefore not taking the threat seriously.
We often hear that being compliant doesn't mean you're secure. What advice would you give to organizations that are looking to do just enough to pass their compliance audits, but they're not actually really focusing on security?
BH: If you’re a business owner, and you take the position that you are going to do something that's just enough, just whatever satisfies the minimum that's set by the governing body for the sector in which you operate, that is going to be insufficient. We really expect businesses to do more. If you look at physical security, for example, the Occupational Safety and Health Administration (OSHA) sets minimum standards in manufacturing and other institutions, but most employers are doing a lot more for human safety than the basic minimum. Yet whenever you look at cybersecurity compliance, business owners unfortunately don't realize that they do need to do more. Physical security is obvious, because the possible harm is a very tangible thing that someone can visualize and see.
What would you say are the most important aspects of an incident response program when it comes to a data breach?
BH: It actually happens well before the data breach itself. You should really have your plan set, communicated, and trained well before you ever use it. The worst thing that can happen is that the first time you look at your incident response plan is the day you need it. In the military, and with first responders, they train like they fight. You need to really work on your incident response plan. You need to socialize it; you need to get people to buy into it so that they'll actually read it and be participants. Communication is probably the primary thing. You cannot over-communicate inside of your organization when something goes wrong.
You also have to work with the people who can help you communicate effectively across the organization. You need to communicate up to the C-suite and the Board, as well as down to your staff, the IT staff, and whoever else is supporting you. Then you have to communicate sideways, too. You have outside counsel, and you may also have an outside data breach response group maybe helping you out. And you might also have your insurance provider helping out. One person can't do all of that, so you really need to effectively tap into those people who can help.
What do you think about when you hear the term integrity, particularly system integrity, and how important is that when it comes to security, compliance, and operations?
BH: The simple questions that I ask to test for integrity are: Is the data that I'm expecting it to be actually what it is? What capabilities do we have in place that allow for us to make sure that data and files are unchanged beyond what's expected? Security is a triad of confidentiality, integrity, and availability, so, you really can't focus on only one of the three, or treat one of them with less importance than the others and expect that you are fully addressing security as a whole. That's very important. A lot of people focus primarily on availability. Security traditionally focuses on confidentiality first, and integrity is the last one that's left until later, but it's very much part of the entire equation.
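Editor's note: the two integrity questions above ("is the data what I expect it to be?" and "what capability tells us files are unchanged beyond what's expected?") map directly onto a file-integrity baseline. The example below is an added illustration by the editor, not code from the interview or from SideChannel. It hashes every file under a directory into a baseline, then compares a later snapshot against it and reports added, removed and modified paths. The directory layout, file names and contents are constructed for the demo; a length-preserving edit to `etc/app.conf` is included to show that a content hash catches what a size check would miss.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX form) to its SHA-256 hex digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_of_file(p)
    return baseline


def compare_baseline(expected: dict, current: dict) -> dict:
    """Report what differs between the stored baseline and a fresh snapshot."""
    return {
        "added": sorted(set(current) - set(expected)),
        "removed": sorted(set(expected) - set(current)),
        "modified": sorted(
            path for path in expected
            if path in current and expected[path] != current[path]
        ),
    }


def demo() -> dict:
    """Build a constructed tree, take a baseline, simulate changes, and return the diff report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files (hypothetical names and contents, not from the interview).
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("admin_port=8443\n")
        (root / "etc" / "users.txt").write_text("alice\nbob\n")
        (root / "bin").mkdir()
        (root / "bin" / "run.sh").write_text("#!/bin/sh\necho start\n")

        expected = build_baseline(root)

        # Simulated drift: a same-length edit, a deleted file, and a new file.
        (root / "etc" / "app.conf").write_text("admin_port=8444\n")
        (root / "etc" / "users.txt").unlink()
        (root / "bin" / "extra.sh").write_text("#!/bin/sh\necho hi\n")

        current = build_baseline(root)
        return compare_baseline(expected, current)


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

The baseline only has value if an attacker who changes a file cannot also rewrite the baseline, so in practice it should be stored off the monitored host or signed, and the comparison scheduled rather than run ad hoc; that is the "capability in place" the answer asks about, as opposed to a one-off check.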