Beware Of ‘Assumption-Based’ Cyber Security: Q&A With Verodin’s Brian Contos

With the first month of 2018 behind us, it’s clear that the year will be another crucial period for the growth and maintenance of enterprise security. Chief Information Security Officers (CISO) will likely be staving off hackers looking to crack the proverbial code – to administer the mega-breaches witnessed in 2017.

There is no doubt that malicious hackers will attempt to exploit enterprises of all sizes – for financial gain or intelligence purposes. However, in the same timespan, can cyber security also tighten? Will CISOs preside over more efficient security operations? Will they mitigate threats with more accuracy?

To get his take on the wider state of cyber security, we spoke with Verodin, Inc.’s CISO and Vice President of Security Strategy, Brian Contos. Over the last two decades, Contos helped build successful and disruptive security companies. He is a seasoned executive, board advisor, security company entrepreneur and author.

See Related: 'Handle Fear By Understanding': Q&A With KnowBe4's Erich Kron

Cyber Security Hub: What is your take on the current state of cyber security and, say, breach anxiety or threat mitigating?

Brian Contos: We tend to think myopically on breach details. There has to be a broader perspective more aligned with the strategic business mission of the organization. And what I mean by that is, the security person might find an issue within the security architecture – they may not be able to prevent data from leaking out from the network to the internet. That’s then communicated to the executives, who say, “Okay, there’s a data leakage problem.” There’s not really any substance around that. The same security practitioner could say: “(It’s possible that) data could leak out from the network.” (Then, list the) type of data…and mitigate the threat. “It will cost X dollars.” The decision maker can look at that and say, “It will cost me X. I think the problem is worth X+Y if we don’t fix.” The business needs to be much more aligned with security…instead of security as an isolated set of solutions.

There are strong metrics for sales or marketing…and how we manage it. There’s not a lot of instrumentation in security. (Perhaps we’re) not effectively measuring or managing security. Nothing’s sort of quantifiable. It might be all squishy, qualitative information – which is very hard for business decision makers to (work with) and make investments. Measured business decisions should be based on empirical evidence.

CSHub: In your opinion, how has the talent crisis affected cyber security’s standing? Do you see it changing? If so, how?

Contos: The talent crisis is felt across all verticals. We’re seeing it globally. The big issue is trying to address the growing threat landscape the same way we were, again, over the last 20 years. (We need to be) more focused on automation, (and place) more focus on solutions that will continuously validate security controls. It’s interesting that at any given time, a security practitioner or executive can’t tell you with any level of certainty that this is working, this isn’t working; we need to retire this, or we need to invest here. It’s all muddled up. There are a lot of good solutions out there, (but are you) getting value? There are better solutions around automation, so we can do more with the security teams we have.

When we start looking at people and bringing in individuals for interviews, we look at the CV, resume, LinkedIn (etc.). But often what happens is the individual that doesn’t have as much work experience is put at the bottom of the stack. Look, they might be really hungry, but don’t have 20 years of experience. (We must) bring (them) into our environment, evaluate their skillsets.

[Editor’s Note:] Contos suggested bringing in candidates for interviews, and also implementing situational tests to see if the individual is effective in the precise security environment.

Contos [Cont’d.]: If they are, do we bring them on and train? It wasn’t that long ago that someone in a trade industry might come in with little to no experience. We kind of lost that. (There’s a) lack of desire, time, or capability to bring someone on. It’s also about helping to train these individuals – to get back to what we did before the start of the digital age. Let’s train them on the job.

CSHub: What are some top challenges that CISOs face today? What’s plaguing the enterprise?

Contos: It boils down to one thing: managing their security based on assumptions. Assuming their people and processes are efficient and effective, or assuming the technology is working. We assume a firewall will prevent an attack. But, there’s a massive lack of empiric evidence. It’s security based on assumptions. Assumption-based security has really caused a big problem for CISOs.

We’ve just started seeing security rationalization groups whose sole goal is to determine if I’m spending on product X, I’m getting value from X. It shows you what a large gap we have in our industry. Auditors have stopped asking security teams: “Do you have controls in place to mitigate risk?” They’ve started asking (enterprises to) prove that controls in place are actually providing value. It’s ratcheted together. We need to go beyond assumptions, and base (decisions) on empirical evidence, not hopes and dreams.

CSHub: What are your general thoughts on today’s most pressing threats (say, ransomware, malware strains and phishing scams)?

Contos: Phishing and ransomware, these types of attacks have been around for a long time. They’re still being used – they’re easy and deliver results. I would say that everything that was a threat continues to be a threat. We haven’t completely “stamped out” particular genres of threats. (What’s crucial is) determining (a solution’s) value. If it’s 25% effective, who would buy a car that runs 25% of the time? Deploying security controls just thinking it will protect me is assuming that at some point, something will help. We need to get back down to basics, and understand what our security effectiveness is.

CSHub: What’s the trajectory of cyber security in the short and long term?

Contos: I think (we’ll be) spending more time measuring and validating security controls. “Am I going to get value out of what I’ve got? What do I have that I could get rid of or retire?” CISOs often don’t get rid of security controls. They’re stacking one on top of the other. (But, if they’re) retired, we can take revenue – income from those – and invest that in things you really need. (We should) fine tune what we have. Let’s (also) start now reprioritizing our investments based on our measurements. We should be determining whether I’m doing validation, instrumenting, and determine that this is what I’ve got that I can tune; or I can retire this. (We need to be) tying that back into the business mission. It should really be entangled in the general business process. Security should not be seen as an obstacle or a cost, but as an enabler, to move more efficiently or effectively.

CSHub: What’s a piece of advice you’d give to an active CISO?

Contos: Before you invest another penny in security, start validating what you’ve got. What’s working, what’s not? Determine what the gaps are. Security investments – their cost and the effort involved – may simply not be yielding effectiveness. We’re managing based on assumption, because we haven’t taken the time to measure and validate.

[Editor’s Note:] Contos also outlined one industry term – “environmental drift” – and cautioned CISOs from assuming their security posture is like a “Formula One racecar.” Environmental drift, he said, implies that a subsequent problem – “a $5 problem” – causes a “million-dollar issue.” He suggested that practitioners impress on people that cyber security is not a “snapshot,” but a continuous process of validating.

Be Sure To Check Out: 'We've Had To Roll An Immense Boulder': CISO's Thoughts On Women In Cyber Security