Security Is Everyone’s Responsibility
Cyber Security Teams And IT Must Share Tools And Information And Communicate To Safeguard Their Organizations
The relationship between IT and security teams can be tenuous and this has to change so that “we're not an organization of ‘no’ but ‘how can we.’
That was just one piece of advice offered by Darren Death, vice president of information security and the Chief Information Security Officer (CISO) at ASRC Federal. Death was the guest on Monday’s episode 56 of Task Force 7 Radio, with host George Rettas, the president and CEO of Task Force 7 Radio and Task Force 7 Technologies.
To avoid that “adversarial relationship,” both the cyber team and IT have to remember they are “a customer service organization,” and stay customer focused, and not act in a siloed manner, Death said.
The need for cyber hygiene
The discussion began with Death describing the cyber landscape in the government services sector. He said the challenges are similar to those in the private sector.
“I think when you're seeing very successful government organizations and private sector organizations, you have very motivated technologists to get the work done,” as well as business people who understand that security is also their responsibility, he said. Cyber hygiene, Death said, is one of the most important things an organization needs to focus on – but often forgets about.
When hacks occur, “they're not these amazingly choreographed [advanced persistent threats] APTs,’’ he said. “What you're seeing is someone didn't patch a server, configuration was missing, someone put a development server with internet access. It's these basic things that organizations aren't doing. Arguably we call it cyber hygiene … but really it's IT hygiene.”
Cyber hygiene and IT hygiene are about ensuring you have the resources within your organization to do the basic foundational work, which deals with 90% of the cyber security problems we're seeing, he noted.
It’s too easy even today for a cyber attacker to find an un-patched server to penetrate a network, Death said. IT also needs to be involved in cyber hygiene, he stressed. Rettas asked Death how IT and security teams can partner to drive cyber hygiene?
There are two things Death said he’s found to be very successful. The first is not restricting access to the tools that are implemented by security professionals. “I don't hold back access. I don't filter the content … All of my continuous monitoring tools are fully open and available” to IT.
It’s very important to train the IT group so they can use these tools as well and do their own reporting and have the same visibility into the security team’s resources, he said.
“Instead of me sending a weekly report, they can look at it at will, and … they're fixing things continuously,” which is what an organization should want, he said.
Secondly, “one of the things that I learned very early in my career was don't drop bombs. What you need is folks that are on your side, not against you.”
If you have an issue with IT, talk to them about it and “don't call them out in front of the CIO,’’ Death said. Having an “all-hands-on-deck” approach is highly successful, he added.
If security people are having a hard time interacting with their IT group, then it’s because they are dropping bombs, he observed, “and they need to do kind of the self-reflection thing” and practice soft skills.
Security people need to ask themselves honestly about whether they are causing an issue, and if so, “to reflect [on that] and change that, and just continuously working through that relationship.”
Technical debt in systems
Rettas observed that there has been a lot of talk lately about technical debt associated with cyber security. He asked Death how organizations incur technical debt in their information systems through inaction to the cybersecurity component?
“What you're seeing is folks have decided that they don't necessarily need to patch or configure or have appropriate asset or configuration management to manage their networks,’’ Death said. “What's happening is you're seeing large breaches resulting from that.”
People will say they don't have the resources to do this type of work, he said, but in reality, “they're either not purchasing an automation tool or they're hiring an individual to perform some action on a routine basis, then you have these large breaches” that require spending millions of dollars to investigate and remediate. “Whether you're in the private or public sector, you have a huge loss in reputation and people don't trust you anymore. There are so many organizations where you see it still.”
The breaches are generally the result of unpatched web servers, or development servers sitting in production that are connected to the internet -- very simple things that could be avoided “if the diligence was in place,” and if IT and cyber security had better communication.
Rettas asked about the costs related to information security, and how important it is to be able to articulate that to the board and the c-suite?
“What we're really talking about is the foundational costs of implementing new technologies with a new organization,’’ Death replied. Often, this means the cost of moving to a cloud platform a number of new technologies that need to be implemented because the security services that are used to secure an internal infrastructure don't work in a cloud environment.
There needs to be conversation emphasizing that the organization is in the cloud now, Death said, and “We have a different threat vector that we're going to be dealing with. Your data is not within our data center, and we need to control it in different ways, and actually start talking with the [business] about what do you care about from a data protection perspective? Having that conversation as these are foundational cloud costs, versus these are bolt-on security costs, were very effective.”
Death said he believes “cybersecurity requirements don't exist,’’ but rather “they're base foundational requirements.” This means security requirements should be boxes checked off as they are automatically built into a system.
The importance of soft skills, compliance
In the show’s next segment Rettas pointed out that soft skills are needed to help get things done, yet, it is difficult to find one person who has all the skills necessary to be a successful cyber security leader. So a lot of times, he said, organizations are not only hiring CISOs, but also deputy CISOs to complement the CISO's skill set. He asked Death to talk about the different responsibilities for those roles.
Death said the key thing, from a technical leadership perspective, is “being able to talk to someone … in the business about their needs. Because at the end of the day, they don't care about how [a system] works. It's like the telephones. No one cares about the telephones till they break.”
He said it is his job “to take the conversation that we had and then be able to decompose it into something that both my cyber team and the IT team can use to provide them with great solutions.”
The two then discussed compliance, and how it is often viewed as a “check-box exercise that doesn't really contribute to real risk mitigation,” Rettas said. “I think it's really important for your organization's survival to have these baseline compliance initiatives.”
A high percentage of the NIST framework focuses on the prevention piece and not the rest of the ecosystem in terms of the response and recovery, Rettas said, and asked Death how can compliance drive an effective information security program?
In regulated industries, “I do agree when folks say, ‘If all you're doing is compliance, then you're not doing your job,’” Death said. Compliance also needs to be about being able to function as a company or being able to keep your job if you're in government, he noted.
Organizations need to learn to be resilient and able to “stand the test of time,’’ he added.
In tandem with compliance is a conversation around resilience and security, Death said, “because if you're going to be a compliant organization, you're also going to spend money. And the question for the business is, do you want to spend money on things that don't matter, or do you want to spend money on things that matter?”
Organizations need to have a “compliance checklist” for how they are going to improve their resiliency. If you do this "then you've got a recipe for success,” he said. Security is everyone’s responsibility
The discussion turned to developing a secure software development perspective, and Death said it’s important to make sure software teams have the right security tools.
“Unless you're a very special security organization, most security organizations don't necessarily have developers,’’ he explained. “But even if you have a developer, a security team usually doesn't have the bandwidth to be the gate that all software has to flow through.”
IT should consider providing all the code testing software to the developer team, then configure those tools to meet the organizational standard, and then allow the developers to integrate it into their testing and their quality review and their remediation, he said.
“This goes back to that idea of security is everyone's responsibility, whether it be IT or the software developers,” he said. Developer teams and security “usually are the ones that tend to go head-to-head more often. And I think part of it is a lack of humility, because security teams don't necessarily know development like developers do.”
Security teams will come in with a lot of requirements and they won't tell the developers how to do anything related to those requirements, he added. “One of the ways that we solve that is we come to our development team and say, ‘These are our requirements, work with us to meet those requirements.’”
Rettas asked Death to describe the concept of “zero trust” and what his approach is for implementing it.
“Just remember that there is no one zero-trust solution,’’ Death advised. “It's a selection of tools that you're going to implement to provide you with a zero-trust implementation within your organization.”
The idea is to take different factors about an individual and determine whether the person has the right to access certain information, he said.
“You're developing a risk rating against them, and saying at some point, does this individual meet the thresholds where I will allow them to access data?” he said.
This requires IT to do data categorization, which Death said is hard. However, “the only way that you're going to get an effective zero-trust implementation is to understand your data. Because really, within zero-trust, it's not about the network, it's not about the systems, it's about the data.”
Tools are great, he said, but the process needs to start by understanding what data is important to the organization and which people should be accessing that data. “If you're dealing with large data buckets, if everything's just sitting on a file share, you have a lot of work to do organizationally before you can implement zero trust,” he noted.
Rettas asked Death how his organization is handling emerging technologies like IOT and cloud from a cyber security perspective?
Death said process is the key in any initiative. “What I've implemented everywhere I've been is this idea of security advisement or security architecture, where I have team members embedded within project teams, where they're addressing these requirements.”
He said his organization has developed its own in-depth review questionnaire that they use to engage with cloud providers. This helps them understand what those platforms are providing, how security is being managed on the back end, and how they can integrate their security services in.
“The things that you need to run an internal network where you have full control are completely different services than what you run when you want to [have] managed cloud services,’’ he pointed out. “So we want to make sure we have those hooks into any cloud service we buy, so that we can make sure that we have the same level of security outside of our organization as what we have internally.”
The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.
To listen to this and past episodes, click here.