

Evolving Role of the CISO

Chief Information Security Officers (CISOs) are the heartbeat of security operations within a company, writes Ross Brewer, Vice President and General Manager of EMEA and APJ for the cyber firm AttackIQ, on what’s needed to be an effective leader.

Overseeing areas such as the mitigation of cyber risk, fraud prevention and identity management, the CISO keeps a company’s leadership abreast of all developing security threats. However, with the growing sophistication of hackers, and the pandemic contributing to a 600 per cent increase in cyber incidents, modern cybersecurity poses an increasingly mercurial challenge.

Government research shows that two in five businesses in the UK have experienced a cyber-attack or breach in the last year; this number rises to nearly two-thirds for medium and large firms. Shockingly, 82 per cent of breaches that should have been stopped by existing security controls were not. Controls fail silently, and often, due to misconfiguration issues. In fact, 85 per cent of all breaches involved some human element, according to the 2021 Verizon Data Breach Investigations Report. To tackle these inevitable challenges, organisations must run an informed security operation, based on real-time data gleaned through real-world environment testing, obtaining insights across their people, processes and technologies. The modern CISO must evolve from a reactive posture to a proactive, threat-informed defence.

The CISO’s problem

CISOs need data-driven information to boost the effectiveness of their programs’ performance. Unlike CISOs, Chief Financial Officers (CFOs) and Chief Marketing Officers (CMOs) have benefited from platforms like Salesforce and Clari for data and reporting, helping them make informed decisions about where to invest or reinvest funding to propel the business.

CISOs have had to deal with cybersecurity tool sprawl and an increasingly complicated attack surface that obscures their visibility into what is and is not working in their program. Reacting to a cyber-event after the attack or breach has happened is too late, as the damage is done. The way to stay ahead of cyber criminals and confidently report to Boards of Directors and regulators is to continually validate the health of the entire cybersecurity program, using an insights platform that provides actionable data and reporting on gaps in their infrastructure.

Threat Informed Defence: A Necessary Evolution

Governance, risk and compliance (GRC) is a traditional, top-down approach to corporate cybersecurity, governed by rules and procedures for what should be done; however, compliance doesn’t necessarily equal security, as even regulators are constantly challenged by the evolving threat landscape. GRC is seen by many as a static ‘one-size-fits-all’ approach to a nuanced problem, lacking the sophistication and professionalism needed in a cybersecurity world that throws new challenges at teams each day. A nuanced problem requires a nuanced solution, and CISOs will need to combine their top-down approach with a new bottom-up approach: a threat-informed defence.

A threat-informed defence is a cybersecurity strategy focused on testing security controls against known adversary behaviour, using knowledge-based frameworks such as MITRE ATT&CK, that can inform CISO teams about hackers’ tactics and techniques. The MITRE ATT&CK knowledge base uses real-world observations to build a foundation for the development of specific threat models for private companies. Breach and attack simulation (BAS) systems, informed by the MITRE ATT&CK framework, can deploy a threat-informed defence by simulating threat actor behaviour. A Gartner report from last year concluded that “when CISOs include breach and attack simulation (BAS) as part of their regular security assessments, they can help their teams identify gaps in their security posture more effectively and prioritise security initiatives more efficiently”.

Testing security controls continuously using an automated BAS platform can provide quality, usable data that can guide program strategy and foster a resilient security infrastructure. Like a vaccine, a threat-informed defence gives a roadmap of genetic information, testing the body’s defence, rather than rushing to administer an antidote to a breach already overwhelming the system.
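As an added illustration (not AttackIQ’s product and not code from the article), the following script shows the kind of gap report that continuous, ATT&CK-keyed control testing produces, including the “silent control failure” case: a technique that was blocked and detected in one run but no longer is in the next. The ATT&CK technique IDs are real; the control names and outcomes are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """Outcome of one simulated adversary behaviour against one control."""
    technique: str    # ATT&CK technique ID (real ID; outcomes below are constructed)
    control: str      # control expected to stop or see the behaviour (hypothetical)
    prevented: bool   # the control blocked the simulated action
    detected: bool    # the control raised an alert for it


def status(r: SimResult) -> str:
    """Classify a single result: the interesting cases are the partial ones."""
    if r.prevented and r.detected:
        return "covered"
    if r.prevented:
        return "blocked_silently"   # stopped, but nobody would know it was tried
    if r.detected:
        return "detected_only"      # seen, but the action succeeded
    return "gap"


def gap_report(results):
    """Group technique IDs by status so coverage can be read at a glance."""
    report = {"covered": [], "blocked_silently": [], "detected_only": [], "gap": []}
    for r in results:
        report[status(r)].append(r.technique)
    return report


def regressions(previous, current):
    """Techniques fully covered in the earlier run that have degraded since.
    No alert fires for this: the control simply stopped working, typically
    after a misconfiguration, which is exactly why repeat testing is needed."""
    prev = {r.technique: status(r) for r in previous}
    return sorted(r.technique for r in current
                  if prev.get(r.technique) == "covered" and status(r) != "covered")


# Constructed sample runs a month apart.
LAST_MONTH = [
    SimResult("T1003", "EDR credential-dump prevention", True, True),
    SimResult("T1059", "Script execution logging", False, True),
    SimResult("T1566", "Mail gateway", True, False),
]
THIS_MONTH = [
    SimResult("T1003", "EDR credential-dump prevention", False, False),  # rule disabled by mistake
    SimResult("T1059", "Script execution logging", False, True),
    SimResult("T1566", "Mail gateway", True, True),
    SimResult("T1486", "Backup integrity check", False, False),          # never tested before
]

if __name__ == "__main__":
    print(gap_report(THIS_MONTH))
    print("regressions since last run:", regressions(LAST_MONTH, THIS_MONTH))
```

The regression list is the signal a CISO cannot get from the controls themselves, because a control that has stopped working produces no event of its own.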


A 2021 ISACA report showed that it takes three to six months to fill a cybersecurity role, and with an estimated 3.5 million unfilled cybersecurity jobs by the end of 2025, the industry’s skills shortage is putting pressure on CISOs to recruit talent and bolster their teams. With most organisations having an average of 70 security tools, up from 45 just four years ago, according to the 2021 Verizon Data Breach Investigations Report, the adoption of automation can help overwhelmed and short-staffed teams stay on top of their controls and the potential gaps that arise over time.

Data and reporting that result from automating the testing of potential breaches and attacks allow red and blue teams to come together to find and close gaps more quickly and effectively, before adversaries are able to exploit them. As a result, the internal culture can also shift from an adversarial, siloed one to a “purple team” culture that leads to increased co-operation and success within the business.

Security teams should be moving closer towards the integration of an external, threat-informed defence system, and a bottom-up structural realignment. CISOs can empower themselves in the battle against hackers with MITRE ATT&CK-informed BAS systems, automating how they validate their controls against an industry framework of known tactics, techniques and procedures. In a cat-and-mouse race to the finish line, whether CISOs prevail as the victors will depend on whether they use best-practice tools to anticipate threats, rather than react to them.
