Finding Security Focus in a Target Rich Environment

I find it hard to believe, but my five year anniversary at my current institution is coming up soon. It’s been a great ride so far — the team has more than doubled in size, we’re consistently seeing funding increases from leadership, and the Security profile of the organization has significantly improved. We had a five year plan, and that plan is almost complete, thanks to countless hours of excellent work by many, many committed individuals working to serve a larger purpose. Poetry.

Establishing the five year plan was a comparatively simple exercise, because the organization had relatively little in place when I first arrived. Let me be clear: there was not NOTHING — there were plenty of folks doing excellent work for many years before I arrived — but there had been relatively little investment in security for a long time, so I walked into the place at a time when the leadership attention was changing for the better, and we could finally start investing in the build out of a Security program.

This first five year plan was like shooting fish in a barrel — it didn’t matter where, or in what order, I directed my attention — the impact was immediate and positive. Frameworks, vulnerability management, identity and access, training and awareness, security portfolio management, security assessments… all the building blocks of a basic security program were there for the implementing. It wasn’t easy, and it took the dedicated effort of serious Security pros to make this work, and we stumbled sometimes. But, overall, it wasn’t a huge strategy effort to make this happen.

Which brings me to the present question: What Comes Next?

Once you’ve done the obvious, then the next steps are usually NOT obvious, nor completely intuitive. This is doubly so in Security, where risk-based decision-making results in a series of trade-offs, gambles and finger-crossing, even when those decisions are based on the best available data.

When you read Security social media, Security Strategy usually follows these philosophies:

Focus on the Basics

For vendors, this means things like Asset Management, Vulnerability Management, Access Controls, Phishing stuff. For IT Staff, this can mean Change Management, Disaster Recovery Planning, or Technology Refresh. For Security, it can mean ensuring that controls, tools and services already in place are effective and well-utilized.

The problem with following this path is that although it’s probably one of the best things you can do, it’s not particularly sexy. And if you want to get increased funding, or political support, for your Next Big Thing, you need a constant track record of doing the Next Big Thing. It’s also a pretty bland effort to rally people behind: “Keep doing what you’re doing — but better”. Hardly the stuff of big dreams and motivational fodder. And, as we all know, folks in Security are Believers — they believe they are part of a Larger Whole, and their work is for the Greater Good. Keeping them motivated to stay to the True Path is an important leadership objective.

Vendor Consolidation

A current CISO topic of discussion is how to simplify your vendor portfolio. We Security Professionals have invested in too many tools and products, which is inefficient, and likely less secure as it’s hard to keep track of all the interrelationships between them.

Have you seen the vendor landscape lately? The Security Services sector is staying true to traditional economic market theory. Attracted by all the money to be made, the market is flooded with startups trying to crack the CISO inbox, to break into a market which is dominated by a few large players. Those larger players are playing the M&A game, trying to build platforms of products and services which will lure the trusting CISO into committing to a particular vendor for multiple years of strategic partnership. Many, many vendors will crash and burn before achieving that Unicorn funding milestone. Many more CISOs will be left holding on to products with no vendor support, or locked into a vendor agreement with a behemoth company too large to be agile or relevant. As with all immature markets, there will be a reckoning sometime in the (near) future, and when the Security bubble bursts it will painfully settle into a more predictable pattern.

Until then, the CISO has to set strategy without letting the chorus of vendor voices distract her from discerning what the institution needs now, and in 3 years, and in 5 years. For this research university CISO, there is no point in consolidating onto one mega platform — the technical debt wouldn’t support a single solution, in any product category, let alone across product types. There’s also only a limited tolerance for dealing with a really small startup — these vendors don’t have the scalable design or support structures that a large university requires. The economics of standardization are attractive, as is the agility that comes with working with a new vendor with a new idea. Either would play well with institutional leadership, even if the downsides are pretty intense.

I guess I’m waiting for that bubble to burst…

Going Big: Architectural Redesign

OK then, in the next five years, if we’re not going “back to basics” and we’re not consolidating onto one vendor platform, maybe the thing to do is to completely redesign security architecture to address emerging technology trends. This might mean going all cloud for the security tools/services portfolio. It might suggest a huge investment in Artificial Intelligence (those RSA vendors can’t be wrong!) or Machine Learning or BlockChain. It might mean outsourcing Security services to external vendors. It could mean jumping on the “zero trust” wagon.

These are all lovely ideas, each worth investigating. Some may even be worth doing. The challenge for the CISO is working out which of these redesigns will work with the direction of the Business, and with the strategic direction of Information Technology. Security tools and services do not function in a vacuum. Unlike the CIO, who can set technology direction for the whole organization, the CISO must align her architecture with what is already in place, or what the CIO wants to put in place. To set a new Security strategy, the CISO must redirect the entire organization to chart a new course, which doesn’t happen on a dime. And if the organization already has a lot of technology programs in flight (and I don’t know any that do not), then the CISO has to maneuver within these lists of programs. Building the airplane while in mid-flight — indeed.

OK, So I’m Over-Simplifying

Setting Security strategy is not a single sum game — it doesn’t have to be all one approach. I could, for example, go Back to Basics for some services, while I look to consolidate my Vendor Portfolio to a more streamlined and efficient end state, while I investigate emerging trends like zero trust or blockchain. And, the reality is, this is what we CISOs do all the time. A little bit of this, a little bit of that.

We need to make this approach cohesive for our stakeholders. How do you tell your general IT staff to get back to basics, while also engaging them to think big about blockchain? How do you get your CFO to invest in more licenses, or staff, or training on a new product, while also spending dollars on test initiatives for Artificial Intelligence? A Security team that needs to focus on basic blocking and tackling is not likely to be equipped to incorporate new technologies into their daily operations. And, when trying to sell this approach to a broader organization, you end up with a slogan that says “Get ’Em” — which isn’t a strategy at all.

My problem, and that of my fellow CISOs, is that there is no way to know what the potential outcomes of these strategies might be.

We can guess that an attack vector might involve phishing an individual to gain access to a network, to move laterally, to exfiltrate data. Statistically, we can intuit that it will be a known, old vulnerability which will be exploited to damage our institution. The data is there for the analysis. The problem is that it does not reflect where and when and how an event will actually take place. We can make all the strategies we want — one badly managed system, or disgruntled employee, or determined nation-state adversary, will ultimately call into question all our strategies. And hindsight will reveal that we took the wrong path, made a bad mistake, rolled the wrong dice.

I would love to be in a situation where I didn’t have to plan at all. Just go with my gut, respond to the next bright shiny thing when it appears before me. The concept of a five year plan, or even a three year plan, is pretty audacious in this industry. But without a plan, I cannot bring the organization along with me on this ride. If I don’t know where I am going, neither do they. And nothing is more important to a CISO than having credibility, and allowing the institution to trust in them, and in the Security Program.

My challenge, then, is to find a way to have a theme and to tell a story around a strategy that is, at its core, “Get ’Em”. I will need my best psychology skills, my best communication strategies, my best powers of persuasion. I will need peers who understand Security enough that they can understand Security nuances. I will need vendors who will be creative and flexible with their products and their pricing. I will need employees who are comfortable with ambiguity and changing priorities. I will need Board members who recognize their role in setting tone and risk tolerance at the institution.

I will need superior coping skills and stress management.

I will need more time.