The Forgotten Questions
Looking back at my days as a Chief Information Security Officer, I was always a very early adopter of technology. I remember with pride many successful and some less successful projects to roll out one form of new security tech or another.
As with any successful project the starting point was always some form of need. Some key capability that the company was missing and needed to add to its complement in order to defend the homeland.
So, I would send out the scouts to search the distant lands for technologies that could fill the need. They looked at new features and products from established players; they looked at wholly new technologies and beta products from small start-ups around the globe.
Eventually the team would pick a few options to test in the lab. After detailed trials they would select a product, make recommendations, describe the pros and cons with respect to the other options and as the CISO I had to ask the first question…Is this the right product to fill the need?
If I concurred with the team’s recommendation, then the team was now off to implementation and operation. Hopefully the first question was answered correctly!
To understand how the project was going, there were regular reviews and we’re always asking the second question … How many widgets do we have to deploy and what percentage had we completed? There’s obviously a lot more to a successful implementation but if there had to be one metric, this was a good one.
Implementations were sometimes simple but more often than not they were complex, especially if they required application integration or the deployment of Yet Another Agent (YAA) on endpoints.
Usually, when one got to 99.9% complete in the deployment, out came the champagne and project completion was celebrated. There was always the next project waiting. There was always the next hole to plug. When we live in a world defined by the “looming crisis”, our attention spans can be short.
But before victory can be declared, we need to ask a third…actually two more forgotten questions. The first and most common forgotten question is … Did the product actually fill the need? This is sometimes readily obvious, but in other cases it will take time to really answer.
The second and less obvious forgotten questions is … Is the product that was deployed and operational last week, still operating as expected? Is the agent corrupted? Is the process stopped?
When Sony was hacked, one step the bad actor took was to disable the AV on the endpoints and no one noticed. No one was asking the second forgotten question.
There are also studies that show in complex environments, especially where multiple endpoint agents play a role, the interplay between different agents, over time causes a decay in the actual operational health of the tools. So, the protections are not operating as expected and no one is noticing because many people aren’t asking the question. The longer you go without asking the question, the greater the degree of decay in the effective operation of the protections.
As the CISO, it is your responsibility to never stop asking questions.
You get to ask and answer the first question once during the life of the project.
You get to ask and answer the second question until the project is done.
You hopefully ask and answer the first forgotten question at least once, if not once a year.
And you can’t forget to ask and answer the last question every day for the life of the product in your environment.