The role of CISO these days requires a strong moral compass: You have to be the one speaking up for the protection of customer data and be ready to handle uncomfortable situations such as pressure to downplay an actual breach. Do we admit that a data breach has occurred or just call it a system glitch that caused some minor accidental data visibility? CISOs are tasked with crucial, timely decisions to avoid legal repercussions.
Adding to that pressure, recent legal discourse around cybersecurity breaches has focused on whether the company or individual in charge had done enough to protect the company and customer data from cyberattacks in the first place, as well as how they handled any notification to affected customers. There have even been high-profile court cases involving CISOs who oversaw the response to a breach in which the CISOs themselves faced legal consequences.
There is clearly a focus on ensuring companies and CISOs exhibit due care in protecting their clients’ data. This requires enterprises and smaller and less mature organizations alike to take a new look at their multiple layers of defense and ensure that each layer is implemented appropriately.
In short, CISOs must layer-up their security programs. Here are three concrete areas to focus on.
People skills: Hiring strong security analysts
Often the most underrated component of a security program, skilled people can be the most valuable security layer by far. We need to move beyond looking at people as replaceable cogs in a machine and recognize the unique and individual talents that security professionals bring to the table, as well as learn to recruit and hire for the right skills.
I have learned to look for four attributes that make someone a strong information security professional: “how” skills, “what” skills, drive and effectiveness. Through the interview process, I look for the intersection of three or four of these areas to find the most successful people. Here’s what they entail:
- “How” skills encompass the foundational knowledge of the innards of operating systems such as Linux and its audit framework, as well as Python scripting skills that allow someone to perform forensic investigation.
- “What” skills are evidenced by real-world experience performing specific activities, such as investigating OWASP Top 10 code vulnerabilities in web-based applications.
- Drive is essentially an intellectual curiosity to go one step further, ask the right questions and show an ability to go deep, for example by constructing your own tools and frameworks to speed up investigations.
- Effectiveness refers to a track record of success and the ability to perform consistently in the sort of “always-on” mode that modern SecOps teams expect.
While some of these skills can be taught, you can save time by leveling up your team with new hires who possess some combination of these. And the drive and motivation to go after hard problems and constantly innovate is something that sets strong professionals apart. When disaster does strike, the security analysts with that extra drive are the ones you’ll want to have by your side.
Process improvement: Incident response
Many security teams spend the lion’s share of their budgets trying to reduce the likelihood of an adverse event, but only a fraction of their budget trying to reduce its impact. But real-world evidence shows we must “assume breach.” In fact, IBM’s 2023 “Cost of a Data Breach” report found that 95% of companies studied had experienced more than one breach. If a successful attack is inevitable, CISOs must focus on how to handle it properly to reduce the blast radius by limiting the number of data records affected. That in turn helps limit legal repercussions and other costs associated with a privacy breach, such as compensation for affected customers.
Companies need an incident response process that’s nimble enough to respond quickly without being too prescriptive. The business mindset, especially in the tech sector, is often focused on agility and time to market. Sometimes this mentality is seemingly at odds with security and compliance, and requires the CISO to implement mitigating controls.
I was able to support this agile business mindset in my work at Jotform even as I implemented the relatively structured controls of the SOC II Type 2 framework. During my first 90 days on the job, I had to do a quick process-maturity assessment to see where we needed improvement. We needed to implement security standards in cloud infrastructure and web application development. But most importantly, I found that establishing repeatable processes for incident response and investigations was a key contributor to success, making the correct and timely call on a data breach investigation.
For example, customers can sometimes think there is a data breach in one of their SaaS platforms when, all too often, the root cause is a misconfiguration or user error on the customer side. As an incident response team investigating this type of customer concern, it is critical to have well-documented and repeatable processes to ensure that you can develop a clear picture of what happened to support making the right decisions and making them quickly. If you fail to report something that is an actual data breach in a timely manner, that’s when legal repercussions are going to hit.
Technology temptations: Choosing the right solution
There are two competing temptations in the technology landscape that the seasoned security professional must navigate.
The first is the temptation to totally trust the power of the tool. An overly optimistic reliance on vendor tools and promises can fail to identify security issues if the tools are not properly implemented and operationalized in your environment. A shiny SIEM tool, for example, is useless unless you have clearly documented response actions to take for each alert, as well as fully trained personnel to handle investigations.
The second temptation, which I believe is more prevalent within tech and SaaS companies, is to trust no tool except for in-house tech. The thought process goes as follows: “Since we have a solid development team, and we want to keep a bench of developers for any eventuality, we need to keep their skills sharp, so we might as well build our own tools.”
It’s a sound argument — up to a point. However, it may be a bit arrogant to believe your company has the expertise to develop the best-in-class SIEM solutions, ticketing systems, SAST tools, and what have you. While open-source technologies can certainly be foundational for many of these software needs, the amount of customization and configuration that teams invest to operationalize tools developed in-house may be cost-prohibitive, and the trade-off is often that professionals end up spending time on areas outside their expertise, lowering efficiency.
For subject matters outside their corporate key competencies, companies should perhaps embrace a term of yesteryear: the concept of “package enabled reengineering,” which was so popular in the 1990s. For those who didn’t live through those days, the gist of it is that a vendor who specializes in a particular space – let’s say: automated incident management – may in fact have the best insights and have developed a truly best-of-breed solution to fit this need.
Built into this solution will be best-in-class practices and processes that companies can easily adopt instead of inventing their own. Thus the business should re-engineer its own incident management practices to match the workflows that already come out of the box from leading-edge providers — a legally defensible approach to demonstrating due care, all at probably a fraction of the all-in cost of developing and maintaining an in-house solution.
The right responses
Layering up security can reduce the risk of your company becoming the target of a court case. But even in the court of public opinion, if something bad does happen, cybersecurity executives often have to prove that they did enough to try to prevent the data breach, and that they handled everything with the right level of transparency.
As much as skilled staff, repeatable procedures, and good tools can help, if something bad does happen, the responsibility for decision making and communication usually ends up on the CISO’s plate. Being up front and straightforward with your communications to customers, regulators, and the general public, demonstrating both due diligence in implementing protections and due care in resolving incidents, is the best way to keep yourself as well as your employer out of legal hot water.