Fears of a CISO: Keeping Up in the Cat-and-Mouse Game
Information security is often referred to as a cat and mouse game, and one in which defenders are inherently disadvantaged against attackers. This disadvantage is usually thought of as stemming from the fact that defenders must defend all possible attack paths, while attackers simply need to find one feasible path in order to accomplish their goal. As such, attackers can maintain a level of agility and iteration that is overwhelmingly out of reach for defenders — thus leading CISOs to feel that they’re continually behind in understanding and defending against the latest threats to their organization’s security posture.
However, a key difference between defenders and attackers is also their mindset — defenders typically are reactive, while attackers are proactive. It’s understandable that a defender who is continually trying to plug new holes and specific attack paths as they arise will constantly feel behind — and overwhelmed.
CISOs do have challenges with integrating new inputs into their defensive models, such as new attack surfaces or new attacker methods. They also need to consider what they’re already supposed to be taking into account, and whether or not they’re doing so properly — a sort of ongoing maintenance. Thinking at a higher level, attackers use tactics that tend not to change as rapidly as the underlying methods. Many of the security hygiene “basics” — such as network segmentation, not using default credentials, two-factor authentication, role separation, and so forth — will help protect against a variety of tactics across many different underlying methods.
CISOs should consider their security strategy from the tactics point of view, and brainstorm which security tools or processes help reduce the most risk across as many of those tactics as possible. Being overly concerned with niche attacks is rarely worthwhile, and can even engender the continual firefighting that contributes to the sense of falling behind. While tools and techniques used by nation states or other sophisticated actors do trickle down to the more common criminal enterprises, worrying about the latest, high-skilled attack is irrelevant given that few companies can even attest that they can protect against the common attacks of today — or even of one year ago. Determining how to improve one’s security hygiene to cover those bases should be first on the list before considering more advanced adversaries.
As CISOs consider how to ensure that their security strategy is covering the basics appropriately to be more resilient to change, they must include feedback from an attacker’s point of view. Organizations must have attacker mindsets embedded into their security culture, either through building red teams* internally, hiring team members with offensive experience, or engaging with red teams externally. Adopting the attacker mindset will help improve the security culture so that new — and even existing but unknown — avenues of attack can be uncovered on an ongoing basis, and to help think creatively about what sort of defensive mechanisms cut off as many attack paths as possible.
*[A red team is a benign hacker team that helps the organization understand its potential weaknesses in security.]
CISOs are also concerned with increasing attack surfaces. As more organizations become engineering-led, CISOs must keep pace with what technologies are being used. Developing a strong working relationship between the security and engineering organizations can help CISOs stay abreast of new technologies on the horizon, and proactively plan for how to address additional risk going forward. When considering transformative technologies such as the cloud or containers, CISOs shouldn’t assume existing security strategies can be easily ported. A partnership with the engineering team can help determine what security strategies will work with the technology, rather than hinder its benefits. Additionally, a strong relationship with engineering will ensure CISOs are aware of additions to the organization’s technology stack, so that they can be included in building the organization’s security strategy when considering what assets need to be protected. If CISOs don’t communicate with their engineering teams, or relegate security to those teams, new technologies will be an unwelcome surprise, and securing them will become a reactive exercise rather than an anticipatory one.
It’s easy to focus on the latest, most intriguing type of attack, but CISOs must take a step back and consider whether they’re truly resilient against pre-existing threats. Maintaining strong security hygiene through implementing best practices that address the “basics” — and monitoring to ensure these practices are enforced — will serve as a foundation on top of which new tools or mitigations can be added in case existing mitigations don’t address the newest threats. If CISOs focus on adding mitigation after mitigation that is solely focused on addressing one kind of threat at a time, they’ll be destined to a life as the proverbial mouse.