With the recent attacks on U.S. organizations in the commercial and public sectors, many companies have asserted they have done everything in their power to prevent further incidents. Most of these claims are tied to adherence to regulatory compliance. In theory, security policies put standards in place to protect organizations, stakeholders, and users. But in practice, security policy often becomes a distraction, forcing organizations to focus on satisfying the demands of a governing body or an auditor, rather than addressing real threats. Behaviorally, organizations become more concerned with meeting these standards than protecting the business.
The Disconnect – Policy vs. Modern Threats
A disconnect exists between the policies, the threat landscape, and the business decision makers. Well-intentioned policymakers develop policies to enable organizations to protect themselves. But implementing policies without focus on critical assets and business requirements only manages to pass audits, rather than stop attackers. Most cyber defenders spend their days detecting and responding to threats, working to constantly adapt as the threat changes. Business decision makers fund policy-, compliance- and regulation-driven projects. And when there is a breach, business decision makers cite their compliance and regular audits as evidence of responsible behavior. This disconnect results in the current cyber environment: organizations struggle and cyber attackers thrive.
The Payment Card Industry Data Security Standard (PCI DSS) is an instructive reference for a discussion on the disconnect between policy and the threat landscape. PCI DSS is mandated by payment card issuers. PCI DSS was created to protect cardholder data and to reduce fraud. It is implemented and used around the world by organizations of various sizes. Despite this compliance, there have been a number of major retail breaches in the last two years. In many breach announcements we see statements to the effect of, ‘<insert breached company name> follows industry best practices and compliance mandates’. Compliance alone is not sufficient. Compliance is not the end goal. It is the beginning of organizational introspection.
In addition to external compliance, organizations make their own internal security policies. When creating a security policy, the authors must recognize the operational constraints of the implementers interacting with the information systems. These policymakers must also focus the policy on a threat-centric and response-oriented approach. For example, creating a requirement for daily log review is well intentioned, but it is too vague and provides little rationale for follow-on activity. Following such a compliance requirement creates tensions that disincentivize security teams. The business decision maker may take the policy requirement at face value and provide minimal funding to achieve compliance. This essentially creates an operational model where the auditors and regulators become the adversary, as opposed to the real enemy: the cyber attackers.
This disconnect between policy and the reality of breach detection, however, doesn’t need to be the norm. Fixing the problem takes communication and a better understanding from security teams, decision makers and policymakers. Collectively, these groups can decide on the risks to the business. Let’s dive into the steps and the considerations business leaders can take. These steps help ensure that leaders are implementing the best security policy possible and addressing the real threat landscape.
Focus on business risk
In an ideal world, policy ensures balance between progress and security. Achieving this balance takes a focus on risk measures that protect the assets most important for the business to operate. Risk assessment empowers management to better identify and evaluate the right level of risk for their business, while maintaining the appropriate controls to ensure effective and efficient operations and regulatory compliance.
Policies are put in place to mitigate business risk. Yet there is a disconnect between policy and operations. The business and security landscapes evolve much faster than policy does. This results in businesses acting on policy not aligned to current threats. Instead of investing in measures against cyber threats and in breach detection, the business is distracted by a focus on passing audits. If the policy hinders core business delivery, the policy may be more harmful than the threat.
Let’s use a logistics company as an example. Logistics companies move packages – much like a network moves packets. For a logistics company, anything that slows down delivery is damaging to the business. If policy slows down deliveries, it can be more harmful than a breach. Policymakers need to consider the threat model and ultimately, the business risk.
In place of focused efforts, policymakers often go too broad. This is done so policy can be “one size fits all” for the industry and allow for flexibility in implementation. Mandates to monitor all servers or protect all data, for example, are too broad and realistically unachievable at any level of depth. These broad standards fail because they result in shallow and minimal defensive implementations. Rather than trying to protect everything, policymakers must think with a focused business mindset. The goal should be to help implementers identify what threats would introduce the biggest business risk. From there, they should shape the policy around protecting the most critical assets required to conduct business.
Collaboration and Communication Are the Key
Management boards and execs speak in terms of revenue and risks. Auditors speak the language of compliance and governance. Security practitioners talk in terms of attacks and vulnerabilities. Teams that can relate to each other's language do well for themselves and for the organization.
Auditors and cyber practitioners provide the best business value when they work as partners. When auditors make regular visits outside of auditing days, they can better understand the environment, build relationships and set expectations. Both auditors and auditees should be transparent about what they need to do their jobs successfully. This allows both parties to align for overall business success.
Auditors and managers should also take into account that the threat landscape evolves faster than policy can keep up. IT and security teams must learn to communicate with business decision makers and policymakers in terms that resonate. Technical staff should translate cyber metrics into terms that make sense for regulators and business decision makers. This will allow the practitioners to build a strong business case and influence the decision makers. For example, if a board demands the security team decrease response times from two days to four hours, the security team should communicate the cost involved as well as the changes to the overall business risk. Conversely, the policymakers should communicate acceptable outcomes with specific examples, e.g. "it is acceptable for a kiosk system to be compromised for more than three days" or "it is not acceptable for the web application to be offline for more than 3 hours."
Some things to consider for these conversations are: What is the real-world cost versus the end benefit? Do all systems really need to be protected at the same level? Where are the opportunities for risk transference and risk reduction? Answering these kinds of questions allows for better-informed decision-making and more focused policy.
Incentivize personnel to be proactive
The human element is vital to implementing an effective security policy. Although most security practitioners carry out their jobs well, their efforts often go unrecognized. It’s not until a breach occurs that the security team gets attention - usually in a negative fashion. If it takes two weeks to spot a breach, the team should not be chastised for not spotting the breach sooner. Instead, they should be praised for being proactive, and then challenged and enabled to spot breaches faster.
Leadership should focus on the real enemy – the attacker. In recent post-breach debates, there has been tremendous criticism of the defenders and their leaders. For example, Office of Personnel Management director Katherine Archuleta stepped down after it was discovered the OPM breach was larger than originally reported. There is always room for improvement and all organizations should challenge themselves to improve, but publicly shaming the victim is not productive and demoralizes the team.
Cybersecurity extends beyond the cybersecurity staff. Encouraging a culture where employees in all departments are praised for being proactive about security becomes a self-fulfilling prophecy – the positive feedback reinforces good behavior that ultimately makes security top of mind across the organization.
Incentivizing positive security thinking can have far-reaching implications. With proper recognition, even non-technical teams, like marketing, can be motivated to have a security mindset and protect the interests of the company. Oftentimes, employees may not take proactive action due to lack of knowledge, fear of repercussion, fear of being criticized, or fear of stepping on someone's toes. It's important to dispel these fears. All employees of the company should be incentivized for breach detection. The security burden should not just fall on the shoulders of security teams. Security is an organization-wide priority.
The bottom line
The bottom line is that breach detection is about reducing risk, not about checking a regulatory box, and not about protecting all things from all attacks. Policy should focus on business risk. To do so, regulators must think of the security team as a precious resource. Policy must empower security operations teams to be agile and fight threats to the business rather than battling auditors. Likewise, security teams must consider policymakers as equal partners with the best intentions for the business and mission.
Security is everyone's responsibility. Securing the business requires trust that each employee is valued for his or her contributions. Getting there takes open and constant communication where operational security teams, policy teams, and the broader workforce work together for the benefit of the business.
The third and final article will detail a specific case study, in which these best practices are successfully implemented.
About the Author
Monzy Merza serves as the Chief Security Evangelist at Splunk, Inc. He has over 15 years of tactical and cyber security research experience in government and commercial organizations. His experience has included vulnerability management, security product testing, penetration testing, adversary modeling, cyber tools and infrastructure development. He has also served as content developer and instructor for cyber trainings and red/blue team exercises. Monzy has been an invited speaker at government and open conferences. Monzy's current research is focused on integrated approaches to human driven and automated responses to targeted cyber attacks.