Key Takeaways
- Security leadership requires clear communication to non-technical and non-security professionals.
- Defenses should consider the impact to the business, not simply the technology.
- Clear communication distils what is happening or could happen, the impact to business operations, and actions that can be taken.
- Most professionals focus on their own goals and are security-agnostic. To prevent a crisis, leaders should align motivation and incentives to those goals.
A Leader’s Guide to Cybersecurity provides details and materials needed to help security practitioners better articulate risk to senior managers and board members that are not directly involved in cyber risk. Written by two members of the Archefact Group, one of whom worked with the US National Security Agency to defend the nuclear arsenal, the book quickly lays out a path to identify the cybersecurity problem along with four principles of how to manage and communicate in a way that would prevent a crisis.
The authors articulate, "cyber risks are nothing more than cyberattacks that cause business risks to materialize." The book maps out the problem that boards and decision makers may be aware of cybersecurity in a business but "don’t know what questions to ask ... or what constitutes a good answer."
This initial problem lays out the foundation for the four principles that senior IT managers can apply to address this:
- If you don’t understand it, they didn’t explain it.
- It is the business at risk.
- Make cybersecurity mainstream.
- Engage motivation.
Chief among the initial problem statement is the misalignment of incentives for improving cybersecurity. The Leader’s Guide discusses the role of changing risk where breaches of current defenses are perceived as inevitable, so there is often, "no motivation for the cybersecurity function within an organization to change from approaches that aren’t effective to one that is." Using antivirus as an analogy that mirrors Web Application Firewalls (WAFs), the guide continues, "there is no blame if it doesn’t work, so long as it is in place." Rather than accepting this status quo, the book shifts attention toward the leadership of risk management as it applies to the business, rather than simply checking a box.
The Leader’s Guide is direct, concise, and clear with regards to applying its major principles. In the first principle, "if you don’t understand it, they didn’t explain it," the guide lays out a clear consequence of ineffective communication that does not lead to an action or decision:
"Without relevant and understandable information, you can’t assess your company’s activities, current approach, resilience, or capacity to respond to attacks."
The guide uses examples to identify the way in which risk manifests itself to different businesses. For example, the major Target Breach suffered a problem of alert fatigue: a human team overwhelmed by a deluge of alerts and security events. Another example was a custom attack on sewage control in the Maroochy Shire, where an attacker was able to take control of SCADA pumping systems and flood a rainforest, PGA golf course, and beach with over 264,000 gallons of raw sewage. The attack did not require physical access to the locked pumping stations. In each case, the authors lay out a series of lessons-learned to better understand how the risk occurred, moving from cyber problem to business problem. For example, instead of discussing radio controls that lacked authentication (a technical risk), a clearer articulation would discuss the impact of permitting anonymous users in-range to dump raw sewage (a business, health, and environmental risk).
The Leader’s Guide deals well with the topic of motivation, identifying reasons that people ignore security controls and how to make the right things happen. The authors lay out several examples where a well-intentioned security control was put into place but interfered with normal job functions, encouraging people to go around it. By making cybersecurity mainstream and incorporating motivations into security controls, the book provides advice on preventing many types of issues. As people work in their normal roles, "they don’t get bonuses for missing a deadline, even if the reason is to prevent a downstream cyber incident." The other concept of motivation deals with the role of accountability or blame. While each has a position, the authors indicate,
"We have seen many cases where the fear of personal blame has resulted in staff keeping critical information about cyber risks and vulnerabilities from company leadership ... Even the mistaken perception that they could place blame can prompt some staff to put a somewhat misleading positive spin on their reports."
As readers use the lessons learned from this book, they can understand what questions to ask so that they can learn about their own business and IT risk, this lays out a lens through which they can understand what is or is not being communicated to them.
The book aims on helping leaders focus defenses on what the company actually does, declaring "if a cybersecurity team doesn’t know the details of how a business activity is conducted, it won’t be able to ensure the business is properly protected." If further states that "systems that are not based on an understanding of what a company does are inherently incomplete because they can only protect against generic attacks." The root cause of many breaches often stem from basic fundamentals rather than aspects that are unique to an individual business. For example in the breach of Equifax, whose former CIO is currently serving a prison sentence, the root cause was a failure to patch a documented flaw in Apache Struts. When aiming to improve the overall cybersecurity posture of an organization, leaders build on top of these fundamentals, including ways to verify them.
The authors deal with verification of controls a key component of leadership. Security controls are only effective if and when they are in place, and this presence needs to be verified, independent, and up-to-date. Speed and accuracy is paramount: "you don’t want a process so complicated that the answer is out of date by the time you receive it." The process of gathering data, whether it pertains to a current incident or incident prevention, needs to be swift. With many scan-based technologies available, many organizations are only obtaining strobe-light visibility of their security posture. Running a report may take significant time and then only reveal the posture of what was current as of several days, weeks, or months ago. By moving towards continuous verification, leaders can move from having strobe-light checks of security or compliance weekly or monthly, to near real-time event detection.
Early on, the authors address the notion of the "chimera of compliance." The term chimera has two key definitions: a fire-breathing mix of lion/goat/serpent in a single animal, and a thing that is hoped or wished for but impossible to achieve. In essence, the definition of compliance is strange-looking beast and achieved so irregularly that it is almost mythical. Deriving from their time in consulting and handling compliance standards such as PCI-DSS, NIST 800-52, and ISO 27000 series, the authors communicate significant expertise to differentiate between checking a compliance box and securing an asset.
The authors note that certain standards may indicate what is not compliant but do not provide guidance on how to move the item into compliance. Otherwise, they observed the common state that many organizations are "perennially noncompliant with corporate standards." In one example used, a breach of Singhealth, the book lays out a series of occurrences where auditors gave a clean bill of compliance but the organization was compromised. While a no-finding audit may seem desirable to many at the time, these often simply shift costs forward: the audit was paid for, a breach happened, and the breach incurs significant cost. Post-breach, many organizations must patch the root cause plus anything else that was harmed after attackers made their beach-head, then the organization must deal with any regulatory/financial fall-out based on the type of data lost. Those previous clean audits offer no assistance in the aftermath, as they have been proven deficient.
The third part of the Leader’s Guide deals with the responsibilities that a leader has to lead and influence teams. The strategies covered this section provide details for managing cyber risks, fortifying a company, and leading in crisis. Evaluating the way to lead in crisis before a crisis happens better helps people navigate the fog of war by knowing some level of interactions. These plans help leaders learn from the mistakes of others. For example in the same Equifax breach, the organization did not have a response plan in place and spent time directing users to a fake phishing site for credit monitoring protection. While the phishing site said Equifax, the Equifax team did not know who set it up and many items were not on the standard equifax.com domain anyways, leading to confusion. By covering restoration and response plans, the Leader’s Guide helps readers plan ahead to avoid a similar catastrophe.
A Leader’s Guide to Cybersecurity ends with a series of aides - practical go-to examples that readers can leverage as examples that can be tuned. These aides seek to distil the knowledge from the book into something that can be used later as a take-away within the reader’s own organization and career.
About the Book Authors
Thomas J. Parenty is an international cybersecurity expert who started his career over 35 years ago at the National Security Agency, where he focused on protecting global nuclear command and control networks from foreign cyber attack. Thomas has testified five times before the U.S. Congress on encryption, national security, law enforcement and global competitiveness, as well as served on a National Academy of Sciences board evaluating the quality of NIST's cybersecurity activities. He advises the leaders of multinational corporations on confronting their cyber threats in his role as cofounder of cybersecurity firm Archefact Group.
Jack J. Domet is a management expert with more than 25 years experience in helping multinational corporations adapt to shifts in technology, globalization, and consumerism through organizational change. He is a cofounder of cybersecurity firm Archefact Group, where he focuses on building leadership and organizational capabilities in digital stewardship.