Albert Einstein's aphorism that doing the same thing over and over again and expecting different results is the definition of insanity can be applied to the trendy exhortation to "speak the business language to the C-suite." Despite the irony of a genius defining insanity, there is some relevance to Einstein's statement as it relates to a continuing conundrum in information security: How can CISOs better communicate with the business side of the enterprise?
For the past 10 years, the same mantra has implored IT security professionals to learn to speak in terms of the core business. But this has not worked, as was made clear to me at the recent IT Security Analyst Forum, which brought together CISOs and industry analysts in London. Fourteen CISOs were asked their most pressing issue, and their universal response was no different than it would have been a decade ago: They needed help communicating with the C-suite and board of directors.
First of all, one must recognize that information technology is not the core business at a manufacturer, hospital or bank. IT is a support function, although in recent years it has become a driver of reduced costs, increased efficiency and in many cases dramatic improvements in profitability. But those very benefits are part of the security conundrum: The enterprise rushes to leverage the value of IT while continuing to ignore the IT security threats that already exist against those systems or will arise as they are deployed.
Thus, you get retailer Target Corp., which had modern point of sale (POS) terminals deployed in all of its stores -- terminals that ran Windows and were vulnerable to memory-scraping malware, which reads card data out of the terminal's RAM in the brief window before it is encrypted.
You have seen this played out in many organizations, maybe even your own. Back in the late '90s and early 2000s, viruses and worms were rampant; organizations deployed antivirus products everywhere and patched everything. But because no antivirus product catches everything -- and, in fact, invariably fails to catch the latest so-called zero-day threat -- the business language of risk management crept into the lexicon.
The CEO and CFO had no patience for lengthy technical explanations about catch rates, polymorphism or reducing attack surface. Auditors began examining IT security and shaping its vocabulary. New regulations spoke in nebulous terms about "security frameworks." More dollars went to compliance than to actual security, and CISOs were appointed to oversee risk management programs.
Few people are aware that the prevalence of risk management in IT security is due in part to Donald Rumsfeld, or at least to the way he influenced the Pentagon and eventually government standards bodies such as the National Institute of Standards and Technology (NIST). Between stints as Secretary of Defense, Rumsfeld was chief executive of a pharmaceutical company and a cable television equipment manufacturer. That is where he learned to manage risk. And while the risks that such companies deal with may be subject to statistical analysis, much like random computer virus infections, IT security threats quickly evolved into a much different animal: a determined adversary does not behave like a random process.
Target has become the poster child for focusing on compliance at the expense of countering targeted attacks. PCI DSS compliance, while a minimum requirement for retailers that handle credit cards, does not come close to defining adequate defense against determined attackers.
So, if talking about risks, metrics and the probability of loss is not working, what will?
Get a visceral reaction out of the C-suite
The answer is to talk threats. The C-suite is woefully ignorant of security matters and their impact on profitability, operations and, yes, stock valuations. While an option might be to hire Michael Chertoff or his compatriot Michael Hayden, or to pay the astounding rates of General Keith Alexander (newly retired from the National Security Agency, who according to Bloomberg is commanding $600,000 a month for his guidance), it may be much more useful for existing IT security personnel to throw away the business jargon and start educating.
Stop presenting risk scores and start talking about threats, indicators of attack and compromise, and threat actors. Was the CEO of Target even in a position to ask the right questions? If he had been briefed on the spread of a new piece of malware that stole credit card credentials directly from the memory of POS terminals, wouldn't he have asked, "What have we done to ensure we will not fall prey to this attack? Do we even know if we are already victims?"
Of course, answering those questions implies a different approach to IT security threats altogether. These are the questions that get asked at Lockheed Martin, by the Security Intelligence Center (SIC), a team Lockheed built to answer them. I visited Lockheed's SIC while researching my book on cyberdefense.
Lockheed CISO Chandra McMahon is empowered with a unique ability to talk to the C-suite. Her team presents a chart that lays out current attack campaigns that are active against their systems. This "Chart of Campaigns" is the greatest communication tool I have encountered for translating security threats to the business. Down one side is a list of named campaigns; "Cheesy Finger" was one I saw displayed on the overhead screen at the SIC. The name means nothing; it is the actions that are being tracked each step of the way through the now famous Cyber Kill Chain® created by Lockheed researchers to codify a methodology in response to their first targeted attack from China in 2003, according to Mike Gordon, a manager at the Information Systems & Global Solutions Security Intelligence Center.
Lockheed determines a campaign by extracting common elements from the attacks the company identifies using its network packet capture and malware sandboxes. Those elements may include IP addresses, the domains from which spear phishing email messages are sent, and even the particular executives at which those phishing attacks are aimed. The family of malware used and the methods of packing the payloads also contribute to valuable insight into campaign commonalities.
The Chart of Campaigns may have anywhere from four to 15 current and active campaigns. Across the top is each stage of the Kill Chain, and the body of the chart shows, for each campaign, which protections caught and mitigated the attackers at each stage that week. The further left on the chart a campaign is stopped, the earlier in the intrusion it was detected.
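The following is an added example, not Lockheed's code or anything from the original article, showing how the two preceding steps fit together: alerts are tied into campaigns by the indicators they share (sender domain, C2 address, targeted executive, malware family, packer), and the campaigns are then laid out against the Kill Chain stages with the control that caught each one. The alerts are constructed for the example, the campaign names are arbitrary labels, and the rule that a shared domain, C2 address or malware family links two alerts on its own while the weaker indicators need two overlaps is this example's own assumption, not a rule from the article.

```python
"""Build a Lockheed-style "Chart of Campaigns" from a week's alerts (added example)."""
from itertools import combinations

KILL_CHAIN = ["Recon", "Weaponize", "Deliver", "Exploit", "Install", "C2", "Act"]

# Assumed weighting (not from the article): a shared domain, C2 address or
# malware family ties two alerts together by itself; the weaker kinds
# (targeted executive, packer) only count when two of them overlap.
STRONG = {"sender_domain", "c2_ip", "malware_family"}
WEAK = {"target_exec", "packer"}

# Constructed alerts, not real data. Each records the Kill Chain phase the
# activity was seen in and the control that caught it that week.
ALERTS = [
    {"id": "A1", "phase": "Deliver", "control": "mail gateway",
     "sender_domain": "news-update.example", "target_exec": "CFO"},
    {"id": "A2", "phase": "Install", "control": "endpoint AV",
     "sender_domain": "news-update.example", "target_exec": "VP Eng",
     "malware_family": "Pluto", "packer": "UPX"},
    {"id": "A3", "phase": "C2", "control": "web proxy",
     "malware_family": "Pluto", "c2_ip": "198.51.100.7"},
    {"id": "A4", "phase": "Deliver", "control": "mail gateway",
     "sender_domain": "hr-portal.example", "target_exec": "CFO", "packer": "UPX"},
    {"id": "A5", "phase": "Exploit", "control": "sandbox",
     "sender_domain": "hr-portal.example", "target_exec": "General Counsel",
     "packer": "UPX"},
    {"id": "A6", "phase": "Deliver", "control": "mail gateway",
     "sender_domain": "invoice-mail.example", "target_exec": "Controller"},
]


def indicators(alert):
    """The (kind, value) pairs an alert contributes to campaign matching."""
    return {(k, v) for k, v in alert.items() if k in STRONG | WEAK}


def linked(a, b):
    """True when two alerts share enough indicators to belong to one campaign."""
    shared = indicators(a) & indicators(b)
    if any(kind in STRONG for kind, _ in shared):
        return True
    return len(shared) >= 2


def cluster_campaigns(alerts):
    """Union-find over pairwise links; returns {campaign name: [alerts]}."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(alerts, 2):
        if linked(a, b):
            parent[find(a["id"])] = find(b["id"])
    groups = {}
    for a in alerts:
        groups.setdefault(find(a["id"]), []).append(a)
    # Names carry no meaning, just like "Cheesy Finger"; number them by first alert.
    ordered = sorted(groups.values(), key=lambda members: members[0]["id"])
    return {f"Campaign-{i + 1}": members for i, members in enumerate(ordered)}


def build_chart(campaigns):
    """{campaign: {phase: [controls that caught it]}} for every Kill Chain phase."""
    chart = {}
    for name, members in campaigns.items():
        row = {phase: set() for phase in KILL_CHAIN}
        for a in members:
            row[a["phase"]].add(a["control"])
        chart[name] = {phase: sorted(controls) for phase, controls in row.items()}
    return chart


def earliest_catch(row):
    """Leftmost phase where a campaign was stopped, or None if nothing caught it."""
    return next((phase for phase in KILL_CHAIN if row[phase]), None)


def render(chart, width=14):
    """Plain-text chart: campaigns down the side, Kill Chain phases across the top."""
    lines = ["campaign".ljust(width) + "".join(p.ljust(width) for p in KILL_CHAIN)]
    for name, row in chart.items():
        cells = ["/".join(row[p]) or "-" for p in KILL_CHAIN]
        lines.append(name.ljust(width) + "".join(c.ljust(width) for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_chart(cluster_campaigns(ALERTS))))
```

With the constructed alerts this yields three campaigns: A1 through A3 are tied together by the shared sender domain and malware family, A4 and A5 by their sender domain, and A6 stands alone. A4 shares only a targeted executive with A1 and only a packer with A2, so under the assumed weighting neither is enough to merge it into the first campaign; in practice that threshold is an analyst's judgment call, and the value of the chart comes from the controls column, which shows the board where each campaign was stopped.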
This method of communicating with the C-suite creates a visceral reaction. These bad guys are trying to get our stuff. We must take all measures possible to stop them!
Can't track campaigns? Don't have that sort of visibility into your network? You don't reverse-engineer malware? Then you have a lot of work to do. Take a visual page from Lockheed and begin replicating what they have. Talk to the vendors that are slowly making these network visibility and malware analysis capabilities available. Or look for a managed security service provider, many of which are beginning to delve deeper into this level of service.
If you start communicating in terms of attacks, threat actors and campaigns, do not be surprised if you start getting questions like: What more can we do? What resources do you need? Do you need more staff? This will be a refreshing change from a polite "thank you" and the quick shuffle of your report to the bottom of the stack. Truly, it would be a first for most CISOs.
About the author:
Richard Stiennon is chief research analyst at IT-Harvest and co-founder of securitycurrent. Stiennon is the author of Surviving Cyberwar (Government Institutes, 2010) and recently joined the advisory board of the Information Governance Initiative. His past positions include vice president of threat research at Webroot Software and a vice president of research at Gartner Inc.