At the 2013 ISSA International Conference in Nashville, Tenn., this month, Emily McLaughlin, assistant site editor with SearchCompliance, sat down with Jay Leek, senior vice president and chief information security officer at The Blackstone Group LP. She wanted his take on enhancing IT's visibility and responsiveness to provide effective information risk management and security for corporate systems, a topic session he led at the ISSA conference.
According to Leek, the vast majority of instances in which organizations see their security compromised stem from users clicking on suspect links and opening dangerous attachments. How can CISOs better prepare their people to fend off security threats? In this Ask the Expert video, Leek explains how to secure a network and shares his three-step process for protecting corporate systems.
Approximately 75% of corporations' security efforts are focused on prevention planning. What should CISOs do differently to protect corporate systems?
Jay Leek: I think you're exactly right. We have probably focused approximately three-fourths of our budgets, our resource allocation and our processes that we've tooled around our technologies and our people on protecting the organization through preventative controls when, in reality, this is not succeeding today. It's so easy for an end user to click on a link or open an attachment, and then you have a compromised host. And because this is so easy, and not the advanced persistent threat that we often think about, there's nothing advanced in clicking on a link or about opening an attachment. Yet, that's how 90-plus percent of compromises happen today in organizations.
So, as we're looking at our programs, we should be thinking about it, not just from a preventive side, but planning that we're going to get compromised because it's so easy. If we start putting on the hat of planning to get compromised, then we start thinking about what are the mechanisms I need to have in place to detect that this compromise is on my network, to somehow prevent that compromise from creating harm to my organization, and then ultimately get it off my environment before it does create any harm.
In order to do this, we should be focused a lot more not just on trying to prevent it from happening, but we need to gain more visibility into what's happening in our environment. By gaining this visibility, it allows us to go back and mine this information after the fact if something happens, because I don't know what happened. I might not know about a compromise taking place right now, because it's a zero date. Nobody knows about it. But if I had visibility into what's going on in my environment, and I can keep a record of that, I can then go back and ask my environment later on, if something that I now know about was present at some given point in time.
More coverage from ISSA
Attendees discuss security roadmaps and more
Latest cybersecurity trends from ISSA
Whistleblowing, geolocation threats and real-time risk
Secondly, I need to invest more in intelligence. I need to know what's happening in the world around me, but also what's happening in my environment. So, intelligence is not the vulnerability that we think of. It's a lot more complicated than that.
And then, the third aspect to focus on is response. We react too much, or too often, to things that we detect, so we don't prevent it. We do a little bit of detection, and when we do, then we react. And in reality, if we plan to get compromised, then we know it's eventually going to happen, so what can I do? Well, I can plan to respond.
I would lay those three changes of your program out in the order I just now described them: more focus on visibility, more focus on intelligence if you're not already doing it, and then transforming your reaction -- that you're typically doing in your response work -- to a true response. And I put that intelligence between visibility and response, because that gives you intelligent visibility and intelligent response.
Let us know what you think of this story; email email@example.com.