Expect to Fail: How Organizations Can Benefit from a Breach
By Tyler Farrar, CISO, Exabeam
The Chief Information Security Officer (CISO) is one of the most prominent and well-paid positions in digital security. As CISO, you bear primary responsibility for protecting your organization’s data, you play an important part in business strategy, and help secure the future of the company. Some regard the CISO role as the pinnacle of a career in cybersecurity. Security analysts, the entry-level members of a SOC team, enthralled by the challenges and rewards of detecting threats and preventing breaches, often aspire to this role in the C-suite.
As they advance up the chain of command, however, they quickly discover that the CISO role is not as glamorous as it looks from below. The job is rife with stress and intense pressure to keep the organization compliant with governance and regulatory requirements, and nearly half of CISOs cite human error and a lack of cybersecurity understanding as the most critical threats confronting enterprises today.
The rigorous demands of the job keep 90% of CISOs up at night, and many opt for a career switch. Much of the tension can be attributed to long hours and the misplaced idea that security professionals can eliminate all threats. Misaligned expectations lead to a culture of fear and blame in which mistakes are unacceptable, and that fear has only intensified now that a CISO can face federal charges if it is proven that they failed to properly handle a security breach. Scapegoating CISOs for security incidents is not new; many have been publicly blamed or fired for such incidents. But new accountability measures from the federal government have made a CISO’s job even more difficult.
For those hesitant to take on the CISO role because of the pressure of failure and its career implications, I would argue that a healthy outlook begins by recognizing that failure will happen. In cybersecurity, managing an incident is not a question of if, but when. The biggest difference is in how you prepare.
The best laid plans…
Protecting an enterprise from the continual threat of financial or reputational damage is a tall task. CISOs also live with the fear that, despite taking all reasonable precautions to mitigate cyber risk, some threat will eventually get past the defenses and cause harm.
Wise security experts know that threat actors aren’t standing still. They are constantly changing their tactics and approach to remain unpredictable to even the most seasoned security professionals. Consider this: you’ve invested time and effort into creating an incident response plan, and your team has been trained, giving you full confidence that they’ll know what to do if and when a breach occurs.
When the breach happens, however, you discover that the incident response procedures weren’t adequate and that you failed to account for the breach’s impact on the firm. No amount of training or practice fully prepares SOC personnel for the harsh reality of a live security incident; no exercise captures everything that occurs during a breach, least of all the gravity and intensity that accompany it.
…of mice and men often go awry
As the famous quote indicates, even when you plan carefully, something will go wrong. That’s why reducing human error is crucial for cybersecurity. Given that around half of CISOs consider human error to be the greatest threat to enterprises, making everyone in the organization accountable for cybersecurity is an effective way to preserve data privacy and security.
Working together to proactively identify and avoid cyber risks lets an enterprise build a well-vetted planning stage, one in which the security operations and threat detection teams know the likely outcomes of an incident before it happens. This includes forming the appropriate functional teams and ensuring that everyone understands their duties. Regularly testing backups, and rehearsing how critical operations are recovered from them, goes a long way toward ensuring that incident response plans are fully built out and that the human error component of an incident is minimized.
Existing in a risk-aware culture
Many private sector firms are incorporating risk awareness into company culture by adding risk management training for every employee. Rather than placing the whole responsibility on the CISO, create shared accountability across the firm. It is critical to be adaptable and to adjust to changing conditions.
The more personnel you train to look out for new dangers, the less likely the company is to be caught off guard by a vulnerability. To begin, a CISO must give employees a basic understanding of risk and a shared vocabulary for it. Explain the processes for managing risk and identifying potential problems. Next, give employees a well-defined mechanism for reporting risks; they will be more likely to flag potential issues before they become problems. Finally, use technology to gather risk-related information, boosting transparency and fostering a risk-aware culture throughout the organization.
Communication, escalation, and documentation
Communication and delegation are the most crucial aspects of risk management for the CISO. In a crisis, CISOs are called on to lead the technical incident response: assembling functional teams, delegating work, and knowing when to repurpose resources to meet the demands of the incident. It is critical to engage the crisis management team early and discuss the business impact, with the understanding that difficult decisions about containment will have to be made. In a crisis, a CISO must communicate consistently and calmly; doing so helps ensure that judgments are sound rather than hasty. Forming a risk management team with stakeholders from several departments avoids communication silos.
This is also the time to use technology to centralize risk information, establish a shared language, and facilitate the communication needed to address vulnerabilities. Finally, make sure the process is documented throughout. Assigning a scribe to record every decision, who made it, and when, helps ensure the escalation process is followed and the appropriate people are alerted. This gives the CISO a framework of checks and balances and shares responsibility for the response process.
Devise a new game plan
Currently, there is far too much emphasis on breach prevention and not enough on detection. In many breaches, the damage comes less from a missing preventive control than from the organization’s slow detection and lack of cybersecurity knowledge. Organizations can and should focus on preventive measures, such as reducing the attack surface to a more manageable level, but those measures must be balanced with investment in detection, incident response, and crisis management.
Cybersecurity professionals, and specifically the CISO, must approach their role through the lens of opportunity rather than failure. Each cybersecurity incident is an opportunity to learn from previous mistakes, discover weaknesses in cybersecurity policy, and develop more effective measures that help the organization prevent and detect future attacks. It is not just about making a plan with the intention of succeeding; it is about accepting that failures are likely to happen and being prepared to adjust the plan, so that when they do, you are well positioned to minimize the damage.
About the Author
Tyler Farrar is the Chief Information Security Officer (CISO) at Exabeam. In this role, he is responsible for protecting Exabeam – its employees, customers, and data assets – against present and future digital threats. Farrar also leads efforts in supporting current and prospective customers’ move to the Exabeam cloud-native New-Scale SIEM and security operations platform by helping them to address cloud security compliance barriers. With over 15 years of broad and diversified technical experience, Farrar is recognized as a business-focused and results-oriented leader with a proven track record of advancing organizational security programs.
Prior to Exabeam, Farrar was responsible for the strategy and execution of the information security program at Maxar Technologies, which included security operations, infrastructure governance, cyber assurance, and USG program protection functions. As a former Naval Officer, he managed multiple projects and cyber operations for a multimillion-dollar U.S. Department of Defense program.
Farrar earned an MBA from the University of Maryland and a Bachelor of Science in Aerospace Engineering from the United States Naval Academy. He also holds a variety of technical and professional certifications, including the Certified Information Systems Security Professional (CISSP) certification.