Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Scott Dowsett of Anomali dissects security strategy and argues that identifying which assets are mission-critical should sit at its center.
News flash: CISOs are only human.
We try to be strategic, but the fact is that it’s easy to get distracted by the fire drill du jour, whether that comes in the form of a new product to incorporate into the networking infrastructure or a new security threat to repel. The nature of the profession is such that we’re often reacting to the latest item to cross the transom rather than taking a more proactive approach to a nascent threat that may be lurking beyond the horizon.
As we’ve learned from experience, organizations that come up short on security pay a steep price. Breaches can not only make or break a company’s operations, but they now also follow executives’ careers and create headaches long after the incident itself. Consider the recent example of Drizly. After the alcohol delivery company suffered a data breach that exposed the personal information of about 2.5 million customers, the FTC issued an order that will follow company CEO James Cory Rellas throughout the rest of his career. The agency order requires him to put in place a security program at any company he oversees that collects data from more than 25,000 people.
Identifying Critical Assets
That news was top of mind when I presented to a room full of CISOs, VPs and company directors recently. These are the folks whose job it is to make sure their organization and bosses don’t find themselves in that sort of predicament. After introducing myself as someone who works for a company that sells cyber security solutions, I asked how many used threat intelligence in their work. Nearly everyone’s hands shot up. When I then asked what they did with that intelligence, one CISO said that he delivers monthly KPIs to his board to measure what threat intelligence was doing for the company.
At this point, I was thinking, “Wow, this is great. These folks understand the value of strategic insight into security threats.” But my initial enthusiasm was tempered by the fact that most of the other people in the room still operated tactically when it came to their security posture. Most acknowledged that they aren’t able to identify the critical assets in their environments because they are always dealing with something new. One healthcare CISO recounted to me how he’s constantly scrambling to make sure that the organization remains secure as new IoT devices get added to the network, an ongoing event.
That was surprising. At first blush, this ought to be a routine task: IT works out what the device will connect to and how to mitigate any potential threats. But the process isn’t so clear-cut. The FDA’s clearance or approval process for a new medical device can take five to seven years, and by the time a product eventually reaches the market, its operating system is already nearing the end of its support life. The upshot: the manufacturer is shipping a product that inherits every weakness of an operating system about to stop receiving patches. IT may respond by carving out islands of “mini-isolation” to contain the risk, but that also means more things to track constantly. None of that leaves much time to operate strategically.
You might assume that secure environments are the norm, but think again. I’ve encountered situations where organizations uncovered threats in their environment but chose not to act. In some cases, they determined that taking an infected asset offline would hurt the organization’s productivity and instead decided to isolate it so it could keep operating, accepting the residual risk rather than disrupting business operations. I’ve also been on manufacturing floors where management kept a compromised machine running because it wasn’t connected to anything else. Elsewhere, I’ve come across hospitals that still use aging equipment with older operating systems they cannot patch because doing so would affect overall operations. These devices are everywhere inside their facilities, the equivalent of time bombs waiting to detonate.
The CISO can help mitigate the risk by providing the board or senior management with visibility into the assets in their environment as they set their business goals.
- Strategic threat assessments start with getting a handle on the critical assets that drive the business, particularly when mergers and acquisitions are involved. Simply put, critical assets are the operational assets the business cannot function without. An acquisition means new assets to track and a revised list of regulated data and systems that must be protected. It’s up to the CISO to make sure anti-malware controls, effective authentication and compliance procedures are in place before connecting the acquired company’s environment to the corporate network. Otherwise, trouble beckons.
- Take an inventory of the critical assets that must be kept running and protected in case of an attack. If an automated saw goes offline in a furniture factory, no tables or beds are going out the door. If a hospital depends on a robotic arm in a surgery center, keeping that asset up and running is your No. 1 concern.
- Understand everything that touches your environment externally. That extends to the security products themselves and how they communicate back to the organization. So many systems are interconnected that threats come from all directions. Everyone remembers the Target breach in 2013, when credentials stolen from an HVAC vendor gave attackers their way into the retailer’s network.
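The three steps above can be encoded as a small triage script. What follows is an added example written for this page, not Anomali’s tooling or the author’s method. The inventory (a hospital with a robotic surgery arm, an operating-room controller, an HVAC controller reachable from a vendor connection and a guest Wi-Fi access point), the dependency links and the end-of-life dates are all constructed for illustration. Criticality is propagated from business processes along operational dependencies, assets whose OS support has ended are flagged as unpatchable, and a breadth-first search finds the shortest network path from each externally reachable asset to something critical, which is exactly the pattern an HVAC foothold turning into a breach follows.

```python
"""Constructed asset-criticality triage (added example; not Anomali's tooling).

Three questions from the text, as code:
  1. which assets does the business depend on, directly or transitively?
  2. which of those run an OS past end-of-support and so cannot be patched?
  3. which externally reachable assets have a network path to something critical?
"""
from collections import deque
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Asset:
    name: str
    os_eol: Optional[date] = None            # OS end-of-support date, if known
    externally_reachable: bool = False       # vendor VPN, internet-facing, guest Wi-Fi
    depends_on: List[str] = field(default_factory=list)  # cannot operate without these
    links: List[str] = field(default_factory=list)       # can open connections to these


# Constructed hospital inventory; names, links and EOL dates are illustrative only.
INVENTORY: Dict[str, Asset] = {
    "robotic-arm": Asset("robotic-arm", os_eol=date(2020, 1, 14),
                         depends_on=["or-controller"], links=["or-controller"]),
    "or-controller": Asset("or-controller", links=["robotic-arm", "ehr-server"]),
    "ehr-server": Asset("ehr-server"),
    "billing-workstation": Asset("billing-workstation", links=["ehr-server"]),
    # building automation left on the same VLAN as clinical systems
    "hvac-controller": Asset("hvac-controller", os_eol=date(2015, 7, 14),
                             externally_reachable=True, links=["or-controller"]),
    "guest-wifi-ap": Asset("guest-wifi-ap", externally_reachable=True,
                           links=["hvac-controller"]),
}
# business process -> assets it directly depends on (constructed)
PROCESSES: Dict[str, List[str]] = {"surgery-center": ["robotic-arm"]}
TODAY = date(2023, 1, 19)


def critical_assets(inventory: Dict[str, Asset], processes: Dict[str, List[str]]) -> Set[str]:
    """Everything a business process depends on, following depends_on transitively."""
    critical: Set[str] = set()
    queue = deque(a for deps in processes.values() for a in deps)
    while queue:
        name = queue.popleft()
        if name not in critical:
            critical.add(name)
            queue.extend(inventory[name].depends_on)
    return critical


def unpatchable(inventory: Dict[str, Asset], today: date) -> Set[str]:
    """Assets whose OS vendor support ended on or before `today`."""
    return {n for n, a in inventory.items() if a.os_eol is not None and a.os_eol <= today}


def exposure_paths(inventory: Dict[str, Asset], critical: Set[str]) -> Dict[str, Optional[List[str]]]:
    """Shortest path over `links` from each externally reachable asset to any critical one."""
    result: Dict[str, Optional[List[str]]] = {}
    for start, asset in inventory.items():
        if not asset.externally_reachable:
            continue
        prev: Dict[str, Optional[str]] = {start: None}
        queue, hit = deque([start]), None
        while queue and hit is None:
            cur = queue.popleft()
            if cur in critical:
                hit = cur
                break
            for nxt in inventory[cur].links:
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        path: List[str] = []
        while hit is not None:           # walk back from the critical asset to start
            path.append(hit)
            hit = prev[hit]
        result[start] = path[::-1] or None
    return result


def triage(inventory, processes, today):
    """Rank assets: critical and unpatchable first, then critical, then anything on a
    path from the outside to a critical asset, then the rest. Returns (tier, name, action)."""
    crit = critical_assets(inventory, processes)
    eol = unpatchable(inventory, today)
    on_path = {n for p in exposure_paths(inventory, crit).values() if p for n in p}
    ranked = []
    for name in inventory:
        if name in crit and name in eol:
            tier, action = 0, "isolate now: critical and cannot be patched"
        elif name in crit:
            tier, action = 1, "critical: monitor closely, keep patched"
        elif name in on_path:
            tier, action = 2, "on an external-to-critical path: segment it"
        else:
            tier, action = 3, "standard controls"
        ranked.append((tier, name, action))
    return sorted(ranked)


if __name__ == "__main__":
    for tier, name, action in triage(INVENTORY, PROCESSES, TODAY):
        print(f"tier {tier}  {name:20s} {action}")
```

Two design choices are worth noting. Criticality is derived from what the business processes need rather than from a hand-maintained list, so an operating-room controller nobody thought to label becomes critical automatically because the robotic arm cannot run without it. And the exposure search treats the guest access point and the HVAC controller as the same problem: neither is critical in itself, but both have a path to the surgery suite, which is the segmentation gap the Target breach exploited.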
CISOs have a tough enough job to do and unless they’re blessed with limitless resources, they must pick their battles carefully. That’s why the best guarantee of success is a strategic approach to protecting their company’s assets. But the foundation of that approach must be built on having accurate intelligence to help provide insight on how best to protect company assets. That intelligence can provide the context required to answer questions like what’s happening with your assets, how they are being targeted and why, and not just where attacks are coming from, but where they’re likely to happen in the future. Otherwise, it’s impossible to protect the unknown, and we’re fated to be chasing our tails with each new blip.
- Strong Security: Knowing What Assets You Need to Protect - January 19, 2023