In the security arms race, the cycle is familiar: Defenders spend billions on security products, attackers breach defenses anyway, and so on. We seem doomed to repeat history and are locked into a spend-and-defend loop. Are the wrong tools the heart of the problem? Are the attackers just too smart, and we can’t keep up with them?
The truth is that hubris and fear are also part of the problem. Too many CISOs are convinced that the “guard the castle” approach to protecting the perimeter, which worked in the past, will continue to be the best bet for the future. They’re afraid to abandon what they are comfortable with. But CISOs need to be ready to pivot from strategies that are increasingly ineffective to an approach that will actually address real security issues in today’s business environment.
In 2015, organizations were projected to have spent $75 billion on cybersecurity, but the scale of attacks is getting worse.
So why do we keep paying for solutions that aren’t working – and why won’t CISOs agitate for change? One reason is the old “nobody gets fired for buying IBM” argument. Legacy solutions are “safe,” as is anything highly recommended by industry analysts, who favor traditional, appliance-based, on-premises solutions. Too often, CISOs prefer to buy whatever has the analyst seal of approval instead of venturing outside of their comfort zone.
Reporting structure gets in the way
Another reason: In most organizations, the reporting structure doesn’t lend itself to truth-telling by the CISO, who typically reports to the CIO. CISOs aren’t empowered or encouraged to make decisive moves that would benefit the overall business (or admit that a previous decision, while not necessarily a mistake, is simply no longer effective). CIOs and CISOs are personally and financially invested in the networks and security architectures they have built and are afraid it might reflect poorly on them to suggest that they should tear it down.
According to research from K logix, more than half of CISOs report to the CIO, compared with 15 percent who report to the CEO. More CISOs need to report to CEOs, or at least to chief risk officers; they need the ability to offer honest criticism to leadership without fear their ideas (and more likely their careers and compensation) will be quashed. The way things work now, CIOs don’t want security professionals upending IT, and CISOs don’t want to rock the boat.
An executive team that’s not committed to sharing information about the risk of attacks – and addressing the problem head-on when attacks occur – can lead to an Equifax-style outcome. While it’s not entirely clear what sort of reporting-structure breakdown led to the credit reporting company’s massive 2017 breach, as well as the company’s foot-dragging in disclosing it, it’s possible that the right Equifax executives were not highly focused on the crisis from the get-go.
A recent and similar example of hubris, or just plain inattention: Due to a website vulnerability, Panera Bread leaked millions of customer records for months, even after a security researcher contacted the bakery chain about the vulnerability. When Panera executives were told of the leaks, they appear to have sat on the information for months; once Brian Krebs of Krebs on Security contacted the CIO of the bakery chain and the news went public, company leaders pulled down the website, put it back online, then downplayed how bad the leak was.
The lack of an oversight structure for raising alarms about security risk is blinding security professionals to what’s really happening in terms of the cloud and workplace mobility. And the legacy solutions are ill-suited to a world where employees offload work documents to cloud accounts without anyone noticing, or where employees bring work to homes, hotels, and cafes with open Wi-Fi and unsecured connected devices.
By assuming that legacy solutions are sufficient, CISOs are creating security structures for people who aren’t within the traditional perimeter anymore. These architectures made sense 20 years ago, when the pace of change for technology was glacial and nearly all employees worked on-site. Today, the amortization on hardware is about 20 minutes instead of five years.
CISOs as business strategists
Transforming security approaches takes time and money; threat actors rely on defenders doing little, so they can keep launching successful attacks. We can start with the basics. CISOs should build relationships with other department heads to uncover business initiatives that impact security instead of waiting for the news to filter back to them. It’s part of removing the constraints of the CISO’s role as a technical advisor. CISOs need to up their game in terms of business-savvy – a challenge for sure, since most of us are trained to focus on technology and security. (I took a course in “MBA Essentials for Managers,” and as a CISO I’d recommend it.)
Relationship-building also extends to the board. If leaders are to understand risks and solutions, CISOs should deliver intelligence about the security perspective of business plans. Too often, changes discussed at the highest levels only trickle down to the security team when someone needs to tack on security to business systems that have already been bought and paid for. Security should be by design, not an afterthought.
Courageous CISOs should advocate for radical change, recognizing that the architectures they built no longer reflect the disappearing perimeter. Just because CISOs embraced legacy solutions in the past doesn’t mean they can’t challenge them in the future. Simply trying to bring infrastructure up to speed for today’s world isn’t enough – you’ll fall behind before you get started. Build security based on what you think the future will be.
Bil Harmer is CISO for the Americas at Zscaler.