A Proposed Model for Permanent Change in Cybersecurity

Why is it that we keep on doing the same things in security year after year and we expect a different result? For decades, we have been buying and installing security tools to “fix” our security issues around things such as patch management, privileged access, application vulnerabilities, etc. And yet these issues remain at the top of the list of security issues today.

Assuming our goal is to actually fix security issues and keep them fixed, how might we change our approach to this problem? The fact is, most CISOs are now being held accountable for measurable and sustainable risk reduction, and not just having fixed a lot of security flaws. This may require ongoing reporting of the risk reduction achieved on a monthly basis. Such KPIs could include the percentage measurement of reduced sensitive data leaving the network month over month, as well as the percentage of enterprise data captured by a DLP (data loss prevention) solution.

For a new “permanent change” model to work, it’s crucial that, from a goal’s perspective, we should only take on new security initiatives if we can have confidence that the initiatives fix a security issue (as measured by risk reduction), and that fix is sustainable in an automated manner. In other words, we fix the problem in a manner that includes not only the tools, but also the processes and controls.

The first step is usually identifying the area of security where we want to invest in improvement. Ideally, the area(s) chosen for investment will be a security domain where the greatest risk reduction can be achieved for the dollars spent. A second criteria might also be that once implemented, the solution (i.e., the tool and related processes) will continue to control the risk being remediated and control the risk that the risk will grow again over time.

For example, we may want to focus on a risk area around firewalls and hone in on the hygiene related to the firewall rules across the environment. We might approach this by hiring a consultant to come in and clean up all the rules, eliminating those which are out of date, consolidating those that are redundant, etc. The problem with stopping here is that the firewall rules will fairly quickly become stale again and will grow quickly. What is missing are the control processes/tools to manage the future changes in firewall rules, and the tools to monitor those changes.

Once we have decided upon the security areas to focus our investments on, we then need to consider what processes need to be implemented to remediate the security risk. Only after the end-to-end solution is designed should we determine the “tools” that will help enable the solution. While building the solution(s) to reduce security risks, we should consider several factors including coverage, remediation of the risks and automated monitoring of controls.

Typically, when we take on a large initiative to reduce risk in a particular security area, we put together a plan to remediate, and then we put forth a major effort to fix the issues. From a risk perspective, this represents a reduction in risk. However, it is equally important to take steps to ensure the risk does not rise again.

We need to build into our remediation program/security initiative the processes and tools to monitor this control in the future. We all know that over time, vulnerabilities/risks/issues tend to grow and come back unless there is a focused effort to ensure they don’t. There have been several occasions where I spent a large sum of money to “fix” a security area, reported the results to the board, and then had to go back to the board some time later to request budget to fix again.

CISOs cannot wait for someone else to solve this problem of permanently fixing security risks and keeping them fixed. While tools may help, the problem will ultimately be solved by CISOs thinking of an end-to-end process that will not only remediate risks, but continuously watch over the controls, ensuring they continue to manage the risks.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.

James Doggett is CISO at Semperis. He previously served as Head of U.S. operations at Panaseer, Chief Technology Risk Officer for AIG, the Chief Security Officer and Chief Technology Risk Officer for Kaiser Permanente and Managing Director of JP Morgan Chase. He also spent 27 years at Ernst & Young, where he helped build the company’s cyber security practice from the ground up.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

Employees don’t feel prepared to navigate an increasingly dangerous world, and they expect their employers to not only care about their personal safety, but to actively keep them safe.