CISOs Look Past Compliance for New Solutions to Old Problems

Larry Whiteside, CISO for Spectrum Health Systems, speaks at the 2012 SC Congress in Chicago on how mobile devices in the workplace are changing the landscape of security. Photo by Tom Ford of Ford Photography

The cyber landscape is constantly shifting – new threats arise daily in the form of employees’ devices, malware and denial-of-service attacks, and the nebulous menace of hacktivist societies, such as Anonymous. And while these continue to mount, new CISOs are fighting back within their organizations to reform information security protocols and meet the oncoming risks head-on.

At a November conference in Chicago, the SC Congress 2012 from SC Magazine, I had the opportunity to sit down and meet several leading CISOs, as well as listen in to some thought-provoking keynote sessions on the threats of the day:

Becoming the Office of “Maybe”

According to Ward Spangenberg, CISO of Pearl.com, formerly of online gaming giant Zynga, companies are facing a wide variety of threats and problems, many of which are brought in by employees.

“You can’t be the ‘no’ guy,” says Spangenberg. “Every time you just shut down an employee’s request with a ‘no,’ you’ve destroyed an opportunity to affect good change.”

He says that IT security professionals should tackle these requests from the side, especially when they come from upper management. “Start with ‘maybe,’” he adds – the CISO’s willingness to compromise and explore different or unusual solutions can expand a business’s efficiency while improving employees’ awareness and respect of security.

Building the Best BYOD Policy

And speaking of improving employee relations, the BYOD (or Bring Your Own Device) movement was one of the hot topics of the conference. The panel discussion regarding mobile security brought some strongly conflicting opinions to the fore, most notably – Should security adjust BYOD policies because new talent demands the use of their own devices, or should the new talent adjust their work styles to the existing company policy?

Cost, the speakers said, is not a factor in BYOD, at least not compared to the empowerment of the workforce. Incoming workers are of the “multitasking generation,” and many of them request device policies during job interviews. Several speakers noted throughout the day that if a talented applicant dislikes a company’s stringent BYOD decisions, they could decide to work elsewhere.  

According to Larry Whiteside, CISO at Spectrum Health Systems, companies should test a pilot program to gauge employee interest, while employing encryption tools on all devices, including desktop computers, to help reduce the risks of data loss due to device theft.

The Threat Landscape

“Look at the OSX threats – the top problems haven’t changed in 10 years,” says Spangenberg. “We might have job security, but we’re not fixing the key problems.

“There’s nothing horribly new to implement. It’s all attacks against software, so we have to harden those targets – force you back to the harder access points. We have to block the easy ways in,” he says.

For Whiteside, the key is due diligence: “With users… you can’t unteach stupidity. Sometimes, due diligence is all you can do – you cannot always hold fiscal responsibility.”

In healthcare security, Whiteside is most concerned with addressing access management and data tracking within the facilities he oversees, along with device loss and encryption.

“Organizations have not been doing their best practices,” he says. “But now, the Federal government is doing a better job in holding organizations accountable for their actions, and organizations are taking note and taking action.”

Pictured from left to right: Eric Green, SC Congress Director; Mary Chaney, incident response leader for GE Capital Americas; Kirsten Bay, Bodkin Group principal; and Scott Gerlach, director of information security operations for GoDaddy.com. Photo by Tom Ford of Ford Photography.

Another buzzword was Anonymous, but perhaps it was buzzier than it needed to be, according to Kirsten Bay, principal at The Bodkin Group. She admitted a certain amount of frustration on the budgetary side – management keeps pulling funding toward preventing hacktivist attacks, while the priority should be elsewhere.

If an organization is the target of an Anonymous or hacktivist party threat, Bay recommends that the company get out in front of the issue – finding someone who will evaluate the perceptions of events before anything is released. She stresses prioritization – will an attack shut you down or just embarrass you? Would your attention (and funding) be better served elsewhere?

Solving the Problems

“Compliance should be the floor, not the ceiling, of your efforts,” says Rafael Diaz, CISO of the State of Illinois, at the event. “It’s the fundamental layer for every security program.”

However, other speakers warned against using compliance as the be-all-end-all of an information security program.

“Compliance is a great hammer – if you have a nail,” says Spangenberg. “Don’t use a hammer if you have a screw. … If you have a motorcycle, the law requires that you wear a helmet. Well, you’re only managing risk for your brain. What about the rest of you?”

Spangenberg has a variety of other security recommendations to take IT departments past the “helmet” stage of compliance, including hiring hackers.

Read More: Hire a Hacker – A 2013 Security Imperative

“I’ve mentored ethical hackers for years,” he says. “If we don’t continue to promote that art, it disappears. Hacktivists are exposing that people are dumb – so why not use hackers to make the systems smarter?”

His other recommendations include:

·         Using a FAIR report (Factor Analysis of Information Risk), which can translate the risk into real dollar amounts, making it easier to sell to the C-suite

·         BSIMM reports, which function as security initiative report cards or benchmarking tools

·         Penetration Tests – both in the IT and physical sides of security

·         Code Reviews

·         Scans (“You know they’re being conducted on you – you should at least know what the other side is seeing.”)

According to Ken Rowe, director, enterprise systems assurance, for the University of Illinois-Chicago, 80 to 85 percent of compliance controls are “just good IT principles you should already have.”

“We have to move past the ‘check-the-box’ mentality on compliance,” he says. “We need to talk about concerns, worst-case scenarios, not just in risk management terms. Compliance might start out as a checklist, but it can evolve.”

Ward Spangenberg (far left), CISO at Pearl.com, uses his ethical hacking background to uncover loopholes and entry points in both information and physical security at Pearl.com. Photo by Tom Ford of Ford Photography.

The CISO and the CSO

Both Spangenberg and Whiteside are responsible for aspects of physical security at their organizations as well as information security, and that seems to be a sweeping trend for CISOs in the industry.

While Spangenberg, being the CISO at a small start-up company, is dealing mostly with the basic security issues at Pearl.com’s office building, he is also using his “grey-hat” hacker background to conduct physical penetration tests. He might show up at a building holding a heavy box, struggling to get into his pocket at the door, just waiting for a friendly employee to walk by and let him in. After that, he can test how close he can get to data centers or other valuable locations within a building.

Whiteside, on the other hand, is working alongside physical security personnel to improve reporting protocols between IT and security. In the Spectrum Health System, security officers have arrest power, and they have a list of questions to ask suspects – including ones about how and where they obtained a device. Similarly, if IT infiltrates information about a data leak, officials from that department would ask physical security questions, such as how that suspect obtained access to the area.

As these lines of communication being to open between IT and security, many of the speakers expect great strides forward in the cyber aspects of physical security, as well as the attention paid to cyber security throughout entire organizations.