CISOs shouldn’t plan to protect everything, says McAfee exec

LAS VEGAS – Candace Worley wants CISOs to face what to many is unthinkable: You can’t protect everything in the enterprise equally.

“Sometimes you have to leave something behind,” the vice-president and chief technical strategist at security vendor McAfee told customers and partners Thursday at the company’s annual Mpower conference here. “It’s how you plan for it ahead of time that makes all the difference.”

McAfee chief technical strategist Candace Worley

“That’s a hard thing for us as security people, because we want to protect the entire infrastructure.” But, she said, the rules an infosec pro has to live by echo those of military strategy: “Sometimes you trade something off to get the thing that’s most critical to your long term goal.”

And, like an army, a CISO’s goals are to defend territory, reduce the ability of the enemy to attack and minimize the borders (or, in this case, the attack surface).

Or, she said, it’s like the board game Risk. “Winning the game of Risk often comes down to knowing what you can afford to lose, knowing what you’re willing to lose and understanding the risks associated with both of those decisions.”

These analogies were used to illustrate her central message: It’s time for CISOs to move from threat-based cyber incident planning to one based on risk.

“Correlating cyber risk to cyber spend is a useful exercise in determining where to make your financial investments downstream,” she added. “So if I have a low tolerance for data loss, I’m going to spend more on securing the endpoint and cloud than network edge. And if ransomware is a major concern, perhaps more on containment/sandboxes and backup processes.”

It’s not, she added in an interview, that less-important data is left unprotected. But through risk analysis the CISO can decide where best to put the most expensive or most effective defences.

“It’s really hard to contemplate not protecting everything,” she said, “and yet I would argue how well are we doing at that as an industry? So that’s part of why perhaps the conversation I introduced is a bit provocative in its tone, because I want to start a dialogue: Is it time to acknowledge that we’re not going to successfully protect everything?

“But we’d better know ahead of time what we have to successfully protect. And what [data] if it got breached we could grudgingly live with – not be happy about, but we could [still] sustain our business.”

She also cautioned that CISOs may have to do some negotiating with lines of business, which may not agree with their view of what’s important and what isn’t – which is why IT has to work closely with the business side.

“It’s a very different dialogue and one that not everyone will be comfortable with,” Worley said, “but I think it’s one worth having, because of the complexity of the infrastructure and the sophistication and speed of attacks – even with all the tools in the universe, people can’t keep up.”

In her keynote she argued that risk-based cyber incident planning is rooted in understanding what attacks you’re likely to see, what targets are likely to be gone after, what your organization’s risk tolerance is for each attack and target, and what you’re willing to protect at all costs.

One way to build a risk model is around Verizon Communications’ annual data breach report, she said, which breaks down data breaches into 10 patterns and the attack vectors usually used (for example, DDoS attacks usually involve compromised credentials or a botnet).

Once you have a good idea of the attacks you’re likely to see and the data likely to be targeted you can begin to create a risk tolerance score for your organization.

“Understanding risk tolerance by incident provides you with guard rails when you begin to put together trade-off decisions for security investment decisions,” she said.

For example, because intellectual property can be used so fast after it’s stolen it may be better to spend more money preventing a breach, or protecting that data, than on mitigation after it’s gone.
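As an added illustration, not code from the article or from McAfee, here is a small risk-tolerance model in Python that follows the steps above: each attack pattern and target pair gets a likelihood-times-impact score, the score is compared with a per-asset tolerance, and only the pairs that exceed tolerance compete for budget. All pattern names, likelihoods, impacts and tolerance values are constructed sample inputs, not figures from the Verizon report.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One attack pattern aimed at one asset class."""
    pattern: str
    asset: str
    likelihood: float  # estimated chance of seeing this in the planning period (0..1)
    impact: int        # business loss if it succeeds, 1 (trivial) to 10 (existential)

    @property
    def key(self) -> str:
        return f"{self.pattern}/{self.asset}"

    def score(self) -> float:
        return self.likelihood * self.impact


# Constructed sample inputs: likelihoods and impacts are illustrative only.
SCENARIOS = [
    Scenario("ransomware", "customer PII", 0.30, 8),
    Scenario("ransomware", "public website", 0.30, 4),
    Scenario("credential theft", "intellectual property", 0.25, 10),
    Scenario("DDoS", "public website", 0.40, 5),
    Scenario("insider misuse", "intellectual property", 0.05, 10),
    Scenario("web app attack", "customer PII", 0.20, 7),
]

# Risk tolerance per asset: the highest score the business will grudgingly accept.
# A low number marks "protect at all costs"; a high number marks "expendable".
TOLERANCE = {"intellectual property": 1.0, "customer PII": 1.5, "public website": 4.0}


def over_tolerance(scenarios, tolerance):
    """Scenarios whose score exceeds the asset's tolerance, worst gap first."""
    gaps = [(s.score() - tolerance[s.asset], s) for s in scenarios]
    return [s for gap, s in sorted(gaps, key=lambda g: -g[0]) if gap > 0]


def allocate_budget(scenarios, tolerance, budget):
    """Split the budget in proportion to each scenario's excess over tolerance.

    Scenarios already within tolerance get nothing: that is the trade-off of
    spending on the most critical at the expense of the most expendable.
    """
    excess = {s.key: s.score() - tolerance[s.asset] for s in scenarios}
    excess = {k: v for k, v in excess.items() if v > 0}
    total = sum(excess.values())
    if total == 0:  # everything is within tolerance; nothing to prioritise
        return {}
    return {k: round(budget * v / total, 2) for k, v in excess.items()}
```

Running `allocate_budget(SCENARIOS, TOLERANCE, 100)` on the sample data sends the whole budget to the two pairs over tolerance and nothing to the public website, which the sample tolerance marks as expendable.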

Worley also emphasized that risk-based planning helps CISOs communicate with management and the board, whose language is risk.

“When you’re talking to C-levels and board of directors, being able to discuss [cyber security] in the context of risk rather than operations can mean the difference between getting the budget you ask for and having to take the budget you already have and spreading it farther.”

Building an asset prioritization plan and risk plan is only part of a comprehensive cyber security plan, she emphasized, but it’s a critical foundational element that will colour a CISO’s investments over time.

Breaches will happen, she pointed out. “So if we’re going to solve this problem we have to approach securing against those attacks in a different way. We must evolve to using a risk-based approach that focuses on protecting the most critical at the expense of the most expendable.”

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
