LAS VEGAS – Candace Worley wants CISOs to face what to many is unthinkable: You can’t protect everything in the enterprise equally.
“Sometimes you have to leave something behind,” the vice-president and chief technical strategist at security vendor McAfee told customers and partners Thursday at the company’s annual Mpower conference here. “It’s how you plan for it ahead of time that makes all the difference.”
“That’s a hard thing for us as security people, because we want to protect the entire infrastructure.” But, she said, the rules an infosec pro has to live by echo those of military strategy: “Sometimes you trade something off to get the thing that’s most critical to your long term goal.”
And, like an army, a CISO’s goals are to defend territory, reduce the ability of the enemy to attack and minimize the borders (or, in this case, the attack surface).
Or, she said, it’s like the board game Risk. “Winning the game of Risk often comes down to knowing what you can afford to lose, knowing what you’re willing to lose and understanding the risks associated with both of those decisions.”
These analogies were used to illustrate her central message: It’s time for CISOs to move from threat-based cyber incident planning to one based on risk.
“Correlating cyber risk to cyber spend is a useful exercise in determining where to make your financial investments downstream,” she added. “So if I have a low tolerance for data loss, I’m going to spend more on securing the endpoint and cloud than network edge. And if ransomware is a major concern, perhaps more on containment/sandboxes and backup processes.”
It’s not, she added in an interview, that less-important data is left unprotected. But through risk analysis the CISO can decide where best to put the most expensive or most effective defences.
“It’s really hard to contemplate not protecting everything,” she said, “and yet I would argue how well are we doing at that as an industry? So that’s part of why perhaps the conversation I introduced is a bit provocative in its tone, because I want to start a dialogue: Is it time to acknowledge that we’re not going to successfully protect everything?
“But we’d better know ahead of time what we have to successfully protect. And what [data] if it got breached we could grudgingly live with – not be happy about, but we could [still] sustain our business.”
She also cautioned that CISOs may have to do some negotiating with lines of business, which may not agree with their view of what’s important and what isn’t – which is why IT has to work closely with the business side.
“It’s a very different dialogue and one that not everyone will be comfortable with,” Worley said, “but I think it’s one worth having, because of the complexity of the infrastructure and the sophistication and speed of attacks – even with all the tools in the universe, people can’t keep up.”
In her keynote she argued that risk-based cyber incident planning is rooted in understanding what attacks you’re likely to see, what targets are likely to be gone after, what your organization’s risk tolerance is for each attack and target, and what you’re willing to protect at all costs.
One way to build a risk model is around Verizon Communications’ annual data breach report, she said, which breaks down data breaches into 10 patterns and the attack vectors usually used (for example, DDoS attacks usually involve compromised credentials or a botnet).
Once you have a good idea of the attacks you’re likely to see and the data likely to be targeted, you can begin to create a risk tolerance score for your organization.
“Understanding risk tolerance by incident provides you with guard rails when you begin to put together trade-off decisions for security investment decisions,” she said.
For example, because intellectual property can be used so quickly after it’s stolen, it may be better to spend more money preventing a breach, or protecting that data, than on mitigation after it’s gone.
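To make the scoring step concrete, here is a small added example (not from the keynote or McAfee) of a per-incident risk tolerance score that then drives a proportional spend split; the incident patterns, assets, likelihoods, loss figures, tolerances and control mapping are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    pattern: str        # incident pattern label, DBIR-style (constructed)
    asset: str          # what that pattern usually goes after
    likelihood: float   # estimated chance of seeing it this year, 0..1
    impact: float       # loss if it succeeds, in arbitrary currency units
    tolerance: float    # share of that loss the business could grudgingly absorb


# Constructed sample exposures; the numbers are illustrative, not measured.
EXPOSURES = [
    Exposure("ransomware", "file servers", 0.30, 800, 0.20),
    Exposure("credential theft", "cloud tenant", 0.25, 600, 0.30),
    Exposure("insider misuse", "design IP", 0.10, 1500, 0.05),
    Exposure("ddos", "public website", 0.40, 200, 0.80),
]

# Where each pattern's spend would go (hypothetical mapping).
CONTROLS = {
    "ransomware": "containment/sandboxing and tested backups",
    "credential theft": "MFA and cloud identity monitoring",
    "insider misuse": "DLP and access review on IP repositories",
    "ddos": "upstream scrubbing capacity",
}


def residual_risk(e: Exposure) -> float:
    """Expected loss the business is NOT willing to absorb."""
    return e.likelihood * e.impact * (1.0 - e.tolerance)


def rank(exposures):
    """Exposures ordered from most to least intolerable expected loss."""
    return sorted(exposures, key=residual_risk, reverse=True)


def allocate(exposures, budget: float) -> dict:
    """Split a budget in proportion to residual risk; returns pattern -> spend."""
    total = sum(residual_risk(e) for e in exposures)
    return {e.pattern: budget * residual_risk(e) / total for e in exposures}


if __name__ == "__main__":
    for e in rank(EXPOSURES):
        print(f"{e.pattern:17} {e.asset:15} residual={residual_risk(e):7.1f} -> {CONTROLS[e.pattern]}")
    for pattern, spend in allocate(EXPOSURES, 1000).items():
        print(f"{pattern:17} spend {spend:6.1f}")
```

Raising a pattern's tolerance (the DDoS row) pushes it down the ranking even though it is the most likely incident, which is the trade-off the keynote describes.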
Worley also emphasized that risk-based planning helps CISOs communicate with management and the board, whose language is risk.
“When you’re talking to C-levels and board of directors, being able to discuss [cyber security] in the context of risk rather than operations can mean the difference between getting the budget you ask for and having to take the budget you already have and spreading it farther.”
Building an asset prioritization plan and risk plan is only part of a comprehensive cyber security plan, she emphasized, but it’s a critical foundational element that will colour a CISO’s investments over time.
Breaches will happen, she pointed out. “So if we’re going to solve this problem we have to approach securing against those attacks in a different way. We must evolve to using a risk-based approach that focuses on protecting the most critical at the expense of the most expendable.”