SAN FRANCISCO — Before CISOs start spending money on analytics and data loss prevention solutions they’d better know what’s under their thumbs.
That was the message from former Bank of America CISO Patrick Gorman at a panel Tuesday at the annual RSA Conference here.
Conducting a complete inventory — also known as asset management — is a vital first step for any infosec leader who doesn’t want to get buried, he said.
In an interview after the session Gorman — now head of strategy and product development at startup CyberGRX — expanded on the comments.
“When I think about assets in the enterprise it’s mobile devices, endpoints, servers, networks, where your data is located, it’s where your people are at, it’s understanding business processes — and I’ve yet to see any organization that has a good end-to-end view of this, so if something happens what business process is affected? Where’s the data?
“A lot of the time asset management just gets picked up in terms of things like physical devices – which still has to be done – but there’s a whole stack that goes along with that that I don’t think is looked at holistically.
“I start with this principle: How do you defend something if you don’t know what you’re defending? If you’re in charge of defending the borders of a country, and you don’t even know the geography, I don’t know how you defend against that.”
He recalled the old war philosophy of the Chinese strategist Sun Tzu: Know yourself, know your enemy.
“Asset management is underfunded and ignored because it’s not particularly sexy,” he said. “The sexy things are APT tools and advanced analytics and modeling simulation – which I think are all important – but there’s basic blocking and tackling that’s forgotten in all this, and that’s around asset management.”
How can an organization change this?
“You take a look at the SANS top 20 controls. Number one and number two are know your applications, know your data and your systems. They don’t start with vulnerability management or DLP or advanced analytics. What you really have to do is recognize the criticality of this. Without those things you can’t do all this advanced monitoring, you can’t do vulnerability management well, you can’t deploy your controls because you don’t know what assets to put controls on.
“The way you do this is you (the CIO) say ‘This is a top control I want to see the metrics on this and I’m going to hold you accountable for making sure we understand our assets.’
“And that’s a combination of the CISO holding the IT department accountable and reporting up to the CEO where the board on the risk perspective saying ‘there are assets, and here’s the vulnerability of our assets.’
“So I think it’s more of a mentality and holding people accountable for it. It’s really not that difficult, and most of the standards out there say you have to do asset management: the NIST framework has that, ISO has that, it’s just it gets lost in the noise.”
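The point Gorman makes about controls and metrics (you cannot put a control on an asset you do not know about, and the CIO should be able to see the numbers) can be turned into a simple reconciliation: compare the authoritative inventory against what is actually observed on the network and what the endpoint control actually covers. The script below is an added example, not code from the article or from CyberGRX; the CMDB export, DHCP lease log and EDR check-in list are all constructed sample data.

```python
"""Reconcile an asset inventory against observed hosts and control coverage.

Added example with constructed data: CMDB export (what we think we own),
DHCP leases (what is actually on the network) and EDR check-ins (where
the endpoint control actually reports). Field names are assumptions.
"""

def norm(host: str) -> str:
    """Normalise a hostname: lower-case and strip any domain suffix."""
    return host.strip().lower().split(".")[0]

# Constructed CMDB export: the organisation's authoritative inventory.
CMDB = [
    {"host": "WEB01.corp.example", "owner": "ecommerce", "criticality": "high"},
    {"host": "db01.corp.example", "owner": "ecommerce", "criticality": "high"},
    {"host": "hr-app.corp.example", "owner": "hr", "criticality": "medium"},
    {"host": "old-print.corp.example", "owner": "facilities", "criticality": "low"},
]

# Constructed DHCP lease log: "<ip> <mac> <hostname>" per line.
DHCP_LEASES = """\
10.1.4.20 aa:bb:cc:00:00:01 web01
10.1.4.21 aa:bb:cc:00:00:02 db01
10.1.4.50 aa:bb:cc:00:00:03 hr-app
10.1.9.77 aa:bb:cc:00:00:04 raspberrypi
10.1.9.78 aa:bb:cc:00:00:05 dev-jenkins
"""

# Constructed EDR console export: hosts whose agent has checked in.
EDR_CHECKINS = ["web01.corp.example", "hr-app.corp.example", "dev-jenkins"]


def reconcile(cmdb, dhcp_leases, edr_checkins):
    """Return the gaps a CISO would want as metrics: unknown, stale, uncovered."""
    inventory = {norm(r["host"]): r for r in cmdb}
    observed = {norm(l.split()[2]) for l in dhcp_leases.splitlines() if l.strip()}
    covered = {norm(h) for h in edr_checkins}
    # On the network but not in the inventory: nobody owns or defends these.
    unknown = sorted(observed - inventory.keys())
    # In the inventory but never seen: likely decommissioned, inventory is stale.
    stale = sorted(inventory.keys() - observed)
    # Known, live, but the endpoint control is missing; ranked by criticality.
    uncovered = sorted((h, inventory[h]["criticality"])
                       for h in inventory if h in observed and h not in covered)
    coverage = sum(1 for h in inventory if h in covered) / len(inventory)
    return {"unknown": unknown, "stale": stale,
            "uncovered": uncovered, "coverage": round(coverage, 2)}


if __name__ == "__main__":
    print(reconcile(CMDB, DHCP_LEASES, EDR_CHECKINS))
```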