Canadian infosec pros aren’t doing their jobs if they spend more time on buying technology than on implementing simple but effective measures.
That was the consensus of their peers, who gave IT security managers a rough ride at a panel discussion Thursday on emerging security issues.
“Security professionals in general don’t do a great job of creating metrics that’s easy for human beings to consume,” said Ben Sapiro, senior director, security privacy and compliance at Vancouver-based Vision Critical Communications Inc., a cloud-based platform for building customer communities.
Too often they talk in technical terms business managers don’t understand, he said. “You don’t have to achieve perfect, you just have to achieve good enough” when explaining the security impact of a decision.
Ideally, what CISOs should aim for is “pragmatic decision-making by the business with the tool and the guidance provided by the security people.”
Sapiro was part of a panel assembled for reporters by security consulting and managed security provider Scalar Decisions Inc. as the company announced its new 3,000 sq. foot security operations centre in Toronto. That’s more than three times the size of the previous SOC.
Others on the panel were Marc LeCuyer, area vice-president for Canada at RSA Security; Rafael Etges, executive advisor for risk, cybersecurity and compliance at Toronto’s Strata Advisory Group; Benjamin Boi-Doku, co-founder of EOSENSA, a risk and advisory services firm that was just bought by Scalar; and Scalar CTO Ryan Wilson.
Boi-Doku had hopes that the so-called next generation CISO will be able to talk to the business side of the organization in terms they understand. But, he added, “a lot of CISOs I encounter aren’t able to talk in business in that language.”
They certainly didn’t show much sympathy for their peers at times. LeCuyer said there are simple things CISOs can do to prevent or slow attackers, such as vulnerability risk management and security awareness that don’t involve spending money on technology.
“I work with a lot of large organizations in Canada and you have no idea — from the CEO right down to the security people they’re still clicking on phishing emails,” he complained.
Sapiro argued that because organizations have a more “permissive” attitude in allowing employees to use technology, IT security pros “are forced to buy more and more sophisticated technologies to account for each of the edge cases our users stumble against.”
A lot of organizations focus on zero day attacks, said Wilson, but 99.9 per cent of successful breaches last year were due to vulnerabilities that had existed on systems for over a year. “We have an IT hygiene problem first to fix before we get to the sophisticated advanced attacks,” he said.
Etges argued that for CISOs to have an impact in organizations there has to be a “culture change,” and they have to talk to management about risk management. “If you’re just supplying technology you’re going to have a very short term effect – maybe that’s what you want, maybe that’s what you need to make a good convincing business case for the CFO.”
Asked by a reporter why infosec pros aren’t doing better, LeCuyer blamed “budgeting inertia” — which he described as defending the stack of technology they’ve bought.
“To me it’s a spending problem. When they sit down I don’t think they’re looking at ‘Let’s step away from technology and the security operations centre for five minutes and look at how it’s actually happening’ … We love tools, we like gadgets.”
Asked what will change that attitude, Sapiro replied, “We need not give ourselves a kick.”
At the same time, some in the group had sympathy for the CISO. RSA’s LeCuyer, for example, said vendors have done a good job of “confusing our customers” about traditional protective security tools. The “next-gen anything” is available, he said.
“I do believe from the heart that vendors are stepping up and admitting there are gaps (in their products) and are investing R&D in that space.” There are emerging technologies in detection and response solutions, he added, but “our customers need to step up and spend there… it is a spending issue for me, less of ‘Are we doing the right things.’”
Wilson agreed, saying customers aren’t buying “leading edge” technologies that can stop threats.
On the other hand, Sapiro recalled doing research with Etges several years ago suggesting that when CISOs had bigger budgets they didn’t necessarily get better outcomes — although he said the research indicated that instead of buying newer technology they bought “more of the same.”