It’s bad enough that CISOs have to be prepared for the wide variety of possible known attack vectors — phishing through email, application holes, Web site vulnerabilities, lax access control, unencrypted sensitive data, corrupt or vengeful employees … But do they also have to be ready for the unknown?
Yes, argues Anuj Goel, co-founder of Cyware Labs, in a blog this week. In fact, these situations have a name: Black Swan events, defined as an event that comes as a surprise, leaves a major impact and can be rationalized only with the help of hindsight. (“Who’s have thought someone could do that?…)
Leaving aside the fact that Goel is softly touting the situational awareness service his company sells, it’s true what CISOs need in addition to all their years of experience and vendor advice is a dose of foresight, which often seems in short supply until it’s too late.
Former U.S. defence secretary Donald Rumsfeld once said there are three things we can be certain about: Known knowns, known unknowns and unknown unknowns. He was mocked in some quarters for the statement — what can we do about unknown unknowns? — but as Wikipedia points out the concept isn’t new. It’s been understood in project management, by NASA, which builds manned space vehicles, and was referenced in a 1979 British Columbia royal commission.
So back to the question: Can a CISO be prepared for the unknown attack? It may be trite to respond, “The board, shareholders and customers expects you to be.” (And so will lawyers for data breach victims). But info leaders have to spend some time with staff looking at their infrastructure and asking where potential holes are. And it’s not an easy exercise. There’s a wide range of trust built into every IT product and service an organization buys. It can be exhausting to try and nail down suppliers — particularly cloud suppliers — on whether every risk has been anticipated. Yet an exercise in thinking outside the box is vital. It’s also important for the CISO to work closely with the business side to know which way it is going so the cyber security team won’t be blind-sided by a sudden change which might alter the organization’s risk profile — for example, allowing third parties to directly connect to your data.
Yes, as Goel says, basic cyber hygiene goes a long way to meeting the risks of unknown unknowns. So does being part of a threat sharing group — there’s no such thing as too much threat intelligence.
“You cannot predict a black swan event,” he writes, “but you can estimate the probability that it will occur and its potential impact by building a security architecture that evolves as the threat landscape shifts. Organizations must look beyond conventional modes of defense to achieve a security posture that is dynamic, not static.”
So it’s true that the CISO may not be able to predict all possible threats. But one of the responsibilities is to have a flexible strategy that can meet most eventualities.