Tammy Moskites knows that the role of CISO is changing, but as a woman more than happy to embrace the technical aspects, her view is that it is not a lessening of tech that should be widening the appeal of the role, but its increased importance and variety as it becomes a fundamental part of business risk management.
By her own account she's been a CISO for a very long time: “A lot of what we had to do back then was technical in nature. The CISO was really seen as a technical advisor”.
Over the last 12 years the role has changed: “When we look at our engagement with business, in the past we were always seen as the office of ‘No'.” But in the last five years, notes Moskites, the CISO has become more embedded in business and compliance. “If you are not well versed in the business you are not going to be successful, so this deeper engagement is essential.”
This is increasingly the case as technology becomes not just a business enabler but a fundamental part of the business. As a result, “security has to be engaged for a whole host of reasons and it's not just the technology, it's the compliance and regulatory models, so you need to know what the regulatory requirements are for your line of business.”
Another big area is around the legal ramifications around what's important, so it's necessary to cover legal, regulatory compliance, and engagement with business. “We have to become well versed in what their (the employer's) projects are and what they're trying to do, and we have to be seen as an enabler. Part of that is being able to assess the risk to the business.”
Moskites explains that it's no longer about telling people ‘no', but about addressing the risk and ramifications of certain business decisions: “That's a big mindset change for the organisation. CISOs have been notoriously buried down in the infrastructure – especially back 15 years ago. But CISOs now have risen up into the true C suite, and are actually seen as a trusted advisor.”
In Moskites' experience, C-suites and boards have been supportive of her role as an advisor. She's spoken to plenty of boards about security and controls and what kind of relationship they should be having with their CISOs. But, added Moskites, often “Even the CIOs of the company don't get enough time with the board so they can't really assess the technology as well as the risks associated with the CISO, so when you look at the board of directors of Global FTSE 500 or whatever, very few of them have security leaders or very senior IT leaders as part of their board of directors.”
Sometimes CISOs might be brought onto the board, but not as an active speaker and member of the team but more as a figurehead showing that the company has an interest.
SC asked Moskites what she thought about the merits of having MBAs learn tech, rather than the techies learning soft skills, including better communication, to explain cyber-security risk to the board.
Some people, noted Moskites, who are very strong on security tech can find it difficult to speak with the board: “A difficulty in communicating what the risk is to the company becomes apparent. That's where some of the uneasiness is with the board”.
“They think you are going to be talking at a level they don't understand, so you have to come in being able to articulate risk to business because that's what the board's looking for. They don't want to know how many viruses you caught, they want to know, what's the risk?”
IT leaders must engage with the business aspects and add business acumen to the portfolio of things they need to know, because that's the way the board communicates back. Moskites elaborates: “I work on a holistic level – eg we're going to deploy this new website, with bells and whistles, all the investments you plan to make this year, and this is the value-add that security is going to bring.”
One of the newer aspects of the CISO's reborn role is responsibility for education programmes. “It's something you can't just do once a year, [it should be] more than every month. When I do security awareness in large organisations, it's every week. That could involve putting signs up around the office, or reminders on monitors.” Moskites even suggests you take laptops just left on the desk, leaving a note: ‘to get this laptop back please supply one candy bar'. If someone clicks on a (fake) phishing email, send them on to a phishing awareness course: you have to watch a 15-minute awareness video to get your email back.
It's important to note that good intentions are too often an organisation's undoing, when well meaning employees flout security policy in the spirit of efficiency and end up endangering the whole organisation.
It's necessary not to let IT policies get in the way of people doing their job. Moskites cites the example of a third-party call centre which was largely prevented from having efficient access to certain critical systems. If they can't do it above board, then they'll do it underground – thus exposing an organisation to an increased danger of compromise, and all because they want to do their job better.
There are controls you can put in place, maybe mandatory VPN for BYOD use, and controls within the device. But when staff go home, you don't know if they are infecting themselves. There are ways to check and control pieces of that on the network: “We have to remind staff that this is a different world today. There's malicious things on all kinds of stuff that you would never even have thought of so, go back to the foundational basics – awareness.”
It also depends on your company's risk appetite – not just your technology risk, but what risk you are going to accept from your staff. You have to be willing to accept that social media is not going away anytime soon. For any popular social media app, “There's gazillions of proxy bypasses, and kids share them all the time.”
“Proxy bypass sites go up and down every day. A lot of folks use those to download streaming content. And they're not safe at all. They are full of malicious software and they download root kits.”
Finally, looking at future threats, Moskites notes how phishing is here to stay. Social engineering and phishing will always be the number one way of getting in and out of a company: “We use those companies that will phish your staff, and still get clicks on them all the time. The number of attacks will go down, but they are getting more and more sophisticated.”
A decade ago, says Moskites, “you'd get that funky looking picture that you click on - now they have the right logos, they have certificates on them, they take you to a website that looks like you and smells like you but it's not you. And when they are done gathering all your information it redirects you back to the good site. They are very creative.”
Certificate-based attacks are forecast to keep increasing: “The internet of things, and all the devices that required certificate-based authentication, we're gonna see an exponential increase in attacks there.”
Asked how she compares the certificate issue with, say, DROWN attacks, Moskites responded: “The good thing about certificates is the security foundation. You need to know what you have to be able to protect it. Just like companies need to know what user IDs and passwords they have, and get audited on it.”
But, she added, “That's a person to person or person to machine. But when we start looking at how we communicate from one ‘thing' to another ‘thing', there's no checks and balances there, there's no foundational benchmark as to what I have in my environment.”
“What companies need is to have that basis of certificates with what's known good in my environment and if something enters it which is not within that known good it needs to be stopped or it needs to have privileges revoked.” When you see vulnerabilities like Heartbleed, speed is critical. You have to build a baseline, said Moskites, and know where your certificates are and what their status is: “If you don't know what you have, you can't protect it, you can't remediate it.”
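The known-good baseline Moskites describes can be expressed as a simple inventory check: every certificate seen in the environment is compared against an approved set of fingerprints and issuers, and anything outside that set, or expired or weakly keyed, is flagged for blocking or remediation. The following is an added example written for this article, not code from Moskites or her employer; the inventory records, fingerprints, issuer names, host names and reference date are all constructed, and in a real deployment the fingerprints would be computed from the DER bytes of certificates collected by a scanner or from the servers' own key stores.

```python
"""Known-good certificate baseline check (added example, constructed data).

Assumes an inventory of certificate records with host, subject, issuer,
SHA-256 fingerprint, expiry and key size. Real baselines would be built
from the DER encoding of each approved certificate via fingerprint().
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed reference time so the example is reproducible offline.
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)

# The baseline: fingerprints and issuers the organisation has approved.
# All values are constructed placeholders, not real certificates.
KNOWN_GOOD_FINGERPRINTS = {
    "f1" * 32,  # web01 server certificate
    "f2" * 32,  # vpn01 server certificate
    "f3" * 32,  # legacy application certificate
}
APPROVED_ISSUERS = {"Corp Internal CA", "Example Public CA"}
MIN_KEY_BITS = 2048
EXPIRY_WARNING = timedelta(days=30)

# Constructed inventory, as a scanner might report it.
INVENTORY = [
    {"host": "web01.example.internal", "subject": "web01", "issuer": "Corp Internal CA",
     "fingerprint": "f1" * 32, "not_after": "2017-03-01T00:00:00Z", "key_bits": 2048},
    {"host": "vpn01.example.internal", "subject": "vpn01", "issuer": "Example Public CA",
     "fingerprint": "f2" * 32, "not_after": "2016-06-15T00:00:00Z", "key_bits": 2048},
    {"host": "legacy-app.example.internal", "subject": "legacy-app", "issuer": "Corp Internal CA",
     "fingerprint": "f3" * 32, "not_after": "2016-05-01T00:00:00Z", "key_bits": 1024},
    # A device that appeared with a self-signed certificate nobody approved.
    {"host": "sensor-17.example.internal", "subject": "sensor-17", "issuer": "sensor-17",
     "fingerprint": "ab" * 32, "not_after": "2026-01-01T00:00:00Z", "key_bits": 2048},
]


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as used in the baseline."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_time(value: str) -> datetime:
    """Parse the scanner's UTC timestamp format (constructed: ISO 8601 with 'Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess(cert: dict, now: datetime = NOW) -> list:
    """Return the list of findings for one certificate record, in a fixed order."""
    findings = []
    if cert["fingerprint"] not in KNOWN_GOOD_FINGERPRINTS:
        findings.append("not-in-baseline")
    if cert["issuer"] not in APPROVED_ISSUERS:
        findings.append("unapproved-issuer")
    not_after = parse_time(cert["not_after"])
    if not_after <= now:
        findings.append("expired")
    elif not_after - now <= EXPIRY_WARNING:
        findings.append("expiring-soon")
    if cert["key_bits"] < MIN_KEY_BITS:
        findings.append("weak-key")
    return findings


def decision(findings: list) -> str:
    """Map findings to an action: block anything outside the known-good set."""
    if any(f in ("not-in-baseline", "unapproved-issuer", "expired") for f in findings):
        return "block"       # stop it or revoke its privileges
    if findings:
        return "remediate"   # known good, but needs renewal or a stronger key
    return "allow"


def run_baseline_check(inventory: list, now: datetime = NOW) -> dict:
    """Assess every record; the result answers 'what do I have and what is its status'."""
    report = {}
    for cert in inventory:
        findings = assess(cert, now)
        report[cert["host"]] = (findings, decision(findings))
    return report


if __name__ == "__main__":
    for host, (findings, action) in run_baseline_check(INVENTORY).items():
        print(f"{host:32} {action:9} {', '.join(findings) or 'ok'}")
```

The same report is what makes a fast response possible when a library flaw like Heartbleed forces mass re-keying: the inventory already lists which hosts hold which certificates, so the remediation list is a query rather than a discovery exercise.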