For a start. it's my favourite time of the year. Halloween. I still remember going trick or treat while in the US, and when I was back, my ex-boss used to throw awesome neighbourhood party over at his place, complete with haunted house setup. I think he spends a lot accumulating props and stuff. It's one of those memories that brings your inner childhood out (playing dress up, and just looking more horrible than your usual $dayattire), which gives me great joy (and fright!) So in line with the theme, let's talk about fear.Specifically for the CISO's - who do fear more? To put a more detailed context to the question, I'll be asking - who do you fear more? Nation state actors or auditors?

Most of you know that I came from a long history of being in the telecommunications industry, and then transitioned into senior leadership role at a financial group. These experiences gave me an interesting perspective into how businesses operate, both in the regulated and unregulated space.

The fear for auditors

When I was in the regulated space, I was frightened to death of auditors. Fear-mongering on audit and results were just over the roof. We were constantly reminded that our career hinges on making sure there is no audit findings. Be it an internal auditor or an external auditor (what's worse, if its a regulator whose auditing you). So a lot of time and effort is put in on making sure that you follow the policy to the dot. But then the operating environment is so big and that similar to the ant analogy against a house. An ant only needs a tiny space to wiggle through and get into the house, while the house owner has to look at every nook and cranny to ensure there are no opportunities for the ants to come in. To add salt to injury, the findings are just "face-palming". "Oh, that system doesn't have password expiry and your policy says you need to have it". Or "you forgot to remove the user for the system which needs internal only access without VPN or any other profile, but since your policy says you are suppose to remove the user within X days, you didn't meet policy requirements". These findings go up to the board and CISO hangs his head in shame. Funnily at a large conglomerate, a board member even told the CISO to use Excel to keep track of account management for a 10k strong staff with hundreds of individual systems instead of considering Identity Governance and Administration systems.

Policy - bane of existence

The hung-tightness towards policy in some organization is beyond reprise. Often, a policy change in an organization implies that you are already compliant and should be ready for the next audit. But all organizations will fail because most will take some time, like getting a new system, instituting a process around what the policy requires to do. But auditors tend to be sticklers to policy and wants it to start working from the day it's approved (and most policies are pushed by the auditors for implementation, even though it does no real benefit for the organization, but looks good on paper for governance). We'll go into more details about policy and implementation and how organizations can avoid such pitfalls in another article.

For some business, compliance is business. If you look at an e-commerce site that relies on credit card transactions, then PCI-DSS is a must. In Asia we say "die-die" must do. Such business cannot survive if they are unable to make transactions, which makes business risk #1 and CISOs tend to gravitate towards ensuring that their career stays safe by meeting PCI-DSS requirements (remember, 7 character password is sufficient for PCI-DSS). Rationality goes out of the window and security becomes theatrics. Security becomes a tool to meet compliance rather than actually securing the business. A CEO once asked – how many compliance people do you need if you have zero business?

From here, you can see that the CISO's primary focus will be meeting compliance and governance requirements. Anything can be turned into a checklist and make sure you tick all boxes. Whether it makes sense, doesn't matter, but the boxes must be ticked. A template approach is most feasible and gives the stakeholder a false sense of comfort. But is the organization truly secure against actual threats? I wonder how the conversation will be the organization does get breached –

"But I ticked all the boxes?"

Nation State Actors - The threat

If by chance the CISO does get to focus on what really matters, you will see the gaze of the CISO towards improving security while bringing value to the organization. This is the Type 3 CISO that I discussed in my earlier series article, the link is at the bottom if you want to have a read.

CISO's focus would to constantly reviewing the threat posture of the organization, applying lessons learnt, looking at avenues to increase visibility, strengthening controls and bringing the organization forward every step of the way. As such, you see improvements, both tangible and intangible, having the pulse on the ground close to your heart and be able to advice if something has drastically changed which warrants the CISO to escalate and take immediate action. TTP's become focus and having an operational cyber threat intelligence, coupled with a blue team for defense and red team for offense helps to improve the security posture. CISO can also put more emphasis on building the team capabilities to further strengthen the organization. What's the reality?

In reality, you find CISOs fear auditors more than nation state actors or threat actors in general. The common thinking is that "If my organization gets hit by ransomware, sure, my systems will be down, but we will be able to rebuild in time. But if I get a black mark at the board meeting, I might as well find a new job!"

There is no shared responsibility and accountability for security as CISO becomes the convenient scapegoat for a blame and swift action is taken by removing the person to show that the organization is doing "something" to address the issue. (Still thinking of being a CISO?)

So, how can you change it?

The general consensus is to remove the portfolio of governance and compliance and have a separate team (usually under Compliance) to handle such functions. These frees the CISO to focus on the role of securing the organization. Remember that the CISO alone cannot secure the organization, its a role that's dependent on all other stakeholders. For e.g. you won't be able to mount the firewall to the rack if the DC guys don't give you physical access. If you want the CISO to be effective in his/her/their role, then you as an organization have to give them that focus to be able to make that difference for that portfolio. Bundling the 2 functions will only lead to disaster as one will demand more time and focus than the other.

All organization wanting to hire a CISO should ask themselves this key question – What is the main reason of wanting a CISO? Is it to meet a compliance/governance requirements of having one (which means the job scope is skewed towards governance and compliance and not security per say) or because the CEO can’t sleep at night, afraid his/her/their organization might be breached? (Also remember while the CEO may be worried about breaches, CISO's immediate supervisor may be worried about something else, assuming that the CISO is reporting another C level). This question will determine the focus and the “real” expectation towards what the CISO should be doing, instead of what the CISO is expected to be doing. Remember, what you expect may not be what you get, because of where the focus is being put.

Secondly, compliance and governance needs to be business sensitive and not be the "head-master" of policy document. Using risk based approach, have a balance between the document and the ground. There will be disparities. There will be deviances, but does it warrant a serious tone of a finding? Over-zealous auditors create more operational overheads on small teams that is struggling to meet basic operations, leading to a collapse of governance. Almost akin to a self-fulfilling prophecy so that there will be more audit findings. If the objective of an audit is to ensure 100% policy compliance, then your audit has failed to address the plurality of operations and business. Most often, business demands are retrofitted with security requirements, not vice versa. Purchase decisions are made primarily on price points and not how well the product meets technical requirements. Hence, how can you expect a 100% compliance when from genesis, the system was never meant to meet policy requirements? CISO then becomes the architect to retrofit and ensure there are security wrapper around the system to meet security objectives. Sure, we can write and sign off waivers on an annual basis, but that will eventually become a finding. (By the way, this is one of the primary roles of the team, where you are required to support business decisions, even though it may sound utterly ridiculous).

Remember, security is a business function, not vice versa.

References

The CISO Series - Types of CISO - https://www.linkedin.com/pulse/ciso-series-types-cisos-ramasamy-cissp-cism-gcti-gnfa-gcda-cipm/