
Hey everybody, I'm Brian Contos. I'm the Vice President and CSO with Mandiant Advantage, and welcome to Cybersecurity and the Board: Choosing Success over the Sarlacc Pit. So let's jump right in.

A little background about myself. Again, Brian Contos. I work with Mandiant, but I've been in cybersecurity for about 25 years. I've worked in over 50 countries. Started with DISA and then Bell Labs, then started building a whole bunch of startups: Riptech, ArcSight, Imperva, Cylance and a bunch of others. I've written a couple of books, and I was in a cyber warfare documentary recently as well.

This says all companies, big or small, public or private, must embrace cybersecurity as a key issue with today's threat landscape. If you don't, you're not meeting your fiduciary responsibility. I love this one just because it's so simple. Look, it doesn't matter who you are, security is important, you better take note of it. If, as a board, you're not paying attention to this, you're not meeting your fiduciary responsibility. It's not even like you're a bad board member; you're not doing the core things that you need to do to help that organization. So you need to be armed with that detail.

One of the things that I've found speaking to these board members over time is it's not really about cyber risk at all. It's about the financial, brand and operational risk from cyber. There's lots of risk types. We discussed there's risk moving your company to a new location, there's risk expanding internationally, adding a new product line, making an acquisition. Cyber's just one of those. We're seeing CEOs in the news now all the time, even with power and energy companies and oil and gas companies who never used to talk about this stuff, but they're talking about cyber attacks. And I think it's because they woke up one day and said, you know, cyber is really important, we really need to dig into this. I think they had to, because their board members and their stakeholders and their shareholders are saying, look, this is a topic that needs to be covered.
We talk about other risks: political risk and military and terrorism and environmental issues and everything else. We better start talking about this publicly, because people care. You're seeing it in annual reports and corporate charters, corporate governance documents, and it shows up in all their public documents because it matters.

Now, evidence measures, like other strategic business units, are becoming critical now. So if you have a CFO and you say, how much money do we have in the bank, and the response is, well, we follow best practices and PCI and this and that, it's a very wishy-washy response. They're probably not going to be the CFO very long. You basically want to know how much money is in the bank. Well, in cybersecurity we've kind of been given a pass for a while, because it's very hard to calculate numbers in terms of how well are we doing, are we trending up or trending down, are we effective or are we not effective. But those are the types of things that board members need to know: are we going up or going down, are we able to operate effectively and efficiently?

And there's really like six basic things that I found that executives require, that they prioritize and that are really essential. They want to make sure, one, their communication channels like email are secure. The CEO wants to know if he emails the CFO or a board member that it's secure. They want to know that they're protecting their financial systems. They want to know that their customer data and their IP is protected. They want assurances of the availability of all their critical applications and the infrastructure that supports them, whether it's on-prem or in the cloud. They want to make sure that they're safeguarding access, that not anybody can just get in. And then of course they want to be able to demonstrate compliance. That's it. I mean, those are the six things, and once you get past that area it becomes a little less relevant to their calculus when they start looking at risks. So just keep that in mind.
Here's a quote from Alexa King. Alexa is interesting because not only does she work in cyber, but she's actually also a lawyer and she sits on several boards as well. Alexa said, if you provide boards with evidence-based data regarding your cybersecurity posture, trends, intelligence, effectiveness, etc., they should be able to provide you with valuable input based on their broader perspectives. So basically, again, they're saying, look, you have to talk about the cybersecurity posture. We've got to look at the trends: are we trending up, what does our threat intelligence say, how effective are our controls? We need to be able to arm board members with this information so they can look at their broader perspective, with the notion that hopefully the board members have their fingers in a lot of pots that maybe cybersecurity doesn't, and maybe your organization doesn't, because they're involved with a lot of organizations. So the reason you have these members is because they have a little bit of a broader perspective, in theory. So by arming them with these key points regarding cybersecurity and the effectiveness of the controls and what's happening on threat intel, what's happening on the horizon, that arms them with what they need.

And then keep in mind, this got hit on by pretty much every single board member I talked to, which was business relevance across all industries. Now, I'd be hard-pressed to think of one. Businesses rely on critical assets to generate revenue, okay? I don't think that's a weird statement. But they want to generate revenue, they want to deliver services, they want to be competitive, they want to add value, so significant investment is made into the protection of these systems. They want business continuity: they want to have access to the data, customer services, critical infrastructure. Think of healthcare, you need to be able to keep things running, right? Regulatory compliance: they don't want to get sued, they don't want a class action lawsuit, they don't want the negative PR that goes with that, with the fines that come with regulatory issues and accreditations and privacy and things like that. So they want to make sure their i's are dotted and their t's are crossed as well. Critical asset protection: my intellectual property, my customer data, these types of things. These are the crown jewels for most organizations, and we have to make sure those are protected and monitored. And finally, rationalization and optimization: do I really understand my threats, am I investing in the right places, do I have tools that are sort of old and I can retire now? These are the things that I really want to know as it relates to business relevance. And again, this comes up a lot: cybersecurity professionals don't necessarily think in terms of business relevance a lot of the time, because they're so busy fighting fires. They're thinking of those fires, they're thinking of that ransomware, that new malware, that new botnet, that one new attack that they've been hearing some chatter about, right, instead of sort of that bigger picture. All those other things are critically important, but when talking to the board and communicating, business relevance has to be kept in mind.

Audit committees evaluate a wide range of risks, from standardized accounting practices to the composition of boards. In cybersecurity, historically the audit committees have lacked control effectiveness evidence, validation measures against threat intel, and optimization metrics, for instance analysis and response capabilities. Lacking these key data points results in audit committees being less effective at measuring and managing risk. Again, it's all about those measures and all about validating. And now he says something here about validating against threat intel, which has become a key topic really in the last couple of years. It's saying, look, it's not good enough just to validate my security controls against attacks that I write in Python or some shell scripts, or some attack database that was given to me by a vendor, for example. What I really need to do is take the latest breaking threat intel as well, so I can know, hey, where do we stand against these latest threats? The threat that just popped out that's specific to my industry, and it came from my ISAC or from some subscription service that I have. So measuring my controls' effectiveness against the latest threat intelligence is just as important as measuring my security controls' effectiveness against known, sort of legacy or historic attacks.

When you're talking about security validation or breach and attack simulation, again, this is something that keeps on popping up a lot in these conversations. It really comes down to a few key pillars, right? You want to do things a little bit differently, not just better. The idea is not a firewall that goes a little faster, an IPS that has a few more signatures, or a proxy that does this or endpoint that. This is actually a different perspective when you look at validating security controls. It's all about how can I do things like, one, identify where the gaps are across email, network, endpoint and cloud, and hopefully when I identify those gaps have a solution, whether security validation or BAS or what have you: how do I tune that tool? Now, okay, here's the whole "tell me how to fix it." How can I address that? I need something to get me to that next level; don't just tell me where all the holes are. Then once I fix that thing, let me retest it and validate that it actually works by providing assurances. Okay, I found a whole ABC, it says do you want to fix ABC, this is what you need to do, I fix it, and then I test it to make sure that fix worked. I would have loved this in the early days of SIEM. How fantastic would that be? You write a rule and now I want to go ahead and test it and make sure that rule really works against a real attack.

Then I want to mitigate environmental drift. Once I find that hole and fix it, I want to go ahead and test that every hour, every day, every week, to make sure that it stays fixed and there's no environmental drift that's caused by either my security team or my security devices or the IT infrastructure team or something else. Maybe they installed a proxy server and now syslog isn't making it to my SIEM. A tap was bidirectional, now it's unidirectional, and now my IPS isn't providing value. I need to avoid that environmental drift, and when that thing that was blocking or was alerting or was detecting has stopped, I need to know right away.

Then rationalizing: how do I prioritize, where do I put my next investment, what devices can I get rid of? We're starting to even now see people that have the title like Vice President of Rationalization, and the whole job role is about getting value from your security controls. Also mapping and measuring: I want to make sure that what I'm doing follows the best practices and I can map it to things like MITRE ATT&CK, SANS and NIST, right? Reporting and communicating, so key: being able to not just validate your security tools in terms of their effectiveness, like all these board members have been talking about, but then being able to communicate those measures in a report that's easily understandable by a board member that might have five minutes a month to really consider cybersecurity. And finally, demonstrating value. Cybersecurity isn't just about stopping bad things; it should be about enabling the organization. Now, I know we've kind of been talking about doing that for a very long time, but I think we're to the point now where we can say, by having a strong security posture, we can make this merger and acquisition run much more smoothly, we can make this expansion to this market better, we can make our connectivity with this supply chain or this partner more stable. So again, demonstrate value.

This is Julie Cullivan, again a board member with a healthcare organization, a technology company, cybersecurity companies. She says most wouldn't argue that automated, proactive, intelligence-led approaches to cybersecurity are where we need to move as an industry. See, threat intelligence again. However, most organizations don't have the resources to maximize that value. Very true: most organizations today don't have very large threat intel groups, or they're just a small branch of the security team. This is another case where leveraging a third party can utilize their platforms and experts to help provide a service and enable an intelligence-led approach to be successful at scale. Such a key point, because this isn't just necessarily throwing products at problems. I think there's sort of this new embrace, if you will. MSSPs and services and incident responders and professional services doing red teaming and purple teaming and things like that, and providing threat intelligence, that's all been around for a while. But now I think people are saying, look, we can't hire enough, we can't train enough, we can't invest enough in our own infrastructure to develop the expertise.
We could get by partnering or by leveraging the service component, especially for threat intel. So definitely, work with organizations that have very robust, sophisticated threat intelligence. You're never going to pull that in-house; even a lot of government agencies, of course, have to rely on other agencies to provide that information to them. So again, threat intelligence is extremely important, and being able to take advantage of it from a service perspective might be something to strongly consider as well, because again, threat intelligence is a topic that is showing up in boardrooms more and more.

Here's Bill Crowell. Bill and I actually wrote a book together not too long ago, but he was the former Deputy Director of the National Security Agency, the NSA. So he knows a little bit about intelligence, right? So he says having an intelligence-led approach to cybersecurity doesn't just make the security team more effective, it provides the evidence leadership needs to ensure that your goals, objectives and priorities are aligned with their business requirements in the face of the latest relevant threats and threat actors. I love this because he's basically saying threat intelligence is key, yes, but it provides you that evidence that leadership also needs. So when they're looking at all their business goals and all their business objectives, they know where those objectives are in terms of the relevant latest threats and threat actors. And basically he's saying, look, if you're going to do business you have to have threat intel as a component of that, of course, or why even have security controls at all?

Now, this notion of an intelligence-led approach: this is something that, again, I heard time and time again. It's the new tip of the security spear, if you will. With validation and automation, intel has really hit its stride to become that tip of the spear. But intelligence-led is all about intelligence being timely and relevant. I want to test the old stodgy stuff, the legacy stuff, too, but I need the timely, relevant stuff as well. I need to automate it, because it's a lot of data. I need to operationalize it so I can leverage that automation, personalize it so I can see how is that relevant in my environment with my tools, my people, my processes, everything that's good and bad about my network, right? I'm going to have things that are broken and things that are working well, and I have to make sure that I understand how well they're working in terms of that threat intel. All right, I want to be able to answer questions like, are we safe from this attack that my CEO just heard about on the news, right? How do our tools respond to this attack? How do our people respond? Do our processes actually work? Now I want to be able to measure that effectiveness and report on it and trend it, so I can go ahead and show my board: this is where we stand, there's no guesswork, here's the evidence. Here's the latest threat, we've tested our tools and our people and our processes against this threat, this is what's working, this is what's not. Maybe we're preventing but we're not alerting, maybe we're detecting but we're not preventing. What are these holes that we can fill? And then based on that I can prioritize. I can actually say, okay, this is where I need to invest, this is how we have to prioritize, or maybe this is an area I can divest, or this is where I can train and I can use this budget to hire more. And then I want to be able to protect in perpetuity against that threat, from environmental drift like we talked about before. It's working today and hopefully it's working next week, but is it going to work next month, next quarter? I want to make sure it is, so I get that ROI.

Jay also says that boards and the C-suite are recognizing that software with a service is the future of cybersecurity. Technology-led platforms, augmented by security and operations experts, are delivering value via productized services. So again, another board member pointing out that you're not going to be able to do all of this in-house anymore. He says, for example, this may be utilizing software as a service through a combination of red teaming, security validation, event analytics and threat intelligence, where I need to continuously know the state of my controls from multiple real-time and forensic angles, where my gaps are and how to fix them, when validated against the most timely and relevant threat intelligence. So to kind of paraphrase that: having a platform that's accessible is key, so you can do all your own work, but having a services group, threat intel, professional services, etc. that plugs into that, where you have software with a service, that seems to be a very popular conversation that's being had now.
Demonstrating operational competency. So this notion that, just like we want to prove that our security tools are working, we want to prove that our security strategy is actually effective. Evidence-based communication, not assumption-based. You've got to be able to prove it. At this level, working with the board, you have to be able to prove it, and they want measures, they want evidence, they want facts. They want to know about the effectiveness of your security control, not the fact that you have a security control. They want to know how you're able to prevent, detect and respond to this threat, not that there is a threat. So what's working, what's not, what needs to be done, in what order?

They want to demonstrate trending analysis. The trends are so key, I can't overemphasize this, because it's not about having coordinates, it's about having a vector, and the trend kind of shows you where you're going over time. It's usually not a straight line; it's kind of up and curvy and back, and things are going to get better, things are going to get worse, but you need to hopefully, over time, be trending in the right direction. Progress specific to threat intel: I want to show that we're making an investment based on our new threat intelligence, and based on this, here's how we're actually able to address it. Here's the facts, not "we need a new security tool, there's some bad things happening." Have that evidence. Risk to partnerships and supply chains: again, don't just think about your internal organization, but how does this apply to the people you partner with? System health, with security being a system of multiple systems, right: are they running, are we getting value? Total cost of ownership and metrics, right. Effectiveness of teams and processes: it's not just about the technology, it's about the people we have, making sure that they're trained, that they're effective. And as you add new tools and remove tools and change things, you have to make sure that they're still able to operate effectively. Sometimes they need additional training, sometimes they need additional access to information that maybe they didn't have access to before, maybe processes need to be changed. And budget planning has to be based on facts, not theoretical bad stuff. These tests, this intelligence, they need to be based on the evidence that you're proving, that you're showing to your board. And then relevance for the C-suite and board: all this sort of demonstration of operational competency is so the final reports and communication that you're doing with your board are actually relevant, they actually hold merit and value for them.

Karen Nortman, again on the board of just a very large number of companies, said companies are embracing cybersecurity services at an increasing rate, okay, and this trend will continue to intensify. Augmenting your cybersecurity controls, teams and SaaS solutions with specialized expertise means greater security ROI and reduced risk. Okay, again, just another hit on the fact that cybersecurity services are one of the things that boards are looking at heavily as a way to augment their team, because they know it's almost impossible to scale an organization internally without some level of augmentation. Now, whether that's supposed to be in intelligence, or in incident response, that's for your organization to decide, but it's a question about scalability, and just table stakes for being able to address today's threats.

Now I'll leave you with this, just a little plug. So I've interviewed over 100 people on my podcast. It's called the Cybersecurity Effectiveness Podcast. You can find it on Spotify, iTunes, etc. It is a video podcast now; in the early days we were just audio only, but I have the full interviews with these board members. Once again, I'm Brian Contos. Take care.
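Editor's added example, not part of the talk above and not code from Mandiant or any vendor: a minimal control-validation scorecard of the kind the talk describes. Each test records whether a control prevented the action, detected it at the sensor, and raised an alert that reached the SIEM (the talk's "preventing but not alerting, detecting but not preventing" cases). Comparing two runs flags environmental drift (something that used to block or alert no longer does, or a test was not re-run), and the roll-up gives percentages that can be trended for a board. The test IDs, channel tags, outcomes and the log-forwarding scenario are all constructed for illustration.

```python
"""Added example (not from the talk): per-test prevent/detect/alert outcomes,
drift between two validation runs, and a board-level percentage scorecard.
All test IDs, channels and outcomes below are constructed sample data."""

from dataclasses import dataclass
from typing import Dict, List

FIELDS = ("prevented", "detected", "alerted")


@dataclass(frozen=True)
class Outcome:
    """What the controls did for one test: blocked the action, produced a
    detection at the sensor, and raised an alert that reached the SIEM."""
    prevented: bool
    detected: bool
    alerted: bool


# Constructed sample tests (hypothetical; not real attacks or results).
# The channel tag is the surface the test is delivered through.
CHANNELS: Dict[str, str] = {
    "T01": "email",     # malicious attachment delivered to an inbox
    "T02": "network",   # command-and-control beacon over DNS
    "T03": "endpoint",  # credential dumping from process memory
    "T04": "cloud",     # storage bucket exposed publicly
    "T05": "network",   # lateral movement over SMB
}

BASELINE: Dict[str, Outcome] = {
    "T01": Outcome(prevented=True, detected=True, alerted=True),
    "T02": Outcome(prevented=False, detected=True, alerted=True),
    "T03": Outcome(prevented=True, detected=True, alerted=True),
    "T04": Outcome(prevented=False, detected=True, alerted=True),
    "T05": Outcome(prevented=True, detected=True, alerted=True),
}

# Latest run (constructed). T02 is still detected at the sensor but the event
# no longer reaches the SIEM (a log-forwarding change), T05 is no longer
# blocked, and T04 was not re-run at all.
LATEST: Dict[str, Outcome] = {
    "T01": Outcome(prevented=True, detected=True, alerted=True),
    "T02": Outcome(prevented=False, detected=True, alerted=False),
    "T03": Outcome(prevented=True, detected=True, alerted=True),
    "T05": Outcome(prevented=False, detected=True, alerted=True),
}


def find_drift(baseline: Dict[str, Outcome], latest: Dict[str, Outcome]) -> List[str]:
    """Regressions between two runs: an outcome that got worse, or a baseline
    test that was not re-run. Improvements are not reported as drift."""
    findings: List[str] = []
    for test_id, before in sorted(baseline.items()):
        after = latest.get(test_id)
        if after is None:
            findings.append(f"{test_id}: not re-tested, coverage gap")
            continue
        lost = [f for f in FIELDS if getattr(before, f) and not getattr(after, f)]
        if lost:
            findings.append(f"{test_id}: regression, no longer {' or '.join(lost)}")
    return findings


def find_gaps(results: Dict[str, Outcome]) -> Dict[str, List[str]]:
    """Partial coverage within one run: blocked silently, detected but not
    blocked, detected but never alerted, or missed entirely."""
    gaps: Dict[str, List[str]] = {}
    for test_id, o in sorted(results.items()):
        labels: List[str] = []
        if o.prevented and not o.alerted:
            labels.append("blocked but no alert")
        if o.detected and not o.prevented:
            labels.append("detected but not blocked")
        if o.detected and not o.alerted:
            labels.append("detected but alert never reached the SIEM")
        if not (o.prevented or o.detected):
            labels.append("missed entirely")
        if labels:
            gaps[test_id] = labels
    return gaps


def scorecard(results: Dict[str, Outcome]) -> Dict[str, int]:
    """Whole-percent share of tests prevented / detected / alerted. Trend
    these across runs rather than reporting a single snapshot."""
    n = len(results)
    return {f: round(100 * sum(getattr(o, f) for o in results.values()) / n) for f in FIELDS}


def report(baseline: Dict[str, Outcome], latest: Dict[str, Outcome]) -> str:
    """Short text summary suitable for a one-slide board update."""
    before, after = scorecard(baseline), scorecard(latest)
    lines = ["Scorecard (baseline -> latest):"]
    lines.extend(f"  {f:<9} {before[f]:>3}% -> {after[f]:>3}%" for f in FIELDS)
    lines.append("Drift since baseline:")
    lines.extend(f"  {d}" for d in find_drift(baseline, latest) or ["none"])
    lines.append("Gaps in latest run:")
    for test_id, labels in find_gaps(latest).items():
        lines.append(f"  {test_id} ({CHANNELS[test_id]}): {'; '.join(labels)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE, LATEST))
```

Running the module prints the scorecard for the constructed runs: prevented drops from 60% to 50% and alerted from 100% to 75%, with T02 flagged as "no longer alerted", T04 as not re-tested and T05 as "no longer prevented". In practice the outcome records would come from a validation or BAS platform's results export, and the baseline would be the last accepted run rather than a hand-written table.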