Kim Crawley - 8 Steps to Better Security


8 Steps to Better Security: summary, description and annotation


Harden your business against internal and external cybersecurity threats with a single accessible resource. In 8 Steps to Better Security, cybersecurity researcher and writer Kim Crawley delivers a grounded and practical roadmap to cyber resilience in any organization. Offering you the lessons she learned while working for major tech companies like Sophos, AT&T, BlackBerry Cylance, Tripwire, and Venafi, Crawley condenses the essence of business cybersecurity into eight steps.

Written to be accessible to non-technical businesspeople as well as security professionals, and with insights from other security industry leaders, this important book will walk you through how to:

Foster a strong security culture that extends from the custodial team to the C-suite
Build an effective security team, regardless of the size or nature of your business
Comply with regulatory requirements, including general data privacy rules and industry-specific legislation
Test your cybersecurity, including third-party penetration testing and internal red team specialists

Perfect for CISOs, security leaders, non-technical businesspeople, and managers at any level, 8 Steps to Better Security is also a must-have resource for companies of all sizes, and in all industries.

8 Steps to Better Security — read the excerpt online


Security Leaders on Security Culture

Security leaders believe strongly in the importance of security culture. I asked some of these leaders for their thoughts on how an organization can improve their security culture. Their ideas were varied, but they all included improving relationships. For example, Andrew Gish-Johnson at Carnegie Mellon University stressed visibility and a willingness to help. He said, “Figuring out how to do things right is tough. Finding people to help is tough. If the organization doesn't know who to talk to or finds you're not helpful, they're avoiding you as much as possible.” But if, as the CISO, you can make sure the rest of the company knows who you are and what your role is, you can help improve your security culture.

Nav Bassi, the CISO at the University of Victoria, stressed “awareness and education,” while my friend Larry, a good cybersecurity leader but a very private man, said that “gamification (making educational material like a video game)” can help ensure employees understand cybersecurity well enough that they can maintain the security culture.

What Makes a Good CISO?

Not all organizations have chief information security officers. For the most part, they're like chief technical officers, but they're focused on cybersecurity. The nature of this executive role bridges the gap between nontechnical business leaders (“the suits”) and the IT department (“the nerds”).

Sometimes a company will outsource functions of the CISO role to a managed service provider or some other sort of third party. Either way, if your organization has a CISO, they're the top of the cybersecurity hierarchy. A CISO's job is to lead an organization's security team and to work with other executives to make sure the organization meets its cybersecurity goals. If a company gets hit by a major cyberattack that costs them millions of dollars, their CISO will be very stressed out.

I asked some security leaders what makes an effective CISO. In a nutshell, CISOs need to be able to work well with people. It helps to understand cybersecurity and information technology in general. But people skills are paramount in the CISO role. You need to be able to explain to other executives, such as the chief financial officer, why money should be allocated for a security budget. You need to be able to explain why spending $500,000 on cybersecurity can save the company $5 million. Further, you must also be able to lead your security team, including the people in your IT department.

Andreas Bogk, a principal security architect, also believes the CISO needs to be able to remain calm in a crisis. Nav Bassi thinks curiosity and resilience are important traits in a CISO. Randy Marchany, the CISO at Virginia Tech, believes in a strong team and thinks the CISO needs to be able to trust, defend, and cultivate the growth of the team. These characteristics all demonstrate the need for a CISO to be able to work well with other people.

The Biggest Mistakes Businesses Make When It Comes to Cybersecurity

I asked business cybersecurity leaders about the biggest mistakes organizations make when it comes to cybersecurity. Their answers included trying to solve a problem by buying off-the-shelf software, keeping investment in cybersecurity to a minimum, and believing that having employees who are compliant means that the company is secure. Mitch Parker, the CISO of Indiana University Health, put together his “top 11” mistakes:

1. Assuming that IT costs are sunk costs and that IT is capable of handling all issues with minimal effort or intervention.
2. Not doing or ignoring a risk assessment.
3. Not addressing or developing a risk management plan.
4. Not developing good internal processes to assess and address risks.
5. Under-resourcing information security initiatives either through lack of funding, team members, or both.
6. Assuming that cyber insurance is an appropriate risk transference mechanism. As of 2021, when this was written, the major cyber insurance carriers are becoming more stringent with who they insure. They are denying higher-risk customers policies due to ransomware payouts causing significant financial losses.
7. Leadership allowing their teams to bypass security controls and identified risks to facilitate the business, even if there is a high probability of a breach.
8. Assuming that security events will never happen to them for any number of imagined reasons.
9. Cutting security and IT costs out of projects to increase profitability on return-on-investment calculations.
10. Leadership not supporting security and information risk management as a required business function.
11. Overreliance on tools or services to address security needs based on inflated expectations and little analysis.

Even if you aren't a CISO, these are valuable tips for when you design your company's cybersecurity program. It's always best to learn from others the easy way, rather than learn the hard way by making the same mistakes yourself.

The Psychological Phases of a Cybersecurity Professional

You will probably work with cybersecurity professionals at some point or another. I want to help you to foster a strong security culture by teaching you what I've learned about how we think. Understanding this will be a big help in security hardening your organization.

When people start learning cybersecurity, they often believe that computer software, hardware, and networks can be made 100 percent secure. That's the first phase. “I must learn about everything that makes computers vulnerable, so those things can be completely remedied, and then there'll be no more security problems!” But as the first months and years of their studies progress, they learn that absolutely nothing can be made 100 percent secure.

The first problem is the complexity of computer systems. I love video games, so I'll use them as an example. Video games on Nintendo Entertainment System (NES) cartridges typically ranged from 128 to 384 kilobytes in size, with a few games, such as Kirby's Adventure, coming in at a relatively whopping 768 kilobytes. All of that code was written in assembly language, the code computers send directly to the CPU. NES games could have a few bugs here and there, but they couldn't have a lot of bugs and remain functional, because the games were programmed in a simpler way. Plus, the fewer lines of code a program has, the fewer bugs it can have and still run. Any programmer can tell you that.

As of this writing, most of the games I play these days are on my PS4 and Nintendo Switch, eighth-generation video game consoles. It's impossible to make these more technologically complex games in pure assembly language. Their developers use multiple computer programming languages, large media assets such as polygonal environments, sound and video files, and sophisticated game engines such as Unreal Engine 4 and Rockstar Advanced Game Engine. Eighth-generation games are often 20 gigabytes in size, frequently over 50 gigabytes. That's a lot more code than an NES game, and today's internet-connected video game consoles are constantly installing multiple-gigabyte patches. The first stable version of a game is never the last.

Debugging today's complex video games is much harder work. And the best developers know that even well-designed and maintained games will have at least hundreds of bugs. Their complexity causes this challenge.

The greater complexity of today's AAA video games is parallel to the complexity of today's corporate computer networks. The software, hardware, and design of networks are all much more complicated than they were in the 1980s and '90s. Many companies have hybrid networks where some of their servers may be on their premises while their other servers are provided by a cloud service such as Amazon Web Services (AWS). The internet interfaces with their networks at many points as a functional necessity, but the internet is the source of most cyber threats. Combine all that with trying to get your users and employees to behave in secure ways, and you'll understand that complexity is one of the main reasons why nothing is 100 percent secure.
