Those who follow this blog have likely invested much of their careers in identity and access management (IAM) without realizing the intersection and value that cyber security and risk management add to the craft. Others are looking for an inroad into IAM or cyber security as a career, coming from a different discipline, say network administration or database administration. Mid-level managers and PMO staff also have a stake in how their InfoSec and IAM programs are operated. This post is for you!
So I have asked a long-time friend, Jeff Kistler, to write a short guest post giving us some tips and recommendations on leveraging cyber security and risk management more effectively to help individual careers and enable businesses. Jeff is an information security officer for the US Navy with over a decade of experience managing information assurance for the DoD. I am excited that Jeff has agreed to share his experiences here, and I am definitely looking forward to him contributing more of his knowledge on the Forte Advisory network in the months ahead.
Enjoy the post, and as always feel free to leave your comments here or reach out to me directly with your thoughts or suggestions.
After being an Information System Security Officer (ISSO) responsible for enclave security and data protection in the federal government for over a decade, I have seen the demand on security professionals reach an all-time high. The New York Times recently reported that “Cyberattacks have become an ever-increasing threat. The F.B.I. now ranks cybercrime as one of its top law enforcement activities, and President Obama’s recently proposed budget would sharply increase spending on cybersecurity, to $14 billion.” The report goes on to list some of the more recent security incidents: Premera Blue Cross, Sony Pictures, Staples, JPMorgan Chase, the Office of Personnel Management, and Target, just to name a few.
Management teams are always looking for cost-effective solutions that prevent technical disaster and maintain client trust. While there is certainly an abundance of hardware and software solutions out there, I feel that soft skills have taken a back seat to urgency. Here are a few areas I believe are critical to get right; when they are, they provide a great deal of value to both individuals and organizations.
Build strong metrics
Leadership will eagerly claim that they strongly support their cyber security team, but it is rare to find a leadership team that actually knows how they are protected, or not protected for that matter. Work with management to understand the actual threats that are actively being prevented. Putting together metrics that demonstrate strong protection while maintaining Ao (operational availability) will help instill management’s confidence in their cyber security workforce. I have also taken to keeping my leadership apprised of the latest threats through a quarterly report. Use metrics to demonstrate, for example, that there have been fewer reports of data breaches since the onset of your latest PII training and awareness campaign. Always include management and other team leads in your metrics development; engineering and security statistics frequently go hand in hand.
Threat mitigation is a lost art
Cyber monitoring tools, policies, and directives are often too rigid in nature and excessive. Remember, 100% compliance is not achievable. In order to survive in this fast-paced industry, security professionals first have to become experts in the art of mitigation. When I say “mitigation”, I am referring to the practice of reducing the severity of one vulnerability by strengthening another (more feasible) security control. Security professionals have to be innovative in their approach to handling known threats. If a threat is identified with a likelihood or severity of “Low”, perhaps they should focus on higher-priority vulnerabilities first. Often, remediating a higher-severity vulnerability will eliminate multiple lower-severity ones in the process. It has been my experience that working from the outside boundary inward provides an ample amount of mitigation for lower-level controls. Try not to downplay the importance of environmental controls: locking a system cabinet and restricting access to your server room can mitigate the need for a great deal of system-level controls. Also note that stating a patch could not be applied because it breaks system “A” is not a proper mitigation; that is a risk left open, not a control put in its place.
Stop shining your badge!
While maintaining clear separation of duties and avoiding conflicts of interest, it is important for security professionals to understand their reliance on system engineers and administrators. Applying security is extremely costly at times. Taking a more flexible approach, with a little sensitivity and understanding for administrative and productivity needs, will go a long way toward reaching a mutually acceptable end goal that is often less costly in the end. Our job is not to police our coworkers. Instead, we should take a more collaborative approach that involves other team leads. Which leads me to availability.
Availability is important too
Yes, protecting your system is of course one of your primary goals, but not at the cost of sacrificing the system’s functionality or availability. It is certainly not our goal as security professionals to secure our enclave to the point of denial of service. As an alternative means of applying security while ensuring availability, try mitigating your risks by introducing a new low-impact policy instead of a rigid registry edit. You may be able to supplement a domain-level GP (Group Policy) with a strong business policy. I have learned through experience that strong group policy does not always account for non-connected systems; this is where a local corporate policy or procedure on proper handling may be a more effective approach. Availability is important to everyone. Without it, we have no product at all.
Don’t be a problem generator
As a security professional, you are always going to be searching for issues, identifying risk, and documenting deficiencies. Problems without solutions do nothing for your rapport with your engineering team and will typically decrease your credibility with management as well. Remember, your company is in the business of making a profit; your job is to help accomplish that in a more secure manner. Presenting a solution along with a newly identified problem will ease the burden of applying security and strengthen the unity between you, management, and your engineering counterparts. In general, any time you assess your system’s security needs, you should include user representatives, project managers, leadership, engineers, and perhaps a non-biased security professional or consultant.
Remember, as security professionals, we play a vital role in the success of the corporate mission. While our role is of course to implement security, it sometimes helps to apply a little “out of the box” thinking by mitigating risk and ensuring system availability.
Jeff Kistler worked for 5 years as a DHS intelligence analyst and has over a decade of experience in information assurance and system security implementation for the DoD. Today he leads a team of cyber security professionals protecting complex systems for the DoD Naval Aviation community.