CISOs inevitably are the organizations' leaders in achieving resilience, which is to say an ability to continue to do business or accomplish the mission in the face of cyber attack. Thus discussions of resilience began with thoughts about the CISO, observations about the opposition, and then considerations of what businesses can learn about resilience from organizations who have long experience in thinking about the problem.
"Fighting the Last War."
Alex Stamos (CSO, Facebook) delivered a Thinks Forward talk on "Fighting the Last War." He began by asking whether CISOs were having the right impact, and he answered his own question in the negative. "We're massively underperforming, given the responsibilities we have. We focus on complexity, not harm, and the vast majority of actual harm comes from abuse. In most cases there's no technical component to this abuse. The number-one source of harm with a technical component is compromise though password reuse."
It's possible, he said, that an action taken by one threat actor isn't even against your rules. "Security nihilism" is a problem. It's an overlapping set of beliefs that the attacker is perfect, he noted, that the scenario we face is always the worst case. He displayed a pyramid of threats, a kind of malevolent Maslovian hierarchy of needs. The rarest of threats, occupying the apex and taking up disproportionate time and thought, is the highly targeted, sophisticated exploitation of a zero-day. But the problems enterprises actually face are in the vast majority of cases the mundane ones of social engineering, insider threats, and exploitation of unpatched systems.
He thought CISOs might do a better job of structuring their teams. "They're still too often ghettoized, and not part of the group that's dealing with organizational risk and considering the future of the company." He also thought we too often don't have the right people in terms of background and thought. "We need diversity of roles. We need to get rid of the idea that only people with the right tech degrees can possibly understand tech."
"The Cyber Frontlines: national cyber competition."
Raj Shah (entrepreneur, former managing partner DIUx) moderated a panel composed of Major General Hua-Ching Chien (Director of Information Assurance Division, J6, Taiwan Ministry of National Defense), Elsa Kania (Adjunct Fellow, Center for a New American Security), and Zulfikar Ramzan (CTO, RSA). They discussed the clear and present international competition in cyberspace, amounting now to significant conflict among capable adversaries, identifying and hitting one another's vital technologies and capabilities. Cyber warfare has extremely low barriers to entry. It doesn't take much to develop a useful capability. And the world is so interconnected, even a small perturbation can have a tremendous ripple effect. Ramzan summarized the advice he gives to customers: get the basics down, focus on resilience, and don't try immediately to attend to exotic and sophisticated threats.
Ways of building resilience.
The panel devoted specifically to resilience was moderated by Neill Occhiogrosso (Partner, Costanoa Ventures). It included Chris Wlaschin (CSIO, US Department of Health and Human Services), Sean Kelley (Former CISO, US Environmental Protection Agency), Jeff Klaben (CISO, SRI), Brendan O'Connor (CTO, Service Now), and James Beeson (CISO, Cigna).
Occhiogrosso defined resilience as "what we do after an incident to keep the business running," and he asked the panelists to share their relevant war stories. The panel's observations and recommendations agreed that resilience came down to planning and practice. They understood a resilient organization as being one that had quick and effective incident response capabilities.
Beeson emphasized the importance of making quick sound decisions under conditions of limited information. Kelley thought that "Too many people try to wing it. Notoriously, people don't know what they have in their environment. We have to look at frameworks." The delta between stress under training and stress during an incident is enormous, of course, but any training should help, even setting aside an hour or so and thinking about your incident response.
"Bad news is good news," said Klaben, quoting a mentor. "If you don't want the bad news, you shouldn't have the job." He recommended assuming that you're under attack during any implementation. "There's nothing privileged in terms of access that an attacker won't go after." Having a standby incident response and good situational awareness during deployment are vital.
Klaben also advised using references, and remembering that you're part of a supply chain. "Your partners may have a plan that you're part of. Have 'what would you do' scenarios for things that could happen every day." Everyone in cyber is a teacher, Klaben argued, and such teaching is vital to becoming a resilient organization. "If you're not a teacher, get out of the field. You can't just dump a lot of information on your business customers. They have to become your partners." A series of elevator pitches you can use to educate your board and C-suite is a useful tool to have. Wlaschin suggested relearning and reteaching some old disciplines, paper processes for backup.
Resilience is something your board should grasp. As Kelley pointed out, the board is concerned about staying in business no matter what happens. Wlaschin advised CISOs to educate themselves on the language boards use when they talk about risk. "If you can frame cyber issues in terms of risk to the business, you'll be able to communicate with them." Beeson concurred strongly. "The language of business is finance. Learn that language." He recommended that CISOs send their people to some finance classes the better to equip them to talk about business risk.
Finally, educating people on the mission is essential. They need to understand the mission and the objective. Understanding that overarching mission will help them make the right decisions under pressure.
Planning and drill: a place for risk reduction exercises.
A panel on risk reduction exercises discussed how enterprises are basically on their own when they're attacked. If they call law enforcement, at best they'll get sympathy. On a bad day they'll be told they're negligent. But this suggests some lessons from the military school of life. Robert Rodriguez (CEO, SINET) moderated the panel, whose members included Niall Browne (CSO and SVP Trust & Security, Domo), Humphrey Christian (VP of Product Management, Bay Dynamics), Sameer Dixit (Senior Director, Spirent Security Labs), Nadav Zafrir (Co-founder and CEO, Team 8), and Steve Zalewski (Chief Security Architect, Levi Strauss).
When you're the midst of a cyber incident, you're fighting for your business's life. So the discussion (with many allusions to SunTzu) asked whether it was possible to bring military concepts of exercise and training to make that fight more winnable? Browne held that "The only way to be prepared for this fog of war is to understand your crown jewels, what the attacker is after, and what your communication systems you need to use in a crisis."
Zalewski stressed the importance of corporate culture in determining what corporate protection would look like in any given business. He thought deskside exercises a good tool to help executives gain clarity about the kinds of crises they would face.
Christian emphasized the volatility of incident response. You're up against an opponent, and while no plan survives contact with the enemy, planning is vital to sound preparation. The panel commended development and use of playbooks for core threat scenarios, and their regular review and exercise.