Using Cyber-Attacks for C-Suite Buy-In
Incidents Can Influence Decision-Makers on Funding Infosec
Mischel Kwon, onetime head of the Department of Homeland Security's United States Computer Emergency Response Team (US-CERT), says chief information security officers can use recent, high-profile attacks to make the business case to the C-suite and to those who fund information security initiatives. That pitch can't be technical; it must be delivered in terms of its impact on the business, she says.
"Have them understand the loss in terms of liability, in terms of loss of revenue, in terms of loss of customer," Kwon says in an interview with Information Security Media Group [transcript below].
"It's a much more advantageous way to speak to an executive in the business part of the company, which is the part that's going to fund us," she says.
Security leaders will frequently have to make that pitch to upper management, because information security is a rat race, Kwon says. In order to keep up, security leaders need to manage the hygiene of their systems through a secure architecture, enforcing policies and monitoring systems.
"It's a very complex layered approach to managing the security and trying to get out ahead of that adversary," she says. "We'll always be running, trying to keep ahead, if we're funded well enough that we can do that run."
In the interview, Kwon:
- Discusses the significance of the Facebook cyber-incident to Internet users and to IT security professionals charged with safeguarding their enterprises' systems and data;
- Assesses the impact of President Obama's cybersecurity executive order and proposed legislation from lawmakers on sharing cyberthreat information between the government and industry;
- Explains how organizations can position themselves to mitigate or reduce the risk they face by the likes of the Facebook hack.
Before heading US-CERT, Kwon served as deputy director for IT security staff at the Justice Department, where she oversaw the deployment of the Justice Security Operations Center to monitor and defend the department's network against cyberthreats.
After leaving US-CERT and before founding her consultancy, Kwon served as vice president of public sector security solutions for the worldwide professional services unit at security provider RSA.
ERIC CHABROW: What message does the Facebook attack send to the information security community, especially those in end-user organizations?
MISCHEL KWON: It sends a message to a broader audience than just the security professionals. It sends a message to the users. As we move more and more of our lives online - whether it's being social, whether it's doing banking, purchasing or e-mailing our kids' teachers - as we move our lives to the Internet, crime is also going to move to the Internet. Espionage is going to move to the Internet. All different kinds of what used to be physical crime now become crime on the Internet, or espionage, or whatever activity. What's transpiring physically now is happening virtually.
As users, we have to be much more aware that we're putting ourselves at risk, whether it's the information that we're putting online; whether it's that our computer is also being used for doing something else, like purchasing; or it's storing some type of sensitive information. We just have to be a lot more cognizant and aware as users of what we're doing on IT systems, and which IT systems may or may not have problems.
But even more than that, looking at the mission space, historically we think of IT security people as the people that push the button that protects us. But really, IT security professionals are those people that give recommendations and find bad things that are happening and then suggest a remediation. The actual people that push the buttons are the operations folks. In order for them to change a system, add security devices, change architecture to protect or to remediate from an incident, they need funding. Who funds IT? The mission-space owner because IT really is supporting the mission, whether it's banking and it's websites they're supporting, the banking or the transfer of money, or whether it's the website that Facebook is supporting the social media application.
The mission-space owners inevitably pay not only for that security recommendation and that security remediation advice and detection, but also they pay for the operations folks that make those changes, so that's expensive. At some point, those mission-space owners have to understand that they need to pay that cost in order to protect themselves.
Getting the Needed Resources
CHABROW: Let's turn to the information security organization, the CISO and others. How should they approach the operations people? How should they approach their bosses in getting the needed resources?
KWON: At this point we need to evolve as a profession, and we need to understand how to translate what's going to happen to them, from our security geek-speak to that risk management and mission speak, so that the executives understand the risk and the cost to the organization and the business. The days of us bringing presentations that show an attack and talk about malware, talk about buffer overflows, I think those days are kind of spent, and I think executives are kind of deaf to that kind of discussion. Having them understand the loss in terms of liability, in terms of loss of revenue, in terms of loss of customer, I think it's a much more advantageous way to speak to an executive in the business part of the company, which is the part that's going to fund us. As a CISO, we have to learn how to do that speak, make that translation and do those estimates so that we can get the funding that we need.
CHABROW: Obviously, there's been a lot of interest in the Facebook hack. How can the security professionals use what happened to Facebook to make this argument?
KWON: That's a hard one because I don't know the details of the incident, but I think if they look at any incident that happened in their own company, they would understand that something that affected the business would be either a loss of revenue or a loss of customers, and I think the Facebook example should cause question as to whether or not they will actually lose users. I think all of that depends upon if users were notified, if there was actually a said loss. It's my understanding that there actually was not a found loss, so that one is not exactly an easy discussion.
But there are others that are. If you look at businesses that are out of business now, because of banks that had IT incidents around their ATM machines that are no longer in business, or if you look at other IT companies that had large breaches that are no longer in business, those are the extreme cases that are easy to point to. Industry by industry sometimes you can find some justification for numbers in looking at shared information about incidents. For instance, looking at the FS-ISAC and the information they share amongst each other, they as an organization can be supportive of each other in helping put together those kinds of numbers and that kind of executive justification.
Sharing Info among Businesses
CHABROW: Also in the news is the President's executive order, calling for a cybersecurity framework and information sharing. There's new legislation out there to enhance or promote information sharing. Without the executive order and without the legislation, are there still opportunities, and what are the opportunities to share information among businesses?
KWON: I have to say I'm not sure if the current writing of the legislation - which says that you're allowed to share, nothing is changing but you're allowed to share - is really going to do any good, but that's just my personal opinion. But I will say that it's important to know that all cyber intelligence does not come from the government. Some does and it would be great if we knew more about that, but there's also information that's available from purchase and also from exchange within other working groups across the industry.
We need to look forward at not necessarily exchanging verbal information, but look at exchanging information from a technology perspective. Look at direct intelligence feeds through products or other types of ways of looking at the data from a meta-data level so that we're stripping away all the identifiable information so that it's really truly just the indicators that are being passed. You'll see new products out today that are doing this kind of work and there are standard formats that are being decided on for that kind of meta-data level of threat intelligence feeds. Those are available today through some new products on the market.
A New Normal of Cyberattacks?
CHABROW: Are we at a new normal here, or is this sort of the old stuff going on? Because we're hearing about Facebook, Twitter, the Times and other organizations.
KWON: There's a lot of stuff in the news - especially this week - about an increase in attacks, and I just don't think we have the metrics to prove that. I think we understand that this has been happening for a long time, and that maybe we're just finding more occurrences of it, but I don't know if we have metrics to say it's new or that it has increased. But we do know it's been around for a while and we do know that it is not good. And that it's not good news, so however you want to wrap your heads around those metrics, I think just saying that we have a problem is good enough. We can't prove whether it's escalated or whether it's new. In fact, I don't believe it's new. What we need to do is embrace the fact that security shouldn't be the first place where money is cut. In the end, we're securing our businesses - not boxes, not IT systems - and that should be a huge executive priority.
Root of the Problem
CHABROW: When we hear about these attacks, such as the Facebook attack where malware got into the system, it was recognized and they got patches to fix it. But the bad guys are going to get into systems. Is something like this basically good news that people are fixing the problems when they discover them before maybe it's too late, or don't we really know?
KWON: IT systems are really complex and it's really difficult to manage this process, and I think we're just moving into a realm where we're getting better at managing the hygiene of our systems. In managing the hygiene, you're managing the security of your systems. Security management is the hardest piece of it. We've tried to do that in the past with compliance. How do you balance that work of compliance with what's operationally happening to your system, and come up with a way of using that complex baseball bat to remediate what's happening to you on your system? That's a hard trick and people are learning how to do that. That's the whole concept of continuous monitoring in the federal government, and I think we're taking steps forward to do that.
But even if we're the best at the hygiene of our systems and secure our systems to the utmost, there's still a risk of having an incident and being attacked. For someone doing it successfully, vulnerabilities can always be found and there are always zero-days. But I think what we need to understand is that security is much more than just hygiene. It's layering. It's a secure architecture. It's enforcing policies. It's monitoring our systems. And it's lifecycle management, replacing the old equipment and doing hygiene. It's a very complex layered approach to managing the security and trying to get out ahead of that adversary. It will always be a rat race. We'll always be running, trying to keep ahead, if we're funded well enough that we can do that run.