There are two kinds of CISOs: pre-breach and post-breach. Pre-breach CISOs are overly focused on tools and thinking about investing in prevention technologies. They do this almost to the exclusion of thinking about recovery and timely restoration of services once something bad actually occurs. And something bad will happen; it’s not a matter of if, but when (and how often, I might add, so “breach cadence” seems a more suitable KPI than breach likelihood).
How a Security Breach Strengthens CISOs
That mantra of “not if, but when” needs to be ingrained in our thinking about risk management now more than ever. Post-breach CISOs, on the other hand, understand (with what is fairly deemed to be “hard-won experience”) that people and processes are far more important. “All hands on deck” is more of a liability in an incident response situation rather than a benefit. Someone might be trying to help eject an intruder but is actually destroying forensic evidence or breaking the chain of custody should there be the possibility of criminal prosecution in the case further down the line.
This simple dichotomy of pre-breach and post-breach CISOs reveals an important difference in perspective, priority and preparations for security programs in every industry and companies of every shape and size. A breach makes you stronger.
I was fortunate to present a talk at Black Hat and the corresponding Black Hat CISO Summit in Las Vegas in 2021. My session was titled “Executive (dis)Orders: Cognitive and Systemic Risk in the Boardroom” and was well-attended and well-received, given the number of attendees who requested a copy of the deck afterward.
Although that session recording is not available, a reprise was delivered for ActualTech Media in December, for which the recording is available. That presentation contains the seeds of thought for this piece as it centers around identifying cognitive risks affecting the governance of security programs. It also includes a section on the nature of systemic risk as an emergent property of complex systems.
Systemic risk warrants much further attention (and another blog post on the subject in the near future, I suspect), especially as we are beginning to see more “security chaos engineering” find its way into the CISO community discourse on risk management.
Black Hat was one of my first “away missions” since the COVID lockdown. It was there that I heard a fellow presenter and CISO named Bob Lord deliver a talk entitled “How to Put Breaches on Your Resume and Live to Tell the Tale”, which was extremely insightful and has contributed greatly to my own thinking about the nature of resilience and how we should embrace failure rather than fear it.
Why CISOs should embrace a cyber breach
Bob Lord knows a thing or two about breaches as he was not only the DNC’s first security officer but also became the CISO for Yahoo! in November 2015. His job at Yahoo! involved disclosing some of the largest breaches in history that took place there in 2013 and 2014.
What I loved most about his presentation was the incident response timeline that he created, which included an “attack” not normally documented or formally acknowledged as part of the incident response lifecycle: the moment when the regulators, cyber insurance firms, board of directors and pretty much every armchair critic under the sun second-guesses the CISO and the work that they did leading up to the incident or breach event.
There is the first “attack”, which is when the bad actors breach or compromise your infrastructure in some manner. But there is also a second “attack” from which the CISO, more often than not, does not survive. It’s more than disheartening to work in a profession excluded from most D&O (Director & Officers) liability insurance coverage and where the predominant mode of operation is to introduce the CISO to the underside of the oncoming bus, regardless of the strength of their security program. It’s dangerous to allow this pattern to continue.
That breach event is an extremely valuable experience. A “battle-tested” CISO should be even more prized and valued. But instead, one finds ample evidence that the successor of the breach CISO is the one who gets the pay increase (whether deserved or not).
I recall being at an NYC infosec meetup a few years ago where a CISO was telling a story about someone (not them) who was paid $800k a year at a major corporation that was actually spending precious few dollars on the security program itself and then along came a ransomware incident.
“Boom!” as they say in the military. “Left of boom” is events leading up to the incident or breach, and “right of boom” is that part of the timeline of events and milestones which occurs afterward.
The CISO was sent packing, and the new CISO was paid $1.2MM. The security program budget was “harmonized” with industry benchmarks for that sector of around 5% of the total IT spend. It would have been cheaper to protect the organization with a reasonable security program budget than to pay the ransom, increase the security budget and raise the compensation for the CISO to the market rate for such an organization.
Taking the “Antifragile” approach to cybersecurity
One of my friends who studies martial arts mentioned a book called Antifragile by Nassim Nicholas Taleb. One of the themes of this book is that fragile systems and fragile things will break easily when subjected to stress and pressure. Bones, for example, can be improved and hardened by being subjected to pressure and external forces. They are literally built to be stressed and shocked.
So antifragility is perhaps a property that we want to better understand to build trustworthy and robust systems. Systems that can actually benefit from volatility and random attacks. Antifragile systems are built with antifragile components, of course. Robust and antifragile systems are those which demonstrate resilience in the educational and psychological sense of the word rather than the mechanical engineering sense of the word related to ductile strength and tensile properties.
When a cloud infrastructure is attacked, we don’t just want to put it back into its former shape and merely restore the pre-existing capabilities and features. We instead want to see that infrastructure improved and transformed by the event and made better. Cyber resilience, in this sense, means adaptation. It speaks to the modular properties of the system that allow us to combine its elements in new ways without much additional effort and expense. A well-designed cloud infrastructure should demonstrate design principles that succeed in helping it to fail gracefully rather than just “wink out of existence” when something breaks. That’s just one aspect of what is meant by the adage, “that which does not kill you only makes you stronger.”
Here are some design principles which feel like they should be found in a modern information security program:
- Fault-tolerant, robust, adaptable
- Scalable, resilient, self-healing
- Segmented/isolated environments
- Evolving and reducing complexity
- Degrades gracefully instead of failing entirely
- Atomic, simple, modular components
- Tightly integrated and loosely coupled
- Delivers security in depth
- Maintains the principle of least privilege
- Trustworthy by design, not just certification or attestation
How CISOs can move forward from a cyber breach
So in conclusion, allow me to encourage you and your peers to find strength in failure. Your mettle has been tested when you’ve weathered a security incident or a breach. Don’t shy away from telling the tale and using it to bring the respect and gravitas you have rightfully earned. Others will not bestow this upon you; you have to bestow it upon yourself. With that breach, you’ve actually elevated your profile by crossing over to the “post-breach” CISOs community.
Just take the example of John Scimone. He is currently the Chief Security Officer for Dell Technologies. He has 60 CISOs that report to him. I met him at the CISO Bootcamp at RSA in San Francisco in 2019. There, he spoke about the challenges of sourcing talent in infosec roles across the myriad organizations that Dell owns and operates (including RSA). He also mentioned that he was the global CISO (for only two months, it should be noted) at Sony when it was hacked in November 2014 by the North Koreans. So there is life after breaches and you should figure out how best to put it on your resume and craft a solid (and truthful) narrative around why the event made you stronger.
SecurityScorecard can help you move forward from cyber incidents
If you’re interested in learning how you and your business can better prepare and respond to a cyber breach, SecurityScorecard’s Incident Response solution gives CISOs the ability to take immediate action toward remediating incidents and mitigating risk in the event of an attack.
Contact SecurityScorecard today to learn more about our incident response solutions, or sign-up for a free account to start assessing the cyber posture of your business.