No sleep 'till Brooklyn
The pressures of leading a security organization are diverse. From hiring the right staff, to keeping up with technological change while becoming a better business executive, to helping one’s team accurately and reliably fend off cyber threats, security leaders seemingly need to be everywhere, doing everything at once.
The media spotlight on cybersecurity—a relatively new sensation for mainstream news and thus “exciting”—doesn’t help, as it is often sensationalist and leads to more questions than it answers. Therefore, in addition to being a great technologist, communicator, and business person, security leaders must be educators and psychologists, helping fellow executives and boards of directors understand the realities of the organization’s specific threat landscape without turning it into an edition of Fear Factor.
Foot on the pedal
Managing one’s team amidst resource shortages is also a hot topic of conversation among practitioners. It comes up so often that it can overwhelm security conversations, and the team’s focus slips away from doing what’s necessary to secure the organization’s assets to “what would we do if we had more?”
Security leaders Angie Singer Keating, CEO of Reclamere, and Tom Eston, Manager of Penetration Testing at Veracode, are no strangers to the pressures of being a high-visibility security leader. In this Q&A, Eston and Singer Keating offer their thoughts about what it takes to become the best possible leader given today’s security climate.
Never ever false metal
What are some unique pressures of security leaders today?
Angie: Today's security leaders have tremendous pressure from many angles. Finding excellent talent is incredibly difficult. And with the industry growing, it will be many years before this pressure is relieved. Working with higher education, networking within the industry, and even reaching out to high school vocational and technical education programs are some of the ways that we can try to find and/or grow talent.
Board pressure has increased on security leaders. Directors and C-Suite executives are now asking more questions and demanding ever more assurances that security and risk management programs are up to the challenge of today's threats. Recent incidents, such as the British Airways service outage, are especially contributing to this pressure. Shareholders, investors, and regulators are looking specifically to the board of directors for answers about business continuity and disaster recovery planning. These questions obviously trickle down. If it is found that profits were put ahead of customer service, it will be bad news for those responsible for such decisions.
Another pressure that I don't see mentioned is how difficult it can be for security leaders to keep their technical skills sharp. At the executive level, many security leaders aren't in the trenches anymore. With the threats evolving so rapidly and the root causes so complex, it is absolutely crucial that today's security leaders find the time to attend educational events and seek out the technical sessions. Sessions on reverse engineering of malware, the latest best practices in digital forensics, and others like these are so important for security leaders, as they enable them to fully participate with their technical teams when necessary. For a long time, security leaders lacked business acumen. We may soon be in a time when the pendulum has swung and security leaders with business acumen now have to make an effort to stay current in technical matters.
Tom: I think more security leaders are having to deal with the fact that there are unique security issues that need to be addressed more than ever before. As an example, look at all the mobile and IoT devices being developed with no or very little security in mind. It’s our job as security leaders to work with the business and manufacturers to solve these problems. It’s a challenge with our already-heavy workloads and responsibilities, but it’s pivotal if we want to start fixing the supply chain. IoT is never going away—it will help everybody later on if we can implement processes and frameworks now.
In addition, the demand for highly qualified professionals in the security industry is becoming more of an issue. As a hiring manager, I find it becoming more challenging to find qualified security people. This causes additional pressure for security leaders when the work and responsibilities keep increasing.
How does media contribute to the difficulty of leading a security organization? (e.g., when media gets hold of a news story about a breach or ransomware outbreak and creates a frenzy, à la WannaCry.)
Angie: The media seems to either oversimplify attacks, or overhype them. While the awareness that the media has brought to the issue of cybersecurity is welcomed, I worry that it may also be breeding irrational fear. As we learn about publicly disclosed attacks, we find out that the root cause of so many is either unpatched systems or misconfigured systems. Add to that the lack of consistent, relevant security awareness training for end users, and we make the job of the attackers easy. That part doesn't get reported, and if it is mentioned, it's not given the gravity it deserves. None of this, though, should be shrouded in fear—this is basic security operations.
Tom: Some media can blow “breaking” security news out of proportion. Many times news headlines amount to "clickbait," in an effort to entice readers into an emotional, shock-and-awe reaction, when, really, the object of reporting should be to provide facts (and hopefully some actionable advice for businesses).
Unfortunately, many security vendors capitalize on these news stories, using them to sell their own products and services and don't provide the information that a security leader is looking for. Most times, when I am reading one of these articles myself, I have to piece together news from various sources (i.e., Twitter, Facebook, trusted friends in the industry) and come to my own conclusions as to the relevance of whatever the latest "hot" security news story is. Oftentimes if you read too much into media, you’d think that every reported breach is groundbreaking and highly sophisticated. As most security practitioners know, this is rarely the case, but the media isn’t helping when it comes to convincing our business colleagues—CEOs and boards of directors.
What would be your first 2-3 actions when/if you’re notified that an incident has occurred at your organization?
Angie: The first thing I would do is initiate my fully up-to-date, fully tested, incident response plan. Every step after that is dictated by the plan.
Tom: The first thing is to determine what and who is impacted. If it's IT systems, that's one thing, but if it's customers (or has impacted customers) it’s another situation that needs more immediate attention.
Second, find out the facts of the incident.
Third, promptly and swiftly communicate a remediation plan to affected parties—internal and external. The biggest mistake I see with organizations is failure to communicate about a breach or incident to its affected customer base. This communication must be crafted carefully (which is another potential “gotcha”), but it should be one of the first things companies consider after a breach has been declared.
What would be on your “wish list” to improve your security team’s ability to produce an improved outcome for the organization?
Angie: My biggest wish would be that the organization supports the IT security team with excellent and continuous training in incident response. Incident response is not necessarily intuitive, as the organization (thankfully) does not experience incidents frequently. That said, having the ability to act as if it did—through training, outside resources, tabletop exercises, etc.—is crucial to responding quickly and appropriately during and following an incident. Without proper training, one could accidentally stall or lead an investigation off track.
In addition, I would wish that my technical team were fully trained on how the regulations that govern our industry relate to the security controls, response, and analysis.
Tom: The biggest downfall I see in any team is miscommunication. The more that teams can work on communication skills, the better. Improvements to communication shouldn't just start at the security team level; they should be company-wide. From the CEO down, company cultures must evolve and change to implement better communication for everyone.
My other wish would be to not have to rely on email for communication. Seriously. We need to pick up the phone more to sort out issues and problems. Face to face or over the phone. I can't tell you how many times I’ve seen poor email communication cause small issues to be overblown and/or make bad situations worse. If someone would have just made one phone call... issues would have been more easily defused.