2015 is nearly three weeks young and I am afraid we are going to see more of the same exposures as we did in 2014. Not much has changed in organisations. They are fundamentally following the same tactics and techniques to 'defend' against adversaries as they have for the past several years.
There are 12 areas that continue to cause problems for the CISO and information security as a whole. Here they are:
1. In most organisations the CISO still reports to the CIO, which says that security is still seen as a technical issue. CISOs quietly battle the CIO to move security to the forefront, only to be pushed to the back of the pack in the name of features and functionality.
2. CISOs continue to beg for financial table scraps, and the scraps they do get are used to double down on existing technology: the same technology that is failing them now, repackaged with a new twist or new buzzwords that describe what it still cannot do. And since organisations still see the issue as a technology problem, the CISO gets a budget that is a single-digit percentage of the overall IT budget.
3. There are also CISOs in positions at major firms who do not have the credentials necessary to be in those positions. Whether through outright lying, gift of the gab, opportunistic timing, cronyism, nepotism, verbal berating techniques, companies who have dumped them quietly or just plain foolishness, these CISOs are false prophets leading their organisations down the path of data loss doom. Their resumes are rife with false statements, their LinkedIn profiles full of revisions, and the most minor accomplishment is embellished.
4. Many organisations continue to give information security lip service but avoid embedding it at the beginning of, and throughout, each and every corporate project. Not just IT projects; every project. Information security vulnerabilities discovered during a project's SDLC are not treated as defects but are tracked separately as vulnerabilities that require a waiver before anyone will remediate them (this while ordinary code defects slide through the fix process without issue). In fact, most vulnerabilities identified during the SDLC, and even thereafter by vulnerability scanners, are configuration errors made by IT staff, who follow no build guide or configuration standard and who have root access to change configurations (and do so) outside the change and release cycle.
5. What still amazes me is how limited CISOs' access to corporate leadership and boards is. Treated as the corporate scapegoat, CISOs in most organisations are not included in the corporate brain trust. They are still seen as the messenger deserving of disdain and bullet wounds for issues 'packaged' as security problems.
6. This leads us to the age-old problem of IT administrators of any platform, infrastructure or software not securing what they own. They do not believe security is their responsibility, yet at the same time they will not let information security into the process to examine it. CISOs are still the red-headed stepchild of the organisation.
7. Law enforcement staff have their place, but the continued see-detect-arrest paradigm is an auto-fail. Anyone who argues otherwise need only look at the last 15 years of information security, built entirely on that foundation: a foundation of after-the-fact security with huge investments in process, procedure and technology that support the failed paradigm.
8. We need defensive technologies and we need incident response, but doubling down financially and organisationally on failed structures, structures supported by the majority of the IT and information security vendors in the industry, just does not make sense. If you have law enforcement as your leadership, be prepared for tactical programs focused on immediate short-term gains. Liken it to entering a room with the goal of reaching the far wall: go halfway, then halfway again, and again. You will never reach your goal.
The theme of advanced persistent threats, kill chains and incident response as the main focus of the organisation is another auto-fail. There is no such thing as an APT. The term was made up to sell product. Even though the USAF coined it, it is a falsity. If you can't define it, you certainly don't know how to deal with it.
The kill chain that so many vendors and organisations tout is, in practice, a method to detect and stop activity after it has already penetrated your perimeter, meaning you have already given up and it is too late. It may prevent the ship from sinking, but not before massive data leakage has occurred. Oh, and my favourite, which still amazes me, is the mentality of the cyber janitor. Backed by the APT myth and the kill chain model, today's incident response groups are the cyber janitors of the industry, with a whole supporting industry built to backfill the janitors, who by day are IT admins.
9. When you hire military intelligence analysts, be sure they know how to spell cyber. Just because they are analyst-trained does not mean they have a clue in the information security arena. They need a solid grounding in industry and in the information security space; establish programs to get them there. Properly trained, they will get the job done for you.
10. Why is it that CISOs need a multitude of certifications and CIOs don't need squat? There are complete programs at colleges and universities around the globe built for training information security staff, yet nary a one that I can find is dedicated to creating CIOs (CIOs with information security as a standard, required pedigree). Each CIO needs three to five years of time in grade and time in service in security before being considered for the role. They cannot be the CEO's buddy, the CFO's junior staffer, or a hire from the outside auditing firm that audits your books while another arm of the same firm performs your IT audits.
11. We still see an extreme lack of maturity in the IT space for foundational elements. IT shops don't know what assets they have, how they are configured, who has access to them, or how and when they were last changed and by whom. Software is not written with closing holes in mind, nor written (and I really hate this misnomer, but have to use it for understanding's sake) 'securely'. There is no such thing as secure code, only code that has been properly written, tested and validated to do what it says it will do, and only that, no matter the input. Monitoring is incident-driven, and projects are not run with full-fledged project schedules including dependencies, slack and costing (let alone a mention of earned value management).
12. And then there is #12: the reader who, by the time they have read this far, is completely incensed at the above words, largely because they are part of the problem.
To cover the 12 areas without the narrative:
I have been in this game for nearly three decades. In almost every IT program I have encountered and every information security organisation I have engaged with, the problems remain the same. You can close your eyes and hear the same people making the same excuses and deflecting the same issues today as they did, and have, for 30 years. The CISO is held up as the scapegoat. The CISO is shot for communicating the message. The process of communicating the message becomes the target for remediation. True causal analysis is not performed, only analysis that keeps the finger pointed at the wrong individual or group. All while IT and the CIO skate away on the thin ice of the new day (thank you, Jethro Tull).
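Items 4 and 11 above share one concrete, fixable symptom: nobody can say what a box is supposed to look like, so out-of-cycle root edits are never caught until a scanner files them as "vulnerabilities". The following is an added example, not code from the original post or from any product it mentions. It assumes (hypothetically) that the build guide has been captured as a manifest of SHA-256 hashes of the configuration files it controls; any live file that no longer matches that manifest is a change made outside the release cycle and should be treated as a defect to investigate, not a finding to waive. The sample host, its two config files and the "admin fix" are all constructed for the demonstration.

```python
"""Config-baseline drift check (added example; hypothetical manifest layout).

A build guide is only useful if the released state is recorded somewhere
that a machine can compare against. Here that record is a manifest of
SHA-256 hashes keyed by relative path; anything that differs at check time
was changed outside the change/release cycle.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large configs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, rel_paths) -> dict:
    """Record the 'as released' hash of every controlled file under root."""
    return {rel: sha256_of_file(os.path.join(root, rel)) for rel in rel_paths}


def check_drift(manifest: dict, root: str) -> dict:
    """Compare the live files under root against the released manifest.

    Returns {'modified': [...], 'missing': [...], 'unchanged': [...]} with
    relative paths in sorted order, so output is stable across runs.
    """
    result = {"modified": [], "missing": [], "unchanged": []}
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            result["missing"].append(rel)      # hardening file removed
        elif sha256_of_file(path) != expected:
            result["modified"].append(rel)     # edited outside the cycle
        else:
            result["unchanged"].append(rel)
    return result


# Constructed sample host: two files the build guide is assumed to control.
RELEASED = {
    "etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/sysctl.conf": "net.ipv4.ip_forward = 0\n",
}


def demo() -> dict:
    """Release the baseline, then simulate two out-of-cycle root changes."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in RELEASED.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(body)
        manifest = build_manifest(root, RELEASED)

        # An admin with root "fixes" a login complaint directly on the host.
        with open(os.path.join(root, "etc/ssh/sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\nPasswordAuthentication yes\n")
        # A hardening file quietly disappears during a manual rebuild.
        os.remove(os.path.join(root, "etc/sysctl.conf"))

        return check_drift(manifest, root)


if __name__ == "__main__":
    for status, files in demo().items():
        for rel in files:
            print(f"{status:>9}: {rel}")
```

Run on its own, the script reports `modified: etc/ssh/sshd_config` and `missing: etc/sysctl.conf`. The point of the design is that the manifest is produced by the release, not by the administrator: a drift hit is then a change-control defect with an owner, and the scanner finding that follows weeks later is merely the symptom.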