What it takes to be a cybersecurity ‘maverick’
It’s easy to ride the rising cybersecurity tide, but some chief information security officers are taking things a step further.
In a new study by the Darwin Deason Institute for Cyber Security, researchers concluded that a broad shift from reactive to proactive strategies is occurring, as Fred Chang, director of the Deason Institute in Southern Methodist University’s Bobby B. Lyle School of Engineering, told FedScoop.
The study involved interviewing 40 executives — mostly CISOs — and allowed Chang’s team to draw a number of conclusions about the cybersecurity climate.
Three CISOs, however, stood out as “exceptional in their approach to cyber risk management,” and provided “great clarity and insight into the practice and possibilities of cybersecurity.” The report deemed these anonymous CISOs “mavericks” and dedicated a separate section to their techniques.
So, what does it take to be a cybersecurity maverick?
One maverick CISO delegates all “risk” elements to a chief information risk officer, who is tasked with quantifying cyber risk as an annual expected loss for the company. This gives the CISO a concrete figure to negotiate with board members and frees his time to directly manage operational security — the “threats.” He limits the risk of introducing new technologies — like firewalls — by phasing them into only one third of the organization at a time. He also uses an “ethical hacking team” to analyze his own systems from both the inside and the outside, attempting to penetrate sensitive networks as a sort of cybersecurity field test.
“If [I] can’t put a purely informational website online which is secure, how could [I] expect a customer to trust [us] in other business contexts?” the report quotes him.
The second maverick developed his own custom cybersecurity framework by hybridizing the National Institute of Standards and Technology, International Organization for Standardization, SANS, and Control Objectives for Information and Related Technology frameworks into something tailored to his organization. As part of this construction, his team mapped out potential threats — hacktivists, organized crime, nation-state actors, insiders — and traced likely “attack vectors” from each one’s point of view. The team evaluated its own vulnerability by attempting to breach systems the same way those attackers likely would, and tooled its defensive software to counter each stage of an attack: “recon, weaponize, deliver, exploit, command and control, and exfiltrate.”
“[It] seems like we’ve all been engaged into a cyber arms race for which we have no option to opt out or seek treaty. There’s no other choice but to respond to that threat,” he told researchers.
The third maverick, a CISO at a security compliance and audit firm, builds his primary tactic on assuming from the beginning that data will be breached, and he attempts to mitigate the consequences by strategically structuring the IT environment.
“I don’t believe that email, the internet, anything is secure, period,” he said in the survey.
To ensure that the policies he implements are always in place, he routinely attempts to hack the firm’s outward-facing applications from an external location. He also keeps a working scenario book of potential zero-day attacks and how his team would act to defend against them. As a former penetration specialist, he believes firewalls and perimeter defenses are easily bypassed, and he doesn’t dedicate much attention to those aspects of his systems.
The mavericks, argues the report, are the vanguard of the cybersecurity world, pressing past compliance standards and into a more thorough realm.
“These are the conversations that are most likely to impact our assumptions and thinking,” the report states.