I spotted this meme flying around the Internet this week:
Being a Chief Information Security Officer is easy. It’s like riding a bike — except the bike is on fire — you’re on fire — everything is on fire — because you’re in hell.
Being a CISO, I’d have to agree there are days when it feels like everything’s ready to burst into flame.
Sometimes it’s because of something enormous. You’re suffering a cyberattack. A malware infection is spreading. You discovered a massive security hole.
. . . Or maybe you just work at Equifax. Zing!
But more often it’s 10,000 little things. Everything you have to manage. All the things you have to be concerned about. Everything you have to protect. All the reassurance you have to provide to customers, employees, executives, auditors, regulators. Everything you have to know — and all the things you don’t know.
You could easily have 50,000 networked devices to keep safe — and just as many people doing insanely insecure things with them.
Oh man, you’d love to think that you have deep visibility into what every server, computer, application, and user are doing continually. And that every system has been hardened against attack. And that everything’s being monitored 24/7 by smart people. And that some dumb-dumb hasn’t misconfigured anything. And that evil insiders aren’t secretly hellbent on wreaking havoc.
That’s a lot to keep in view when you’ve also got policies to write, metrics to gather, meetings to attend, candidates to interview, auditors to appease, contracts and laws to absorb, advice to provide, questions to answer, forgotten systems and data to discover, fraud to investigate, trainings to give, applications to test, holes to fix, and culture to improve.
Susan Mauldin, Equifax’s security chief of 4 years, made strategic mistakes that paved the way for the theft of 145,000,000 Americans’ personal data in 2017. My information was stolen — and probably yours too.
Don’t get me wrong: Equifax’s mistakes were catastrophic. But as a CISO, I have to sympathize a little with Mauldin’s challenge of trying to secure networks, devices, and software being pounded on by 10,000 employees across 24 countries. If somebody wants to steal information in a sprawling landscape like that, how many possible points of egress could allow data to escape? A hundred thousand? Millions?
Even if you’re a security genius, that’s a lot of holes to plug — disaster only requires a single leak. You have to be on point 100% of the time.
Mauldin’s gravest sin was failing to patch Equifax’s systems. This should’ve been near the top of her to-do list, given most hacks are the result of unpatched vulnerabilities.
But even though patching seems like it should’ve been obvious, actually doing it isn’t trivial. There’s a lot that can go wrong. After inventorying your 50,000 servers, computers, and other networked devices — and all the software running on them — you’ll need to begin watching their manufacturers’ websites for news of any security patches that need to be installed. With new patches emerging daily, that’s a lot of watching to do — and of course, every new patch must be fully tested before installation to make sure it doesn’t break anything, so you’ll need a test environment that looks identical to Production — and a dedicated team to manage all of this day in, day out — or risk facing your own Equifax horror show.
But even a dedicated team may not catch everything. Can you name every piece of software installed on your computer? I can’t — and most Fortune 500 companies where I’ve worked can’t name everything running on their systems either. Programmers and engineers quietly install software all the time for various tasks, and then forget about it, where it can fly under the radar for years.
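The patching routine sketched above (inventory every host and the software on it, watch for vendor advisories, then work out who still needs what) is the part that can be automated first. The following is an added example, not code from the original post: it reconciles a software inventory against a list of advisories and reports the hosts that still run a version below the fixed one, and it separately flags hosts for which the inventory knows nothing at all, which is the blind spot the paragraph above describes. Every host name, product name, version number and advisory ID here is constructed for illustration and refers to no real system or advisory.

```python
"""Added example (not from the original post): reconcile a software inventory
against vendor advisories to find hosts that still need a patch.

All hosts, products, versions and advisory IDs below are constructed for
illustration and do not refer to real systems or real advisories."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    product: str          # software product the advisory applies to
    fixed_version: str    # first version that contains the fix
    advisory_id: str      # placeholder identifier (constructed, not a real ID)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically.

    Comparing the raw strings would wrongly rank '2.4.9' above '2.4.10'.
    Real vendors use messier schemes (suffixes, epochs); for those use a
    proper comparator such as packaging.version rather than this helper."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed: str, fixed_version: str) -> bool:
    """A host is affected if its installed version predates the fixed one."""
    return parse_version(installed) < parse_version(fixed_version)


def find_unpatched(inventory: Dict[str, Dict[str, str]],
                   advisories: List[Advisory]) -> List[dict]:
    """Cross-reference every host's software list with every advisory."""
    findings = []
    for host, software in sorted(inventory.items()):
        for adv in advisories:
            installed = software.get(adv.product)
            if installed is None:
                continue  # product not recorded on this host
            if is_vulnerable(installed, adv.fixed_version):
                findings.append({
                    "host": host,
                    "product": adv.product,
                    "installed": installed,
                    "fixed_version": adv.fixed_version,
                    "advisory_id": adv.advisory_id,
                })
    return findings


def hosts_without_inventory(inventory: Dict[str, Dict[str, str]]) -> List[str]:
    """Hosts with an empty software list: the tool cannot vouch for them.

    These are the forgotten systems the post talks about; an empty record
    means 'unknown', never 'patched'."""
    return sorted(host for host, software in inventory.items() if not software)


# Constructed sample inventory: host -> {product: installed version}
INVENTORY = {
    "web-01": {"example-webfw": "2.4.9", "example-db-client": "5.7.2"},
    "web-02": {"example-webfw": "2.4.12"},
    "app-03": {"example-webfw": "2.4.10", "example-json-lib": "1.0.3"},
    "legacy-09": {},  # no agent reporting from this box
}

# Constructed sample advisories (IDs are placeholders, not real advisories)
ADVISORIES = [
    Advisory("example-webfw", "2.4.12", "EXAMPLE-ADV-0001"),
    Advisory("example-json-lib", "1.1.0", "EXAMPLE-ADV-0002"),
]


if __name__ == "__main__":
    for f in find_unpatched(INVENTORY, ADVISORIES):
        print(f"{f['host']}: {f['product']} {f['installed']} "
              f"< {f['fixed_version']} ({f['advisory_id']})")
    for host in hosts_without_inventory(INVENTORY):
        print(f"{host}: no inventory data, patch state unknown")
```

On the sample data this reports three findings (two products on app-03 and one on web-01), leaves web-02 alone because it already runs the fixed version, and lists legacy-09 as unknown rather than silently treating it as clean. Feeding it a real inventory export and a real advisory feed is the same loop; the hard part, as the post says, is keeping the inventory complete.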
Make no mistake: even though it’s difficult, patching is a CISO’s responsibility — but so are 100 other things ranked as critical. And this, my friends, is every CISO’s problem: with so many critical problems to solve, which do you focus on first?
The answer is that you have to focus on all of them — even if this means giving each only minutes of attention per day. “Attention deficit” is almost mandatory, if you want to make sure you’re not missing a minute detail that’ll ruin your career later.
To give you an idea of what this controlled chaos is like, I made a list of all the things I did yesterday. This list is pretty typical, and no matter how fast I type during my 9-10 hours at work, I end each day feeling like I barely made a dent. Enjoy.
- Read daily threat intel feed from FBI and other orgs
- Read hacker news websites
- Reviewed data dump sites for signs of data leaks
- Reviewed logs for fraud investigation
- Reviewed logs for signs of data leaks
- Reviewed and updated project list
- Compliance meeting re: European Union data laws
- Continued manual penetration testing of mobile app
- Reviewed results of perimeter security scan
- Finished review of firewall rules
- Compliance meeting re: New York data laws
- Provided direction to security team re: testing encryption tools
- Short meeting re: improving physical security of facilities
- Answered emails re: security policy for India
- Formatted security status report for executives
- Quick meeting with I.T. Operations director
- Investigated possible infection on legacy system (false positive, thankfully)
- Updated risk rankings on security roadmap while eating lunch
- Quick meeting with Chief Information Officer
- Edited awareness/communication calendar for the new year
- Booked meeting with executives
- Took 2 phone calls from vendor sales reps
- Quick meeting with recruiter to discuss staffing for upcoming year
- Updated budget projections for the new year
- Gave direction re: a project to document data handling practices
- Quick meeting with senior project manager
- Wrote official answers to questions from state auditors
- Clarified global policies governing external storage devices
- Wrote security language for a vendor legal contract
- Circulated new security best practices to development teams in U.S. & Latin America
- Wrote test plan requirements for new firewall product under evaluation