<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Uncategorized &#8211; CISO Forum</title>
	<atom:link href="https://www.cisoforum.com/category/uncategorized/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.cisoforum.com</link>
	<description>An Exclusive Forum For Information Security Leaders</description>
	<lastBuildDate>Mon, 03 Feb 2020 15:28:53 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://www.cisoforum.com/wp-content/uploads/2025/04/cropped-apple-icon-152x152-1-32x32.png</url>
	<title>Uncategorized &#8211; CISO Forum</title>
	<link>https://www.cisoforum.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>There Is Life for the CISO After a Breach</title>
		<link>https://www.cisoforum.com/there-is-life-for-the-ciso-after-a-breach/</link>
					<comments>https://www.cisoforum.com/there-is-life-for-the-ciso-after-a-breach/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Mon, 03 Feb 2020 15:28:53 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">http://www.cisoforum.com/?p=466</guid>

					<description><![CDATA[A survey of CISO attitudes conducted by Symantec and Dr Chris Brauer of Goldsmiths, University of London will surprise few CISOs, but should be required reading for other business leaders. It describes adrenaline junkies that fear burnout and worry about being scapegoats in an impossible position, but remain dedicated to their job. Symantec questioned 3,000 [&#8230;]]]></description>
										<content:encoded><![CDATA[
<p><strong>A survey of CISO attitudes conducted by Symantec and Dr Chris Brauer of Goldsmiths, University of London will surprise few CISOs, but should be required reading for other business leaders. It describes adrenaline junkies that fear burnout and worry about being scapegoats in an impossible position, but remain dedicated to their job.</strong></p>



<p>Symantec questioned 3,000 European CISOs from the UK, France and Germany. The results (<a href="http://images.mktgassets.symantec.com/Web/Symantec/%7Bfbd20327-890b-4cdf-ae33-cfc2b432263f%7D_200768_v2_SYM_High_Alert_eBook_Final.pdf" target="_blank" rel="noreferrer noopener">PDF</a>) highlight what many in the security industry will immediately recognize: 82% of CISOs already feel &#8216;burnt out&#8217;; 65% feel that their work and position are set up for failure; 64% consider quitting their job; and 63% have considered leaving the cybersecurity industry altogether.</p>



<p>It is, in short, a highly stressful position. But despite this, 92% are &#8216;thrilled&#8217; by their work; 92% are fully immersed despite the stress; and 90% are motivated by high pressure situations.</p>



<p>But despite the adrenaline junkie thrill of the job, CISOs remain pragmatic about the effect they can have. They are short-staffed, overwhelmed by the volume of security alerts received, and generally believe that the attackers have a higher skill set than the defenders. This leads to the common belief that it is not if, but when, there will be a breach.</p>



<p>The most interesting part of this report analyzes the &#8216;after the breach&#8217; change in CISOs&#8217; attitudes. Although 55% of CISOs fear they will be fired if a breach occurs on their watch, and 40% are afraid they will be held personally liable for that breach, nevertheless the experience of navigating an avoidable breach seems to favorably affect the CISO&#8217;s outlook.</p>



<p>The survey looked at the impact of known stress factors and compared responses between those (26% of the respondents) who had been through a breach with those that had not. The stress factors included increasing regulation, the alert workload, too much data with too many access points, infrastructure complexity, and the skills gap. On average, only 23% of the experienced CISOs felt that these factors increased their stress levels, while 47% of those that hadn&#8217;t experienced a breach felt associated increased stress.</p>



<p>This reduced stress appears elsewhere. &#8220;Only 19% of the &#8216;experienced&#8217; group say they are concerned about [dismissal resulting from a breach] compared to 28% of those who had not been through a breach,&#8221; says the report. &#8220;They also cite less feelings of personal responsibility for incidents that could have been avoided (22% versus 37%) and are less likely to feel like they&#8217;re in a position where they were set up for failure (21% versus 35%).&#8221;</p>



<p>The beneficial psychological effect of experiencing a breach continues into job satisfaction. Twenty-three percent versus 47% feel burnt out; 22% versus 42% feel apathy or indifference toward their work; 20% versus 34% consider quitting; and 20% versus 34% consider leaving the industry.</p>



<p>At the same time, however, some of the adrenaline-based excitement of the work seems to dissipate. Far fewer breach-experienced CISOs remain thrilled in their work, fewer feel fully supported by the business, fewer believe they have the opportunity for creative problem-solving, and fewer believe the work provides an opportunity to make an impact/difference on the world.</p>



<p>&#8220;This data is fascinating,&#8221; comments Darren Thomson, Symantec CTO EMEA, &#8220;but it&#8217;s important to understand the context &#8212; in my experience, those people who have experienced a cyber security breach and come out the other side, become much more sanguine and less emotionally charged in their approach. It doesn&#8217;t mean security leaders become less committed to their responsibilities after a major incident. If anything, more of a &#8216;I&#8217;ve seen it all before&#8217; mindset enables them to think more clearly, with a greater focus on longer-term, strategic priorities.&#8221;</p>



<p>One of the changes between breach-experienced and unexperienced CISOs noted by the survey is an increased willingness to discuss breach/attack experiences with others. Seventeen percent of experienced CISOs don&#8217;t talk to professionals outside of their business, compared to 32% of those who haven&#8217;t experienced a breach. Similarly, 14% versus 18% worry that sharing such information might adversely affect their career.</p>



<p>There is no direct data from the survey to suggest that cross-industry information sharing benefits cyber security, but it is a widely held belief supported by the authors. The report notes, &#8220;The problem is that there isn&#8217;t a substantive culture of sharing insights in the cyber security sector: 54% of respondents don&#8217;t discuss breaches or attacks with peers in the industry. Over a third (36%) of security professionals are also worried that sharing information about a breach during their watch &#8212; with peers, colleagues or prospective employers &#8212; would adversely impact their career.&#8221;</p>



<p>It then quotes Dr Steve Purser, Head of Core Operations at ENISA: &#8220;Security leaders, and the industry more broadly, need a framework for structured information sharing &#8212; whether for ongoing best practice, or as a process for learning from a breach. Enterprises or governments should be set up to handle at least three types of information. The first is strategic information for high level decision making. The second is operational information, used for improving best practices over the longer term. And the third is tactical information, such as indicators of security compromise, used for day to day responses. In each case this information should be shared with the context of a specific goal that&#8217;s being addressed.&#8221;</p>



<p>The implication is that CISOs do not share information, and that they should do so within a formal structure &#8212; that is, despite all other pressures and workloads, they should do something extra. It is possibly the formality of this type of information sharing that is the problem. In practice, CISOs actively seek their peers at conferences and forums, and do talk to each other about problems and solutions &#8212; but informally.</p>



<p>Overall, this survey provides an excellent overview of the pressures and difficulties faced by CISOs on a day to day basis. They don&#8217;t need to be told this, because they live it daily. The big takeaway for the CISO, however, is the less obvious discovery that not only is there life after a breach, it may well be a more contented life.</p>



<p><strong>Related:&nbsp;<a href="https://www.securityweek.com/being-ciso-no-longer-dead-end-job" target="_blank" rel="noreferrer noopener">Being CISO Is No Longer a Dead-End Job&nbsp;</a></strong></p>



<p><strong>Related:&nbsp;<a href="https://www.securityweek.com/how-cisos-can-demonstrate-business-value" target="_blank" rel="noreferrer noopener">How CISOs Can Demonstrate Business Value&nbsp;</a></strong></p>



<p><strong>Related:&nbsp;<a href="https://www.securityweek.com/cisco-publishes-annual-ciso-benchmark-study" target="_blank" rel="noreferrer noopener">Cisco Publishes Annual CISO Benchmark Study&nbsp;</a></strong></p>



<p><strong>Related:&nbsp;<a href="https://www.securityweek.com/ode-cisos-how-real-world-risks-became-cyber-threats" target="_blank" rel="noreferrer noopener">An Ode to CISOs: How Real-World Risks Became Cyber Threats&nbsp;</a></strong></p>

]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/there-is-life-for-the-ciso-after-a-breach/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Industry is Not Ready for IIoT Attacks That Have Already Begun</title>
		<link>https://www.cisoforum.com/industry-is-not-ready-iiot-attacks-that-have-already-begun/</link>
					<comments>https://www.cisoforum.com/industry-is-not-ready-iiot-attacks-that-have-already-begun/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Thu, 30 May 2019 16:04:49 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[IIoT]]></category>
		<category><![CDATA[industrial]]></category>
		<category><![CDATA[IoT]]></category>
		<category><![CDATA[Irdeto]]></category>
		<category><![CDATA[security]]></category>
		<guid isPermaLink="false">http://www.cisoforum.com/?p=432</guid>

					<description><![CDATA[(Kevin Townsend &#8211; SecurityWeek) &#8211; Industrial Internet of Things (IIoT) is an essential part of business transformation and the Industry 4.0 revolution. Its use is burgeoning, with more than 7 billion devices in use worldwide. This is expected to grow to more than 20 billion by 2025 &#8212; and does not include phones, tablets or laptops. [&#8230;]]]></description>
										<content:encoded><![CDATA[
<p>(<strong>Kevin Townsend &#8211; </strong><a href="https://www.securityweek.com/industry-not-prepared-iiot-attacks-have-already-begun" target="_blank" rel="noopener"><strong>SecurityWeek</strong></a>) &#8211; Industrial Internet of Things (IIoT) is an essential part of business transformation and the Industry 4.0 revolution. Its use is burgeoning, with more than 7 billion devices in use worldwide. This is expected to grow to more than 20 billion by 2025 &#8212; and does not include phones, tablets or laptops. It is a journey just beginning, and nobody yet knows the destination or route.</p>



<p>Cybersecurity complications are expected, but the most common perception is that so far this has been limited to the rise of massive DDoS botnets able to deliver huge attacks &#8212; like&nbsp;<a href="https://www.securityweek.com/mirai-botnet-infects-devices-164-countries" target="_blank" rel="noopener">Mirai</a>&nbsp;&#8212; from thousands of compromised IoT devices. A new survey now shows that direct cyber-attacks against IIoT have already started, and that DDoS is not a primary concern to security teams.</p>



<p>The&nbsp;<a href="https://resources.irdeto.com/irdeto-global-connected-industries-cybersecurity-survey/irdeto-global-connected-industries-cybersecurity-survey-full-report" target="_blank" rel="noreferrer noopener">survey</a>, conducted by Vanson Bourne for Irdeto, questioned 700 security decision makers across Connected Health, Connected Transport and Connected Manufacturing, and the IT and technology firms that manufacture devices. Data was gathered in March and April 2019 from China, Germany, Japan, the UK and the U.S.</p>



<p>Eighty percent of these organizations experienced a cyber-attack against their IoT over the last 12 months. The highest rate was in the UK at 86% (three other regions had attacks against more than 80% of respondents), with Japan at the relatively low 60%. Within the industry verticals examined, 82% of healthcare organizations, 79% of manufacturing and production organizations, and 77% of connected transport organizations have experienced an attack.</p>



<p>While attacks against IIoT have already started, organizations have little confidence in the immediate future. Globally, 83% of organizations are concerned about their IoT systems suffering a future cyber-attack (with 32% being &#8216;very&#8217; concerned). Concern is highest in the UK (91%), with the U.S. at 87%. Japan and China show the least concern at 76% and 77% respectively.</p>



<p>Coupled with these concerns, there is little confidence in the existing device security. Globally, 33% of user organizations believe that device security could be improved to a great extent. Only 2% felt that security could not be improved. Even among the IoT manufacturers, there is little confidence. Forty-one percent of the IoT device manufacturers feel their own device security could be improved to a great extent. This was highest in Germany (49%) and lowest in Japan (32%).</p>



<p>The degree of concern differs between the verticals. Connected transport is most concerned about compromised customer data (35%) followed by loss of customers and operational downtime (both at 15%). Healthcare is most concerned about compromised customer data (39%) followed by compromised end-user safety (20%). Manufacturing and production is primarily concerned with compromised end-user safety (21%) followed by operational downtime (19%).</p>



<p>None of these figures are surprising given the nature of the verticals &#8212; except, perhaps, that healthcare is more worried about loss of data than end-user safety (presumably patients). This may reflect the success and effect of&nbsp;<a href="https://www.securityweek.com/healthcare-security-wheres-hype-hipaa" target="_blank" rel="noopener">HIPAA</a>.</p>



<p>The average cost of an IoT security incident has been relatively low in cyber breach terms &#8212; just $330,602. It is highest in connected transport, and lowest in manufacturing and production. This surprises Irdeto. &#8220;It&#8217;s possible that these organizations may not be taking into account all of the costs associated with a cyberattack, including lost business, costs to correct any vulnerabilities that led to the attack, etc,&#8221; it writes. &#8220;It is also possible that with IoT proliferation in these industries being in its relative infancy, the current cost of cyberattacks on these devices is not as catastrophic as in other parts of the business. However, if this is the case, the costs will surely skyrocket as IoT devices become more abundant and connectivity continues to increase throughout the business.&#8221;</p>



<p>It is fair to say that as IoT becomes more deeply embedded in manufacturing &#8212; especially in the operational side &#8212; the cost of a serious attack could increase dramatically. When a variant of WannaCry&nbsp;<a href="https://www.securityweek.com/chip-giant-tsmc-says-wannacry-behind-production-halt" target="_blank" rel="noopener">got into the OT network</a>&nbsp;of the Taiwanese TSMC chip fabricator in 2018, it resulted in costs of around $170 million.</p>



<p>The Irdeto survey demonstrates that direct cyber-attacks against IIoT have already started, and that industry is not yet well prepared. In fact, Irdeto found only one promising response: 99% of the respondents agree that a security solution should be an enabler of new business models, and not just a cost. It took IT security many years to come to the same position. It demonstrates, says Irdeto, that &#8220;The previous mindset of security as an afterthought is changing, and one of the most promising results of the study found that today&#8217;s organizations are thinking even more strategically about security.&#8221;</p>

]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/industry-is-not-ready-iiot-attacks-that-have-already-begun/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>U.S. Federal Agencies Slow in Implementing New Information Technology</title>
		<link>https://www.cisoforum.com/u-s-federal-agencies-slow-in-implementing-new-information-technology/</link>
					<comments>https://www.cisoforum.com/u-s-federal-agencies-slow-in-implementing-new-information-technology/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Mon, 07 Jan 2019 15:20:49 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Accenture]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[IT]]></category>
		<guid isPermaLink="false">http://www.cisoforum.com/?p=416</guid>

					<description><![CDATA[(Ionut Arghire &#8211; SecurityWeek) &#8211; U.S. federal agencies are accelerating the modernization of their information technology (IT) systems and infrastructures, but they still have to align their technology priorities with mission objectives, new research from Accenture discovered. In their newly published State of Federal IT 2018 report (PDF), Accenture reveals that only a few agencies [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><strong>(Ionut Arghire &#8211; SecurityWeek) &#8211; U.S. federal agencies are accelerating the modernization of their information technology (IT) systems and infrastructures, but they still have to align their technology priorities with mission objectives, new research from Accenture discovered.</strong></p>
<p>In their newly published <em>State of Federal IT 2018</em> report (<a href="https://www.accenture.com/t20181210T024327Z__w__/us-en/_acnmedia/PDF-90/Accenture-810090-the-state-of-federal-IT-POV-final.pdf" target="_blank" rel="noopener">PDF</a>), Accenture reveals that only a few agencies have fully adopted new approaches like cloud computing, digital platforms and agile software development. This reveals gaps that many agencies are facing in supporting more-agile operations.</p>
<p>According to the survey, IT organizations are making progress in modernizing technology systems and infrastructures, yet 70% of the responding IT decision makers say they’re still playing an enabling role within their agency.</p>
<p>Only 47% of them believe they’re effectively contributing to mission agility (integrating, automating, and digitizing key processes and services), but 67% believe they can protect the agency from insider threats/security breaches. 66% say they can protect it from outsider threats/cyberattacks.</p>
<p>The report, which received responses from 200 federal IT executives, reveals that only 39% of the respondents believe they’re able to transform mission and business requirements into compelling business cases for new IT investment.</p>
<p>The research unveiled a focus on modernizing IT operations rather than on deploying capabilities to directly empower mission and business stakeholders. 54% of respondents consider commercial cloud infrastructure as either very important or essential to accelerating IT impact, and 40% say the same about software-as-a-service applications.</p>
<p>Regardless, commercial cloud adoption among federal agencies remains low. More than half (54%) of the survey respondents admitted to running only 25% or less of their infrastructure in the cloud.</p>
<p>Although federal agencies tend to focus on IT investments, the respondents cited lack of funding (48%), cybersecurity concerns (44%) and a reliance on legacy IT (40%) as challenges to technology adoption. 28% of government executives said digital skills shortage was a barrier.</p>
<p>The report also outlines three key principles that are critical to IT modernization, which should help federal agencies in their journey to implementing new technologies.</p>
<p>These include the fact that IT leaders must use their understanding of technology’s potential to help their agencies improve their capabilities. New partnerships and collaborations are needed, as well as readiness for constant change, given the pace at which technology advances.</p>
<p>“Enterprises recognize as fundamental the need to digitize their operations to become more scalable, efficient, adaptive, innovative, and precise. This is equally true for federal agencies. To thrive in this new era, federal IT leaders must prepare for dramatic changes in how they operate and deliver value,” the report reads.</p>
<p><strong>Related</strong>: <a href="https://www.securityweek.com/many-federal-agencies-fail-meet-dmarc-implementation-deadline" target="_blank" rel="noopener">Many Federal Agencies Fail to Meet DMARC Implementation Deadline</a></p>
<p><strong>Related</strong>: <a href="https://www.securityweek.com/senator-urges-federal-agencies-ditch-adobe-flash" target="_blank" rel="noopener">Senator Urges Federal Agencies to Ditch Adobe Flash</a></p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/u-s-federal-agencies-slow-in-implementing-new-information-technology/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Why AI Raises Your Risk of Cybercrime &#8211; And What to do About It</title>
		<link>https://www.cisoforum.com/why-ai-raises-your-risk-of-cybercrime-and-what-to-do-about-it/</link>
					<comments>https://www.cisoforum.com/why-ai-raises-your-risk-of-cybercrime-and-what-to-do-about-it/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Thu, 08 Nov 2018 20:51:31 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Data breach]]></category>
		<category><![CDATA[incident]]></category>
		<category><![CDATA[response]]></category>
		<guid isPermaLink="false">http://www.cisoforum.com/?p=413</guid>

					<description><![CDATA[The robots are coming. It has become conventional wisdom that artificial intelligence (AI) and machine learning (ML) will increasingly determine our lives going into the future. By 2020, according to an estimate from Capterra, about 85% of customer-business interactions will take place with AI, without a human involved. 47% of organizations with advanced digital practices [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>The robots are coming. It has become conventional wisdom that artificial intelligence (AI) and machine learning (ML) will increasingly determine our lives going into the future. By 2020, according to an estimate from Capterra, about 85% of customer-business interactions will take place with AI, without a human involved. 47% of organizations with advanced digital practices have a defined AI strategy, based on data from Adobe. But for IT and security executives and professionals who must protect against cybercrime, AI poses both a promise and threat.</p>
<p>The industry is looking toward the promise of AI tools to stay a step ahead of the cybercriminals. Experian’s 2018 annual Data Breach Preparedness Study found just 31% of respondents were confident in their organization’s ability to recognize and minimize spear phishing incidents, and just 21% were confident in their organization’s ability to deal with ransomware. Malware and cyberattacks evolve over time. ML uses data from previous cyberattacks, leveraging what it knows and understands about past attacks and menaces to identify and respond to newer, similar risks. The thinking also goes that AI and ML will help save time for overburdened IT departments.</p>
<p>The threat comes from the bad guys also employing AI to create more sophisticated attacks, enhancing traditional hacking techniques like phishing scams or malware attacks. For example, cybercriminals could use AI and ML to make fake e-mails look authentic and deploy them faster than ever before. Criminals could apply AI to develop mutating malware that changes its structure to avoid detection. AI could scrub social media for personal data to use in phishing cons. Data poisoning is another danger, in which attackers find out how an algorithm is set up, then introduce false data that misleads on which content or traffic is legitimate and which is not.</p>
<p>A lesser threat comes from within the industry, as companies rush to market with so-called AI cyber security tools. There is a difference between AI and machine learning. ML algorithms train on large data sets to “learn” what to look for on networks and how to respond to various scenarios. Generally, ML needs new training data to calculate and reach new conclusions, while a true AI system does not.<br />
Some products are based on “supervised learning,” requiring the data sets that algorithms are trained on to be chosen and labeled, by tagging malware code and clean code, for example. Some vendors are using training information that hasn’t been thoroughly scrubbed of erroneous data points, which means the algorithm won’t catch all attacks. Hackers could switch tags so that some malware is designated as clean code, or simply figure out the code the ML is using to flag malware and delete it from their own, so the algorithm doesn’t detect it.</p>
<p>Given the fast-changing landscape, here are some tips to realize the enormous potential of AI and ML and still protect your organization.</p>
<p>Resist the hype. AI and ML are the hot buzzwords and technologies of the moment. But there’s also a great deal of confusion. According to ESG Research, just 30% of cybersecurity professionals feel they are very knowledgeable about AI and ML and their application to cybersecurity analytics. When purchasing an AI or ML tool, try to do your research and understand what you’re buying so that it’s an effective and appropriate solution for your organization.</p>
<p>Keep a human involved in the process. There used to be an old IT truism of bad data in, bad data out. The “intelligence” in AI is based on data inferences and correlations, which need to be checked and monitored so the model is addressing risks appropriately and evolving as you need. ML systems shouldn’t be totally autonomous. They should be set up with a human in the loop, and the ML should know to ask for help when presented with an unfamiliar situation.</p>
<p>Have a strong data breach plan. According to Experian’s Data Breach Preparedness Study, 88% of organizations have a data breach response plan in place, but less than half (49%) think it is effective or highly effective. If you have a plan, it shouldn’t just sit on a shelf. Make sure that it is robust, with buy-in from all the key departments of your company, and drill on it early and often. If you need to get started on a plan or refine it, Experian’s updated <a href="https://www.experian.com/assets/data-breach/white-papers/experian-2018-2019-data-breach-response-guide.pdf" target="_blank" rel="noopener">Data Breach Response Guide</a> can serve as a resource.</p>
<p>AI and ML are the wave of the future. But the cyber threats are real now, and so are the limitations of the technology as a foolproof protection tool. Be aware, both of what’s ahead from the cybercriminals and how you’re applying AI solutions, so you’re not lulled into a false sense of security.</p>
<p><strong>About the Author</strong>: <img decoding="async" class="alignleft wp-image-414 size-full" src="https://www.cisoforum.com/wp-content/uploads/2018/11/Michael-Bruemmer-2016.jpg" alt="Michael Bruemmer, Experian " width="150" height="188" />Michael Bruemmer is Vice President of <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank" rel="noopener">Experian Data Breach Resolution</a>, which helps businesses mitigate consumer risk following data breach incidents.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/why-ai-raises-your-risk-of-cybercrime-and-what-to-do-about-it/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>CISO Survey Shows Importance of Threat Hunting in the Finance Sector</title>
		<link>https://www.cisoforum.com/ciso-survey-shows-importance-of-threat-hunting-in-the-finance-sector/</link>
					<comments>https://www.cisoforum.com/ciso-survey-shows-importance-of-threat-hunting-in-the-finance-sector/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Tue, 22 May 2018 13:29:37 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[carbon black]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[survey]]></category>
		<category><![CDATA[threat hunting]]></category>
		<guid isPermaLink="false">http://www.cisoforum.com/?p=398</guid>

					<description><![CDATA[Attackers Hide in Plain Sight as Threat Hunting Lags (Kevin Townsend &#8211; SecurityWeek) &#8211; The finance sector has one of the most robust cybersecurity postures in industry. It is heavily regulated, frequently attacked, and well-resourced &#8212; but not immune to cybercriminals. Ninety percent of financial institutions were targeted by ransomware alone in the past 12 [&#8230;]]]></description>
										<content:encoded><![CDATA[<h3 class="page-title" style="text-align: center;">Attackers Hide in Plain Sight as Threat Hunting Lags</h3>
<p>(Kevin Townsend &#8211; SecurityWeek) &#8211; The finance sector has one of the most robust cybersecurity postures in industry. It is heavily regulated, frequently attacked, and well-resourced &#8212; but not immune to cybercriminals. Ninety percent of financial institutions were targeted by ransomware alone in the past 12 months.</p>
<p>Endpoint protection firm Carbon Black <a href="https://www.carbonblack.com/resource/modern-bank-heists-cyberattacks-lateral-movement-in-the-financial-sector?utm_source=security-week" target="_blank" rel="noopener">surveyed</a> the CISOs of 40 major financial institutions during April 2018 to understand how the finance sector is attacked and what concerns its defenders. Two things most stand out: nearly half (44%) of financial institutions are concerned about the security posture of their technology service providers (TSPs &#8212; the supply chain); and despite their resources, only 37% have established threat hunting teams.</p>
<p>Concern over the supply chain is not surprising. Cybercriminals are increasingly attacking third-parties (who may be less well-protected or have their own security issues) to gain access to the primary target. The Federal Deposit Insurance Corporation (FDIC) is also concerned about the supply chain, and has developed an examination process that includes reviewing public information about the TSPs and their software.</p>
<p>One of the areas that concerns the FDIC is consolidation within the service provider industry. &#8220;For example,&#8221; it notes, &#8220;a flawed acquisition strategy may weaken the financial condition of the acquirer, or a poorly planned integration could heighten operational or security risk.&#8221;</p>
<p>Carbon Black recommends that this potential risk be countered by hunt teams and defenders closely assessing their TSP security posture. But, it adds, &#8220;Given that 63% of financial institutions have yet to establish threat hunting teams, there should be concern regarding limited visibility into exposure created by TSPs.&#8221;</p>
<p>But it also considers threat hunting to be important in detecting direct attacks. There are two primary reasons. The first is the increasing tendency for attackers to use fileless attacks that are not easily detected by standard technology; and the second is a growing willingness for attackers to engage in counter-countermeasures; that is, to counter the defender&#8217;s incident response.</p>
<p>Fileless attacks are increasing across all industry sectors. A typical attack might involve a Flash vulnerability. Flash invokes PowerShell, feeding instructions via the command line. PowerShell then connects to a stealth C&amp;C server, from where it downloads a more extensive PowerShell script that performs the attack. All of this is done in memory &#8212; no malware file is downloaded and there is nothing for traditional technology defenses to detect.</p>
<p>&#8220;Active threat hunting,&#8221; says Carbon Black, &#8220;puts defenders &#8216;on the offensive&#8217; rather than simply reacting to the deluge of daily alerts.&#8221; It &#8220;aims to find abnormal activity on servers and endpoints that may be signs of compromise, intrusion or exfiltration of data. Though the concept of threat hunting isn&#8217;t new, for many organizations the very idea of threat hunting is.&#8221;</p>
<p>But the need for threat hunting goes beyond simple detection of intrusion. &#8220;Attackers are able to go off their scripts while defenders are sticking to manual and automated playbooks,&#8221; warns Carbon Black. &#8220;These playbooks are generally based off simple indicators of compromise (IoCs). As a result, security teams are often left thinking they have disrupted the attacker but, with counter incident response, attackers maintain the upper hand.&#8221;</p>
<p>Compounding this, attackers are beginning to incorporate a secondary command and control in case one is discovered or disrupted. Carbon Black notes that this tactic has already been found in 10% of victims, and predicts it is a tactic that will grow in future months. The principle is that an attacker&#8217;s ability to improvise and change directions at speed is best countered by a human defender rather than simply a pre-programmed set of incident response steps.</p>
<p>&#8220;Financial institutions,&#8221; suggests Carbon Black, &#8220;should aim to improve situational awareness and visibility into the more advanced attacker movements post breach. This must be accompanied with a tactical paradigm shift from prevention to detection. The increasing attack surface, coupled with the utilization of advanced tactics, has allowed attackers to become invisible. Decreasing dwell time is the true return on investment for any cybersecurity program.&#8221;</p>
<p>In reality, of course, this does not just apply to the finance sector. The same evolving methodology is being used by attackers across all industry sectors. The need for threat hunting is not limited to finance. &#8220;All sectors should take heed,&#8221; Carbon Black chief cybersecurity officer Tom Kellerman told SecurityWeek. &#8220;Generally speaking, financial services tend to be the most secure as they&#8217;ve come under attack with high-profile attack campaigns in recent years.&#8221; The implication is that if the finance sector is slow to switch to active threat hunting, other sectors will be slower.</p>
<p>In April 2018, Carbon Black filed an S-1 registration statement with the U.S. Securities and Exchange Commission (SEC) for a proposed initial public offering (<a href="https://www.securityweek.com/carbon-black-prepares-100-million-ipo" target="_blank" rel="noopener">IPO</a>) of its common stock. Shares of the company (NASDAQ: CBLK) jumped 26% on its first day of trading on May 4. The company has a market capitalization of nearly $1.6 billion at the time of publishing. The company emerged in its current form after its <a href="https://www.securityweek.com/bit9-raises-38-million-acquires-carbon-black" target="_blank" rel="noopener">purchase by Bit9</a> in February 2014.</p>
<div class="xs_social_share_widget xs_share_url after_content 		main_content  wslu-style-1 wslu-share-box-shaped wslu-fill-colored wslu-none wslu-share-horizontal wslu-theme-font-no wslu-main_content">
<ul>
			        </ul>
</p></div>
]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/ciso-survey-shows-importance-of-threat-hunting-in-the-finance-sector/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>City of Atlanta Ransomware Attack Proves Costly</title>
		<link>https://www.cisoforum.com/city-of-atlanta-ransomware-attack-proves-costly/</link>
					<comments>https://www.cisoforum.com/city-of-atlanta-ransomware-attack-proves-costly/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Mon, 07 May 2018 20:02:55 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Atlanta]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[ransomware]]></category>
		<guid isPermaLink="false">http://www.cisoforum.com/?p=380</guid>

					<description><![CDATA[City of Atlanta Ransomware Attack Showcases Ethical Problem in Whether to Pay a Ransom or Not (Kevin Townsend &#8211; SecurityWeek) Over the course of the last week, it has become apparent that the City of Atlanta, Georgia, has paid out nearly $3 million dollars in contracts to help its recovery from a ransomware attack on March 22, 2018 [&#8230;]]]></description>
										<content:encoded><![CDATA[<h2 style="text-align: center;"><strong>City of Atlanta Ransomware Attack Showcases Ethical Problem in Whether to Pay a Ransom or Not</strong></h2>
<p><strong>(Kevin Townsend &#8211; <a href="https://www.securityweek.com/city-atlanta-ransomware-attack-proves-disastrously-expensive" target="_blank" rel="noopener">SecurityWeek</a>) </strong>Over the course of the last week, it has become apparent that the City of Atlanta, Georgia, has paid out nearly $3 million in contracts to help its <a href="https://www.securityweek.com/ransomware-hits-city-atlanta" target="_blank" rel="noopener">recovery from a ransomware attack</a> on March 22, 2018 &#8212; which (at the time of writing) is still without resolution.</p>
<p>Precise details on the Atlanta contracts are confused and confusing &#8212; but two consistent elements are that SecureWorks is being paid $650,000 for emergency incident response services, and Ernst &amp; Young is being paid $600,000 for advisory services for cyber incident response. The <a href="http://procurement.atlantaga.gov/awarded-emergency-procurements/" target="_blank" rel="noopener">contracts</a> appear to total roughly $2.7 million. The eventual cost will likely be more, since it doesn&#8217;t include lost staff productivity or the billings of a law firm reportedly charging Atlanta $485 per hour for partners, and $300 per hour for associates. The ransom demand was for around $51,000.</p>
<p>The ransomware used in the attack was SamSam. In February this year, SecureWorks published a report on SamSam and attributes it to a group it knows as Gold Lowell. Gold Lowell is unusual in its ransomware attacks since it typically compromises its victim networks in advance of encrypting any files.</p>
<p>SecureWorks makes two specific points about Gold Lowell that might be pertinent to the Atlanta incident. Firstly, &#8220;In some cases where the victim paid the initial ransom, GOLD LOWELL revised the demand, significantly increasing the cost to decrypt the organization&#8217;s files in an apparent attempt to capitalize on a victim&#8217;s willingness to pay a ransom.&#8221; Atlanta officials have always declined to comment on whether they paid, or attempted to pay, the ransom.</p>
<p>Secondly, &#8220;GOLD LOWELL is motivated by financial gain, and there is no evidence of the threat actors using network access for espionage or data theft.&#8221; Atlanta officials were quick to claim that no personal data was lost in the attack.</p>
<p>Also worth considering is the SamSam <a href="https://www.securityweek.com/samsam-ransomware-attacks-hit-healthcare-firms" target="_blank" rel="noopener">attack on Hancock Health</a> reported in January this year. Hancock chose to pay a ransom of around $55,000, and recovered its systems within a few days. It later admitted that it would not have been able to recover from backups since the attackers &#8212; which sound like the Gold Lowell group &#8212; had previously compromised them.</p>
<p>The extended dwell time by the Gold Lowell group prior to encrypting files and making a ransom demand would explain the extreme difficulty that Atlanta is experiencing in trying to recover from the attack. The Hancock incident suggests that rapid payment might have resulted in file recovery, but SecureWorks also suggests it might have led to a further demand.</p>
<p>There are also indications that Gold Lowell&#8217;s dwell time could have been extensive and effective. According to WSB-TV, Atlanta officials had been warned months in advance that at least one server was infected with malware, and that in February it contacted a blacklisted IP address associated with known ransomware attacks. Whether the incidents are directly connected will only come out with forensic analysis.</p>
<p>However, the few facts that are known raise a very complex ethical issue. Atlanta seems to have chosen to pay nearly $3 million of taxpayer money rather than just $51,000, possibly on a point of principle. That principle is supported by law enforcement agencies around the world who advise that ransoms should not be paid. In this case, the sheer disparity between the cost of the ransom and the ransomware restitution (more than 50-to-1 and growing), all of which must be paid with someone else&#8217;s money, makes it reasonable to question the decision.</p>
<p>There is no simple answer. Atlanta does, however, get almost unequivocal support from the CISO of another U.S. city, who spoke to <em>SecurityWeek</em> requesting anonymity. &#8220;Unless paying the ransom provided details of how they were breached, what would it really get them?&#8221; he asked. &#8220;Firstly, they don&#8217;t know if they would actually get the decrypt keys; secondly, they don&#8217;t know if they would simply get hit again; and thirdly, it would only encourage more of the same kind of action.</p>
<p>&#8220;By bringing in emergency support,&#8221; he continued, &#8220;they probably now have a much better picture of their security posture, most likely have cleaned up a number of issues, and are now on track to pay more attention to this business risk.&#8221; His only criticism is that the money should have been spent to prevent ransomware rather than to recover from it. &#8220;The real lesson,&#8221; he said, &#8220;is for probably 10-20% of the cost of the emergency support they could have brought in the same people to help with the same issues prior to the incident. Would that guarantee it would not happen? No &#8212; but it would improve the odds greatly, would limit the damage done, and improve recovery efforts if it happened.&#8221;</p>
<p>Ilia Kolochenko, CEO of web security company High-Tech Bridge, has a different view. &#8220;The ethical dilemma whether to pay or not to pay a ransom becomes very complicated today. This incident is a very colorful, albeit sad, example that refusing to pay a ransom may be economically impractical and detrimental for the victims.&#8221;</p>
<p>He agrees that Atlanta should have been better prepared. &#8220;Taking into consideration the scope and the disastrous consequences of this incident, one may reasonably suggest that Atlanta has a lot of space for improvement in cybersecurity and incident response. Spending 50 times more money to remediate the consequences of the attack, instead of investing the same money into prevention of further incidents, is at least questionable.&#8221;</p>
<p>But he disagrees with one of the primary arguments of those who advocate not paying. &#8220;Refusing to pay a ransom is unlikely to demotivate cybercriminals from conducting further attacks, as they will always find someone else to pay.&#8221;</p>
<p>In the final analysis, he believes that each case needs to be decided on its own merits, but adds, &#8220;In some cases, paying a ransom is the best scenario for a company and its economic interests. Otherwise, you risk spending a lot of valuable resources with no substantial outcome.&#8221;</p>
<div class="xs_social_share_widget xs_share_url after_content 		main_content  wslu-style-1 wslu-share-box-shaped wslu-fill-colored wslu-none wslu-share-horizontal wslu-theme-font-no wslu-main_content">
<ul>
			        </ul>
</p></div>
]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/city-of-atlanta-ransomware-attack-proves-costly/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Security Awareness Training a Top Priority for CISOs: FS-ISAC Report</title>
		<link>https://www.cisoforum.com/security-awareness-training-top-priority-cisos-fs-isac-report/</link>
					<comments>https://www.cisoforum.com/security-awareness-training-top-priority-cisos-fs-isac-report/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Wed, 14 Feb 2018 15:00:52 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[FS-ISAC]]></category>
		<category><![CDATA[security awareness]]></category>
		<category><![CDATA[training]]></category>
		<guid isPermaLink="false">http://www.cisoforum.com/?p=378</guid>

					<description><![CDATA[(SecurityWeek &#8211; Kevin Townsend) &#8211; Thirty-five percent of CISOs in the financial sector consider staff training to be the top priority for cyber defense. Twenty-five percent prioritize infrastructure upgrades and network defense. The Financial Services Information Sharing and Analysis Center (FS-ISAC) polled more than 100 of its 7,000 global members to produce the first of its [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>(<a href="https://www.securityweek.com/security-awareness-training-top-priority-cisos-report" target="_blank" rel="noopener">SecurityWeek &#8211; Kevin Townsend</a>) &#8211; <strong>Thirty-five percent of CISOs in the financial sector consider staff training to be the top priority for cyber defense. Twenty-five percent prioritize infrastructure upgrades and network defense.</strong></p>
<p>The Financial Services Information Sharing and Analysis Center (FS-ISAC) polled more than 100 of its 7,000 global members to produce the first of its planned annual CISO Cybersecurity Trends Study. ISACs are non-profit organizations, usually relevant to individual critical infrastructure sectors, designed to share threat information among their members and with relevant government agencies. They were born from Bill Clinton&#8217;s 1998 Presidential Decision Directive <a href="https://fas.org/irp/offdocs/pdd-63.htm" target="_blank" rel="noopener">PDD 63</a>.</p>
<p>The FS-ISAC&#8217;s 2018 Cybersecurity Trends Report (<a href="https://www.fsisac.com/sites/default/files/27377_FS-ISAC_TrendGraphic_bms1-r2.pdf" target="_blank" rel="noopener">PDF</a>) notes a distinction in priorities based on the individual organization&#8217;s reporting structure. Where CISOs report into a technical structure, such as the CIO, the priority is for infrastructure upgrades, network defense and breach prevention. Where they report into a non-technical function, such as the COO or Legal, the priority is for staff training.</p>
<p>This could be as simple as CISOs prioritizing areas for which they are most likely to get funding. However, that staff training is considered the overall priority does not surprise Dr. Bret Fund, founder and CEO at SecureSet.</p>
<p style="text-align: right;"><strong><a href="https://www.cisoforum.com/" target="_blank" rel="noopener">Request an invite to SecurityWeek&#8217;s CISO Forum</a></strong></p>
<p>&#8220;I think that speaks to CISOs seeing first-hand how their largest risks of breach rest in the people component vs. the product or process components,&#8221; he suggests. &#8220;Executives and Boards cannot underestimate the need for a robust security culture inside their organizations; and the way that you achieve that is through proper education and training.&#8221;</p>
<p>Dan Lohrmann, chief security officer at Security Mentor, agrees. &#8220;The mission-essential business aspects that end user security awareness training is now playing in global financial organizations must be front and center surrounding around all data handling and incident response.&#8221; He recommends metrics-based training so that progress can be monitored.</p>
<p>The report finds no common reporting structure within financial organizations. Only 8% of CISOs report directly to the CEO. Sixty-six percent report to the CIO (39%), the CRO (14%) or the COO (13%). Despite these differences, there appears to be no impact on the frequency of reporting to the board of directors on cybersecurity.</p>
<p>Reporting most frequently occurs every three months (54% of CISOs). Eighteen percent report every six months, and 16% report annually. Only 6% report monthly.</p>
<p>There is no indication within the report on structural trends, which could provide an insight into the evolving role of the CISO. Greg Reber, CEO at AsTech, thinks this is an omission. &#8220;At AsTech, we see moves away from CISOs reporting to CIOs, as the incentives can be at odds,&#8221; he explains. &#8220;CIOs may need to get things done quickly to realize financial goals &#8212; moving processing to the cloud environments for example &#8212; while CISOs are chiefly concerned with risk management.&#8221;</p>
<p>He also notes a failure to comment on cyber risk insurance. &#8220;This falls into an &#8216;event response&#8217; category, which we see as a top priority. However, it didn&#8217;t appear in the top three responses in this survey.&#8221; Reber equates &#8216;cyber defense&#8217; with a Maginot Line philosophy, and believes resources should be balanced between defense and response.</p>
<p>&#8220;This report from FS-ISAC highlights the continued need for cyber awareness and vigilance from staff,&#8221; comments Stephen Burke, founder and CEO at Cyber Risk Aware. &#8220;Hackers are great at exploiting human nature, using social engineering tactics to gain their victims&#8217; trust. Once they can get through defense and onto a user&#8217;s machine they may use sophisticated methods to stealthily move laterally across a network stealing data or credentials.&#8221;</p>
<p>FS-ISAC&#8217;s recommendation to its members based on its survey findings is that staff training should be prioritized regardless of the reporting structure. &#8220;People can be the solution to these growing online risks, or they can be contributors to the growing level of security problems,&#8221; says Lohrmann. &#8220;Effective security awareness training will enable the enterprise to successfully stop cyberattacks.&#8221;</p>
<p><strong>Venture and M&amp;A</strong></p>
<p>Security awareness firms have been the subject of significant funding and M&amp;A transactions in recent months.</p>
<p>Earlier this month, security awareness training firm Wombat Security agreed to be acquired by <a title="Wombat acquired" href="https://www.securityweek.com/proofpoint-acquire-security-awareness-training-firm-wombat-security-225-million" target="_blank" rel="noopener">Proofpoint for $225 million</a> in cash. In August 2017, Webroot <a href="https://www.securityweek.com/webroot-acquires-security-awareness-training-firm-securecast" target="_blank" rel="noopener">acquired Securecast</a>, an Oregon-based company that specializes in security awareness training. In October 2017, security awareness training and simulated phishing firm <a href="https://www.securityweek.com/simulated-phishing-firm-knowbe4-raises-30-million" target="_blank" rel="noopener">KnowBe4 secured $30 million</a> in Series B financing, which brought the total amount raised by KnowBe4 to $44 million. Security awareness training firm PhishMe has raised nearly $58 million in funding, including a <a title="PhishMe Funding" href="https://www.securityweek.com/phishme-raises-425-million-series-c-funding" target="_blank" rel="noopener">$42.5 million series C</a> funding round in July 2016.</p>
<div class="xs_social_share_widget xs_share_url after_content 		main_content  wslu-style-1 wslu-share-box-shaped wslu-fill-colored wslu-none wslu-share-horizontal wslu-theme-font-no wslu-main_content">
<ul>
			        </ul>
</p></div>
]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/security-awareness-training-top-priority-cisos-fs-isac-report/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Five Secrets for Higher Performing CISOs</title>
		<link>https://www.cisoforum.com/five-secrets-for-higher-performing-cisos/</link>
					<comments>https://www.cisoforum.com/five-secrets-for-higher-performing-cisos/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Fri, 10 Feb 2017 17:31:06 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">http://frixel.com/ciso/?p=219</guid>

					<description><![CDATA[(SecurityWeek) &#8211; IANS Research has developed a model designed to help chief information security officers to maintain their inherent promise: that is, &#8220;to safeguard critical assets across space and time.&#8221;  This model, which it calls CISO Impact, rests on two fundamental capabilities: technical excellence and organizational engagement. The former involves eight domains from access control [&#8230;]]]></description>
										<content:encoded><![CDATA[<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.0"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.0.0">(<a href="http://www.securityweek.com/research-unearths-5-secrets-higher-performing-cisos" target="_blank" rel="noopener noreferrer" data-content="http://www.securityweek.com/research-unearths-5-secrets-higher-performing-cisos" data-type="external" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.0.0.1.0">SecurityWeek</a>) &#8211; IANS Research has developed a model designed to help chief information security officers to maintain their inherent promise: that is, &#8220;to safeguard critical assets across space and time.&#8221;</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.1"> <span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.2.0">This model, which it calls CISO Impact, rests on two fundamental capabilities: technical excellence and organizational engagement. The former involves eight domains from access control to incident response; while the later includes seven factors from running infosec like a business to getting Business to own the risk.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.4"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.4.0">From this model, combined with insights from more than 1,200 high-performing CISOs and information security teams, IANS has developed what it terms &#8216;The 5 Secrets of High-Performing CISOs&#8217;.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.6"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.6.0">&#8220;The connected world is a dangerous place,&#8221; says Stan Dolberg, chief research officer at IANS Research, &#8220;and because of this, CISOs and their teams must lead their organizations to adopt safe business practices. However, the challenge remains that many CISOs are leading from a position of little authority or influence. The CISO Impact diagnostic provides specific ways for CISOs to assert information security leadership skills that are commonly found in organizations one step ahead on the maturity curve. Our goal is to inform, contextualize and prioritize where to invest skills, practices, and technologies. Armed with this strong guidance, CISOs can chart their own paths to leadership.&#8221;</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.8"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.8.0">Put bluntly, the purpose of this report is to help lower performing CISOs to perform better through using the methods already used by high performing CISOs. The five secrets to achieving career success are: </span></p>
<ul class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.9">
<li data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.9.0">
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.9.0.0"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.9.0.0.0">Lead without authority</span></p>
</li>
<li data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.9.1">
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.9.1.0"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.9.1.0.0">Embrace the change agent role</span></p>
</li>
<li data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.9.2">
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.9.2.0"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.9.2.0.0">Don&#8217;t wait to be invited to the party</span></p>
</li>
<li data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.9.3">
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.9.3.0"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.9.3.0.0">Build a cohesive cyber cadre</span></p>
</li>
<li data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.9.4">
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.9.4.0"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.9.4.0.0">It&#8217;s a 5 to 7-year journey to high impact</span></p>
</li>
</ul>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.a"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.a.0">Each of these &#8216;secrets&#8217; is discussed in the report and supported by statistical research evidence. For example, 100% of high performers lead despite having no authority, using &#8220;persuasion, negotiation, conflict management, communication, education.&#8221; Only 3% of low performers succeed in this.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.c"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.c.0">For the second &#8216;secret&#8217;, the report states, &#8220;High-performing CISOs know the value of engaging to drive change,&#8221; says the report. &#8220;In the CISO Impact data, 3 out of 4 of high performers embrace this approach, compared to 1 in 20 of the low performers. To embrace this role, know the business, know yourself, and get ready to &#8216;make lemonade&#8217;.&#8221;</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.e"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.e.0">The third secret is not so widely adopted by the high performers. &#8220;More than half of high performers in the CISO Impact data set didn&#8217;t wait for executives to have an epiphany that security matters,&#8221; states the report. &#8220;They leveraged the power of simulation to generate the emotional experience of loss or compromise that is fundamental to an engaged executive team.&#8221; Less than 1% of low performers did similar.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.g"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.g.0">In secret 4, &#8220;High performers patiently assemble and train more than a team &#8212; they culture a cyber cadre.&#8221; This approach is adopted by 85% of high performers; but by only 1.4% of low performers.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.i"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.i.0">The fifth secret warns that there is no quick fix. &#8220;Five to seven years is a realistic time frame for building the trust, the program, the team, and the value of information security to the point where information security is baked in.&#8221; </span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.k"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.k.0">These five secrets provide excellent advice for improving company security and enhancing CISO careers. As stand-alone research, however, the report has several problems. The first is the distinction between a high performer and a low performer. The second is that it is easier to be a high performer in some companies than it is in others. </span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.m"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.m.0">Martin Zinaich (CSSLP, CRISC, CISSP, CISA, CISM and more), information security officer for the City of Tampa, comments: &#8220;&#8216;You must lead without authority&#8217; &#8212; that is so very true! You have to do that both technically and from an organic business integration standpoint. Yet,&#8221; he told SecurityWeek, &#8220;the study shows that 60% of high performing security leaders report into risk and business roles (that have authority) &#8212; and 95% of lower performing CISOs report to the CIO (where they don&#8217;t). Those two stats show the simple reality that it is very difficult to lead without authority. Almost every non-technical safe corporate wide business practice I have seen where the CISO is lacking authority has come via post breach, regulations or working with the Audit department.&#8221;</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.o"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.o.0">The danger for research statistics is that some of the low performers could be high performers in a different company with more resources and/or a more receptive C-Suite. </span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.q"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.q.0">A similar issue occurs in the fifth secret; that is, &#8216;it&#8217;s a 5 to 7-year journey to high impact&#8217;. The reality is that few CISOs will remain in one position for that long &#8212; in fact, it is probably only the high performing CISOs already occupying a high-flying position with a security-aware company that will do so.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.s"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.s.0">Such concerns, however, only impact the statistical difference between high and low performing security officers. The basic arguments contained within the five secrets remain quality advice for any CISO who wants to better secure his organization and improve his career potential.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.u"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.u.0">The IANS Research report, &#8220;The 5 Secrets of High-Performing CISOs&#8221; will be presented at the RSA Conference next week.</span></p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/five-secrets-for-higher-performing-cisos/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>New Cyber-Defense Strategies for Healthcare Security</title>
		<link>https://www.cisoforum.com/new-cyber-defense-strategies-for-healthcare-security/</link>
					<comments>https://www.cisoforum.com/new-cyber-defense-strategies-for-healthcare-security/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Tue, 10 Jan 2017 17:32:04 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">http://frixel.com/ciso/?p=221</guid>

					<description><![CDATA[In the healthcare industry, cyber-defense systems must continually evolve to keep pace with the ever-changing threats posed by computer hackers and malicious software attacks. This ongoing game of cat-and-mouse makes it hard for us CISOs to keep our defense postures up to date, or even to stay knowledgeable about the newest security products on the [&#8230;]]]></description>
										<content:encoded><![CDATA[<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.0"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.0.0">In the healthcare industry, cyber-defense systems must continually evolve to keep pace with the ever-changing threats posed by computer hackers and malicious software attacks. This ongoing game of cat-and-mouse makes it hard for us CISOs to keep our defense postures up to date, or even to stay knowledgeable about the newest security products on the market.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.2"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.2.0">To address this challenge, I recently invited several of my industry peers to meet with some of the most cutting-edge security startups in Silicon Valley in search of some new solutions. This unique CISO-VC Briefing Program was organized by our technology partner Trace3, which has built up strong relationships with many of the Valley’s most prominent venture capital firms and their portfolio startups.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.4"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.4.0">I was joined by my IT security colleagues from Scripps Health, Millennium Health, NuVasive, Ringcentral and Bank of the Internet. Many of us are members of the San Diego CISO Roundtable, a tight-knit community of local security executives, while a few participants presented a unique Northern California/Southern California CISO networking opportunity. We all grapple with the same challenges, yet we don’t view information security as a competitive advantage. In fact, we try to help each other by sharing updates about the latest types of attacks and the newest security strategies.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.6"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.6.0">Visiting with Security Startup Leaders in Silicon Valley</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.8"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.8.0">Even with the rapid pace of cybersecurity innovations today, the bad actors continue to evolve their threats too. Many of us CISOs still rely on legacy security tools that have been leapfrogged by new types of attacks in recent years, so we need to continually adapt our people, processes and technologies.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.a"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.a.0">Older defense systems such as network firewalls and intrusion detection systems remain important, but they are more easily circumvented today. For instance, firewalls only block certain network entry points, but attackers simply use sanctioned ports in firewalls to deliver their malicious software.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.c"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.c.0">Many of the latest security products take a different approach rather than trying to build a moat around the network, which is no longer effective in this world of cloud computing and mobile computing. Some next-generation technologies incorporate machine learning systems that become smarter over time.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.e"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.e.0">One clever approach is known as user <a href="http://www.securityweek.com/increasing-importance-security-analytics" target="_blank" rel="noopener noreferrer" data-content="http://www.securityweek.com/increasing-importance-security-analytics" data-type="external" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.e.0.1.0">behavior analytics</a> (UBA). This type of software sets up profiles for the expected normal online behaviors of each user. By monitoring all users, the system can detect anomalous behaviors which may be the result of stolen password credentials. Or perhaps such unusual patterns are due to a disgruntled employee who is downloading proprietary company data. Employees with sensitive data access may be detected reaching beyond their authorization and into files they don’t have a legitimate reason to see.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.g"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.g.0">My team at Sharp Healthcare is very interested in adopting UBA to detect such intrusions, and we are planning to purchase a solution in the New Year. </span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.i"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.i.0">Staying One Step Ahead of the Bad Guys</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.k"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.k.0">Another cool new security technique shown at our briefing involved network anomaly detection, which is used to track network traffic for abnormal patterns. For example, when terabytes of financial information start getting downloaded at 3 AM, that event triggers an alert to mitigate a potential breach.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.m"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.m.0">New tools for identity and access management allow IT managers to give employees the mobile reach they need to access data from any device, while still protecting the company’s interests with cloud-based security. In addition, data packet inspection solutions examine the reputations of email senders to thwart any possible phishing attacks.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.o"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.o.0">As a result of the briefing, I also set up meetings with <a href="http://www.securityweek.com/db-networks-unveils-layer-7-database-security-oems" target="_blank" rel="noopener noreferrer" data-content="http://www.securityweek.com/db-networks-unveils-layer-7-database-security-oems" data-type="external" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.o.0.1.0">DB Networks</a> and Imperva, makers of database monitoring systems, along with Immuta, a firm that specializes in data security while providing an integrated experimentation platform for data scientists.</span></p>
<p class="font_8" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.q"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.q.0">Many CISOs and CIOs shy away from buying cutting-edge technologies. Some prefer to instead stick with the big incumbent vendors. However, it’s critical to develop a familiarity and trust for the technologies that today’s leading startups are developing.  From a security perspective, this is the only way to stay one step ahead of the next potential data breach.</span></p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/new-cyber-defense-strategies-for-healthcare-security/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>CISOs: Five Ways to Ramp Up Your Security Strategy</title>
		<link>https://www.cisoforum.com/cisos-five-ways-to-ramp-up-your-security-strategy/</link>
					<comments>https://www.cisoforum.com/cisos-five-ways-to-ramp-up-your-security-strategy/#respond</comments>
		
		<dc:creator><![CDATA[CISO Forum]]></dc:creator>
		<pubDate>Mon, 21 Dec 2015 17:32:56 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">http://frixel.com/ciso/?p=223</guid>

					<description><![CDATA[Every day, and usually without people realizing it, networks are breached. With confidential information exposed to the wrong eyes, secrets can become commodities capable of ruining corporate and personal reputations. We live in a world where network incidents are so common that no one can deny their existence. As attacks proliferate, problems mount. With the [&#8230;]]]></description>
										<content:encoded><![CDATA[<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.0">Every day, and usually without people realizing it, networks are breached. With confidential information exposed to the wrong eyes, secrets can become commodities capable of ruining corporate and personal reputations. We live in a world where network incidents are so common that no one can deny their existence. As attacks proliferate, problems mount. With the attack surface continually growing, new devices plugging into networks, and data in motion growing in volume, the challenges for corporate leaders are more complex than ever. Fortunately, most enterprise companies are taking steps to increase their defense in depth, but the security strategy does not become more effective by merely adding another layer of software to the stack. We need to rethink the entire approach.</p>
<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.2">As most security professionals will attest, the task of setting up, maintaining and altering an integrated enterprise security system, often containing multiple vendor solutions, is not simple. There is no lack of solutions for security teams to choose from. What is important is knowing what type of solution to implement and why. The first step to combatting this challenge is to examine a number of common variables at work that point towards why cyber security problems seem to be getting worse despite the availability of innovative solutions in the market.</p>
<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.4">Expanding networks. Agile hackers. Let’s look at the variables.</p>
<ul class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.5">
<li data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.5.0">
<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.5.0.0">Networks are getting larger with each user connecting multiple devices into the system.</p>
</li>
<li data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.5.1">
<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.5.1.0">While not necessarily smarter, attackers are more agile than most organizations and can afford a “low and slow” approach before pulling the trigger.</p>
</li>
<li data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.5.2">
<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.5.2.0">The explosion of social networking and the subsequent high volume of data and users it has created help hackers get even easier access into corporate networks.</p>
</li>
<li data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.5.3">
<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.5.3.0">The widespread reach of black markets and rampant utilization of automated systems has created a marketplace primed for maleficence.</p>
</li>
<li data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.5.4">
<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.5.4.0">The proliferation of technology has created a world that is more diverse and disparate than ever. We continue to be pulled in a million directions as information travels quicker.</p>
</li>
</ul>
<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.6">The above scenarios are just the tip of the ‘cyber-risk iceberg’. In reality, there are hundreds of variables to identify, assess, and use when looking for the right solution. In this brief write-up, we will do our best to turn those variables into tangible steps in search for a more comprehensive security strategy.</p>
<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.8"><span data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.8.0">Understand. Articulate. Act.</span></p>
<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.a">Where is a cyber security professional to begin when the stakes are set against the corporation? The key is better preparation. Below are five steps that will provide an approach to help build a strategy that offers the potential to outsmart the attacker.</p>
<ol class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.c">
<li data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.c.0">
<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.c.0.0">Stop guessing. Assume your enterprise has already been breached. This is where detection technology is critical. Implementing a signature-based system is helpful but it is not sufficient. What is needed is a system that detects behavior anomalies by correlating seemingly disparate events. Think of a night watchman on patrol, noticing potentially unrelated incidents that he can then tie together. He sees a security light has gone dark; this is not necessarily cause for alarm, but it could be if there is broken glass where the bulb was broken, not burnt out. Thus, it is the pinning together of isolated events that could shine light on abnormal behavior that leads to the discovery of a malicious intruder.</p>
</li>
<li data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.c.1">
<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.c.1.0">Assess the most critical assets and potential compromises within your network. For example, are your end users reliant on mobile devices? Are your employees constantly working remotely or on-the-go? The 2015 Cyberthreat Defense Report shows that 59% of respondents experienced an increase in mobile threats over the past year. If you have a mobile-heavy workforce, make sure you’re monitoring all apps and mobile traffic. Also, know the storage location of the most critical assets of your organization, such as corporate IP, client info, project plans, etc., and have consistent management of access permission settings.</p>
</li>
<li data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.c.2">
<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.c.2.0">Understand your risks and core infrastructure. You must be aware of the most vulnerable risks posed to your organization in the event of a breach. What assets pose the greatest danger to your stability if they fall into the wrong hands? What is the level of security as defined by your existing cyber security stack? How much of your resources have been deployed to your perimeter versus network core?</p>
</li>
<li data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.c.3">
<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.c.3.0">Articulate. Learn the way in which your organization’s board communicates and receives information best. They typically do not have time to review hundreds of metrics; therefore you must be able to organize your findings in a succinct, action-oriented manner that makes it easier for them to make decisions that help your organization. They certainly have the means to move resources. Make them your advocates.</p>
</li>
<li data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.c.4">
<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.c.4.0">Act. Once a plan is in place, execution is vital. Make sure you put the necessary time and effort into building a resilient and secure system prepared to fight off invaders both inside and outside the firewall. In the end, it will save your organization valuable time and money while protecting your reputation.</p>
</li>
</ol>
<p class="font_9" data-reactid=".0.$SITE_ROOT.$desktop_siteRoot.$PAGES_CONTAINER.1.1.$SITE_PAGES.$c246h_DESKTOP.1.$i4xhzq67_0.0.0.$child.$0.1.$1.$5.$0.0.d">Securing your network from the inside out via detection is crucial. Since we know that more than 90% of networks already have intruders present, we must take steps to detect their presence, identify how they got in, and make a plan to protect the network from future intrusion.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.cisoforum.com/cisos-five-ways-to-ramp-up-your-security-strategy/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
