Are you Resilient or Risky? Insights from Black Hat
Top Five Insights:
The emergence of few cloud providers creates an environment of concentrated risk
Cyberinsurance may help drive appropriate risk spend and behavior
The less you know where your data crown jewels are, the less resilient you can be
Develop the appropriate hooks into the organization to optimize impact
People continue to be key to any good resiliency strategy
We recently took some time during the Black Hat 2017 conference to gather several CISOs and senior security staff at Fortune 500 organizations to share their perspective on risk and resilience in today's information economy. The conversations and debates took us into what it means to be resilient and the challenges companies face today. Allow me to share some of those insights, some familiar and some new.
First, cloud environments operated by third parties has allowed many organizations to essentially “outsource” a lot of their resiliency requirements, letting the Amazons, Googles, or Microsofts of the world handle the “5 9s” of uptime. To an extent, this has been a great trade-off, allowing the cloud companies to optimize their offering while letting businesses focus investment elsewhere. However, there is still a concentration of risk. Given the dominance of those three companies, a lot of our eggs are in one basket – namely an outage (or worse!) can have devastating impacts to commerce. We saw a hint of this with a recent Amazon outage. For true resiliency, companies can’t put all of their trust in one breaking point.
Cyber-insurance was discussed, with many commenting on the current immaturity of the industry, but it is quickly evolving. Many see cyber-insurance, as it becomes more sophisticated, helping drive behavior much as auto insurance has done for car owners. Once the premium (i.e. risk) pricing becomes more precise, insurance underwriters can reward good behavior through discounts and discourage lax behavior with steeper pricing – driving overall behavior. This could have even more impact if, much like auto-insurance, cyber-insurance becomes mandatory. However, participants agreed that is wading into tricky territory.
Participants felt strongly that knowing where your data is, namely your “crown jewels” or most critical information, is key to putting a strategy in place that won’t break the bank. With rapid change, folks admitted this is a tough one to stay on top of. However, advances in technology and more sophisticated methodologies have helped improve data discovery at many organizations. Figure out which data is most important, its life-cycle in your organization, and then put the right protections in place.
Next, people shared various views on how best an information security organization can team with IT and the business to effect change. This is not surprising as a company’s particular culture (as well as level of agility and appetite for change) will dictate the direction to take. However, a few themes emerged when it came to resiliency. InfoSec needs to move beyond just auditory table top exercises and actually perform soup-to-nuts tests of their resiliency plans. Having representation in the business (e.g. Business InfoSec Officer) can effectively get (sometimes stubborn) lines of businesses into the fold. Physical Security, if not already part of the same reporting tree as InfoSec, requires close coordination.
Finally, people can be your greatest asset or your weakest link when it comes to managing risk and driving resiliency. Though not novel, participants felt it bears highlighting. Recent outbreaks of ransomware and the continued use of phishing as an easy threat vector mean we are still not creating sophisticated enough awareness programs and org processes to mitigate these threats. When you have the right people doing the right things your resiliency strategy can really take hold. Further, it’s not just technology outage that impacts companies, but people, and their roles, need to be considered in your strategy as well.
What do you think? Are there other major considerations for a good resiliency strategy that we didn’t hit on? Share your thoughts with us in the comments below.