We learned a lot in 2021. Headline-making security incidents like Log4j, Colonial Pipeline, JBS Meatpacking and Kaseya each taught us something about what our security systems can handle and what needs to be improved on in 2022. For more on these, read 5 Cybersecurity Questions 2021 Threw Our Way by our CTO and Co-Founder David “moose” Wolpoff.
As a person who has operational and functional cyber experience in both the business world (CISO/CRO) and the military (retired two-star Admiral in cyber and information warfare), I am often asked how I view the security industry’s near future. In conjunction with Moose’s 5 Cybersecurity Questions, here are 5 themes I recommend you keep in mind when doing your strategic planning for your security organization in 2022.
Look Back to Move Forward
We all want to mature our cyber organizations. In order to do this, you need to understand where your gaps are today and you need an honest assessment of where your organization is on the cyber maturity scale. The biggest mistake we can make after the revelatory breaches of 2021 is to have the hubris to believe it won’t happen again. The reality is that the threat landscape continues to evolve in both complexity and speed. This is not cause for alarm; it simply means we must take a look back at what works and what doesn’t work, and then double down on what’s working and throw the rest off the proverbial island. Having a clear view of which assets are exposed and the risk they pose has long been recognized as foundational to an effective security program (CIS 1, 2, and 7).
In the military, we always sit down for what we call a “debrief” after a mission or operation is carried out. This is where we examine what happened on the ground, and what we can do better in similar scenarios in the future (think in terms of the title of Clint Eastwood’s western, The Good, The Bad and The Ugly). As Sir Winston Churchill said, “Those that fail to learn from history are doomed to repeat it.” When we as defenders take the time to learn from our mistakes, we are far less likely to repeat them during future events (attacks). You must always debrief each cyber event to capture what we call “lessons learned” and update your playbooks so the missteps of the past don’t happen again.
Don’t Set It & Forget It
Security is a process, not a state. You must continually do the work to maintain and enhance your program. This means you have to maintain basic blocking and tackling — such as maintaining practices like zero trust and default deny — as well as continually stress-test your environment with offensive security. Your environment, your technologies and the bad guys will all continue to evolve. You have to maintain constant visibility and a proactive approach to keep up with your adversaries.
In terms of being proactive, you need to get outside your network and view it from the outside looking in. This means seeing it from the attacker’s perspective. Don’t fall into the trap of thinking parts of your environment are beyond reproach. This is exactly where attackers want you to be, thinking you are secure. You need to always assume the bad guys are on your network. While they may or may not be actually there, it keeps you and your team in the right mindset when formulating strategies, executing playbooks and getting after your cyber issues.
You need to be able to focus and deploy resources where they are needed most. This requires “proactive” visibility of your attack surface. You may be the best in the world at configuring security postures, but just setting it and forgetting it will make you a soft target. Real world conditions are constantly changing and those who are proactive about understanding and managing their attack surface have a much better chance of successfully defending against attacks.
Security is Not Serial
Oftentimes during high pressure situations, teams tend to fall into the mode of doing things serially rather than in parallel. While sometimes serial is appropriate, most times it is not. You not only have to be working through multiple tasks at the same time, it’s also important to do them in the right order.
As an example, one of the areas where security fundamentals give us trouble is communication, or a lack thereof. Poor communication around security events can trip up more organizations than the security incident itself. Solving the technical issue is difficult, and can be especially challenging in high-stress situations. However, a technical fix or workaround can usually be implemented fairly quickly. To be blunt, you can never over-communicate.
Do you have a solid communication plan? The middle of an incident is not the time to develop one on the fly. Make sure part of your cyber playbook has a communications plan that addresses how you will communicate to all parties involved — the customers, the executive suite, the board and the media (including your social media). All need to be kept informed, and just as importantly, in the right order with all the right information. Missing any one of these can have an impact on the reputational risk of your organization and company. Don’t let this happen to you!
Security is a Team Sport
Security requires engagement at multiple levels. We see this play out in three distinct ways. First, within your Cyber and IT organization; second, within your company; and third, within your business sector.
- Teams within IT and security need to be collaborative. This means the SOC team has to communicate with system architects, system architects need to collaborate with vulnerability management, and so on. These units need to operate synchronously, and that means they need to communicate.
- The security apparatus needs to protect but also enable the business. The employees and executives need to understand they have a part to play in the company’s cyber security program. Employee behavior is part of an effective security operation, as well as making sure all executives understand what security is doing for them and how they can help. Basically, you need to have as many executives in your corner as possible – especially during your budget cycle!
- Security teams need to collaborate to graduate. At a minimum, you MUST work together across organizations within your business sector. This requires partnering with other security teams to share intel, develop best practices and make everyone part of the cyber solution. A great example of this is your ISACs. They are an excellent resource to help get cyber professionals around the same table to understand current issues and trends, disseminate intel on the threat landscape and keep people talking. Another process I instituted as a CISO was to have a working relationship with other CISOs who worked for our competitors. We never discussed “the business,” but we did meet on a periodic basis to exchange what was on each other’s radar. Since adversaries sometimes go after companies in the same sector, we had a standing rule to reach out to each other if something out of the ordinary was going on. I refer to this as the “NATO model” – an attack on one is an attack on all. There is strength in numbers and we all share the same common adversaries, so everybody wins when we work together!
Take the Offensive in 2022
In order to get your organization to the next level, you must be willing to take the offensive. This means you need to be thinking of the bulleted items below as you are maturing your organization with new technologies and processes. As you bring on both, ask yourself:
- Is it proactive rather than reactive?
- Will it create situational awareness that is actionable?
- Can it take into account the perspective of the adversary?
- Does it help empower, complement or enhance a “Defend Forward” strategy?
- Does it enable a “persistent engagement” mentality as opposed to a set it and forget it mentality?
Do not wait for the next Log4j to occur before you question your security program’s effectiveness. Take these lessons now and start putting them to work while the waters are relatively calm. This way, you can scrimmage and improve your program so you are resilient when the time comes. The more work you put in now, the less impact the next incident will have on you as we move into 2022.