As cyber threats grow in the Middle East and around the world, TECHx spoke with some of the most experienced CSOs/CISOs to understand how they have combated these threats. Sam Curry, Chief Security Officer at Cybereason, is the second in the series. Read on to learn how Cybereason is addressing growing cyber risks.
TECHx: In your conversations with customers, what are the most pressing cybersecurity concerns facing today’s organizations?
Sam: The superficial discussions are about the symptoms, like ransomware which is a clear and very real danger. The real conversations, above or below the security poverty line, are about the gap between the business and security, making security a risk function and a set of business processes similar to how legal, operations and financial risk are managed.
Yes, we need to get the controls right, and the staffing and the processes within information security, but the real understanding of that value and the proper funding and management of investment: there is the real job of security.
TECHx: What are some of the best cybersecurity practices your company has adopted to ensure not only a secure working environment but also a simplified adoption process?
Sam: In a phrase: continuous improvement. The culture has to not just want to check boxes but to refine and tune and incrementally improve at a high rate. It’s about efficacy, of course, but most importantly about efficiency. Red team results, penetration tests, red metrics are our friends. They are the feedback loop, not for bayonetting the wounded, but for improving ourselves. So, get the tools and people, the strategy and processes and then work at removing waste, improving productivity, and getting really good at managing investment for the best return on security value.
TECHx: Hybrid work culture is now a reality; how are you protecting your remote workforce from potential cyber threats?
Sam: Prior to the great office exodus, we were already fully capable of working from home. We already had the notion of an “Internet Cafe” approach, where we assume compromise of the local network and means of connection to the Internet and build on that. Therefore, moving to fully remote was more a cultural challenge than a technical or security challenge. And as more threats evolve to target home networks, ancient printers, out-of-date home routers and the like in a typical home environment, we continue to re-assess the risk and improve incrementally. The race against attackers is a race of rates of improvement, and that is the innovation and improvement game where we seek to stay ahead.
TECHx: The human factor remains one of the most serious threats to an organization’s cybersecurity; in light of this, what kind of security training should employees receive?
Sam: The human factor remains one of the most serious threats to an organization’s cybersecurity. However, the human factor is also the single most valuable asset for organizations too. That’s the conundrum.
Most of IT is here to use and take advantage of that human factor; so, it’s not fair to turn around and vilify it. It’s the cybersecurity function’s job to design for the human factor and not in spite of it. Security training is necessary and should be engaging, fresh, use gamification and all the other goodness, but that isn’t enough. After a certain level of training, diminishing returns and an over-sensitizing to security creep in. It’s time for security departments to go further and dig deeper. Design for the user, and improve rather than abdicate responsibility to the user. Most departments write a strong password policy and tell end users to deal with it, then blame them for breaches. That’s not good enough. The way to reduce the risk and maximize the value of the human factor is to keep improving how people are trained, and to continuously assess and improve security beyond that training.
TECHx: What is the best and most immediate strategy for CSOs/CISOs to implement if a data breach occurs in their organization?
Sam: If a breach occurs, it’s too late for strategy. The strategy should exist and be in place long before the breach occurred, and it should include detailed plans of what to do in the event of a breach. That should be trained, drilled and practiced. Before, during and after a breach is where strategy and its execution are put to the test. Prepare for war in peacetime, not after the invasion has begun.
TECHx: What do you consider to be the most important skills of a modern CSO/CISO?
Sam: Soft skills and business skills. CSOs and CISOs are technical. We know it. They understand security and they have been living and breathing it all their lives. Now, they need to find lieutenants, give up being the smartest security mind in the room and bring the department what it most needs: a relationship with the board, integration with peers, a voice in business discussions, an understanding of logistics and the real C-level sponsorship that isn’t seen to be the hobbyist lingering at the edge of the C-level offices.
TECHx: What advice or tips would you give to other CSOs/CISOs in light of the current global cybersecurity landscape?
Sam: Build a talented team, stop thinking in terms of products and instead in terms of systems, make friends outside IT and DevOps and become the best (risk) storyteller in the company.