Cybereason CISO Interview Series: The end of the CISO?

Could CISOs become obsolete, or at least suffer a significant demotion and focus less on securing IT generally and instead develop more niche levels of responsibility such as threat hunting and penetration testing? That’s the perspective of Jonathan Sinclair, Associate Director of Information Security at the biotech company Celgene, who sees this scenario playing out only if CIOs “become security aware.” Sinclair, whose information security career includes leadership positions at Hewlett Packard Enterprise and Novartis, admits that his peers don’t share this view but in this interview he makes the case for why security needs to be the responsibility of an entire organization. He also touches on why the information security industry should rethink how risk is modeled and how getting to know an organization’s developers and technology enablers can lead to better security.

What advice can you offer security leaders on talking to their boards about information security?

In my experience, never underestimate the naivety of those outside your profession. Remember that they are exposed to those details published in popular media and that this can be a blessing and a curse.

Placing existing security concerns in the context of emerging threats, gives one the ability to bring esoteric security concerns real impact and relevancy, but can also cause board members to only pay attention to what’s ‘popular in the moment’, like WannaCry and NotPetya.

The problem is a lack of long term vision and the transient nature of executives at the enterprise level. They want you to react directly to what is pressing at a particular instance in time and are inordinately focused on how their competitors are dealing with similar threats.

A tool I find myself leveraging whenever addressing board members is to context switch according to particular preference. One must be able to analogously abstract an existing threat (like ransomware) and make it relevant to the entire IT program while tying it back to corporate strategic direction.

For us in IT security, an analogy often doesn’t portray the actual details and semantics of a problem, however for communication purposes, it can go a long way when addressing people who are outside our area of expertise. As soon as you go into the boardroom and start talking about the technical stuff, they'll just glaze over instantly because it's not about ROI or core business benefit.

This will be self-evident to most reading this, however getting the analogy correct, which in turn results in direct action, is not easy. It’s unfortunately a social-skill most of us think we have, but often don’t.

We are seemingly tolerated in the boardrooms because of a market driven insistence around due diligence, but truth be told, we’re not being invited to the C-level social events and this should be the actual goal.

You’ve helped organizations threat hunt. Do companies understand what threat hunting is and how to conduct a hunt?

In my experience, no to both questions.

I’ve been involved in a number of threat hunting activities and observed many hunting programs in operation. I have only rarely seen these come to anything and when they have, they’ve been operated within a highly restricted scope.

What I’ve seen is that most organizations aren’t interested in threat hunting and it’s a hard sell to those at C-level. Partly because threat modeling is something still not regularly talked about in the boardroom and partly because the ‘so what’ question is raised all too often: So we know we we’re being targeted by a hacking group in a hostile state, so what? So we know that we are the target of animal rights activities and our IT defense’s are under strain from their attacks, so what, have our business lines been effected? “We’re being targeted by spear-phishing attacks. Isn’t everyone, that’s why you’re here, to protect us, so what?

With a more reasonable position being stated as “If our IT footprint is global and our adversaries are operating together with us in this sphere where the legal mechanisms and international agreements aren’t harmonized and our reach insufficient, so what? What can we really hope to achieve by understanding the threat?”

As attribution and assignment of attribution are very still difficult things to determine, as well as the legal and privacy mechanisms to support such activities, it’s not easy for most organizations to bring together the interdepartmental cohesion and external authorities required to support this activity.

Having said this, when these have been established, integrated and work harmoniously, operational threat hunting can shine. Unfortunately, many organizations struggle with the most basic IT security fundamentals that threat hunting often seems to be a very distant service to target.

There is however an additional facet to the situation that is not always considered: risk determination. In many situations I’ve seen enterprises have control of the usual security perimeter defenses - firewalls, web application firewall, host-based intrusion detection system.  However in order to leverage the expert knowledge needed to carry out real threat hunting activities such as diversion, deception, honey potting and reverse engineering, we hit an inflection point where multiple n parties need to interact in a highly trusted way. This n-tier relationship often results in no single party being able to comprehend the threat landscape and what type of risk assignment needs to be applied at any given time, to any particular asset, ultimately resulting in the dissolving of accountability, giving rise to a disconnect from the original goal.

These are logistical and integration problems rather than anything technical but too often contribute to these activities failing in practice.

Jonathan-Sinclair1.jpg

Should the IT security department report to a CISO or a CIO?

Great question and very poignant for the time as there's a lot of talk about who should answer to whom in the security zeitgeist currently.

My opinion is that the CISO role should disappear and that the IT security department should report to the CIO.

I’ve seen many philosophies and models concerning this question played out in organizations from business verticals such as financial, governmental, pharmaceutical and technological. I’m a believer that security is not a ‘black-art’, nor a policing force, and therefore shouldn’t require a separate reporting line for organizations to deal with.

I really wish the industry had evolved so that security was part of everything an IT professional would do and/or be engaged in. I see the rise of positions like the CISO and the establishment of specialized security teams and SOCs as a general failing of education and awareness on the part of existing IT which has chosen to focus on delivery times, A/B testing and fail-fast work practices rather than embedding a security-orientated mindset.

I’m of course not naïve enough to claim that there is no need for specialized groups of people who can reverse engineer, fuzz, develop exploits and conduct red/blue team exercises. But, in my perspective, such teams should be integrated into the working methodologies of IT work streams.

Building separate security and IT teams as part of two organizational units breeds an ‘us and them’ attitude, working counter to the strategic business goal of maturing an organization’s overall security posture.

Removing the CISO position will force the CIO’s position to increase in scope, whereby an explicit security remit will have to be considered. This increase in scope will foster an awareness that will percolate down into all stratums of IT.

I acknowledge that this position maybe out-of-step with the rest of the industry, or may even be considered outdated by some, given modern matrix organizational set-ups.

Some people will even propose models such that, the CISO role should embody the entire breadth of information security, including physical, others will claim that the CIO should report to the CISO. Many models are being fielded at the moment as a result of the many failures that existing organizational structures are bringing about like security breaches.

I have tended towards something a little more radical based on my experiences working within enterprises whose central business models tend to not be driven by IT, yet.

Is this more of a realistic perspective given that CEOs are willing to accept the risk and fallout from a security incident?  

I believe so.

We’re only just starting to see CISO’s lose their positions and/or face prison sentences for gross negligence, as the result of security breaches, however even in such cases the CEO’s are often the ones that need to face the media and explain things to the shareholders. CISO’s currently enjoy luxurious positions where accountability is relatively low given their status.

The existing perception is that the CEO ultimately drives the company, therefore if accountability can’t be adequately delegated to subordinates what sense does it make to keep employing expensive CISO’s?

This reinforces the idea of building security in. If it’s driven from the top, because it’s a main concern of the CEO, and your developer and security teams are working side-by-side in the same organizational unit further downstream, you’d hope that the bottom up behavior is also being driven up, ensuring a 360 vision of security awareness through all levels.

This will also prevent situations arising where two executives (CIO/CISO) are debating security versus operational return - reduced deliverer times, increased ROI, improved scalability versus a poor security model, controls, governance.

Here, the CEO will often side with the CIO, unless the CEO has an explicit concern for security (which is not the general approach), either way, having two executives arguing the case doesn’t help anyone and it would be much better to streamline the decision making process with a single individual who can balance risk in a coherent manner.  

Security, as a separate organizational unit, is always going to be seen as the policeman of the infrastructure until you create the sense that security is everyone's problem. We've got to reach the point where security, as a separate team dissipates. I don't expect the developers to reverse engineer malware but security still has to be part of an IT organization.

An additional dimension for consideration is the vendor accountability model: Given the leveraging of third-party vendors, through; services, purchasing commercial off the shelf software, open-source integration and cloud providers. There is still a complete lack of accountability to the vendor space and here CEO’s and CIO’s are in much strong positions to address this concern than CISO’s.  

How do you get developers to understand that IT security is not meant to stifle innovation?

That's really tricky because it's about the social aspect, which us IT and security folks are pretty bad at.

Coming from the developer space, I can go and talk about algorithmic complexity issues and then bring in the security perspective. A lot of IT security folks I know just can't do that. They often sit isolated, breaking stuff or testing how to break stuff. They don't open up for the social connection.

Even worse, at the higher management levels, the CISO’s don’t possess a technical background, meaning leadership by example can never be exemplified.

There is a real need to get closer to the development teams. Nowadays you probably have a really strong in-house developer team that’s manageable in terms of numbers. Security professionals need to make the effort to go up to those development teams and talk to them about their problems.

If you've got collaboration groups, for example, start following the developers’ channels and conversations. Get involved. If there's a code repository, take a look at it. Have a look at what the main projects are. Talk to your senior leadership teams and ask what big application development activities are happening and who the champion developers are. You’ve got to get to the more unsocial developers, too. They’re usually the ones everyone listens too. It starts with a coffee.

In my experience, conversations are better than presentations because those are very isolating and people can just switch off.

It takes a lot of work and is a huge amount of effort, especially for security folks, however in terms of instilling cultural change, that's what needs to be done. It's not enough to just have a security awareness program or secure programming course. These things just don't work in practice without other complementary or direct ancillary initiatives.

Another thing that's beneficial to the security mindset are hackathons. Get application developers interested in things outside their remit. It gives them a chance to break stuff and gives them a taste of what it means to be in security. Empower them to make their own security decisions.

You’ve written about the potential for an IT security winter. Could you explain this concept, and do you think that a cold front is approaching?

Here I’m paying homage to a popularized phrase referenced in connection to the field of artificial intelligence (AI). The so-called AI winter took place in 1980s and 90s. AI got to a level where, much like now, a great deal of financial expenditure was being levied at the field and unfortunately, the overly optimistic predictions were never able to deliver, causing backers to redirect their funding elsewhere and the field stalled.

I feel the same hype-cycle is happening in security. During the unruly 70s, 80s and 90s the viruses and worm outbreaks made the headlines. With asset destruction being one of the principle threats and attacks generally targeting the operating system layer, protected with polymorphic code generating engines and assembler/C code-bases, making them efficient and nimble.

To tackle this threat, we saw the rise of signature based detection, with antivirus vendors stockpiling malware samples to halt impending threats. This worked for a while, generally speaking. However as the threat landscaped metamorphosed into something altogether more complex with the rise of DDoS, botnets, adaptive SPAM, Web-based attacks, and IoT, signature detection started to fail.

In response to this, every AV vendor is now embedding machine learning, adaptive AI or some sort of purported behavioral analysis capability which is supposed to identify adaptive malware.

I worry, however, that these ‘new methods’ will start plateauing again soon.

I’ve witnessed first-hand companies’ machine learning models break and when they do, they break spectacularly. They're actually reasonably fragile, in some sense, with little in the way of graceful degradation. I’m therefore wondering when the industries venture capital funds will dry up as the new cybersecurity ‘AI’ space fails to deliver the magic bullet it seems so purportedly well positioned to provide.

For this reason, I feel a chill in the air and wouldn’t give the existing cycle more than a few years of continued success, before things start to plateau. I hope to be proved wrong.

Has IT security become more about reducing risk instead of stopping every attack?

It's been clearly demonstrated that we can't stop every attack. I would therefore say that yes; IT security has become more about dealing with risk than total prevention. Side-channel attacks have shown, with remarkable clarity, that this is not possible.  

What’s really interesting is how people understand risk and it’s here that I think the existing IT security community doesn’t have a good quantitative grasp on this topic and subsequently relies on non-reproducible qualitative methods.

With insurance companies getting involved in cybersecurity and insurance it's an interesting play because you finally get organizations that really understand how to categorize risk, from a quantifiable perspective. I really want to see what models come out from the insurance players and how they evaluate things.

For the longest time you've had these security people come in, become managers, possessing no comprehension of what risk actually means and how it really applies to business factors. A step change to this approach would be most welcome.

How will that change occur?

I think it could be through the re-training of existing security professionals, however personally, I think it will be triggered by a disruption in the field and I’m hoping this will come from other disciplines such as insurance, banking and science.

There has to be more dialogue between business and IT and although most senior-level IT security professionals will support this, their ability to talk business language and decide on risk factors in this contextual space is often lacking

Maybe companies are more inclined to accept the risk or buy technology that may reduce that risk instead of asking difficult questions around what risks the organization really faces.

I think this is very much the case.

I try to ask those questions and haven't found a way to diplomatically pose them without upsetting people.

When you ask those types of questions at board-level meetings, people get worried that they can't answer them adequately. They rarely state: “We know this is a risk because we've carried out research and here’s the quantified evidence”. Instead they too often feel they're being attacked because decisions are not being conducted in disciplined manner.  

Unfortunately, I've never had a pragmatic CIO or CEO say, “That's a really good question and given we don’t have that answer, why don’t we empower you with X amount of resources so that you can quantify this risk for us?”

Do they fear learning what they don’t know about security?

Perhaps.

It could be because of the dynamic between the CIO and CISO. As soon as you start asking those questions, it takes resources to answer them and this can slow things down.

For example, the following scenario could be played out:

CIO/CEO: So you’re worried about us deploying infrastructure to country X. Why do you have security concerns about this?

CISO: It’s been documented that country X has confiscated enterprise laptops and asked for security information from our personnel (passwords, encryption keys, corporate connections, personally identifiable information).

CIO/CEO: Ok. But have we seen any real evidence this extracted information has led to any negative effects being felt with regards to our corporate portfolio? Have we got evidence that we’re being targeted by that government? Is our IP really at risk from those employees to whom the information was requested? Even if our IP has been stolen, does this malicious party have the means to act on it?

CISO: Not exactly. Through our security monitoring mechanisms and open source intelligence services we see that targets originating from this country are attacking us through SPAM and phishing attacks. from this we are assuming that our operational risk is higher in this country than others we may be dealing with.

CIO/CEO: Ok. But do we have any real evidence of the risk profile? I’ve heard about this threat hunting stuff. Are we actually being targeted by these threat actors and if so what’s their modus operandi. What are they trying to achieve? By entering this market it’s been projected we’ll make X million dollars for the company. What risk profile can you demonstrate to me that will dissuade me from deploying infrastructure here?

CISO: Hmm…

The originally proposed question was probably asking if CIO’s or CEO’s fear learning what they don’t know about security. I think however it’s the CISO’s that have this fear. Much of security at the enterprise level seems to focus on the hard sell of increasing IT security budgets and grabbing new technologies in a desperate drive to find a silver bullet. This lack of vision and strategy means they miss being able to comprehend and accurately navigate the risk landscape and support a pragmatic drive forward.

One hundred percent IT security is never attainable, so let’s get smarter at understanding our environment, democratizing accountability and building security in.

Fred O'Connor
About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.