The biggest concern for CISOs isn’t necessarily a nation-state attack, an employee unknowingly clicking a link in a phishing email, or protecting the company from a new, nasty piece of malware. Instead, the biggest challenge for security leaders is figuring out how to align the security department’s priorities with the business’s priorities.
The tactics that security and IT professionals employ to apply software patches exemplify this struggle, Cybereason CSO Sam Curry said during a Washington Post panel discussion on cybersecurity.
“The patches that have to be deployed to stop this destructive ransomware, we know what they are,” Curry said. “The problem is there’s an accumulated tech debt every time you touch IT. And that impacts people’s tickets and time to ticket resolution, which are two metrics that a business monitors.”
Meanwhile, an organization’s security leader knows that multiple patches may need to be rolled out, but applying all of them at once would inevitably break something, leading to lost employee productivity as IT personnel troubleshoot frozen machines or software that constantly crashes.
The CISO, wanting to avoid interrupting the business, decides to compromise and patch a handful of vulnerabilities in multiple stages. This decision, though, can create a game of patch roulette and potentially end a security leader’s career.
“So you pick your five or 10 and guess what? Because you patch them, they never become an issue,” Curry said. “So you become the person who’s always screaming, ‘I need to patch these things.’ If one of the ones you didn’t patch happens to get exploited, you’re out of a job.”
This situation leaves CISOs in an awkward and somewhat contradictory position: They realize the need to build relationships that will enable them to practice security. But even with these relationships, they may still be unable to accomplish all of their security goals.
“That leads to long-term anxiety. Some CISOs ask themselves why they are even doing this job,” he said, adding that the tenure of some security leaders is as short as 13 months.
Should companies pay a ransom?
The panel touched on a range of cybersecurity topics, including ransomware and whether organizations should pay to have their files decrypted.
“I think it should be illegal to pay a ransom. If you pay ransoms, you are exacerbating the problem for the rest of the community. You’re funding criminals who are going to take that money and hire more people and develop new tools and come back at us three times harder,” said panelist Rob Knake, a senior fellow at the Council on Foreign Relations. He did acknowledge that C-level executives would likely hand over money if there was a chance that paying the ransom would get them their data back.
Curry noted that whether or not to pay a ransom is “a risk-based decision” and warned against passing legislation that would penalize organizations for paying the ransom.
“We shouldn’t be talking about making [paying a ransom] illegal yet. If you’re a hospital and you’ve just been nailed and people are going to die if you don’t have data, what do you do? It’s not an easy answer,” he said.
Instead of legislation, Curry called for the security industry to take measures that allow companies to quickly restore backups after a ransomware attack and become more resilient to this threat. Ransomware attacks should be made less profitable for perpetrators, but a blanket law that outlaws paying a ransom “is a horrendous thing.” Public safety isn’t the CEO’s job, Curry said. Corporate executives care about protecting shareholders and following the company’s mission. A better route, he said, would be to advise companies not to pay the ransom if they don’t have to.
“It’s a risk-based decision for a business. An organization may go under or people may die [without data]. And that’s a tough call to make,” he said.
To see the full talk, which includes discussions on how attacks are really conducted and how companies have handled recent breaches, check out the video below.