The Cybereason series Stories from the Front Lines of Security Leadership will present insights from CISOs, security leaders and IT executives on topics including what's required to succeed as a security executive, how to convey the importance of security to an organization and how security leaders can advance their careers.
Security executives can’t shy away from risk. Often times, security improvements happen only after something goes wrong. That advice comes from Robert Bigman, who retired from the CIA in 2012 after a 30-year career, including serving as the agency’s CISO for the last 15 years. In the second and final part of his interview with Cybereason, Bigman, who is now an independent cyber-security consultant, talks about what he learned as the person responsible for keeping the spy agency’s secrets secret.
You can read read part one here.
Former CIA CISO Robert Bigman
You’ve said that security drives everything the CIA does. The private sector may not share this perspective. How can private sector CISOs elevate the role security plays in their organizations?
It was actually easy for me at the CIA to do that because I had a willing customer. We were always invited in and security is part of our DNA. The CISO has to be in an organization that wants to accept their contribution and welcomes participation in the IT culture. I’ve been in many organizations since I retired and the culture, frankly, is not enabling security to successfully operate. Some companies CIOs and IT officers go to great lengths to work around the CISO, behind the CISO, and make deals without involving the CISO.
What I’ve found works, frankly - and I’ve seen a few CISOs do this and do this is well - it’s really about personalities. The ones who do it well are the ones who get involved early and really become partners - and I truly mean partners - with the business units, with the IT organizations, with the application coders and develop a really strong personal relationship with them. CISOs and the IT discipline must develop a relationship where they can have a level of trust and show that they’re not just here to do cyber to interrupt or interfere with the business activities or interfere with company profit margins, for example.
We’re here to protect your interests and make sure from a regulatory and compliance perspective and from a common sense, good business perspective that you’re doing all the right things. The ones who transmit this message to the organization are the ones who have more successful programs.
What can private sector CISOs learn from how the CIA handled security incidents?
In addition to being a partner, you really need to make smart decisions about system security. Organizations get too caught up in cyber-security compliance and regulatory requirements. Hackers don’t care about what your regulators are telling you to do to. It’s of no interest to them. Your threat really comes from bad guys getting malware into your network and executing it. If you focus on that risk and where the attack surface is, you’re going to do pretty well.
One of the things I don’t see done well in the private industry is cyber/IT governance. You need to have a process in place to understand both at a tactical level and at a strategic level what the organization’s IT and business units are doing/planning. CISOs need to be part of what’s being - again, early - discussed and be ready to discuss risk in an organization. What I tend to find is a lot of CISOS learn about risk when the phone rings and they get told ‘By the way, we’re doing this’ or ‘We signed a contract to do that.’
There is often no integrated corporate decision making or thinking about these IT plans and strategies. It’s often a bunch of business people making what they believe to be are business decisions. To the degree they can, CISOs need to work better - and that’s where the personal relationships come in - with the business people. There can’t be any surprises.
How do you stay calm in a security incident?
You don’t. Calm under pressure is ignorance. I’m not saying you have to run around like a chicken with its head cut off. You have to be the leader and make sure people understand your anxiety. I’m saying you have to be a little crazy.
The way we did it was you take a page from the military. We had very clear operating process. When anything happened we had the incident manager do a triage. Having this process in place really helped reduce the stress on everyone else because we all paid attention to how the process worked and made sure that all things were done in an orderly fashion.
I also always used an incident as a learning opportunity. When we had an incident that meant somehow, somewhere something went wrong. And you should never let a good crisis go to waste. The right answer is you need to have clear, set of operational procedures.
So a cyber security incident is an opportunity to learn instead of a mistake?
Yes, it’s like the adage that you learn more from your mistakes than from your successes. If something went wrong, you almost always have improvements in your security as a result. This never happened as the result of something going well. When things go well the opposite tends to happen. You tend to lose budget. When there was a crisis that’s when there was more interest in what we did and people were more receptive to hearing how to fix this. I was not crisis averse. I looked at a crisis as an opportunity.
Could you comment on the recent Vault 7 leak?
I found it to be a horrible incident for the agency. It sounds to me more like the work of an insider instead of a cyber incident. I don’t have any special insight into the cause or impact. Certainly it’s not good news. I just hope they learn a good lesson and put some new protections in place to minimize the risk of this happening again.
When you’re running an intelligence organization there’s always a risk that any incident becomes a big incident because almost everything you do has a really big impact. There’s almost no small easy fix because of what we’re doing.
How did the CISO role evolve when you were at the CIA?
It mostly evolved from a focus on system protection - protecting access to the system, protecting access to the networks, which continued all through my career - to being more focused on being a data sensitivity expert.
I became what they today call a DPO, or data protection officer, in the corporate world. Not only did I make decisions about who accessed which systems, but my staff and I made the policies and decisions about what different parts of the U.S. government got to see what data under what conditions. Could we send this file to this organization on this network to be stored in this system for these people to see? I became more of a data security person than just a systems security person. That was they key change.
Did the type of threat actors you faced change?
The threats are always the same. Russians, Chinese. Chinese, Russians. Chinese, Russians, Israelis. Israelis, Chinese, Russians. It was always the same actors. It got to the point where I kind of knew these guys by name. That’s not to say there weren’t other actors trying to attack our networks.
Although it was the same cast of characters, the risk changed. The risk got greater as we were forced to - for a lot of reasons, mostly good - really connect more with what we did to other parts of the government, like the military that’s fighting wars. And getting intel faster to our customers is a good thing. The actors didn’t change but the risks increased as we became more connected to our partners and customers.
Do you know a security executive who has great insights and would like to talk with us for this series? Email us at firstname.lastname@example.org.