From the Desk of a CISO: The Five Core 2020 Cybersecurity Resolutions

Over recent years, cybersecurity, and certainly the role of the CISO, have evolved – in many ways, for the better. Thanks in large part to the rapid digitization of business, the explosion of data and data sharing across the enterprise, and the move to cloud and mobile, the nature of information security has had to change. And it has to change quickly.

At Code42, as we work to provide an insider threat detection, investigation and response solution to organizations that need to securely share data and collaborate to succeed at their work, we find ourselves in the center of it all. As 2020 is taking off, it’s a perfect time for security teams to reflect on what areas they can improve on when it comes to providing the most effective security to their organizations. As I’ve considered the state of enterprise security over the past few weeks, I’ve developed my list of 2020 resolutions. To be sure, some organizations, including Code42, are doing these things already. Yet there’s always room for improvement – and in security, we all need to work together toward the constant goal of improvement. 

Here are the areas that are especially important for businesses to focus on throughout 2020 and, as necessary, resolve themselves to improve.

Make sure security is a business driver

With the increased competitiveness of today’s business environment and the drive to digital transformation, cybersecurity can no longer be viewed as a reason not to move a business forward. The 2019 Harvey Nash / KPMG CIO Survey found that 44% of CIOs and technology leaders expect significant changes to come to their products, service offerings, or even their business model in the next few years. Security teams need to support, not hinder, this business change.

One way security teams can improve is to better understand and appreciate how their company drives revenue and ensure they are making smart decisions to support its specific business model. What does this mean in practice? Consider how a manufacturer will have a different risk posture than a healthcare provider, and how a healthcare provider’s risk posture will in turn be quite different from that of a trucking company or software provider. It’s important that security professionals think of themselves not just as security professionals, but as risk managers who help direct and inform the business on taking on the risks that allow the company to meet its overall goals.

At Code42, our focus is on helping to secure this faster world of collaboration, which fundamentally enables security to be at the cornerstone of driving the business forward. We believe in supporting all forms of collaboration and innovation. We also believe that collaboration needs to be secure.


Embed security throughout the business

In many organizations, it’s still common for new applications, services and business decisions to be made without the security team being part of the decision-making process. Unfortunately, when security is brought in at the eleventh hour and finds a number of risks that must be resolved, it causes considerable re-work, increases costs to remediate and unacceptably slows down the business.

Further, the more rapidly businesses digitize, the more aggressively they add new product features, change business models and enter new markets and geographies (which come with their own geopolitical risks). As such, security leadership needs to be a part of discussions around planning and implementation from the beginning.

Having security embedded early saves time, costs and lots of headaches. To do this requires that security is built into the development and business decision-making process. In practice, this means that security engineers are integrated into the software lifecycle process – helping to write code, fix vulnerabilities, or address developers’ needs with consistent security solutions. (I advocated for security to be ingrained in these types of activities in a recent blog.) Or it means that your security org helps to vet a product or solution before it’s acquired. Or it means that the board asks the CISO for a security risk analysis before entering new geographies and business segments.

To stay competitive, however, it’s just not enough to make sure security is part of the process – security needs to be as effective and efficient as possible. Which brings us to our next resolution.

Automate all of the things

Security teams not only need to be involved early on to identify risks, they need to be enabled to fix those risks themselves through integration and automation. Automating security means mundane tasks can be handled without human interaction, freeing up security engineers for more important, strategic, value-added work.

Automating security tasks in the development workflow not only saves time and enables speed and scale, but it’s also critical for solving key issues faced by security professionals. Automation can help ease the security talent gap, alleviate alert fatigue, speed up time to incident resolution and reduce errors.


We are always working on improving our processes in the areas that can be automated, including software testing, vulnerability management, malware incident response, and more. Any mundane task is a candidate for automation. For instance, when vulnerabilities are identified by an automated scan, it’s sometimes possible to patch automatically; at other times, the automation can gather all of the necessary context and package it for admins so they can get to work instantly.

If there’s a malware alert, automatically grab the necessary context from a source such as VirusTotal and, when warranted, quarantine the infection. If a remedy cannot be automated, gather the associated context so analysts can quickly make a decision and respond.
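The alert-handling workflow described above, written out as an added Python example (this is not Code42’s code, and it is not tied to any real product API): a malware alert is enriched with file reputation and asset context, then routed to automatic quarantine, escalation or analyst review according to a simple policy. The reputation table standing in for a service such as VirusTotal, the host names, the hash values and the policy thresholds are all constructed assumptions; a real integration would query the reputation service and a CMDB instead.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# --- Constructed stand-ins (assumptions; not real services, hosts or hashes) ---

# Reputation lookup standing in for a service such as VirusTotal. Keys are
# constructed SHA-256 strings; values mimic an engine-detection summary.
REPUTATION_DB = {
    "0" * 64: {"detections": 0, "engines": 70},   # constructed: clean file
    "1" * 64: {"detections": 5, "engines": 70},   # constructed: low-confidence hit
    "2" * 64: {"detections": 63, "engines": 70},  # constructed: widely detected
}

# Hosts where an automatic quarantine would disrupt the business. In practice
# this comes from the asset inventory / CMDB; here it is a constructed table.
CRITICAL_HOSTS = {"db-prod-01", "erp-app-02"}

AUTO_QUARANTINE_RATIO = 0.5  # assumed policy: >= 50% of engines flag the file


@dataclass
class Alert:
    alert_id: str
    host: str
    user: str
    file_path: str
    sha256: str


def reputation_ratio(sha256: str) -> Optional[float]:
    """Fraction of engines flagging the hash, or None when the hash is unknown."""
    entry = REPUTATION_DB.get(sha256)
    if entry is None or entry["engines"] == 0:
        return None
    return entry["detections"] / entry["engines"]


def decide(ratio: Optional[float], host: str) -> Tuple[str, str]:
    """Map enrichment results to an action plus a human-readable reason."""
    if ratio is None:
        return "analyst_review", "no reputation data for hash"
    if ratio >= AUTO_QUARANTINE_RATIO:
        if host in CRITICAL_HOSTS:
            # High confidence, but the business impact of an automatic
            # quarantine is too high: package context and escalate instead.
            return "escalate", "high-confidence malware on critical host; auto-quarantine withheld"
        return "quarantine", "high-confidence malware on standard endpoint"
    if ratio > 0.0:
        return "analyst_review", "low-confidence detection"
    return "close_benign", "no engine detections"


def triage(alert: Alert) -> dict:
    """Enrich one alert and return a ticket with the decision and its context."""
    ratio = reputation_ratio(alert.sha256)
    action, reason = decide(ratio, alert.host)
    return {
        "alert_id": alert.alert_id,
        "action": action,
        "reason": reason,
        # Everything an analyst needs is gathered up front, whether or not
        # the remedy itself was automated.
        "context": {
            "host": alert.host,
            "user": alert.user,
            "file_path": alert.file_path,
            "sha256": alert.sha256,
            "detection_ratio": ratio,
            "critical_host": alert.host in CRITICAL_HOSTS,
        },
    }


# Constructed sample alerts covering each branch of the policy.
SAMPLE_ALERTS = [
    Alert("a-1", "ws-1042", "jdoe", "C:\\Users\\jdoe\\Downloads\\invoice.exe", "2" * 64),
    Alert("a-2", "db-prod-01", "svc-backup", "/opt/backup/agent.bin", "2" * 64),
    Alert("a-3", "ws-2077", "asmith", "/home/asmith/tool.sh", "1" * 64),
    Alert("a-4", "ws-3001", "bwu", "/tmp/report.pdf", "0" * 64),
    Alert("a-5", "ws-3002", "cli", "/tmp/unknown.bin", "f" * 64),
]


def triage_all(alerts=SAMPLE_ALERTS) -> list:
    return [triage(a) for a in alerts]


if __name__ == "__main__":
    for ticket in triage_all():
        print(ticket["alert_id"], ticket["action"], "-", ticket["reason"])
```

The point of the `escalate` branch is the one the paragraph makes about remedies that cannot be automated safely: the automation still does the enrichment and packaging, so the analyst starts with full context rather than a bare alert.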

The move to DevOps helps with security automation. Some call this DevSecOps. It doesn’t matter what you call it; what does matter is that security processes are an automated part of the development lifecycle, and that the security person is part of the cycle.

Focus on the human side of security

For years, we have focused on external actors and perimeter defense. We now need to shift the focus to include internal threats. We know that insiders have a considerable impact on an organization’s security. Yet, many organizations expend too much focus on external threats and not enough on internal threats. It’s time organizations appropriately reallocate their focus.


How do insiders create risk? Let me count the ways… For one, some users sidestep company-provided file sharing and collaboration tools for tools of their own choice. This creates risk. Our 2019 Data Exposure Report found that 31% of business decision-makers use social media platforms, e.g., Twitter, Facebook, LinkedIn, to share company data, while 37% use WhatsApp and 43% use personal email to send files and collaborate with their colleagues. Another way? Seventy-eight percent of CISOs and 65% of CEOs admit to clicking on a link they should not have. This shows that it’s not just staff, but also senior leaders that can make poor data security decisions. Have you ever emailed or shared a document with the wrong person? It’s not difficult to do. Though unintentional, the end result is still a risk to data.

Ultimately, enterprises can put protections and controls in place at every turn. Still, it only takes one internal user to abuse their access in a nefarious or careless way to cause a data breach.

Organizations need to dedicate more time to identifying insider threats, deciding what monitoring to put in place and optimizing how they detect and respond when events occur. Importantly, we have to do this without losing sight of our main focus to enable the business to collaborate securely.


Build a culture of security

No program or software solution will prevent all data from being at risk of exfiltration. It’s the security team’s job to educate employees on security risks and help foster an appropriate security culture.

What does it mean to build a good security culture? Consider security culture to be how those working within the organization act when it comes to data security. When there is a healthy security culture, everyone thinks before they click on links, for instance. If they have security questions, they’ll feel free to reach out to the security organization for answers. When they want to use a new product or service, or work in a new way, they will ask security about the risks. This is what good security culture looks like in practice.

Good security culture is actually a pillar of an effective insider threat program. Consider how many people in your organization would “say something if they see something,” to take a line from homeland security. Most staff, if they see a peer sharing a document out of policy or in an insecure way, won’t say anything at all. That is because people aren’t taught how to say something or how to help co-workers do the right thing. An effective security culture helps change that for the better.

While every organization is different, some organizations may be further along with these resolutions than others. However, with the rising insider threat and the increased pace of digital transformation, all organizations will benefit by making sure they are on track to continuously improve themselves.

From the Desk of a CISO – Leadership Lessons

Quite a bit has changed in information security since I began my career more than a decade ago. 

Talk of cloud being the primary enterprise development platform was based on complete speculation. Mobile computing had yet to hit full stride. Software as a service (SaaS) was in its infancy. Since then, we have seen the rise of the nation-state attacker, extensive malware attacks, highly-publicized insider threat cases, exponential growth of data due to the declining costs of storage and considerable digital transformation investments. As all of these trends evolved and took hold, the nature of information security also changed.

Throughout all of these changes I have worked in information security, previously at a national retail enterprise and, more recently, as CISO here at Code42. Over the years, I’ve learned a few important lessons about how to be successful in information security that I’d like to share here.

Lesson 1 – Be Part of the Solution

Too often security teams do a great job at identifying and pointing out risks and then handing them off to others to solve. In their earnest desire to eliminate those risks, they forget how important it is to understand how people go about getting their work done. So, rather than try to help others deliver their work or projects in a secure way, they identify risks and throw them over the fence for other teams to fix. That has to stop. We need to create partnerships, build empathy and become part of the solution. Building empathy helps us understand how others deliver work and the struggles they might go through to get their jobs done.

Because we are developing software at Code42, our top risks lie in the software development cycle. That’s why my team works very closely with our developers to help identify and address security gaps. To build greater empathy, I have challenged my team to learn the basics of a coding language. This has helped us gain a fuller understanding of the challenges developers face every day and, more importantly, how we need to work with them to be part of the solution.

Lesson 2 – Balance Risk

In security, it is less about eliminating risks and more about balancing risks. Think of a retail floor. Sure, everything on a shelf that isn’t locked down is at risk of being stolen. But if you lock everything up behind glass, your sales are going to plummet. At the end of the day, you are in the business of selling goods, which is why retailers don’t lock up everything. It’s the same with all business risks. You have to balance the business benefit with the business risk and put reasonable risk mitigations in place. For a retailer, this could be cameras, security guards, and/or only locking down items with a high risk of theft.

As security leaders, we don’t want to place overly aggressive security controls on everything. We are trying to tune the right level of security for the organization. You have to balance what the board, CEO and customers want and, at the same time, match the culture of the organization.

In a lot of cases, security leaders push forward with their own security risk posture ideals versus trying to truly understand the acceptable risk posture of the organization.

Lesson 3 – Build a Strong Team

While a bit more obvious, I can’t stress enough the importance of building and retaining a strong team. The team here at Code42 is close-knit. I have worked with many of these people for more than a decade. It’s hard to place a value on that. It’s a lot like professional athletes who know the moves their teammates are going to make before they do. That makes it possible to build a well-tuned, committed and effective team, not to mention retain talent in a talent-deficit industry. When you have a team you trust, it makes security much more effective and laser focused on the overall mission of the organization. I am thankful to be a part of such a strong, dedicated team that trusts one another and has a high degree of respect for one another. 

Lesson 4 – Transparency Trumps

To be effective in this industry, security professionals need to be transparent. In some cases, security teams still operate like the man behind the curtain: no one knows what magic they are operating, and budget is gained by claiming that the sky is falling. But with today’s skepticism, seeing is believing. That’s why it’s so important to demonstrate how risks could be exploited. I recommend having your red team perform an exercise to determine exactly how easily a risk may be exploited, and share the results with other decision makers.

In the same vein of transparency, it’s important to explain risks as they really are. Many security professionals will overhype a risk in an attempt to get attention or budget for a project. That tack may work in the short-term, but it will diminish trust in the long run.

As a security team, we are 100% transparent on the risks we see and the areas where we are digging deeper. This way, when a threat or new risk arises, we have a tremendous amount of trust and support to mitigate the risk. 

Lesson 5 – Provide Value, Don’t Fear Failure

Finally, being a CISO, or a data security professional in general, is a stressful job. There is a lot of discussion around stress in the information security profession and how, as a result, the average tenure for CISOs is about two years or less. CISOs must balance the stress by focusing on the good, which is the value they’re providing to their business. At Code42, we strive for a blameless culture – one where we learn lessons rather than fear failure. This type of culture helps contextualize stress.

In my job, I want to feel challenged throughout the workday. I’m energized and get a lot of joy knowing that we are providing value and actually helping our company and customers address their security risks. We are working for a company that helps all of our customers deliver on security with the software we develop. For a security professional, it doesn’t get more exciting than that.


Data Exposure – Stockpiling Cryptocurrency? Save Your Money.

For years, organizations have heard the drumbeat of building digital security perimeters to protect their data. And to the best of their ability, they’ve listened to the experts, followed best practices and spent billions on strategies to prevent data losses and breaches.

Unfortunately, that strategy is no longer working and companies know it. In an increasingly complex digital threat landscape, cybercriminals are constantly evolving, waging successful ransomware attacks even on organizations that have well-established breach-prevention profiles. Our recently released Data Exposure Report, which surveyed nearly 1,700 security, IT and business leaders across the U.S., U.K. and Germany, tells this story in stark relief.

Playing defense in an unpredictable threat landscape

I wasn’t surprised to read in the report that 64 percent of CISOs believe their company will have a breach in the next 12 months that will go public. Furthermore, 61 percent say their company has already been breached in the last 18 months. What is surprising to me is the narrow window of time in which these breaches are happening, demonstrating the increasing severity of the threat.

Even more concerning is the growing number of companies that are reacting to ransomware by purchasing cryptocurrency. Nearly three-quarters of the CISOs we surveyed admitted to stockpiling or having stockpiled cryptocurrency in the last 12 months to pay off cybercriminals. Worse yet, 79 percent of them have actually paid ransoms to regain access to their corporate data.


Get hit, get back up

Security and IT leaders estimate that 39 percent of their organization’s data is only held on endpoint devices — making it more difficult to track. As we discussed in our previous blog, “The Risks of Playing Data Hide-and-Seek,” this lack of visibility over endpoint-only data puts valuable company IP at risk — and updating a company security policy will not change the outcome because some employees simply don’t follow the rules.

In business, time is money. This is especially true in the seconds, minutes, days and weeks after a security breach. Yet according to about one-third of security and IT leaders, it would take up to one week to enact their recovery plan.

There is another way

While companies might think that they have no choice but to pay cybercriminals, they do actually have other options. And the overwhelming majority of CISOs agree. Nearly three-quarters (72 percent) reported that their company must improve its breach recovery ability in the next 12 months. And 75 percent stated that their company needs to shift the focus away from prevention-only security to a prevention-and-recovery strategy.

So what does that mean?

Recovery and prevention

From an IT perspective, prevention is only a single facet of a robust security approach. Possessing the capability to find out how a breach occurred — then being able to recover in real time — is the ultimate definition of resilience. With a comprehensive data recovery tool that includes visibility and recovery for endpoints, companies wouldn’t have to pay a ransom to regain access to their data. They would simply restore their data using their recovery solution.

Code42 can help organizations regain control post-breach.

In case you missed them, get the full Code42 Data Exposure Report blog series:

Code42 Data Exposure Report: A must-read for security and business decision-makers

Data Exposure–The Risks of Playing Data Hide-and-Seek

With cybersecurity threats continuing to evolve, even organizations wielding security tools and policies are at risk from a potential breach. In fact, 20 percent of security and IT leaders admit they do not have full visibility to where their data lives and moves—leaving their organizations with a data security blind spot.

According to the findings of our new Data Exposure Report, which surveyed nearly 1,700 security, business and IT leaders, 80 percent of CISOs agree that, “You cannot protect what you cannot see.”

It seems business leaders, on the other hand, are not always aware of the challenges security and IT leaders face to protect data. The overwhelming majority (82 percent) of business leaders believe IT can protect data they cannot see. This disconnect has major implications for data security, as business leaders often determine the budgets that security and IT need to do their jobs.


Data at risk

With the rise of flexible working practices and the ongoing digitization of information, the importance of data visibility and forensics across employee endpoints cannot be underestimated. In modern enterprises, with data flowing freely in and out of the organization, traditional security perimeters are no longer enough to prevent breaches.

Without the right tools, endpoint data is particularly vulnerable. In fact, 86 percent of security and IT leaders believe saving files outside of company storage—for example on an employee laptop—puts their organization at risk. This is a significant concern considering that 73 percent of security and IT leaders believe that some company data only exists on endpoints. And this is critical data: security leaders revealed that losing endpoint-only data could be business-destroying.

Data hide-and-seek

Keeping track of company data is not as straightforward as it may initially seem. Today, it goes beyond simply monitoring traditional sanctioned storage—even in the cloud.

While business leaders recognize that saving their data outside official storage causes unnecessary risk for their organization, they aren’t going to change their work habits. More than two-thirds (68 percent) of CEOs think there’s a risk to their company if they store data on devices such as laptops without keeping a copy in centralized storage—but they do it anyway.

Security must include recovery

Businesses need a safety net that will allow them to keep track of data stored on endpoints, regardless of employee behavior or communication breakdowns. To minimize risk to valuable IP, companies should have a security strategy that includes not only data recovery in the event of a breach, but also prevention tools to help prevent breaches from happening.

Coming up in the final post in this four-part series, we will explore why companies must shift their security strategy away from prevention-only to a prevention-and-recovery strategy that effectively deals with an increasingly unpredictable threat landscape. To read the Code42 Data Exposure Report in its entirety, go to code42.com/2018DataExposureReport.

In case you missed them, get part one and two of Code42’s Data Exposure Report blog series.


Data Exposure Report: A Must-Read for Security Decision-Makers

We’re thrilled to announce the release of our Data Exposure Report. It reveals some startling truths about how human behavior drives data security vulnerabilities, despite the billions companies spend on data loss prevention.

IT leaders and CISOs will find some of their suspicions validated by the findings, particularly that CEOs are among the worst offenders at violating data security policy. But many of the disconnects we found between current data security strategies and the reality of the threat landscape will be surprising and sobering:

  • Almost three-quarters (72 percent) of CEOs admit they’ve taken valuable intellectual property from a former employer. Yet 78 percent of CEOs agree that ideas, in the form of IP, are still the most precious asset in the enterprise.
  • As many as 80 percent of CISOs agree that “you cannot protect what you cannot see.” Business leaders, however, have a different perspective. Among business leaders, 82 percent believe that IT can somehow protect data they cannot see.
  • Among CISOs, 64 percent believe their company will have a breach in the next 12 months that will go public, which has led nearly 73 percent of CISOs to stockpile cryptocurrency to pay cybercriminals.

The report, based on surveys of nearly 1,700 security, IT and business leaders from the U.S., U.K. and Germany, provides a comprehensive view of attitudes toward data security in this age of rapidly evolving cyber threats. This is the first in a series of four blog posts. Each post will delve into one of these key areas:

  • Emotional drivers of employee behavior that can put a company’s data at risk.
  • The importance of data visibility for security to do its job of safeguarding company data.
  • How to recover from a data breach while maintaining continuity.

Potentially most valuable for IT and security leaders, this report provides insights on ways to build business continuity and resilience in the face of an increasingly complex threat landscape. The upshot: resilience comes from companies evolving their data security strategies to include recovery from data breaches as well as prevention of those breaches in the first place.


“The time has come for the enterprise to make itself resilient. IT, security and business leaders need to arm themselves with facts about how the emotional forces that drive employee work styles impact data security policy,” said Rob Westervelt, research director for the security products group at IDC. “To protect an enterprise today, security teams need to have visibility to where data lives and moves, and who has access to it. Visibility is key in protecting an organization against both internal and external threats.”

Data is precious, but talk is cheap

The report reveals that, while most CEOs say their IP is one of their most valuable assets, they are the very people who put IP at risk through data practices they admittedly know are unsafe. Some key findings:

  • Among CEOs, 59 percent admit to downloading software without knowing whether it is approved by corporate security. The majority of business leaders (77 percent) believe their IT department would view this behavior as a security risk, but disregard the warning.
  • The majority of CEOs (93 percent) admit to keeping a copy of their work on a personal device, outside of officially sanctioned company storage. More than 68 percent of CEOs think there’s risk in keeping data solely outside of company storage, but they do so anyway.

So even though they know it’s risky—and they may have even lost work as a result of it—C-suiters continue to put their companies at risk by defying company policies and data security best practices.

The risks of playing data hide-and-seek

In this digital age, more flexible workplaces result in employees saving data on their endpoints, making it increasingly difficult for security departments to see data to protect it during a breach. Some key findings from the report:

  • Nearly three-quarters (73 percent) of security and IT leaders believe that some company data only exists on endpoints, such as desktops or laptops.
  • As many as 71 percent of security and IT leaders and 70 percent of business leaders believe that losing all corporate data held on the endpoint devices would be business-destroying or seriously disruptive.
  • In addition, 86 percent of security and IT leaders believe employees saving files outside of corporate storage poses a serious risk to the organization.

While clear and strong company policy about data security is critical, clearly it’s no match for the reality of human behavior. Companies must resign themselves to employees working and saving precious IP on their endpoints—not to mention engaging in other risky behavior that could result in a data loss incident.

Playing defense in an unpredictable threat landscape

In the evolving threat landscape, companies that experience a ransomware attack are increasingly faced with the untenable choice of paying off cybercriminals or losing precious data. Some key findings from the report:

  • Among CISOs, 61 percent say their company has been breached in the past 18 months.
  • The threat of cyberattack has led 73 percent to stockpile cryptocurrency to pay cybercriminals; of those, 79 percent have paid a ransom.

The most sobering part about these particular findings is the unnecessary use of resources to react to cyberthreats in this way. If a data loss event strikes, a comprehensive data security strategy that includes visibility provides companies with the ability to understand what happened and when. As a result, they are positioned to recover much faster.

An ounce of prevention no longer worth a pound of cure


Despite the disconnect between what they practice and what they preach, the report indicates that business leaders understand the need for a multi-pronged security approach in today’s complex threat landscape.

  • Three-quarters of CISOs (75 percent) and 74 percent of CEOs believe their security strategies need to change from prevention-only to prevention-and-recovery-driven security.

To read the Code42 Data Exposure Report in its entirety, go to code42.com/2018DataExposureReport.

Read Part Two of our blog series on the Code42 Data Exposure Report, “Is Your C-Suite Putting Your Data Security at Risk,” to learn how emotional drivers contribute to poor data security habits among employees.