Before the current millennium, enterprise talent would go to the office. It was so straightforward. Talent would all just sit at enterprise stations on prem and exist within a knowingly defined perimeter. The Firewall, VPN, LAN, Antivirus environment was within the gaze- and right under the nose- of the CISO.
CISO prioritization has always been on securing that perimeter. Managing technology vulnerabilities to ensure visibility over the complete threat landscape was the day-in-day out activity. The castle and moat strategy worked well when everything was inside the castle. But as cloud migration began and remote work continued, the perimeter expanded. The best CISOs in the business evolved with these changes and increased focus on nimble privilege-based access as opposed to a simple VPN on/off switch. Data at rest was always in view. Data in transit had been tougher to track. With global enterprise moving to a distributed structure reality, visibility over data in transit is truly an issue.
With the user consistently accessing data via non-enterprise endpoints an updated mindset and approach come into focus. In our Interactive Discussion on the CSHub Mid Year Report, Dennis Leber noted, “data is the new perimeter.”
Infinite Perimeter
We’ve been using the phrase infinite perimeter on CSHub to showcase what must be managed- access, endpoint, cloud and now IoT- as ever expansive. The distributed workforce, plus your 3rd party partners, plus their 3rd party partners thrusts access management and the concepts of least privilege and zero trust to the fore. Those same distributed users bringing their own devices turns endpoint security into a game of cat and mouse. Your network now includes the home routers of your distributed workforce as well as their smart speakers.
The data breach can now occur via myriad means. And so, rather than focus on the perimeter point that has been breached, focus on the data.
Controls For The Data Breach
A breach has always been focused on the data. But with an easily defined perimeter, the focus of the information security officer was rightly on the breach. Gaining an ever-widening scope of focus on the exponential expanse of the perimeter is mandatory. An additional focus on data at rest and data in transit will assist in that infinite perimeter scope of focus achieving clarity.
The focus has been on knowing where the crown jewels sit and protecting that space. CSHub Executive Board Member and IEEE Public Visibility Initiative spokesperson Kayne McGladrey notes, “if you don’t know where your data live, you can’t apply any effective policies around access controls or do any meaningful incident response or do any meaningful security awareness.”
Focusing on the Data in the Data Breach
As data exfiltration abounds, getting a handle on data in transit is of course, key. McGladrey continues, “right now, for almost all businesses data is the most important thing they have, whether it’s PII, PHI, IP. The threat actors are not attacking because people have nice office spaces that are currently empty, and they’re not attacking because they have nice manufacturing capacity, that’s also operating at a lower rate. They’re attacking because they want to steal the data and do things with it, depending on their motivation. And if you can’t say empirically, ‘We know where all those data are,’ you can not apply controls.”
But having basic controls over data in transit is simply not good enough. McGladrey expounds, “Build both policies to require encryption of data in transit, as well as policies around approved services to use, and then implement telemetry. If you don’t have a policy that says, ‘We’re going to have a standards list of approved services for transmitting data across organizations, and we’re going to have enforcement of that in our technical control,’ – think like a CASB at the very simplest level- then ultimately you have no idea where your data are going at the end of the day.”
Risk
Knowing everything about that most-important data in transit leads you to a cogent understanding of your actual enterprise risk. Horizon Power CISO and CSHub Executive Board Member Jeff Campbell notes, “It’s all got to be based on risk. Tapping into the corporate risk framework at your organization and understanding what they consider to be important as a strategic enabler, and then understanding that security- particularly now in this digital future- plays a very, very important part in enabling those strategic initiatives.”
Prioritization and risk go hand-in-hand. If the wrong things are prioritized, your risk increases. McGladrey notes that’s all the more important in a distributed enterprise. “Some of the projects that get spun up aren’t really going to have a material reduction in risk- and they’re not going to have a significant benefit to the business and with a nomadic workforce- that becomes a challenge.”
Prioritization
The organization should of course be already running in line with an industry standard like Center for Internet Security’s critical security controls. That ensures that you know that the enterprise is secure with where the business is. Zeroing in on the larger long-term enterprise goals provides a context of where the business is going. Understanding the Board and C-Suite cyber security focus points denotes how you can connect cyber security to those business goals. And when that connection is made, so is the business case for your current and future budget.
Campbell sums up, “So how do you prioritize? You develop metrics consistent with what your board likes to see around cyber security, as well as how that ties in into delivery of those initiatives. Those metrics need to be framed in a way that is a common language, and the common language at the board and executive layer. And that’s how you prioritize.”
The theme of business enablement has rifled through the industry over the past few years and the focus now has a fever pitch. A focus on business enablement has been about ensuring that the CISO can simply do what they know they need to do. We have now turned the corner in that business enablement can now help a CISO understand how to prioritize what they need to do.