Having attended the ISACA EuroCACS conference for the first time this week, I am delighted to report that of all the sessions I attended in the cybersecurity tracks over my two days there, only a couple failed to deliver any learning content.
One of the main themes appeared to be incident response, along with security awareness. I am aware that these are two different themes, but if you have a security- and privacy-aware workforce, then perhaps your incidents are fewer and your response capabilities more practical, at least in a security culture theory?
Well, potentially, but what I did see at EuroCACS were some excellent presentations on how to do things better. Speaking on Monday was Monika Josi, head of group security consulting at AXAS AG, who spoke on the concept of ‘building a sustainable security program’. She said that many times she has seen ‘companies struggle and see all the things they need to do’, and often they fall into the concept not knowing where to start or how to communicate what they are doing.
Josi admitted that this is less an IT problem than a company problem, especially as ‘hackers don’t care about classification, they look for a way in’. In a nod to a talk that would take place the next day, she said that businesses should ‘assume breach and focus’, as they need to get ready on what is crucial and on how fast they can react, because ‘incident response is more important than protection’.
Across the two days I spent at the show, the NIST framework got plenty of mentions, and Josi recommended this as you “need to identify what you have, determine how to protect things and detect things and be able to respond and recover.”
In the right sense, a good incident response plan should contain all of this, and Josi recommended having a CISO who can translate the details to a higher level.
Speaking on Tuesday morning was R.V. Raghu, director of Versatilist Consulting, on establishing and sustaining a security awareness program. He claimed that a security awareness program touches on the weakest link, the human being, but, like an audit, this is something we may not want to think about even though it is a "necessary evil."
Raghu explained that the insider, who he named ‘Dave’, travels at the speed of light, and the problem is that you have to deal with Dave on a daily basis. Referencing the SANS survey on securing the human, he said: “If you don’t have top management support you will not get budgets, responsibility and buy-in, and there is a lot of interesting information out there.
“Technology is not the silver bullet, and humans are increasingly the single point of failure as passwords become so predictable.”
He claimed that security awareness programs are not given enough importance, and are often poorly designed and have low engagement as it is "often seen as someone else’s problem."
What is the way forward? He encouraged looking at the communication platform: it is often poorly built and not engaging, and users can run through it and swap answers. Companies need to create awareness, and this is done by training and by building culture, "not an add-on and done proactively as a business engagement."
He said: “It needs to get reinforced over and over again, and needs to be communicated comprehensively. Most important is what is actionable, and what leads to behavior change.” To design a great security program, he recommended using four elements: making sure there is appropriate coverage that is specific to an organization’s requirements; that the enterprise is aligned and not driven by technology and systems of application; that it needs to be effective; and has to be current and up to date.
“Keep the program current and talk to stakeholders; look at statutory/regulatory requirements; look at insights for performance; also many think once done training you’ll be OK but you’ll be more prepared and go back to drawing board and know what is to be done.”
Finishing up the second day was Tony Clarke, head of information security and cybersecurity at ICON, who spoke on ‘how to develop a cybersecurity playbook’. Much like a typical sports tactics playbook, he recommended coming up with this so security operations know what to do, acknowledging the nod from Monika Josi.
He explained that a playbook is a "repository of pre-defined responses to cybersecurity incidents", so just as a football team will have tactics for a free kick, the same applies within the cybersecurity landscape.
“It will reduce time taken to recover, and reduce pre-made decision time. You can base on real scenarios and practice as a drill so people get familiar with it.” This can include bringing a team together, both in the CSIRT form and company-wide, gathering indicators of compromise, understanding what the issues are, and having scenarios that relate to DDoS attacks, data breaches and ransomware attacks.
“Early stages are characterized by chaos as people have assumptions not based on reality and bias not on decision making,” he said. “Also there is no best course of action, as you select from three or four unpalatable options, and really you know key staff may be unavailable, so what do you do without the VP of IT operations?”
These three talks in particular were very interesting, as they were the best at setting an example of how to prepare for and deal with an incident, and of the best you can do to avoid one in the first place. What is the view of ISACA on the concept of preparedness and awareness? Jo Stewart-Rattray is a director of ISACA and director of information security and IT assurance at BRM Holdich, and she told Infosecurity that it is interesting that this is a recurring hot topic, particularly after WannaCry and the range of issues that were faced.
“Security awareness has also raised its head as it is about ensuring that you have support from the executives on the board who are prepared to invest in security, it’s also good to have a governance structure as if you just have your policies and procedures on the shelf, it is simply shelfware, so it has to be delivered by the organization who have to embrace it and it has to be in the DNA of the organization rather than it being simply a security issue, or for compliance.
“As employers, we have a duty of care to our employees that they understand what secure behavior online looks like so they don’t endanger themselves and the company online, and security awareness is one way of doing that. It can be something that can be engaging and gamified.”