I just returned from two of the first RSA Archer Roadshows. On Tuesday I was in the great city of Minneapolis and quickly flew to DC for the event on Wednesday. Both sessions had a great turnout and served to educate existing and potential customers on the capabilities of Archer. With plenty of time scheduled for networking, customer use cases, and product news, the events were definitely worth attending and I was able to catch up with friends I hadn’t seen since the Summit.
Throughout all of the interesting presentations from users I heard one recurring theme: Make it easier! Every amazing success story of Archer implementations in organizations of all types and sizes came with a lesson learned or feedback that was common among all six sessions. “Our users want a more intuitive experience with fewer clicks.” “We implemented Archer to make our business processes simpler, yet we get pushback on the user experience daily.” “Why is there still an Apply Button?” It was a message that many of us Archer practitioners had experienced ourselves over the years, yet had come to accept as an unavoidable cost of using a very powerful GRC tool.
“One ‘simplify’ would have sufficed”
Ralph Waldo Emerson, in response
These concerns were addressed, however, when RSA made the biggest revelation of the Roadshow with details on Version 6.0. All of the improvements we got an early glimpse of focus on an enhanced user experience and an improved interface. The screenshots alone prompted smiles and whispers of “Finally”, and we left really excited about the future.
It’s hard to get a large organization to go with you on a GRC journey, and everything we can do to limit the impact on our stakeholders and improve their experience with the tool helps. Through the awesome Community idea submission site and events like the Roadshows, Archer has always listened to customers and has sought to implement the features the users want. I’m excited to be attending the other roadshows in Boston and New York in the next few weeks to see what others think of the future ahead for eGRC.
This post will be broken into multiple parts…taking readers through my experience from the customer side of the equation and how to derive real value out of security assessments.
Before I get too far into this posting let me provide a disclaimer similar to a financial pundit who has to disclose the stocks he/she owns as they pontificate on the merits of said stocks. DISCLAIMER: One of the services my company sells is assessment services and I think they are invaluable, not because I sell them but because in past lives I’ve used them to literally transform the organizations I was leading. Assessments tell you where you are and provide the map that will get you where you want to go.
Security professionals share a common trait: they all have more work than resources, and that is not likely to change anytime soon. So, every day is spent fighting fires and you end up “living” on the hamster wheel of security. Fun, right? Because there is always so much to do, it’s difficult to know what to do first, then second, then third…so that eventually you have strung together a series of investments that measurably improve your security posture. More likely than not you will make a series of investments in response to a series of crises and probably not have the time or system of management in place to measure the effectiveness of those investments. Assessments can change that paradigm, permanently and for the betterment of your entire company, if you do them correctly.
The assessment is not an audit, so don’t describe it that way; socialize it appropriately with your management and your team. How? Every culture and set of circumstances is different, but something along the lines of, “We’ve got a good understanding of what we need to do in security to better align with the business, and we are using this assessment to validate that thinking and create a multi-year investment strategy that will drive measurable improvement as opposed to one-off point solution improvements.” If this assessment is going to be transformative you need to build support before it starts, and ultimately you will have a burning platform off of which you can launch your strategy. The assessment is a tactic that will enable the execution of your strategy.
Don’t do the assessment yourself; you won’t have the time to do it justice, and somehow having a third party conduct the assessment is always more effective. When you select a third party make sure they invest the time to know what you want to get out of this assessment. Lots of mediocre companies can produce assessments that follow a boilerplate template and answer all of your obvious questions, leaving you no better off than where you started and a little poorer. Take time up front to write a statement of work that forces your provider to deliver real value and not just a 100 page report. What’s real value?
In my next post I’ll take you through my experience as a customer and how I derived transformational value from security assessments, multiple times…
Due diligence and fiduciary responsibility for corporate executives is now widely acknowledged to include exercising sound judgment and effective controls in the domain of cybersecurity. There’s no escaping the responsibility to protect corporate information and infrastructure, and eventually the law will catch up with this reality. Until it does, here’s what you should be doing right now to exercise due care in managing cybersecurity risk.
1 – Be pragmatic: there are more risks than you can possibly address. If you try to do everything you will end up doing nothing.
2 – Get a baseline of the controls you currently have in place and how effective they are, and compare yourself against NIST 800-53 or the Consensus Audit Guidelines. (HINT: Remember step 1 and don’t overthink this; your assessment shouldn’t be a six month exercise.)
3 – Do something! Prioritize your risks and address ONLY the things that can show measurable improvement, i.e. reduced risk. If you’re stuck in analysis paralysis, just start with the Consensus Audit Guidelines and address the controls your baseline found to be missing or weak.
4 – Document and tell your story using words and numbers that matter. Telling the board that SQL injection vulnerabilities have been reduced because you implemented a Web Application Firewall is why security often doesn’t get “a seat at the table”. Talk in terms of compliance and risk; they get that.
5 – Stop buying tools and adding complexity until you’ve mastered the ones you already own and have laid in the process (documented) to use them effectively and in an integrated fashion.
As Einstein said, “Everything should be made as simple as possible, but not simpler.” Apply this approach in exercising due care with respect to cybersecurity.
I’ve spent the week here at RSA talking with current and future customers, and a great question I get from customers looking for a trusted security partner is “So what exactly is it you do?” It seems like a simple question, but what it usually implies is some level of “consultant fatigue”: CISOs have had enough assessments, reports and outsiders telling them what their problems are. They want solutions and partners who do real work. Here’s what CyberSheath does to add value …guaranteed.
What We Do
We integrate your compliance activities with security activities and measurably reduce your risk.
How We Do It
Set a security strategy, select standards, implement controls, measure effectiveness.
What Results Look Like
A recent engagement for a customer led us to design and deploy an incident response and management plan. This particular security control happens to be Critical Control 18: Incident Response and Management from the CSIS 20 Critical Security Controls list. Implementing all 20 controls would have been ideal, but we are realists, not idealists. The customer had suffered a significant attack where the APT had been embedded for over two years, and the lack of process to contain and expel attackers directly contributed to massive amounts of data loss.
What We Did
Documented written incident response procedures that included specific roles and responsibilities for both management and technical personnel during each phase of an incident.
Documented and implemented organization wide service level objectives (SLOs) related to mitigation of an incident.
Customer has a documented, repeatable and measurable incident response and management plan for cyber-attacks and mitigates attacks on average in less than 2 hours once discovered.
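A claim like “mitigates attacks on average in less than 2 hours once discovered” is only measurable if every incident carries timestamped phase transitions and the SLO is evaluated against them. The following is an added example, not code from the original post or from CyberSheath, showing one way to compute per-phase SLO compliance from incident records. The SLO targets, the phase names (discovered, contained, eradicated) and the incident records are constructed for illustration and are not the customer's data; the records are chosen so that the mean containment time is under two hours while one incident still misses the target, which is exactly the distinction a board-level report should not hide.

```python
"""Evaluate incident-response SLOs from incident records (added example).

Constructed data: SLO targets, phase names and incident records below are
illustrative assumptions, not figures from any real engagement.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed SLO targets per phase, measured from the discovery timestamp.
SLO_TARGETS = {
    "contained": timedelta(hours=2),
    "eradicated": timedelta(hours=24),
}

# Constructed incident records (naive ISO-8601 timestamps, treated as UTC).
# A missing phase means the incident has not reached it yet; it is counted
# as an SLO miss so open incidents cannot silently improve the numbers.
INCIDENTS = [
    {"id": "INC-1", "discovered": "2013-02-25T09:00:00",
     "contained": "2013-02-25T10:15:00", "eradicated": "2013-02-25T20:00:00"},
    {"id": "INC-2", "discovered": "2013-02-26T14:30:00",
     "contained": "2013-02-26T17:45:00", "eradicated": "2013-02-27T09:00:00"},
    {"id": "INC-3", "discovered": "2013-02-27T01:00:00",
     "contained": "2013-02-27T01:50:00", "eradicated": None},
    {"id": "INC-4", "discovered": "2013-02-28T11:00:00",
     "contained": "2013-02-28T12:30:00", "eradicated": "2013-03-01T10:00:00"},
]


@dataclass
class PhaseResult:
    incident_id: str
    phase: str
    elapsed: Optional[timedelta]  # None when the phase has not been reached
    met: bool


def _parse(ts: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(ts) if ts else None


def evaluate_incident(record: dict, targets: dict = SLO_TARGETS) -> list:
    """Return one PhaseResult per SLO phase for a single incident record."""
    discovered = _parse(record["discovered"])
    results = []
    for phase, target in targets.items():
        reached = _parse(record.get(phase))
        if reached is None:
            results.append(PhaseResult(record["id"], phase, None, False))
            continue
        elapsed = reached - discovered
        if elapsed < timedelta(0):
            # A phase timestamp before discovery is a data-quality error,
            # not a fast response; refuse to report it.
            raise ValueError(f"{record['id']}: {phase} precedes discovery")
        results.append(PhaseResult(record["id"], phase, elapsed, elapsed <= target))
    return results


def slo_report(records: list, targets: dict = SLO_TARGETS) -> dict:
    """Per-phase compliance rate, mean and worst elapsed time (closed phases
    only) and count of incidents still open in that phase."""
    report = {}
    for phase, target in targets.items():
        rows = [r for rec in records
                for r in evaluate_incident(rec, targets) if r.phase == phase]
        closed = [r.elapsed for r in rows if r.elapsed is not None]
        met = sum(1 for r in rows if r.met)
        report[phase] = {
            "target_minutes": target.total_seconds() / 60,
            "incidents": len(rows),
            "met": met,
            "compliance_pct": round(100 * met / len(rows), 1) if rows else None,
            "mean_minutes": (round(sum(e.total_seconds() for e in closed) / len(closed) / 60, 1)
                             if closed else None),
            "worst_minutes": round(max(closed).total_seconds() / 60, 1) if closed else None,
            "open": len(rows) - len(closed),
        }
    return report


if __name__ == "__main__":
    for phase, stats in slo_report(INCIDENTS).items():
        print(phase, stats)
```

On the constructed data the mean containment time is 102.5 minutes, comfortably under the two hour target, yet compliance is only 75% because INC-2 took 195 minutes. Reporting both the mean and the compliance rate (plus the worst case and the number of still-open incidents) is what makes the SLO a measurable control rather than a marketing number.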
Our focus is on implementing real results that make you more secure, we guarantee it.
The Keynote sessions here at RSA 2013 kicked off yesterday, and Art Coviello, RSA Executive Chairman, focused on the importance of big data and the opportunities it presents security teams from an intelligence perspective. He’s right, the opportunities are tremendous and customers are anxious to better leverage “big data”, but documented and repeatable process along with baseline implementation of critical controls are prerequisites for taking advantage of “big data”.
The actionable intelligence that can be gained from big data is only useful if it causes an organization to take the RIGHT actions in the correct sequence with measurable outcomes. Conceptually leveraging big data makes perfect sense but the implementation will yield more of the same firefighting that bogs down security organizations today if it’s not part of a documented strategy with measurable outcomes enabled by rigorous process and a thorough understanding of the controls you currently have in place.
The actionable intelligence that big data can provide could very well enable an organization to quickly and efficiently mitigate an attack by correlating unstructured data in a context that directs a SOC analyst to take appropriate action. Attack mitigated, the good guys win, right? Maybe not…are we really still just addressing the symptoms and not the root cause? The attack is the result of a vulnerability that was exploited, and resources are being expended on the incident response because resources were not expended on preventative maintenance. Perhaps if the control to prevent the attack in the first place had been documented, implemented and measured, the attack would never have happened.
I realize that implementing critical controls won’t stop every attack but there is such a great opportunity to do some fundamental and meaningful work around implementing critical controls to stop attacks that get overlooked.
It’s just good hygiene. Would you rather brush your teeth, floss and get regular dental examinations, or be really good at getting fillings?
Day 1 at RSA wrapped up yesterday evening when the vendor expo opened and conference attendees had an opportunity to visit vendors and check out the latest and greatest products. The vendors are primarily product vendors, which reminded me how important it is for a CISO to have a services partner to help cut through the FUD and deliver value.
CISOs are inundated with point solutions, some of them excellent, but many of them duplicative of existing investments. I’ve found that in selecting products the process/project often ends with “100% deployment”, leaving security organizations unable to measure the return on their investment. A simplified view of the process goes something like this:
- Identify a need
- Hold a “bake-off” and select a product
- Set deployment objectives (entire enterprise, all Windows desktops, etc…)
- Achieve deployment objectives
- Declare victory with reports showing deployment saturation metrics
It’s a missed opportunity for security to instead align with the business and demonstrate quantifiable value by defining the project in the context of the business problem that is being solved. Security organizations can get myopic in viewing risk and laser-focused on point solutions that address specific security requirements, missing the opportunity to tell the story of the business issue they are addressing as part of the bigger picture.
100% deployment isn’t the goal, that’s just your day job. Enabling the business to engage customers, capture sales and recognize revenue is the goal. When you are in the trenches every day it’s difficult, sometimes impossible, to address the bigger picture but in my experience, the organizations that do are the most effective.
All checked in @RSA 2013 here in San Francisco!
It’s interesting to me the difference in perspective in attending one of these industry conferences as the CEO of a security services company rather than a CISO. When you are a CISO for a Fortune 500 company EVERY vendor wants your time, and you can be sure you will meet for as long as you want with whomever you want. As the CEO of a services company you’re competing for time with all of the big vendors and had better have something important to say as you vie for the precious time of oversubscribed CISOs.
It’s a great reminder for me of how important the work we do is. C level executives are inundated with competing demands on their time and what they need most is someone to solve real-world problems for them. They need a vendor, individual, product or service that literally takes something off of their plate so that they can move on to other priorities. Adding value in the security space is about delivering real-world pragmatic solutions that improve security posture.
Do you need that kind of a partner for your company? Let’s talk; I’ll be here all week, firstname.lastname@example.org.