by Paul T. Cottey

You're not paranoid if everyone is against you

Apr 05, 2018

When it comes to security, it's not a question of whether you're going to be attacked. You are. So, what's a CIO to do?

Sometimes I wonder how Chief Information Security Officers (CISOs) and other IT security professionals manage to get out of bed in the morning to face another day of bad guys.  It seems like the most sensible course of action would be to pull the covers back up and hide.  Churchill anecdotally pulled the covers up to his chin and had a glass of Pol Roger, but only about half of the world was against him at the time.

Every CISO wakes up every day knowing that significant parts of the world are out to compromise his or her organization.  Apocryphally, Willie Sutton was said to have robbed banks because “that is where the money is,” and your IT operations are being attacked for the same reason.

It is not a question of whether you’re going to be attacked.  You are.  Size no longer matters.  Small companies get attacked.  Large companies get attacked.  Companies with personal data, financial data, or other valuable information make the headlines, but everyone is a target.  The good old days of security by obscurity are long gone.  Now it is not enough simply not to be a BIG bank; even if all you have is a jar of silver dimes buried in the backyard, there is someone who will be going around digging for it.

So, what’s a CIO to do?

Don’t panic

As the CIO, work with your CISO daily.  If your CISO is not panicking, you should not be either.  Although there are bad guys in the world who want to cause you harm, panic won’t help you.  Like the old saying goes:  The first thing to do in an emergency is take your own pulse.  The way I break things down is:  Prevent, contain, recover.  Now, take a deep breath and go to the next step.

Look at your own operations

Work with your CISO to decide what you have that is worth stealing or harming.  If you are running a business that is in possession of PCI, HIPAA, PHI, PII, SEC, FDA, or any of the alphabet soup of types of data, you have more to assess than if you do not have credit card, patient, health, personally identifiable, public company, or drug data.  Look at your operations as a potential bad guy would and focus your attention on the most valuable assets.  This is a good part of preventing an issue.

Get someone who does this for a living to look at your operations

You may love your general practitioner and trust that he/she can help you stay well and can treat relatively minor illnesses and injuries, but if you needed surgery, you would go to a surgeon, and if you needed your car fixed, you’d go to a mechanic.  It is not a commentary on your or your team’s skills to bring in an expert to look at your operations and security posture.  It is actually a positive statement that you know when you are in need of an expert.

Not all of your risks are technology risks

While you are looking at your operations, don’t forget the non-technology risks.  An open door on the loading dock could inappropriately “relieve you of inventory” just as surely as, and perhaps more easily than, someone hacking your warehouse management system.  The stack of paper mail left at your front reception desk probably has as many account numbers and other details someone could exploit as your computer systems do.  Be aware of the non-technology risks and engage the broader business team in helping to mitigate them.

Get better every quarter

Your goal is not perfection or no risk at all, since not only is that impossible, but the target also changes constantly.  Your goal should be that you get better every day/month/quarter/year.  You should be finding new items on which to focus, not re-discovering items you found previously.

Make a plan for when things do go wrong

Not to discourage you, but you are unlikely to succeed in having no incidents.  You should be able to avoid breaches, but if you have read this far, you probably have something worth someone’s effort to compromise.  Have a plan for when something bad happens.  A full-blown business continuity/disaster recovery plan is great, but triggering it can be overkill.  Have a plan for what you do if one end-point gets compromised, if one server gets compromised, and so on.  Your job at this point is to keep the problem from spreading.  This is the “contain” part of prevent, contain, recover.

Execute the plan

So, something happened.  Because you made a plan back when your pulse rate was low, you can now recover from what happened.  Again, get all the help you need.  This is not a time to be a hero and try to do everything single-handedly.

Be appropriately paranoid

Get out of bed each day and face the world, but be appropriately paranoid.