Rapid7 Blog


CISO Guidance on Building the Team: Part II


Haven't read part one of this blog? TL;DR:

The security talent gap is real.
Creating and promoting strong company culture attracts and retains top performers.
Security professionals should always be actively recruiting – both internally and externally.

With that gross oversimplification under our belts, let's start into the next set of takeaways…

The job description – it matters.

Job descriptions don't just ensure that qualified candidates are finding your organization in the course of their job search. Knowing the key functions, responsibilities, and daily duties helps to lay the groundwork for a satisfying and rewarding career path by setting expectations at the outset. This may sound obvious, but too often organizations rely on generic job descriptions without being specific about what the role entails, the required skills, and the work to be undertaken.

Help your business partner on the HR team out – be very clear about the minimums you seek for each role, as we face a situation where there isn't enough expertise to cover our needs. Focus your minimums on what is required to get the newbie to a point where they are contributing in a meaningful way, and be realistic about how much energy and patience you (and the team!) have for getting the new hire up to speed.

I asked CISOs about their strategies for finding the right people. “Not everyone needs a security background, in the beginning,” one told me. “I try to write job descriptions that reflect this. If you want a first line analyst, you don't necessarily need someone straight out of school with an infosec degree. You need someone who is passionate about solving puzzles. Maybe they did game theory, or something else that's completely outside of security. Let that come through in the job listing, so you're casting a wider net at the get go.”

Another CISO echoed the concept that innate personality traits can sometimes be more important than learned skills: “I want people who like to experiment. Programming backgrounds are great, but you can't advise programmers on how to fix a problem if they don't understand how it got there in the first place.”

“The job description is key,” another agreed. “Some are just awful – they don't talk about how success will be measured for that particular role. First off, know what your company pays, because that will determine whether you're looking for talent in the right places. In my case, the company has a mandate that security is important and so we don't want to under-invest; that means we're aiming for the top people. I've had experiences in my career where I've had to put ego aside and acknowledge that the business isn't in the market for the cream of the crop.”

But here's my favorite summary of what to look for in a candidate: “You want to find someone with the right kind of insanity.”

Remember when I wrote about soft skills? Yeah, they still count.

If you're a CISO, you'd better be good at playing the politics game – time and again, interviewees proved that interpersonal relationships are a core part of the gig. Hiring and retention is no exception. Whether you're best buds with HR or have developed a grudging respect over the years, you'll need to have a good working relationship if you want to attract and keep strong players.

“Salary is tough to go to bat for,” said a CISO, “but I will do it for someone who I want to keep very badly. Things like out-of-cycle raises aren't easy to get, either. You have to know how to negotiate for one.”

There was also a shared sentiment around how quickly talent can grow and improve. “It's not impossible to find fundamentally strong people that you can train up,” said another. “In those cases it's a question of starting low and then accelerating funding by maybe 10k each year. You can't always follow the 3-5% uptick that most organizations adhere to. So I'll work with HR and finance to explain that to them, and get them on board with the fact that otherwise we won't be able to hang on to these people.”

Another iterated the same frustration: “I have had people get on the phone, entirely disinterested in the position, but the quick conversation helped re-calibrate HR's expectation of what someone with that skillset brings home.”

“Most of my guys have an appsec background and strong pentesting skills. HR will look at a candidate and say, ‘They have 15 years of knowledge, and as a security architect here is what their salary would be.' But no way will I get a 15-year veteran with the right skillset at that price point. I'm having issues finding good data that I can show to my organization that will demonstrate what someone in the role should actually get paid.”

Budgeting, which I've explored in more depth separately, remains an exhausting process. “I always fight the budget battle. You have to pick and choose what you'll fight for; in some cases budget constraints aren't worth making a stink about. If I can, to avoid adding headcount I'll outsource the work to another organization with the right capabilities, so I don't have to reproduce them internally.”

Another CISO gets creative with HR: “Sometimes we can sweeten the pot with a work from home program, or by encouraging employees to go to security conferences. Not everyone will be a rock star, so find a way to reward those who are.”

Miscellaneous Sound Bites

In the course of conducting these interviews, I gathered a lot of cool tidbits. Not all of them qualified as top takeaways, but the insight is still valuable, and so I've rounded up a few of my favorites in the hopes that you may still benefit.

Of particular note was the fact that many interview subjects expressed frustration about the lack of women in security. Unfortunately, this is a very real problem that doesn't have a simple solution; it will require a concerted amount of focus and investment, the benefit of which may not be seen for many, many years to come. There is a lot of energy being invested in STEM initiatives, and pulling a variety of young people toward the security community early on is an excellent way to prime them for an infosec career, but that's a very separate discussion that warrants its own deep dive.

“Maybe the talent gap is partly caused by people not wanting to pay [security professionals] enough money. It's like how people say it's impossible to hire a skilled welder for 10 bucks an hour – if you're not paying market wages, then yes you won't find people with the skills you want.”

“Wannabe security practitioners who are still in their undergrad should find a local security meetup, like ISSA or BSides, or look to get involved in CTFs. These are great ways to learn the basics of reverse engineering, hacking, etc.”

“The security mindset is different from other technology disciplines. The ‘how do I break this?' mentality is something you want to look for.”

“I don't have a high attrition rate. My approach is to treat employees like my kids – a little bit of love, a little bit of discipline, lots of accountability, and some fun as well.”

“You can't fear stolen talent. Talent will move – accept that. Instead, focus on having an environment that is interactive and engaged. People will always know whether you care or not.”

“I don't worry about my people leaving or being stolen – it is *my job* to make the team, the work, the environment, and the opportunities hard to walk away from.”

“I strive to make leaving my team a very long, exhausting, and emotionally taxing experience. We are a family.”

As always, if you've got thoughts, or would like to join the conversation, comment below, or track me down!

~ Trey

CISO Guidance on Building the Team


If I had a nickel for every time I read about the “security skills shortage”…well, suffice to say that everyone seems to lament the lack of strong talent in this industry, and the low number of eager young graduates seeking to start a security career. So what better topic to explore by way of follow-up to the 2-part blog, Security Budget Tips from CISOs, for CISOs? (To recap: I'm interviewing CISOs for their guidance on select infosec issues.)

Hiring and managing a capable workforce is arguably just as integral – and, dare I say, challenging – as setting a budget plan. (Personal aside: management has been core to many of my past roles, and I'm quite passionate about people!) Any good business leader knows that without the right people on your team, you'll never get to where you need to go.

First off, let's ask: Is the talent gap fact or fiction? Is it real, or is mass hysteria making us blind to the fact that the emperor isn't wearing any clothes? By way of response, here are some soundbites from the CISO interviews I conducted:

“Finding the right people is near impossible.”

“My company is based in NYC, where a lot of talent tends to pool, and we almost always get outbid by the highest paying firms, typically banks.”

“There just aren't enough people coming into [this profession] anymore. Those that do don't have the right depth or experience.”

“I have high expectations from my security people, and yet I'm getting applicants who want to be architects and can't tell me what a three-tier design looks like. Or someone who calls himself a senior appsec guy, but can't tell me any of the OWASP top 10.”

In a word: Yes. It's real.

The security community, on the whole, is full of skeptics, so it's pretty far-fetched to think that security professionals would all fall victim to a myth, even if it is widely propagated. The perceived “talent meccas” like NYC and Silicon Valley compete heavily to attract qualified individuals. Conversely, CISOs who weren't based in a large metropolis said that company location was a huge impediment to hiring, particularly at the lower levels where applicants are ostensibly younger. One interview subject, however, was an outlier: “[My company] is fortunate because people want to work here. We're in an unusual position: people know and love us.”

Which brings us to the first takeaway:

Culture! It Matters.

It's not surprising that brand awareness and company reputation can affect the number of job applicants. But even CISOs at smaller, less well known organizations benefit from upping their public profile. “When you're out recruiting, reputation will lead,” a CISO told me. “People will inevitably look you up, so have a consistent persona. Leadership honesty and transparency matters – these people can smell BS a mile away.” This is one of many reasons security leadership should prioritize live events, speaking, and recruiting.

Getting publicity for security efforts requires interacting with people outside of the security team. “We've worked at publicizing what it's like to work here,” said another. “That strategy has been effective. It's helped to communicate what we're doing in terms of security, and it's given me a chance to work with our editorial department, PR, and some of the engineering teams. You just can't be siloed as a security professional.” (Remember the CISO who called his job a “matrix discipline”?)

Nothing Lasts Forever

Having a strong culture not only helps with retention, it also pays off (no pun intended) during contract negotiations. Although money talks, it's not always the #1 selling point – especially for young professionals looking to build a strong foundation for their career by developing their knowledge base. Personalized guidance and continuous learning are core to retention.

“I like to emphasize that, after three years here, you'll be a security ninja,” said a CISO. “I'll spend the money to give my team career guidance, to make sure the people who deserve it get to go to DEF CON each year.” Another echoed this mentality: “I like to work with entry level candidates on a 2-5 year growth path. I realize they may not be here forever, but I want to focus on giving them the right tools and a good experience.”

Several of the CISOs I spoke with had similar personal contracts with their team: “Please don't leave without letting me help.” Many of my past teammates allowed me to coach them, make introductions, provide personal endorsement, and even coach them through the negotiation process. Teams with enough trust to discuss growth, development, and transitions with their management have reputations in the industry – they are families people seek to join.

Always Be Recruiting

As I emphasized in my budgeting blogs, having the right headcount is key. And you shouldn't rely exclusively on recruiters to source candidates.

“To steal from Glengarry Glen Ross: Always be recruiting,” one CISO told me. “I met a history student and ended up hiring him because I thought he had the right skillset. If you're the kind of person who doesn't need a recipe to cook, then you might survive in security. I want someone with just the right level of insanity.”

The moral of that particular story was that talent can come from unexpected places, and a lot of the CISOs I spoke with said that looking in the usual places can also be worthwhile. Consistently sourcing qualified candidates will ensure that you aren't left hanging in the wake of an unexpected employee departure. Let's face it: attrition is inevitable.

Another CISO advised: “Take the three best security professionals you know, and ask them to work for you. If they won't, then ask for the three best people they know.”

I asked another interview subject what recruiting tactics have worked for him. “What works is getting my staff to find friends,” he responded. “I send them to trainings where they can meet people and, hopefully, convert them. HR can only do so much in terms of hiring. I pay 5k USD to anyone who makes a referral we hire.”

Colleges, of course, are fertile hunting grounds. “I like to pull in two to three college interns each summer,” a CISO told me. “Those that show promise, we will groom and take on at the end of their school year. Admittedly, they're starting off with grunt work: risk analysis if someone wants to open a firewall, or figuring out what caused an alarm.”

The “always be recruiting” mantra doesn't just apply externally, either. Several CISOs recommended looking within your organization: “I try to ID testers, or QA people who are hungry to learn more. Then I train them up, if the role is right.” Some companies have a strong culture of growth and internal promotion, while others look down on “poaching from other teams” – your partner in HR or people and culture can guide you.

***

Obviously this is going to be a multi-parter. Stay tuned for the rest!

If you've got ideas you want to share, experience, tips or tricks, reach out!

~@treyford

Security Budget Tips [PART 2], from CISOs, for CISOs


CISO Series: Budgeting Part II

Hopefully you've read (and maybe even benefitted from) Part I of my CISO Budgeting blog. To recap, I interviewed a group of CISOs about how they use budgetary discussions for career growth, and what advice they'd give to others looking to set a budget plan. There were five key takeaways that came out of these interviews; here were the first three:

1. Whatever you do, don't under deliver.
2. Budgets are about more than just the cost of technology.
3. Prioritize your budget effectively. Understand what's “must do” vs. “could do.”

Below are the remaining two.

Key Takeaways

4. It is a good time for security.

The conversation has changed, in a big way. Preaching that “we really need to do this” has been replaced. “The era of the mega breach has captured the attention of my business,” said one CISO, referring to the fact that when partners, customers, or even competitors are in the news, security typically skyrockets to the top of the business agenda.

Most of the CISOs I spoke with said that, while panic-inducing, large-scale breaches have contributed to a heavy atmosphere of FUD (fear, uncertainty, and doubt), they've also made security a boardroom topic. And that's a reality they often use to their advantage.

However, the question of just how much FUD is appropriate was a point of some contention. On the one hand, certain CISOs acknowledged the underlying validity and usefulness: “Just because it's FUD doesn't mean it's not true. I turn it on a little bit when finance pushes back on budget – when they ask, ‘Why are you telling me that you need this now, when it hasn't been a priority in the past?' I simply tell them that it's stuff we should have been doing all along, and that we need to prevent ourselves from becoming a headline. For instance, we don't want to skimp on human capital when it comes to analysis and response.”

Conversely, some of the interview subjects felt that using FUD tactics was an unfair and unproductive way to approach budget discussions. One CISO, for example, acknowledged that “security has historically been met with skepticism, and hasn't gotten proper credibility with regards to delivering business value.” He added that, while the so-called “era of the mega breach” has certainly affected that perception, “if I don't run security well, or if I operate from a position of FUD, then I won't earn the right level of trust from my colleagues. These are partnerships that have to be built well in order for me to be successful.” Another echoed the same sentiment: “In order to get the business rallied around what I'm doing, I have to talk like a business guy.”

All the interview subjects were in agreement that budgetary discussions have become easier (if still not easy) thanks to the increased level of security awareness. A side effect of this unfortunate reality is that it has given CISOs more organizational visibility – which means they must set expectations accordingly. Any security practitioner knows that there is no silver bullet when it comes to preventing attacks; the important thing is to manage risk. “There's no such thing as being invulnerable,” said one. “I manage risk, so it's just about managing how vulnerable we are.” Put another way, enabling the business to make informed decisions with regards to accepting or mitigating risk is the path to success. Most of the people in finance are not comfortable making that call.

5. Work on those soft skills.

In the course of their work, CISOs must employ one critical business tactic above all others: strategically navigating the political landscape of the business. This means approaching even tough budget conversations with patience, savvy, and empathy.

“I understand that I'm the personal trainer you didn't ask for,” one CISO said. “I'm coming in and telling you that your eating habits suck, you're 30 pounds overweight, and you need to work out more – all without you asking.” Another added, “As a security executive, you want to be able to generate demand for your services; that means executing well from a tactical perspective. Make people want to engage with you.”

Strong interpersonal skills are critical at the CISO level, but they're not qualities that are strongly emphasized throughout the course of a security professional's career. “Too often, as security professionals, we feel like the king of our domain,” an interview subject told me. “It's important to behave like a subject matter expert while still showing empathy; it's easy to transcend into over-confidence or even arrogance. Security is no longer a silo discipline, it's a matrix discipline that requires input from different parties. Bring people in, make them feel like they're part of the solution – it's almost like a Jedi mind trick.”

The necessity of building trust throughout the organization was a theme in nearly every interview I conducted. Time and again, the CISOs I spoke with underscored the importance of having productive discussions, effective interactions, and forging strong relationships – all of which come into play when it's time to plan a budget. “Building trust with finance is huge,” said one. “I cultivated a relationship with the managing director early on, and it really paid off when I needed money down the line. Just do the gauntlet; be ready to answer the same question a million times, and wear a smile the whole time because you will, eventually, get there.”

Many agreed that dealing with finance is often frustrating, and that patience is core to those conversations: “It's a little bit of a chess game; mostly finance just wants a good explanation of what you're going to do with the money. So be ready to explain it in layman's terms. And remember, value is measured in managing risk.”

So there it is, folks. If you're a security professional approaching budget-planning time, hopefully the wisdom and experiences of these seasoned CISOs will help guide you on your journey. It is by no means an easy process (I'd be hard-pressed to find any interview subject who exhibited enthusiasm about setting a budget plan), but it's a great opportunity to demonstrate aptitude for prioritizing, building trust, understanding the needs of the business, collaborating effectively, and gaining stakeholder buy-in.

For my part, conducting these interviews reminded me of how strongly connected security professionals feel to their colleagues. We see ourselves as a part of a larger web, small yet not insignificant, and integral to the success of the business. On the whole, the CISOs I spoke with displayed a great desire to provide sound guidance and deliver proven value, not just to further their own career paths but also because, to them, security is a way of life. The quote that sprang to my mind is from the Dalai Lama, who told us to “be the change.” It's doubtful that he was talking specifically about CISOs, but it certainly applies.

Up next: CISOs discuss the so-called “Talent Gap.” Does it exist? What does it mean? How can we cope with it? If you've got thoughts, feedback, or know people you'd like heard and contributing to this project…let us know!

~@treyford

Security Budget Tips, from CISOs, for CISOs


CISO Series: Budgeting

I have provided a brief overview of the genesis of the CISO series, and now it is time to tackle our first topic: security budgets. Whether you're the CISO of a large public company or leading security at an early-stage startup, rich in headcount or forced to be tight with the purse strings, reporting into the CIO, COO, or elsewhere in the organization, the fact remains that budget conversations are among the most critical and strategic conversations a security executive can have. Oftentimes, setting a budget plan equates to prioritizing security projects for the business, which gives even more weight to the process.

In this series, we have captured some recommendations for CISOs seeking to use budgetary discussions for career growth; the takeaways often bleed into one another, so don't be surprised when you see overlap. The crux is that, as a CISO, you must make a case for budget in terms which are easily understood by upper management, while sidestepping the common stigmas that still plague security teams today (getting past that house of ‘no' banner). Use empowerment, rather than fear, to your advantage. Of the many CISOs I've spoken to, all proved that they take their role seriously, especially the fiduciary duty to stakeholders, customers, and all aspects of the business ecosystem.

Key Takeaways

1. Whatever you do, don't under deliver.

One CISO labeled this the “deadly sin” of budgeting, and for good reason: in nearly all the discussions I had, CISOs agreed that promising the moon to get more budget will come back to bite you. “Do not ask for more budget than you will effectively be able to use,” another underscored. “You need to gain trust, especially if you're new to the position. Convince the board that you're effectively running security by not allowing money to be spent without results.”

In the same vein, CISOs have to spend the money that they ask for – so coming in significantly under budget will not win you points either, especially if your company reports to the street. “I'm hyper aware of forecast, versus budget,” one interview subject explained. “Where I work, the budget is mostly guesswork; the forecast is what really matters. I have a weekly meeting with finance to walk through department spend: what's been delayed, what might not be happening, and where we can pull from to compensate for the fact that some work may not be starting.”

Unsurprisingly, the human element plays a large part in determining how much a security team can reasonably deliver. Projects rarely finish on time, so be fully aware in planning of how other teams impact your ability to execute and deliver. Moreover, security professionals are in high demand but short supply, and some degree of turnover is inevitable – so plan with attrition in mind.

So, in financial conversations, how do you set expectations accordingly? It's all about delivering value; CISOs who have had successful budget discussions said they focused on efforts that support business initiatives, as these find the most support and help to gain internal champions. “I create a prioritized list of initiatives, and IT often has final say over what's above or below the line,” says a CISO. “They can sometimes see security as simply a cost center, so I always make a point to schedule a conversation that underscores which parts are crucial to the business.” “The budget plan you deliver may be carried to higher echelons,” adds another, “so understand how the influence you exert can gain you a seat at the adults' table.”

The idea that a CISO's job hinges on influence, rather than command and control, is one that resonated throughout nearly all the interviews (they must be more of a personal trainer than a drill sergeant). To establish clout, one interview subject said, “I try to present my teams as force multipliers. In other words, what can they deliver that will magnify the impact of other key business initiatives? I don't necessarily mean from a revenue or cost reduction standpoint, more so in the ability of the business to be compliant with contractual obligations that the business is already under.”

2. Budgets are about more than just the cost of technology.

While under delivering can be a serious setback, that wasn't the only cardinal sin of budgeting that CISOs underscored. Another common mistake: “starting with the technology – simply looking at the solutions you have in place and not taking external factors into account.” Why is this a problem, exactly? “The best way to screw up budget is to look at all the different tools and solutions you have,” explains one CISO. “You then say, ‘Oh I need an antimalware solution because I don't have one, so I'm going to go ahead and budget for that.' I call this silo budgeting, and it will mess things up. Give other departments the chance to add input. During the discovery process, talk to partner teams to capture their requirements, concerns, and success criteria. Perfect compliance with that guidance won't be required, but it can help inform your strategy and earn you internal champions. Their participation will help ensure that the business sees value. And when the business sees value, everybody wins.”

Avoiding a myopic, technology-driven view of budget not only ensures a stronger security program, it also helps in conversations with finance. “You will need to justify your decisions,” was something that several CISOs told me. “There's often a perception that things have been done a certain way in the past, so people will ask, ‘Why do you need more money or more headcount now?' Have those conversations early, and be patient when having them. [One CISO used a sock puppet analogy here.] And remember, the world has changed and breaches have huge repercussions, which you can use to your advantage.” (We'll explore this concept more in takeaway #4.)

Another added: “Look at the business plan and let that inform your security strategy. Evaluate the basics – what you need to do to keep the lights on – as well as what you can do to protect and acquire revenue. What revenue streams may be generated, and what controls do you have in place to protect those revenue streams? What risk might be introduced into the organization, based on the direction that the business is going to take?” One CISO factored IoT issues into his strategic plan. “Be aware of what you connect to the Internet,” he advised, alluding to the fact that more Internet connectivity will create more entry points for attackers.

Headcount is also a key element. Several of the CISOs I spoke to were at high-growth organizations, but even those that weren't echoed the need to consider the human element in order to maintain or get to scale. One CISO emphasized the importance of the decision to keep work in-house versus hiring an external agency: “Does it make sense for me to hire technicians for my data center, or can I pool the work? Should I outsource this service, which would support the SMB community?” Regardless of whether it's your team, a partner, or a contractor, hours equal dollars spent. It's just a question of what makes the most sense from a resource perspective. “I look closely at the scope of effort and say, okay here's what I believe the hours will be,” recommended a CISO. “That way I can estimate the amount of money it will require. Once the list is vetted, we start plugging in capital dollars – hardware and software licensing, consulting, special services, and so on to get a final number.”

3. Prioritize your budget effectively. Understand what's “must do” vs. “could do.”

“Some things need to get done. Period.” Budgeting is an exercise between wants and needs. In nearly every conversation I had, CISOs felt the pain of having to say goodbye to projects that simply didn't warrant time or money that particular year. The trick is to prioritize accordingly. One CISO shared his team's strategy, which was highly effective: “My team looks at what we want to do over the next 18 months. It's not a laundry list, it's a targeted game plan that we hash out, argue over, and discuss at length. If we don't think we can complete a particular initiative, then we cut it – we're not going to ask for the money if we can't deliver.”

In most cases, the CFO planning group and IT weigh in after priorities have been determined. A strong strategy is to establish a collaborative dialogue in which security can explain the underlying rationale, to gain buy-in from other parties. As one CISO explained, “We draw a line with IT. While projects below the line can still be funded, the understanding is that they simply aren't a high priority. That's when we start plugging in numbers.” “When projects are not well understood, they get cut and security suffers,” adds another. “That's on me, because it means I didn't establish the value well enough.” Lower priority activities typically included general maintenance, such as systems nearing end of life and other routine enhancements perceived as taking more time than they are worth.

There is an art to building the case for a higher priority activity. Compliance mandates, unsurprisingly, tend to float to the top. Many of the CISOs I spoke to acknowledged that PCI almost always falls above the line, and one “sprinkles PCI data throughout” his network in order to be strategic about leveraging compliance to his advantage. One freely admitted that “compliance does not equal security, but it certainly helps to lay the groundwork.” Another added, “External clients are excellent motivators – you don't have to sell the business on something if their biggest client will.” Then there are the CISOs who have high profile projects, such as building a SOC, in which case it's less arduous to get stakeholder buy-in: “Adding an incident management team was a big company initiative when we were building the SOC.”

CISOs must inevitably capitulate, to a certain extent. “A lot of what we're driven to do is to use our enterprise licensing better,” a CISO at a large corporation told me. “That can be counter to good security, so my job is to look at how we can be cost effective while still being focused on more advanced threat detection and response.”

Introducing the CISO Blog Series

Since joining Rapid7 I've gotten to work on some pretty cool projects, the most recent of which is capturing a body of knowledge for the community… by CISOs, for CISOs.

The evolution of the CISO role, of course, is nothing new, and there's plenty of analysis on it for anyone who's interested (for example, Forrester has a great report called Evolve To Become The CISO Of 2018 Or Face Extinction). The mission of this working group is to enable CISOs to connect directly with each other, and although the ultimate goal is to produce content from which others might benefit, by no means does this limit the agenda or impair group members' ability to be forthright and open.

It's a no-holds-barred discussion, and I love it.

Over the next few weeks, I'll be recapping a few of the biggest takeaways from some of these meetings, relating some of the experiences of our members (anonymously, unless otherwise specified), and distilling lessons learned, recommended practices, and other pearls of wisdom.

Those involved in this effort have my most sincere thanks. CISOs are notoriously strapped for time and pulled in many different directions, yet the group has been willing to share their knowledge, recount personal experiences, and tackle key issues. I could write a book on the insights gleaned from these discussions (and I just might!) but for now, blogging should suffice.

First up: security budgets. If CISOs must learn to speak the language of business leaders, budgeting is a logical starting point. And when I raised this with the group, there was no shortage of feedback and recommendations. So stay tuned for my upcoming posts in this series. If you have any questions or comments, I'd love to hear them.

~@treyford

Push vs Pull Security

I woke up from a dream this morning. Maybe you can help me figure out what it means.

Your company hired me to build a security program. They had in mind a number of typical things. Build a secure software development lifecycle so app developers didn't code up XSS vulnerabilities. Improve network security with new firewalls and roll out IDS sensors. Set up training so people would be less likely to get phished. Implement a compliance program like NIST or ISO. And you wanted all of that rolled out in a way that didn't disrupt the business or upset employees, or slow down the business people signing partnership deals and doing M&A work.

I didn't do that. Instead, I hired a bunch of red team attackers. I bought them Metasploit Pro, WiFi attack hardware, and literally anything else they thought would be cool.

I also convinced the CEO to do something odd. (You know I'm an actual hypnotist, right? Perhaps you find yourself smirking just a little at that thought. Feels good, doesn't it?) I convinced her to let me pay the red team minimum wage. And I convinced her that if the red team was able to acquire certain key bits of intellectual property, source code, customer data, marketing plans, or financial data, that they'd be able to claim a bounty. That bounty would be the quarterly bonus of their victims. If the red team can get those flags, they stand to win big. They stand to claim quarterly bounties measured in the millions.

I announced this plan at the quarterly all hands. I heard some murmuring in the audience. When people went to the microphone to ask questions they seemed stunned, and asked for clarifications, if I was really serious, and if the CEO approved. It wasn't until the next morning that I faced the angry mobs. People from across the company were lined up outside my office.

The head of HR was first. He pointed to printouts of the graphs the security team gave him each month. These graphs showed that his team was the most likely team in the company to get phished. By a lot. And most likely to not use a password manager (meaning they were almost certainly using weak passwords, and reusing them in multiple corporate and external sites). And that they were least likely in the company to keep their systems patched and free of personal applications. He pointed out that HR in general, but Recruiting in particular, were sitting ducks. After all, he reminded me, what do the recruiters do all day? They receive emails from people they don't know with attachments purporting to be resumes. They click on all those purported PDFs and Word documents without question. And they click on any links that might either help them understand a candidate's history, or lead to a phishing or malware site.

He said the team was concerned that under those conditions, there was no hope for them keeping their bonus. If just one recruiter slipped up, everyone in recruiting would have to explain to their spouses why they were going to be getting less money this quarter. He started to raise his voice at me. “Have you seen the stats showing how bad companies are at patching? Have you seen the stats on the percentage of companies that are compromised by phishing? Have you even read the Verizon DBIR, Bob?!”

I reminded him of some recent decisions that he had approved. I reminded him that he had several important people on his team who had previously demanded to bring their own laptop from home and to connect it to the corporate network. I reminded him that he had personally overridden the security team concerns about malware, data loss, and other security issues. He was furious. “This is SERIOUS, Bob!” (I almost asked, but did not, “Wasn't it serious when it was just customer data on the line? What about you personally losing money made it more important? Never mind, I just answered my own question.”)

I asked him what he suggested.

“First, I don't know how you can sit there in good conscience with so little control over the laptops. Given the example of recruiting, why on earth would you let IT give them a general purpose computing device with admin rights? That's insane! Take those away and give them Chromebooks with hardware backed certificates, and lock down the network so they can't bring other machines. And don't let me catch you rolling these out without a full time VPN so Infosec has complete pcaps for inspection even if they are off the corporate network!”

I stammered a little. “W-What if something goes wrong with their laptop, or it's lost or stolen? You can't have people out of work over technology failure!”

“Haven't you been listening to me Bob? It's far more important that we do everything we can to protect our IP and customer data than it is to guarantee 100% uptime for every employee 100% of the time. If someone is out sick and didn't bring their laptop home, they won't work and we'll deal with that. If a remote employee has a laptop stolen, they can wait 24 hours until the new one gets shipped out. Bob, the risks of not doing these things are small. But they add up. And in ways that are hard to predict. Those small advantages are how the red team will get in. Either through clever hacking, or social engineering, that's how they'll get in. And I'm not going to have my team members lose income because you and IT gave them technology that was insecure by design.”

With that he stormed out of my office. But they weren't done with me yet. Next up was an engineer I barely recognized.

As he sat down he immediately said “Looks like you're going to be having a good day! Here's the deal. I do all the right things from a security perspective, but I'm pretty much alone in that regard on my little team. I have two problems. First, the way we do builds. Second, the way we do appsec. For builds, as you know, all developers have the entire code repo on their laptops. Now if source code is one of the red team targets, we're doomed. Bob, I make an OK living as a junior dev, but not so well that I can do without that bonus. Here's my pitch: You need to move development into the datacenter. Make it so there is never any source code outside of a secure enclave. It's simply got to be easier to manage the security of a central system with known inputs and outputs, right? Plus, get this: The other devs are going to like it. Why? Because they get to do their builds on a $30,000 machine rather than a $2,000 machine. And that machine is on a 10G network rather than on wifi, so pulling a fresh copy of the tree takes seconds. Now, if source code is stolen, there's no way you can take my bonus from me. It simply cannot be my fault. It's going to be the security team that loses their bonus! Sorry, but I care more about me getting my bonus than you getting yours. True fact.”

“OK,” I said. “What was your other concern? Appsec, was it?”

“Yeah. We say we do application security here, but you and I both know that's a joke. Some engineers take security seriously and do really great code reviews. But most have no idea what to look for. They didn't learn any security basics in college and we've done almost nothing to remedy that sad fact. So here's what I'm going to ask the VP of Engineering, so I'm asking you also. We need 2 full quarters to ramp up. We need to stop what we're doing and start security boot camp.”

“But, we have that,” I protested.

“What, the 1 day class that half the engineers opt out of? That's not what I mean. I mean a real boot camp where we not only learn secure coding practices, but spend time in labs learning to attack code. And you don't get permission to check in any more code until you pass both the offensive and defensive tests. Most won't pass the first time, and that's OK. Learning to think like a hacker is a major mindset change. Bob, you can't really learn to write code securely unless you've spent time acting as the attacker. And once you get into the groove, it's actually a ton of fun.”

“But that's not going to take 2 quarters. Maybe a month…”

“Yeah, but here's the problem. If any of our existing non-secure code is implicated in the attack path, some team, maybe MINE, will lose their bonus because of code we wrote over 2 years ago. That's not fair! If we're going to make things fair, we need not only time to become modestly proficient in secure coding, but we need to review any code that the red team might use against us. We need to make sure everyone understands static and dynamic code analysis, and how to do a proper code review. We have to find critical code modules that should only be touched by gurus. We need to assign each critical module to an appropriate owner. We need tooling that will prevent obviously broken code from going into production. And the list goes on. And all that is going to take time. I'm confident that we can make the code close to bulletproof, but it's a long way from there now and we need the time.”

“I'm not sure how I'm going to convince the Product teams to let you go dark for 2 quarters…” I warned.

“Those guys?!” he blurted out with snark that almost rivaled infosec engineer snark. “How long do you think it will take the red team to completely own them? I think they'll get religion in the next few days. Or maybe by lunch.”

Up next was a Director in the Finance team. He wasted no time. “So what are you going to do about the Finance people who move millions of corporate dollars around on the same machine they use for Facebook? Huh?! They all use old versions of Excel and Word on an old version of Windows. They love IE rather than Chrome or Firefox. Have you seen how many IE toolbars they have? How can those machines NOT be compromised?! It's a miracle we haven't sent millions of dollars to some overseas crime syndicate. And take a look at their workspaces. They have yellow stickies with bank passwords on them under keyboards. Does the red team get to come in late at night and go through people's desks? If so, we're going to lose our bonuses tonight! I have the team huddling today to come up with a list of improvements they need to make to secure employee and company data and money. I expect your full support in reducing the attack surface for my team and improved security training. Oh, and if you don't migrate us from this weak password-based authentication to something like a PKI-based hardware token, there's going to be hell to pay!” And off he went.

One of the IT managers came in and sat down. “Let's dump all our corporate machines.”

“Excuse me?”

“Yeah, we have all these machines. Some are in the building, some in our colo. Let's get rid of all of them.”

“And do what? No mail, no wiki, no HR apps…”

“We need to move to the cloud. We shouldn't have any internally hosted services. Move all our apps to cloud providers.”

“You told me once that the cloud wasn't secure…”

“That's before I knew we were actually going to be attacked!”

“You mean you didn't think the company was a valid target by disgruntled ex-employees, competitors, pranksters, hacktivists, crime syndicates, or nation states? That NO ONE would want to break in?”

“Well I guess it was a possibility, but now it's a certainty and we need to take action Bob! This is serious! Plus, think about it this way: I have exactly zero people looking at mail logs, applying patches, or anything else that might help further security. And remember when that cloud provider admitted last month that they had a breach based on their internal security tools? The way I figure it, that shows that they are actually doing security right. They had actually put effort into Detection, not just Prevention. And they clearly had also invested in the Respond and Recover functions of the NIST framework. And even if they need to do better, what they have is already much more than I'll ever be staffed to do. If we move to the cloud, we'll get continuous upgrades, better security, and my team can focus on much more strategic projects. So please assign someone from your team to make sure my team can make this change quickly and securely.”

Finally, the CEO came in. She confided in me that she just realized that her own bonus was on the line, and that it was a considerable sum of money. “Do you think the red team will come after me?” I told her that I honestly didn't know, but now that she mentioned it, probably. “It won't be hard for them, will it?” she asked. “Um, well, probably not,” I replied quietly.

“They won't come after my personal accounts. Right? Bob???”

I took a deep breath and explained that the red team was going to do what the bad guys do, and that it's common for the bad guys to do extensive research on targets, often lasting months, and to use personal information in furtherance of their attack of the company.

“That's hardly sporting of them!”

“Are you talking about the red team, or the criminals who want the data for which you are the top custodian?” She ignored the question.

“I heard you have a document on how to secure personal accounts so you never get hacked. Please forward a copy to me. Looks like I'm going to be up late tonight.” And with that, she left.

And then I woke up.

That was the dream I had. Or maybe you can classify it as a nightmare. Either way, it's a useful thought exercise. I like this thought exercise because it fixes, in one stroke, the underlying problem we have today in security.

The core problem with security today isn't about technology. It's about misaligned incentives. We are trying to push security onto people, teams, and processes that just don't want it. The push model of security hasn't worked yet. If we want security, we need a pull model of security. We need to align incentives so everyone demands security from the start and that we give them systems and networks that are secure by design. We need to have serious conversations about the relative priorities of customer data, employee preference, and perceptions of employee productivity. We need to be open about the hard economics and soft costs (like reputation) around the cost of a breach. And if it's cheaper to clean up after a breach than to prevent it, let's say so.

Short of the extreme “all red team, all the time” thought exercise, I don't have any easy answers. But I do have some suggestions that might help nudge the incentives in the right direction so maybe we can get a little more “pull”, allowing us to “push” a little less. I'll describe some of those thoughts in an upcoming blog post.

Have a story or a dream for me about incentives that worked? Or went awry? Drop me a line on Twitter at @boblord. If you want to tell me confidentially, send me a DM! My settings allow you to DM me even if I don't follow you.

Security in Energy & Utilities

Energy and utilities (E&U) companies must comply with standards such as NERC, protect their SCADA systems against compromise, and cope with the expansion of the smart grid as home energy systems become increasingly connected to the Internet of Things. So how do these factors impact the daily life of a CISO working in the E&U sector? In the enclosed video, you'll hear firsthand about some of the key security considerations – which include wanting to know what users are doing – as well as about how partnering with Rapid7 and deploying tools like UserInsight can help improve security programs.

CISOs: Do you have enough locks on your doors?

In a previous blog post, I referenced some research on how people plan for, or rather how they fail to plan for, natural disasters like floods. At the end of the blog post I mentioned that people who have poor mental models about disasters fail to prepare fully. I keep coming back to the idea of mental models because it starts to explain why we have such a gap between security practitioners and senior executives.

I asked one CISO how he talks to other executives and the company's board about a recent breach in the news. He told me that the CEO doesn't have much time for security, so he uses a shorthand. He talks to the CEO in analogies. He explains that they've already put metaphorical locks on the front door, but to be sure that they don't make the same mistakes as the latest company in the news, they'll need to put locks on the back door.

This approach isn't uncommon, but it has a few flaws. First, it doesn't take much time to show that this analogy doesn't work well. The way attacks work today, the attackers will not be prevented from breaking into this metaphorical house. Instead, they'll get a ladder from the garage and climb in the upstairs bedroom window. Of course, you can put more locks on those windows, but again, the attackers are going to find a way in if your security strategy is based solely on locks (prevention). In this analogy, where are other defender activities like identification, detection, response, and recovery?

The second reason the lock analogy fails is because it tends to create a problem/solution dynamic. If it's a bug, go fix it. But again, that's not how the attackers work. In other spaces this approach can work. For example, if your web site is experiencing performance problems, you can assign an appropriate engineer to fix the problem. After some analysis, she'll come back with recommendations. Maybe she'll propose buying more machines/instances, or maybe there's a bottleneck in the code that can be refactored given the new website load patterns. But in general, she'll be able to fix the problem and it will stay fixed.

That's not how security works. When the defenders make a change that improves security, the attackers get to decide if the cost of the attack is worth continuing or not. Or perhaps they're already in the network so far that the improved security doesn't affect them. In many cases, they'll modify their approach or tools to get past these changes. In many cases, the security improvements will be little more than a short lived setback.

If you are an executive who views security decisions through the “problem/solution” lens, you'll be tempted to offer the security team budget or headcount to “fix” the problem. Someone presented you with a problem, and you gave them a solution. Implicit in this transaction is a shift of the responsibility and accountability back to the security team. They asked for money for more locks, and you gave it to them. If there is a breach, the security team will be accountable, not you.

The metaphor of locks on doors isn't the only one you've heard. Others include outrunning the next guy rather than the bear, hard crunchy exterior/soft chewy interior, seat belts, guard rails, airbags, and so on. Bruce Schneier also talked about the problems of metaphors:

“It's an old song by now, one we heard after the 9/11 attacks in 2001 and after the Underwear Bomber's failed attack in 2009. The problem is that connecting the dots is a bad metaphor, and focusing on it makes us more likely to implement useless reforms.”

Trying to communicate using the wrong mental models leads to real problems for security practitioners and the data they are trying to protect. So what are the right mental models?

The single biggest improvement in your mental models you can make is to understand that you are up against dedicated, human adversaries. Until defenders, executives, and stakeholders in an organization internalize this fact, we will continue to see them miscommunicate and then plan and execute poorly. And the results will be security by tool rather than security by strategy. And that will lead to more breaches in the news (and many not!).

The key words to ponder are “dedicated” and “human”. In some cases, the attackers have a job, and they are being paid to attack you. Or maybe they feel a moral purpose in attacking you. Some work alone, some in teams with different specializations. But they are dedicated. And of course we know that they are human. But that has implications that most executives (and many security teams) haven't pondered. It means they read about your latest acquisition and begin to probe the target company as a way into yours. They can correlate previous breach data with your employees to find a likely candidate for a spear phishing attack. They look for your technical debt. They find systems orphaned by a recent reorg or layoff. Humans can be creative, patient, and insightful.

As an aside, all of this makes security unlike any other part of your organization. No other part of your organization has the sort of dedicated, human adversaries that seek to benefit from the value of your data in the way security attackers will. What about the legal team, you may ask? Don't they have dedicated and human adversaries? Yup. But let's walk through the steps in a legal “attack”. First, the adversary notifies you that you are under attack. While there have been some high-profile announcements that a company's networks and systems were under attack, it's not common. As a reminder, the average time between intrusion and detection is measured in months and quarters. During that time, the attack takes place without anyone knowing. Next, both the attacker and defender play by roughly the same rules, and those rules are enforced by a neutral referee who decides if both sides are abiding by these rules. You get the idea. The legal analogy isn't even close to what infosec defenders deal with.

There's a common saying in the CISO world that “security practitioners need to learn to speak the language of the business”. That's absolutely true. There's no doubt in my mind. We need to continue to learn how the business works, and we need to get better at saying “yes” while at the same time reducing risk. That fact is necessary but not sufficient for us to close the gap between security people and senior decision makers. The other major factor will be those senior decision makers breaking free of simplistic metaphors and faulty mental models. It's never really been a communication gap. It's been a mental model gap. Without shared mental models, communication will always be faulty.

Getting all levels of an organization aligned on the right mental models is clearly not an easy task. What will work in one organization isn't what will work for another. Not all stakeholders understand the importance of spending time to learn how attacks work. However, I would propose a few things.

If you are a security practitioner, don't shy away from teaching others how attacks work. You should be looking at your security program through the lens of a kill-chain or attacker lifecycle model. When you present, teach people how you think. Explain why this next budget request will address a specific concern, but that others remain. Explain what you think your adversaries will do next. Resist the temptation to reduce those complex dynamics down to locks on doors. Focus your conversations on models, not metaphors. That's true for all your communications, reports, quarterly plans, and elevator chats.

If you are a senior decision maker and don't come from a security or intelligence background, you may find it challenging and time consuming to learn to think more like an attacker. Resist the urge to say “I don't need to be a subject matter expert in security; that's why I have a security team”. While that statement is true, just by saying it you prevent yourself from learning just enough to make smart decisions. You are already expert-enough in numerous other domains. Security and privacy awareness will be critical skills for your success in the coming years. Think ahead to the inevitable (yes, inevitable!) breach where outsiders will hold you accountable in potentially unexpected ways. Assess your organization's culture of security objectively rather than the way you hope it is. And make sure your actions match your words.

Have a story for me about mental models gone wrong? Drop me a line on Twitter at @boblord. If you want to tell me confidentially, send me a DM! My Twitter settings allow you to DM me even if I don't follow you.

Insiders and Outsiders in Security

“Those fools. They didn't even bother to do X. And everyone knows you have to do X.”

If you've been in Infosec for even a short time, you've seen this sort of statement, whether explicit or implicit, about something in the news. It comes up often after a company has suffered a breach. And it's often true. The company should have done X. Everyone knows you need to do X. Even my dad knows that. But then again, the security people making these comments often work at companies that really should be doing Y and Z, but may not be. What is it that makes people feel they can criticize others while not having their own house in order?

I've also noticed a few examples of executives being grilled by government officials. The line of questioning is harsh and with no wiggle room. The questioners only want to know about the state of security, and are not interested in hearing comments about the level of difficulty to make things secure, or how programs are now in place to address the issues.

This gap between the viewpoints of insiders and outsiders is hugely important, and will be more so in the future.

Outsiders might be members of the press, commentators, Twitter accounts, regulators, or opposing counsel during a shareholder lawsuit. They may be schooled in security matters, and may even be security experts. Or they may be non-technical people who reuse passwords, but will point fingers at you when you failed to implement a robust PKI key management scheme on your complex multi-national WAN.

But it doesn't matter. Their position is what it is. And it's hard for the defenders on the inside to see eye to eye with the outsiders. Here are a few of the differences I've noted.

Insiders measure effort. Outsiders measure outcomes.

Insiders understand that they must find a way to do more with less. Outsiders look at how the attacker succeeded.

Insiders prioritize against many possible outcomes, breach scenarios, and black swan events. The actual crisis may not look like the ones theorized. Outsiders have 20/20 hindsight and ask incredulously how it could have happened.

Insiders focus on the many things that went well. Outsiders focus on the one thing that went wrong.

Insiders know it's hard to hire security talent, and hard to change an organization's business practices to be more secure. Outsiders look at a failure of management to make security a priority. Period.

Insiders know it's hard to get management attention without sounding alarmist and like fear mongers. Outsiders wonder why the security team didn't escalate on a daily basis.

Insiders know that security budgets are not limitless, and the security team has limited influence whenever people feel they are slowing the business down. Outsiders know that without trust of your customers, you have no business.

Insiders know you can't log everything. Not every packet, netflow record, OS log, and app log. That would be too expensive. Outsiders point out that disk is cheap, even at scale. They point out that your lack of forensics data increased the time to respond and recover after the breach was detected. And that there are still lingering questions about how the attack happened. And that it would have been cheaper to buy the disks to support the logs than to deal with uncertainty.

Insiders know it's nearly impossible to keep tabs on all the machines at the company. Outsiders point to the one orphaned machine that was attacked and think you should have known.

Outsiders will ask what went wrong. Then they will ask what you are doing to prevent this from happening again. When you tell them, they will respond by saying “Well, then that's what you should have been doing all along”. This is a key element of the insider/outsider friction.

Insiders look for a root cause analysis. Outsiders will look at superficial symptoms. When they give guidance to the insiders, it can generate more friction if the insiders think they are being tasked with fixing symptoms rather than causes.

Insiders know that you have to allow employees the right to bring their own devices onto the corporate network to be productive. Outsiders know that your breach was caused by an unmanaged employee device, and that it was completely foreseeable and preventable.

As in many of the examples above, the divide between insiders and outsiders is shown after a breach. This “before and after” analysis offers the most striking examples of this divide.

If you are caught in a line of questioning from an outsider, how will you answer their pointed and loaded questions? Some questions can be all rhetoric, and even attempting to answer can cause more issues. Questions might include variations on the following.

Why was this group of users exempt from 2FA policy for so long?

Was it a policy to ignore warnings from your SIEM?

Why did you allow source code on laptops, knowing that's a common exfiltration path for criminals?

Why did you prioritize the convenience of your employees over safeguarding the trust given to you by your customers?

If the data had no immediate value to the company, and only had value to criminals, why did you retain it rather than deleting it?

Given that the excessive access rights for this one user were abused by the attackers, what process had you gone through to prevent this exact attack path? How exactly did you fail?

As a security professional, you know that most attacks involve the exploitation of known vulnerabilities. Please explain again why you failed to guarantee software updates on so many systems. After all, that's job #1 for reducing risk. Do you disagree?

You said you prioritized the desire of the sales/business development team over the concerns of the security team. How are your sales/growth numbers looking since the breach?

Knowing that executives are prime targets for cyber criminals, why did you allow them to opt out of software updates and phishing training?

Explain why you allowed a network design to include unsecured connections to remote offices that failed to meet your own written security standards.

Given what we know about how valuable customer and employee data are, and reading about all the other similar attacks in the news, can you explain why you failed to encrypt the customer and employee data?

You admitted that the machines in the attack path were no longer used for much; that they were orphaned, not managed, and unpatched. And yet you failed to remove this obvious risk from your network. Why?

Why was this not raised to the CEO? (Or if you're the CEO: Why did you not take appropriate action?)

Why was this decision made at the Manager level rather than the VP level or by the CEO?

You claim you spend millions of dollars on your information security program. Do you think you got your money's worth?

Some questions are much more pointed or slanted than others. But if you were asked these questions, perhaps in public or under oath, would you feel good about your answers? Would you feel confident in not just your efforts, but in the results? Would outsiders feel you did the best you could, or would they feel that you hadn't taken security seriously?

Have a story for me about being judged by outsiders? Drop me a line on Twitter at @boblord. If you want to remain anonymous, send me a DM. My settings allow you to DM me even if I don't follow you.

Introducing the CISO in Residence


At the start of 2010 I started as Twitter's first security hire. You may recall a number of security challenges we were facing at that time. We had to build out a number of teams to deal with the entire spectrum of security issues. Today Twitter has what I believe to be some of the best security people and teams in the industry.

Today I'm very excited to be joining the Rapid7 team as its first CISO in Residence.

What does a CISO in Residence do? Well, there aren't a lot of examples to go by. This is a new type of position, created by organizations that recognize the need for people who have run security organizations to share their experiences, knowledge, and perspective with other leaders. In my case, I'll be working with Rapid7 customers on topics ranging from security programs, to threat profiling, training, and anything else that contributes to an organization's security posture and health. My role here is to explore, compare, and cross-pollinate. I'll be doing as much learning as anyone else.

I know I'm not the only one asking:

Why does there seem to be such a gap between what companies state as their security goals, and the behaviors they exhibit?
Why does it seem that companies are pouring increasing amounts of money into security programs, only to be breached?
Are there characteristics of highly successful programs that haven't been getting enough attention?
Why do companies not seem to suffer long term consequences for having under-invested in security?

Under scrutiny, questions like these evolve—and that's when the magic happens.

I believe we're nearing a transition point in how organizations think about security, work with security, and how the world thinks about trust. I'm excited to be able to work with key players in this space to help usher in this new era.

I'd like to thank Nick Percoco and Corey Thomas, who had the vision to create this position. It's going to be a fascinating journey.

If you've been thinking about some of these bigger questions, I'd love to hear from you too. Feel free to reach out to me on Twitter at @boblord.

Top 3 Takeaways from "CyberSecurity Awareness Panel: Taking it to the C-Level and Beyond"


Hi, I'm Meredith Tufts. I recently joined Rapid7 and if you were on the live Oct. 30th webcast, “CyberSecurity Awareness Panel: Taking it to the C-Level and Beyond”, I was your moderator. It's nice to be here on SecurityStreet, and this week I'm here to provide you with the Top 3 Takeaways from our CyberSecurity Awareness month webcast, where we were joined by a panel of experts:

Brian Betterton - Director, Security, Risk and Compliance at Reit Management & Research
Trey Ford - Global Security Strategist at Rapid7
Nicholas J Percoco - VP of Strategic Services at Rapid7

Key Takeaways on how to win the hearts and minds of your company's “C-Level and Beyond”:

Data Custodianship – Make the conversation personal. We know that there is the Holy Trinity of regulatory data (PCI, PHI, PII), but, as Brian Betterton explains, there is another type to be considered: EI (Executive Information). Executives are being targeted, and now is a good time to make the conversation around custodianship personal. Your executives could be targets of phishing, malware, etc. Do they want their valuable, personal information out in the world?

Policies – Nicholas J. Percoco shares how one company's policy that their IT department's maintenance/testing take place during a very specific time of day helped a sales clerk determine that the activity taking place on her POS system was malicious in nature. There can be huge pros to making your policies as specific and detailed as possible and ensuring that all employees are educated about these policies; policies are great to have, education is essential. Specifically outlining what each role within the company is responsible for, as well as timelines for security activity, can be the difference between detection and a full-fledged breach.

Crisis Communications – Making it personal, again! Rehearsing for a crisis is necessary: knowing who is going to write the press release, who will be the face of the company, who is the expert, who is going to communicate to the customers, etc. is a must. Brian also highly suggests that cyber insurance and Director & Officer Insurance be part of the crisis conversations. Talk about getting personal with your executives; getting sued with personal financial repercussions at stake can be about as personal as it gets!

To learn more about how you should be talking to your company's C-Level, view the recording of this webcast on demand now!

If you want to hear more about security trends and methodologies, take your pick from our webcast resources: Webcasts

Cyber Security Awareness Month: Data Custodianship


By now, you know that October is Cyber Security Awareness Month in the US and across the European Union. We know many SecurityStreet readers work in information security and are already “aware” - so this year we're equipping you for executive tier cyber security discussions. We kicked this off last week with a piece on why security matters now. This post focuses on duty of custodianship, and in the coming weeks we will be posting on building security into the corporate culture through policies and user education; how organizations can make security into a strength and advantage; and crisis communications and response.

For this week's topic, we're discussing data custodianship.

When choosing to keep data, we have a legal and custodial responsibility, because we do not own that data. As a result, keeping data introduces an element of liability for your business, and protecting it is expensive and complex. Inventorying and eliminating regulatory data reduces liability, saving time and money.

Imagine hiring a babysitter for the first time, and they show up five minutes before you are scheduled to leave the house. No prior communication, no advance information requested – and now you're worried you're going to be late.

“Hey there, I'm here - have a good time tonight!” the sitter says, walking in the door and sitting down on the couch.

That's it!? “Do you care to know the number, ages and names of our children? If there are any special needs, medical issues, habits, dietary restrictions, bed times, or the last time they ate? Do you need to know when we are coming home, or how much we are paying?”

There is a very clear difference between the concerns and interests of a parent and this babysitter; those differences nicely illustrate the decisions companies make unintentionally when handling sensitive and regulatory data. Unlike babysitters, enterprises may have the luxury of choosing what responsibility we inherit. As corporate decision makers, we have the option of not storing data.

The holy trinity of misunderstood data is PCI, PHI, and PII. PCI is information relating to the Payment Card Industry – think of credit and debit cards. PHI is Protected Health Information, as defined by the Health Insurance Portability and Accountability Act (HIPAA). PII is Personally Identifiable Information – also under HIPAA.

Said again differently – companies are hesitant to destroy data, but retaining certain kinds of data involves expensive protection in the face of very real liability. More often than not, a very expensive decision to retain regulatory data is made without knowing what is at stake, often at a business level unacquainted with the associated costs and risks.

The current pervasive thinking is that gathering data creates “business intelligence,” which enables the business to operate more effectively and build new or stronger lines of revenue. Unfortunately, this data also attracts criminals who know they can turn a healthy profit from this stolen information on the black market. Defending against these attackers is time-consuming, expensive, and extremely challenging. Attackers cannot steal data you don't have, so eliminating specific data sets can massively lower your liability and reduce your expense.

A solid business case review makes sense. Some data must be stored for a period of time. Some abstracted data can provide business and market intelligence. Custodianship drives us to make informed decisions and to be deliberate about the investment required to protect data the company does not own.

By choosing to retain this data, we choose to retain risk and liability; your company will be held accountable for success or failure in safely caring for this data.

Keep only what you really need. Make sure whatever you need to run your business is vigorously protected. And we strongly urge you to look into what liability protection you have around security threats. You may think you're covered and actually find that you are not.

If you like this series, check out last year's series of user awareness emails covering phishing, mobile threats, basic password hygiene, avoiding cloud crises, and the value of vigilance.

A CISOs Cloudy Reality


An Overview

For many organizations, especially fast-paced hyper growth companies like Rapid7, the appropriate use of Cloud services can be the difference between success and failure. As these products and solutions revolutionize the way we do business, CISOs must contemplate what constitutes appropriate use. In the past five years we have watched Human Resource, Customer Management, Learning Management, and other major business functions move into the Cloud. This has forced CISOs to push their comfort levels, and has methodically eliminated our ability to halt deployment.

Security teams are uneasy with third-parties consuming business data and operations, yet great CISOs must have an understanding of risk across their organizations. We must understand how decisions impact business partners, customer commitments, regulatory compliance, and overall risk posture. It has taken several years, but many of us are beginning to accept and operationalize the era of a new perimeter - people and data.

Practical Considerations

This perimeter shift is evident in the frequency with which CISOs are approached about adding additional Cloud services to their respective toolkits. These requested services often lead the pack in usability and affordability, and the only remaining ‘roadblock' would be lack of security sign-off. Most CISOs evaluate Cloud services with (at least) these core questions:

Does implementing this service increase or decrease my overall risk-level?
Does this service utilize or require any sensitive or protected data?
Do the benefits justify any additional risk that may be incurred?

Each proposed service has an inherently unique set of responses to these questions and the final disposition is rarely clear. For services increasing aggregate risk and involving sensitive data, it becomes a much scarier (but frequently necessary) proposition to verify that benefits outweigh increased risk levels. Interestingly, as these tools flourish and operate without major security incidents we become more comfortable with Cloud-based products, to the point of leveraging them to enhance our operational security posture.

Migrating into Security Operations

As I started deliberating the use of Cloud solutions to support Rapid7's security operations, I had a hard time getting comfortable with a third party service, hosted where I have little visibility, managing sensitive components of my Security program. I had to wrestle past the emotional static, and focus on the pragmatic and data powered risk perspective - and that is not as simple as it seems.

Looking at the bigger picture, I started to believe that letting an established Cloud provider, with a proven track-record, contribute to security operations may actually reduce risk to Rapid7. Established Cloud services generally allow for a swift roll-out, orders of magnitude faster than on-premise offerings, and day-to-day operations can take significantly less time, so engineers are freed up to invest energy in reducing other risks.

Final Thoughts

Even with a fractured consensus on what the ‘right' approach to the Cloud looks like, it is pretty clear that adoption is increasing, and with every decision a CISO will be placing a bet. Every environment is different, and frequently the use of Cloud services can free up engineering cycles. We never know when the extra time a security engineer has to operate will prevent a compromise, or if the same decision that freed up that time will ultimately result in a data-loss event. I do believe there is help on the horizon, and candidly Rapid7's UserInsight tool is a fantastic example of the type of help we need.
