This is why your Carnegie-Mellon Hire won’t save you Cyber Attacks!

CISOs fail all the time — here’s what needs to be done to save merciless attacks.

this article was originally published as a Quora answer.

Lets decipher what it takes to have bulletproof cybersecurity. More often than not, one is sprung a loooooong laundry list of check-boxes when he asks that question. This standard, that standard and all kinds of alien boxes from every company which ever blurted security even while sleepwalking. The checklists and boxes will save all the security attacks on your organization — nothing could be further from truth. The checklist-based approach to security is a surefire recipe to disaster.

Get over it. How can one prevent breaches by following set standards while the evil guys are following none?

The entire hacker ecosystem thrives on finding ways around standards to wreck mayhem on all kind of IT rigs. To save breaches and attacks, a potent CISO, CTO or whatever C you want to abbreviate your Ironman with, needs to take these steps.

• Role Based Access Control (RBAC). Contrary to the popular belief that most attacks ride poor authentication mechanism in place; it is more of an authorization issue. The good ol’ phrase need to know basis needs to kick in. Having measures that ensure that an individual accessing an IT resource, has only rights which measure up his role in that IT ecosystem, goes a long way towards ensuring cybersecurity. Measures like Domain Controller, IAM etc help one implement RBAC.
• Defense in Depth. This entails having all paraphernalia that is commonly associated with security — firewall, IDS, IPS, SIEM, DLP etcetera. The underlying idea is to have a digital fortress set; presenting number of layers of obstacles to an attacker with each layer presenting a unique hurdle to him.

• Awareness of People. This is extremely important. While everyone can’t become a cyber expert overnight, it needs to be understood that each employee in a facility needs to understand the basics of safe IT resource usage. Cybersecurity is much like medical science. While it is unfair to expect every employee to pull off a bypass surgery; it is only fair to expect them to know the importance of washing hands and using hand-sanitizer.
• Log Analysis and Alerts. You can only improve what you can measure. The defense in depth step is going to help only if it is exploited to its full potential. All devices employed for defense in depth generate logs — which is like pulse for IT health. If the generated logs and alerts are not addressed, all that your infrastructure will provide you with is a silver bullet styled false sense of security — this is as dangerous as it can get.
• Threat Intelligence (TI) Collaboration. All security measures employed as part of defense in depth need to learn about the threats in order to prevent crisis situations for your IT ecosystem (like your antivirus needs updates to block contemporary viruses). As true for humans — even your IT infrastructure can’t afford to make every possible mistake (get attacked) and then learn from it. One gotta employ the learning from attacks suffered by other organizations and the way to do that is by collaborating TI. The TI feed including indicators of compromise (IOC) is a precious resource for increasing the efficacy of one’s defense-in-depth routines.
• Weeding Out Pseudo Cyber Experts. Shortage of cyber skilled talent is projected as the biggest challenge haunting the cybersecurity world; however, a challenge bigger than that is abundance of pseudo cybersecurity experts. Since last decade, cybersecurity has emerged as the most sexed-up domain to be associated with. No wonder so many rats have lined up behind the pied piper. If your organization is doing with one of these guys who just keeps up with top 10 cyber security blogs, has managed to get a dozen thrift shop certifications and could be seen at every cyber security conference offering cappuccino and gourmet lunch — you are in for some serious trouble. With each passing second, this astrology styled practicing of cyber security by this lot is taking your organization towards its doom. These self proclaimed geniuses ruin the work environment, drag your cyber security drive back in time and just indulge in kissing up and kicking down gigs. The higher in hierarchy these conmen sit, the greater the risk of carnage. The primary agenda of this evil lot is not the security of your organization but to hide their own ineptness — and that is a 24x7 job. Use the services of a talent management firm which specializes in IT security to hire the right fit for your organization. Meanwhile, buckle up, find your bird-droppings-laden-scarecrows and get rid of them asap.
• Cyber Resilience. Breaches are the new norm. No matter how hard one tries, attacks will happen. Attacks will be successful too. So more than saving attacks, its important to reduce the bouncing back time post them. Saving confidentiality, integrity and availability of IT resources still stays utmost important. Following quick steps are advised

1. Encryption of data at rest and in motion.
2. Backup — Software, Hardware, Configuration, User Data and Key IT Personnel.
3. High availability for both networks and applications

Hope this helps.

—

• Defense in Depth. https://www.sans.org/reading-room/whitepapers/basics/defense-in-depth-525
• Role Based Access Control. https://www.sans.org/reading-room/whitepapers/sysadmin/role-based-access-control-nist-solution-1270
• The Economics and Impact of Bad CISO Leadership. https://www.csoonline.com%2Farticle%2F3203968%2Fleadership-management%2Fthe-economics-and-impact-of-bad-ciso-leadership.html