Risk and Reward – The Importance of Knowing the Network
Fact: CISOs who don’t have a reasonably complete understanding of the state of their network are inviting risk into their house, period. A CISO from a well known Silicon Valley tech company once told me that his job was effectively dealing with corporate risk – “I accept it, I manage it, or I offset it.” This is fine when you have an adequate understanding of what you’re protecting, but when you don’t, you can’t even identify the risk, let alone manage it, and unmanaged risk can neither be dealt with nor insured against.
This is one of the difficulties of the job. As an established leader at a company, you have to constantly challenge yourself to make sure the hypotheses you made about the world haven’t become deprecated. Last week, I discussed these challenges with Anthony Johnson, Managing Partner at Delve Risk, on the Cyber5®. He emphasized that one of the top priorities for an incoming CISO should be “to understand the assumptions that were made by the existing security team.” Part of the difficulty is that you have to empower that existing team with your trust while at the same time working to understand and challenge the hypotheses the team is built on. It’s not an easy position to be in.
Whether you’re an established CISO at your company or a new one, one of the biggest challenges you face is how you organize your team. Anthony specifically stated that when it comes to team building, you should “build your team around the hard questions that your organization has difficulty answering – if you’ve dedicated most of your staff to focusing on questions you can successfully answer, you should consider refocusing them on those problems and questions that you can’t.”
Working in cybersecurity, you see a wide range of situations and teams: small companies that have their things in order, large companies that don’t, and vice versa. A prudent security leader should eventually be able to account for their network the way the CFO balances the corporate books: down to the nearest host. If you can’t account for the assets in your environment with near precision, you can’t protect the network.
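Accounting for the network “down to the nearest host” means reconciling what the inventory says you own against what is actually talking on the wire. The script below is an added example, not code from the original post or from Delve Risk: it takes a constructed CMDB export and a handful of constructed DHCP lease log lines, parses the DHCPACK records, and reports three buckets a CISO should be able to size at any time – hosts that match the inventory, hosts on the network that nobody has claimed, and inventory entries that have gone quiet. The `CMDB` records, the log format and the MAC addresses are all made up for the example.

```python
"""Reconcile an authoritative asset inventory against observed DHCP activity.

Added example (not from the original post). All hosts, MACs and log lines
below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed "authoritative" inventory, shaped like a simple CMDB export.
CMDB = [
    {"hostname": "web01", "mac": "aa:bb:cc:00:00:01", "owner": "platform"},
    {"hostname": "db01", "mac": "aa:bb:cc:00:00:02", "owner": "data"},
    {"hostname": "jump01", "mac": "aa:bb:cc:00:00:03", "owner": "secops"},
    {"hostname": "old-build", "mac": "aa:bb:cc:00:00:04", "owner": "ci"},
]

# Constructed dhcpd-style syslog lines. Only DHCPACK lines prove a lease was
# handed out; DISCOVER/REQUEST lines are ignored on purpose.
DHCP_LOG = """\
Jun 01 10:00:01 dhcp01 dhcpd: DHCPACK on 10.0.1.10 to aa:bb:cc:00:00:01 (web01) via eth0
Jun 01 10:00:05 dhcp01 dhcpd: DHCPDISCOVER from aa:bb:cc:00:00:02 via eth0
Jun 01 10:00:06 dhcp01 dhcpd: DHCPACK on 10.0.1.11 to AA:BB:CC:00:00:02 (db01) via eth0
Jun 01 10:00:09 dhcp01 dhcpd: DHCPACK on 10.0.1.12 to aa:bb:cc:00:00:03 (jump01) via eth0
Jun 01 10:00:15 dhcp01 dhcpd: DHCPACK on 10.0.1.77 to de:ad:be:ef:00:01 (raspberrypi) via eth0
Jun 01 10:00:20 dhcp01 dhcpd: DHCPACK on 10.0.1.78 to de:ad:be:ef:00:02 via eth0
""".splitlines()

# The client hostname is optional: many devices never send one.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def normalize_mac(mac: str) -> str:
    """MACs arrive in mixed case from different tools; compare them lower-cased."""
    return mac.strip().lower()


def parse_dhcp_acks(lines):
    """Return {mac: (ip, client_hostname_or_None)} for every DHCPACK line.

    A later ACK for the same MAC overwrites the earlier one, so the result is
    the most recent lease seen per device.
    """
    seen = {}
    for line in lines:
        m = ACK_RE.search(line)
        if not m:
            continue
        seen[normalize_mac(m["mac"])] = (m["ip"], m["host"] or None)
    return seen


@dataclass
class Reconciliation:
    matched: dict  # mac -> (cmdb record, observed lease): inventory and wire agree
    unknown: dict  # mac -> observed lease: on the wire, nobody has claimed it
    unseen: dict   # mac -> cmdb record: in the inventory, not seen on the wire

    def coverage(self) -> float:
        """Fraction of observed hosts the inventory can account for."""
        observed = len(self.matched) + len(self.unknown)
        return len(self.matched) / observed if observed else 1.0


def reconcile(cmdb, observed):
    """Join the inventory to observed leases on normalized MAC address."""
    by_mac = {normalize_mac(r["mac"]): r for r in cmdb}
    matched = {m: (by_mac[m], observed[m]) for m in observed if m in by_mac}
    unknown = {m: observed[m] for m in observed if m not in by_mac}
    unseen = {m: by_mac[m] for m in by_mac if m not in observed}
    return Reconciliation(matched, unknown, unseen)


if __name__ == "__main__":
    result = reconcile(CMDB, parse_dhcp_acks(DHCP_LOG))
    print(f"inventory coverage of observed hosts: {result.coverage():.0%}")
    for mac, (ip, host) in result.unknown.items():
        print(f"UNKNOWN  {mac} {ip} {host or '(no hostname)'}  -> find an owner")
    for mac, rec in result.unseen.items():
        print(f"UNSEEN   {mac} {rec['hostname']} ({rec['owner']})  -> stale or offline?")
```

Both non-matching buckets are findings, not noise: an unknown host is something you are responsible for but have never assessed, and an unseen inventory entry is either a decommissioned box that still has firewall rules and credentials attached to it, or a live system whose traffic your logging never sees. Running this against real DHCP, ARP or switch CAM data is the cheapest way to find out which.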
If you’re looking for a good place to start evaluating your own understanding of the network you’re responsible for, try this thought experiment that Anthony recommended. “Think of a zombie movie – if you’re running from zombies and go to hide in a house, in order to survive you need to know: where the doors and windows are, where the choke points are, where the weakest areas and strongest, most defensible areas are, etc.” If you can’t answer these types of questions about the network, chances are there are some zombie processes creeping around unimpeded.