Last Updated on April 22, 2021
It’s axiomatic that many organizations “fail” information security, in the sense that they have significant unmitigated vulnerabilities that they are unaware of… until it’s too late.
What are some of the reasons why? At the level of organizational culture, Pivot Point Security CISO and Managing Partner, John Verry, has noted—with tongue firmly in cheek—2 “biases” or lopsided mindsets that thwart development of a holistic information security strategy.
Mindset #1: Too product focused
“I can think of one guy in particular who I think is comical, and he’s in a huge organization,” John shares. “If you say to him, ‘What’s your security strategy?’ he starts spooling off all the products that he’s bought and how they’re tied to like the Gartner Magic Quadrants. And the funny thing is, he goes to the board and that’s his answer to everything. It doesn’t matter that they haven’t resourced the right people to run the tools. It doesn’t matter that the tools haven’t been configured properly. It doesn’t matter that not only do they have knowledge gaps, but they have coverage gaps. They’ve got monitoring gaps, so they’ve got tools that are not being properly managed. Or they’ve got multiple panes of glass instead of [a unified view]. They never really truly operationalize any of their tools.”
John continues: “We ended up going in there to do some testing, and it was comical. It was a super high-risk environment. They were like, ‘This is just a dot the i’s exercise. We scan this environment once a week.’ Which is really a lot, to scan an environment for vulnerabilities once a week. So we’re thinking, ‘Okay, it’s going to be a clean pen test.’ A minute into the pen test we’re like, ‘These guys don’t scan this environment every week. This is a crap show.’ We chew up the environment, we gain all kinds of access and the guy is like, ‘I don’t understand how this could possibly happen.’ He’s yelling at his people. So we log into their Qualys console to see what kind of scanning they’re doing. And we realize that they’ve checked a little box that says, ‘Enable fast scanning.’
“And we’re like, ‘You know what that box does. You don’t scan all of the 65,535 ephemeral ports. You’re actually only scanning the top 100. You’ve been running your scans wrong for years.’ That’s an example of a product-focused guy.
“So if you’re listening to this podcast and you’re trying to figure out security, and you either think you should go to the market and buy something for each one of those things people tell you about, don’t do that. Or if you’re working with a vendor whose answer to every security question is a product, you’re working with the wrong people.
“The answer to most security questions is process, procedure, policy. … Management’s policy is promulgation of intent: What do I want you to do? Until you define that, you can’t figure out if you need a product or not. And you can’t figure out how to implement the product,” John states.
Mindset #2: Too framework focused
Another bias that leads to inconsistent security coverage is a narrow focus on whatever framework defines your cyber compliance requirements.
As John puts it, “You could be framework-focused in either of two ways. The positive framework focus is, ‘Hey, we’re going to align our security program with [for example] the NIST 800-171 framework, or the ISO 27001 framework.” Which is really just well-vetted, well-documented guidance to ensure that you’ve got a comprehensive approach to information security—and an answer to any question that you have. A framework gives you all that good guidance to know that this is how you architect a program. So that’s the positive side of a framework focus.”
“I think the negative side of a framework focus is where organizations say, ‘Hey, I have to comply with New York State DFS 500.’ Or, ‘I have to comply with HIPAA.’ And they look at that as being the sum total of implementation: ‘We’re a medical organization, so we implemented HIPAA.’ But HIPAA only cares about PHI [personal health information]. You have credit card data in your environment, and that HIPAA validation has nothing to do with your credit card data. So I think that’s where the negative side of being framework-focused would be,” relates John.
“We all come across people who think that just buying the tools gets you where you need to be,” says Eric. “But it’s amazing the gaps in coverage that get created with every new tool you bring in, to the extent you’re not implementing it.”
“You have to make sure your tools are working together,” adds Eric. And if they’re not, you have a false sense of security. Because every single integration, if it’s not done correctly, could itself pose a security issue.”
To hear this episode of The Encrypted Economy podcast with special guest John Verry and host Eric Hess in its entirety, click here.