Last Updated on February 23, 2023
Cybersecurity is like the medical profession. It’s not really one discipline, but a wide and overlapping assortment of skill sets related to protecting data, identifying cyber risks and threats, maintaining security controls, and so on.
If your company lacks the technology and in-house expertise of a Fortune 1000 enterprise, how do you even wrap your mind around what “security” means, let alone achieve it? The diversity of potential directions and tools is so huge it can be an impediment. How do you target the sweet spot where you’re provably secure and compliant?
To reframe the problems we should focus on to “protect the nation’s cyberspace” as well as our individual organizations, Ron Gula, President at Gula Tech Adventures and formerly co-founder and CEO of Tenable Network Security, joined a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show as always.
The path to a “trusted ecosystem”
A strong advocate for what he calls a trusted information security ecosystem—“the right people and the right products to appropriately protect the company”—John asks Ron for his view on why so many firms don’t achieve solid security.
“There are really two aspects of that,” replies Ron. “One is the people and the other is the products or technology. From a people point of view, because we talk about cybersecurity like you have to be a brain surgeon, we kind of turn off a lot of people. Minorities… Everybody’s great, we want to invite more people into this—but we’re really not doing a good job of appealing to them. And we’re certainly not doing a good job of appealing to people who want to go join public boards or private boards who can then make the right risk decisions for their companies.”
“Then on the technology side, we’ve not done a good job of defining what does it mean to be secure?” observes Ron. “Because of that, you have this amazing array of products out there that solve all sorts of different things. Some of them are solving problems you didn’t know you have, some of them are solving problems cheaper than the products you have and some of them are maybe just somewhere in the middle, 5% better, that sort of thing.”
“And because of that, you have this amazing diverse tapestry of lack of knowledge, over concentration of knowledge, lack of product investment and maybe over investment in some cases. And we have no real common way of talking about these issues,” Ron relates.
What’s the solution?
If there’s no clear picture of what it will take to make an org secure, security investment missteps can be hard to avoid. How do you move from a product focus to a risk-centric approach to security decision-making when you don’t have deep security talent in-house?
Ron advocates getting more of your people involved in “just understanding the basics.”
“If you say to a board, ‘Are you secure?’ you’re going to get charts and stuff like that,” says Ron. “But if you said, ‘Have you protected our data—including the data of our customers and employees?’ you might get a little bit different answer.”
“A lot of people just kind of brush off cybersecurity and IT risk issues,” states Ron. “But when you ask them, ‘Do we care about this stuff?’ it kind of changes that. And it makes it a lot easier to get people into this business as well.”
What about proving security?
How do we answer the question, “Are we secure?”
“When I was the CEO at Tenable, I could answer that 50 different ways,” Ron remarks. “We could measure it by NIST cybersecurity framework. Are you compliant? Are you patching things? Is one organization better than the other? Are you making improvements?”
Ron continues: “But I think what’s emerging now is people realize there are so many attackers attacking companies these days… You have to simulate malware, you have to simulate the nation state stuff and we have to do this internally.”
“It used to be, we’d just hire a red team and do vulnerability scanning and here’s a report,” explains Ron. “But now it’s literally the red team is putting implants in the network, in the cloud, on the home computers, and we’re seeing how long the blue team takes to find it. And that metric of ‘can you find that?’ is another measure of security.”
It’s not about which EDR is better or which SIEM is better.
“Put some freaking implants out there, see if I can exfiltrate data and see if anybody notices,” Ron advises. “If you can notice it, then you’re probably much more secure than other people.”
“If we can create a measure of security, then we can use that measure of security to determine whether or not the people and products we have are effective,” John responds. “And if they’re not effective, we have a more focused guidance [a trusted framework like ISO 27001 or NIST 800-53] that can solve that problem.”
What is the role of frameworks?
Ron acknowledges the power of trusted frameworks but asserts that their complexity can overwhelm many SMBs.
“Maybe a better metric is something like what they say at CrowdStrike, where any compromise you have to detect it in 1 minute, verify it in 10 and get rid of it in 60,” Ron considers. “And if you’re not going to maintain those kinds of KPIs, what are you going to maintain?”
Most networks are under constant attack, so constant probing to see if they’re really protected makes sense. But as John adds, choosing the right metrics and getting good data is easier said than done.
We are on the front line
Ron’s view is that if people understood the actual risk, they would respond like people under attack, with a highly motivated, get-it-done determination.
“People need to realize that they’re on the front line and the government’s doing all it can, but they really have a responsibility to protect their data,” stresses Ron.
Is cybersecurity too complicated to really explain? Or can you implement robust security that aligns with your business strategy, step by step? Here’s a briefing from John Verry on the latter option: EP#59 – John Verry – Governing Cybersecurity: A Process for Becoming Provably Secure & Compliant