adam121 - Fotolia
Editor's note: This is part three of a series on CISO challenges. Part one looks at some of the common issues and threats enterprises face and how CISOs identify and address them, and part two examines some of the cybersecurity blind spots that security teams often miss.
Technical blind spots certainly present major information security challenges to CISOs and their teams, as the complexities of monitoring encrypted traffic and updating SAP software and other legacy applications can be daunting tasks. But there are other cybersecurity blind spots that involve more amorphous and less technical concepts such as enterprise risks. Several cybersecurity experts and CISOs offered insight into some of the hidden risks and vulnerabilities they've discovered, as well as some of the more persistent and growing threats to enterprise security.
Cybersecurity blind spots: Vulnerabilities and risks
How should companies deal with vulnerabilities? It may depend on the specific vertical industry an organization is in, according to Pavel Slavin, technical director of medical device cybersecurity at healthcare firm Baxter International. "We can't just take a Microsoft patch on Tuesday and apply it -- medical devices can't be patched before the patch is validated as it could kill the patient," he said. "We need to be able to adapt how we respond to vulnerabilities that could cause more harm than good."
"Detection and protection technologies are often too narrow in scope," added John Dasher, vice president of marketing at security analytics firm Niara. "I wouldn't suggest discontinuing the use of the technologies companies have employed, but know that individually they will expectedly fail when looking for anything other than deterministic attacks that are already known and understood. New, unknown attacks can usually sail right through."
"Malware that drops and then spreads around in a stealthy way keeps CISOs up at night," warned Giovanni Vigna, professor at UC Santa Barbara and CTO at Lastline, during an interview following RSA Conference 2016. "Malware is a spectrum: Things that are malicious have vast differences and not all solutions are able to address all types of malware. Furthermore, many attacks use multicomponent objects to avert detection, such as RTFs hidden in DOCs."
There are also cybersecurity blind spots that are based in risk and therefore harder to quantify and pin down than specific technical vulnerabilities. For example, what kind of access and privileges do third-party business partners have to your IT environments.
"Embrace risk-based programs and be cautious and careful in how you take advantage of the automation that's out there," recommended Tom Baltis, vice president and CISO for Blue Cross Blue Shield of Michigan during an RSA panel discussion on CISOs and real world lessons they've learned. "You need tools to help build trust with third parties -- the business relationships evolve and the trust needs to evolve with it."
Randy Marchany, CISO for Virginia Tech, offered some advice on how to identify and address potential risks around new software. "We have a procurement questionnaire, and if a department wants to buy software, the vendor has to fill out the questionnaire," he said. "I won't tell a business process owner that they can't use the software if it is the only one [requesting it], but we will need to employ additional controls to plug the holes."
Marchany also said it's important for CISOs to focus on what's ultimately most important -- the data. Marchany, for example, reports to the CIO, who in turn reports to the president and gets called up to the board three to four times a year for a state of the union; and arguably, that's not enough. Regardless of the recommended frequency, "the board wants to know what we blocked successfully and the near misses," he said. "I may point out that yes, some got in, but they didn't get any data. It's important to hone up to our failures as well as our successes."
During the RSA conference panel on using the National Institute of Standards and Technology's (NIST) Privacy Risk Management Framework, Logan O'Shaughnessy, lead for privacy incident management and response at the U.S. Department of Health and Human Services, said organizations "ask the question … does this data need to be collected in order to fulfill a business need? Say you don't need to store a user's information. If data is collected, even with consent, as soon as you store the data, it exposes you to a privacy risk."
Added O'Shaughnessy: "Our incident response team currently uses a central repository for security and privacy incidents to help close them out. However, when a security incident is remediated, it doesn't mean a related privacy incident is also remediated -- it could result in additional reporting requirements for the Office for Civil Rights. NIST is a springboard to drive discussions across both teams to help connect security and privacy processes."
Dasher said staying on top of privacy risks can help organizations address one of the bigger cybersecurity blind spots in today's world. "Having continuously updated risk profiles for users, hosts, IPs, applications and such allow the security team to prioritize their efforts and get in front of issues before they fully erupt." Dasher said. "Having systems that can reliably provide comprehensive visibility is of paramount importance."
Vigna said specific departments and lines of business are especially vulnerable to data breaches and should be identified and addressed by risk assessments.
"Payroll, tax preparers and the legal department can be the soft underbelly of a company," he said. "These services are often outsourced, poorly protected and can provide incredibly complete personal information to attackers."
For CISOs now wondering what they might be missing, experts suggest focusing on the fact that the CEO and board of directors will want to know where and how the company is positioned in comparison to leading standards, such as NIST or ISO, and what the company's level of security maturity is. They will also want to see that CISOs have developed a roadmap to address any security gaps uncovered.
As companies try to identify and close this gap, most find they lack comprehensive visibility beyond their core security logs. "Having a correlated picture across all relevant security data sources, along with an appropriate layer of behavior analytics can be a lifesaver," Dasher said.
As things become more complex, distributed and mobile, it's unlikely CISOs will be able to manage all things cybersecurity solely through internal means. Enterprises will likely need to outsource at least some of the effort to a firm that specializes in information security.
"Don't focus only on convenience at the risk of a compromise," said George Gerchow, director of security and compliance product management at cloud security vendor Sumo Logic.
Rather, CISOs and their supporting information security teams should focus on taking advantage of these tips and seek external support as a means to eliminate cybersecurity blind spots.
Read more on how cybersecurity insurance fits into enterprise security strategies
Find out what CISOs should include in security reports
Learn why a federal CISO could improve cybersecurity for the U.S. government