Aug 05 2020

Black Hat 2020: CISO Summit Advisory Board Members Reflect on the State of Security

Learn how industry leaders are navigating a perfect storm of cybersecurity challenges.

Cybersecurity is always evolving, and that evolution has rapidly accelerated as much of the world has shifted to widespread remote work. As part of Black Hat USA 2020, BizTech spoke with advisory board members of the event’s CISO Summit about the state of the industry. Wendy Nather, head of advisory CISOs at Cisco’s Duo Security; Trey Ford, vice president of trust and strategy at Salesforce; and Justine Bone, CEO of MedSec, discussed current security trends, the evolving role of the CISO and what they believe businesses should be preparing for.

BIZTECH: What would you consider the biggest cybersecurity challenge facing organizations today?

NATHER: Even in periods of stability, it’s a challenge for organizations to keep up, and right now many of our assumptions and priorities are being turned upside down. Remote access, supply chain problems, business losses and lack of physical and cross-border access are front and center for most CISOs.

FORD: As cloud migrations pick up steam, I’m specifically concerned about how critical-path control sets (e.g., monitoring and logging) are being shared and managed. While third-party specialty service providers are generally a good thing, they create new dependencies, failure modes and obstacles for recovering from unplanned outages.

For example, companies typically have different teams building infrastructure as code in the public cloud than the ones responsible for building apps on top. The systems and services in use out in the public cloud often have a lot more surface area in terms of third-party and open-source libraries, as well as public API endpoints you no longer control.

BONE: Upgraded technology stacks, when chosen carefully, will typically raise security standards, with fundamentals such as strong encryption and authentication built in. However, when adoption and deployment happen in a hurry, the resulting complexity and a lack of cohesive management introduce new layers of exposure, much of which remains misunderstood until some kind of incident occurs.

The rapid selection of technology vendors and solutions, without normal due diligence, can result in shadow IT at best and insecure/low quality platforms or backdoored infrastructure at worst. Already vulnerable companies pressured to respond quickly to the pandemic have inadvertently further exposed themselves in a rush to enable business continuity.

BIZTECH: How has the pandemic impacted how organizations have to think about security?

NATHER: Many security models assume a certain amount of physical proximity — for example, being able to verify a staff member who calls the help desk because they’re calling from an internal PBX [private branch exchange] line or walking over. Or they assume that a new employee being onboarded can go to the security department, have a picture taken and receive an ID badge.

Even something as simple as shipping and receiving won’t work now if nobody’s at the building. And I doubt that anybody thought about the idea that shared fingerprint readers would be dangerously unsanitary. So, organizations have to face these outdated assumptions, work around them (like setting up a virtual onboarding process) and be prepared to adapt again in the future, because nobody’s sure how the current state will play out.

FORD: There’s nothing more important than nailing the basics by practicing good cyberhygiene and diligently managing your assets as part of remote systems and work environments. Improving identity controls and improving quorum-based protections for sensitive systems and processes has never been more critical. The security and privacy considerations of every human interaction between employees, at the water cooler or elsewhere, have escalated to the extreme: Literally everything is “on the record” as more and more business exchanges happen on video calls, chat and other corporate systems.

BONE: Companies have rushed to enable a remote workforce and deliver solutions to remote customers, and in our haste, we have introduced new exposures. Systems that may have been considered secure or safe to operate within controlled environments are now operating in homes, beyond the control of the company CISO.

But if security had to temporarily take a back seat, there is a silver lining. This is an opportunity for CISOs to contribute to the business at large — not just modernizing infrastructure but understanding major company initiatives in general. This is a CISO’s chance for a leg up, if you will.


BIZTECH: How has the role of the CISO evolved? Have CISOs been integrated more into executive leadership?

NATHER: Because of increased cloud use and outsourcing, CISOs today have to be skilled at security management by contract. They have to negotiate terms and conditions right alongside the legal and procurement teams. They have to assess and monitor the service providers’ security. They have to deal with breaches that ripple through the supply chain even if their own organization isn’t directly involved.

They can’t just solve a security issue by walking into the data center and logging in to the console. In some cases, CISOs now enjoy a better seat at the boardroom table, but in other cases they are still struggling to be heard over the business imperatives.

FORD: The CISO is any organization’s most visible customer-facing advocate for privacy, diligence and honoring customer trust. CISOs are leading the charge when it comes to making hard conversations around security safe and transparent — communicating both success and failures.

Internally, the best CISOs are partnering and engaging deeply with their engineering teams working on public cloud infrastructure by creating collaborative guardrails and user-friendly security services for identity, logging, monitoring, alerting and incident command partnerships with the business. CISOs are also helping audit committees address more nuanced issues as part of a renewed commitment to transparency.

BONE: The role of the CISO was once considered a technical leadership role — sitting alongside the heads of engineering or product management for example, reporting to the CIO. In much of corporate America, this structure still exists and needs evolution. Under this structure, even if a CISO has access to executive leadership, it will most likely be for incident management purposes and will be a one-way briefing scenario.

We have learned in recent years that this is not a sufficient approach for tackling companywide cybersecurity risks, which requires a holistic and strategic approach. In companies that recognize this, the CISO’s role has evolved to require a range of abilities, including communication skills and business acumen. These CISOs are not only reporting directly to the CEO or the board but are key members of the executive team, actively involved in company business, the development of company assets, understanding and navigating risks — and, perhaps most important, helping drive culture.


BIZTECH: What is the next big threat that organizations should be looking to defend against?

NATHER: Attackers will find it easier to take advantage of diminished social cohesion in a workforce that never meets in person anymore. It will be more straightforward to scam people by calling them at home and claiming to be from the IT department; gaining credentialed access to systems will be more likely to go unchallenged when people don’t see each other every day and new employees are added but only seen when they’re invited to videoconferences.

Visibility gaps can grow when the workforce is distributed, there’s more BYOD due to supply chain problems and local ISPs sit between the corporate security team and the workers at home. Next-level intrusion and impersonation are the threats to watch out for.

FORD: In my opinion — and the examples are many — we should all be wary of “god mode” control planes built for in-house power users. “Do and check” audits won’t work; we need to think about pairing-required power user modes, or “double do” scenarios, where two folks compare their proposal for action. Customers will eventually, and justifiably, demand insight into what was done to and for their accounts.

BONE: Beyond targeting weak infrastructure and systems, threat trends typically follow technology trends. Artificial intelligence is a good example. As AI and machine learning become embedded in all sorts of systems, so too do our areas of exposure. AI can be used to build security solutions, but it can also be circumvented, tricked, retrained and compromised. AI/ML systems are relatively immature, and with that will come vulnerabilities that we are only beginning to understand.
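Ford’s “double do” suggestion for “god mode” control planes, where two operators must independently propose the same action before it runs and customers can later see what was done to their accounts, is a two-person-integrity rule that is easy to sketch in code. The block below is an added example written for this page, not code from the interview or from any company named in it; the operator names, account identifiers, action names and the idea of keying proposals on an SSO-supplied identity are all constructed for the illustration.

```python
"""Two-person ("double do") gate in front of a privileged control plane.

Added example, not code from the interview or from any company named in it:
the operators, accounts and action names below are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Proposal:
    """One operator's proposed action against one customer account."""
    actor: str                      # operator identity (assumed to come from SSO)
    action: str                     # e.g. "reset_mfa" (constructed name)
    account: str                    # customer account the action touches
    params: dict = field(default_factory=dict)

    def digest(self) -> str:
        """Canonical hash of WHAT would be done, excluding WHO proposed it,
        so two operators' proposals can be compared byte for byte."""
        body = json.dumps({"action": self.action, "account": self.account,
                           "params": self.params}, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()


class TwoPersonGate:
    """Runs a privileged action only after `required` distinct operators have
    independently proposed the identical action; keeps a per-account audit trail."""

    def __init__(self, required: int = 2) -> None:
        self.required = required
        # digest -> {actor -> proposal}. Keying on actor means one person
        # re-proposing the same action never counts as a second approval.
        self._pending: dict[str, dict[str, Proposal]] = {}
        self.audit: list[dict] = []

    def propose(self, p: Proposal) -> str:
        d = p.digest()
        self._pending.setdefault(d, {})[p.actor] = p
        self.audit.append({"event": "proposed", "actor": p.actor, "action": p.action,
                           "account": p.account, "digest": d})
        return d

    def execute(self, digest: str, handler: Callable[[Proposal], None]) -> bool:
        """Run the handler if quorum is met; otherwise deny and record why."""
        proposals = self._pending.get(digest, {})
        if len(proposals) < self.required:
            sample = next(iter(proposals.values()), None)
            self.audit.append({"event": "denied", "digest": digest,
                               "account": sample.account if sample else None,
                               "approvers": sorted(proposals), "needed": self.required})
            return False
        p = next(iter(proposals.values()))   # all entries are identical by construction
        handler(p)
        del self._pending[digest]
        self.audit.append({"event": "executed", "actors": sorted(proposals),
                           "action": p.action, "account": p.account, "digest": digest})
        return True

    def history_for(self, account: str) -> list[dict]:
        """Customer-facing view: everything proposed or done to one account."""
        return [e for e in self.audit if e.get("account") == account]


def demo() -> dict:
    """Constructed scenario: a matching pair, a self-approval attempt and a
    mismatched pair. Returns each execute() outcome plus audit counts."""
    gate = TwoPersonGate()
    executed: list[tuple[str, str]] = []

    def handler(p: Proposal) -> None:
        executed.append((p.action, p.account))

    # 1. Two distinct operators propose byte-identical actions: allowed.
    d1 = gate.propose(Proposal("alice", "reset_mfa", "acct-123", {"reason": "ticket-42"}))
    gate.propose(Proposal("bob", "reset_mfa", "acct-123", {"reason": "ticket-42"}))
    ok_pair = gate.execute(d1, handler)

    # 2. The same operator proposing twice is not a quorum: denied.
    d2 = gate.propose(Proposal("alice", "disable_account", "acct-456"))
    gate.propose(Proposal("alice", "disable_account", "acct-456"))
    ok_self = gate.execute(d2, handler)

    # 3. Proposals differing in one parameter hash differently: neither reaches quorum.
    d3 = gate.propose(Proposal("alice", "grant_role", "acct-789", {"role": "admin"}))
    gate.propose(Proposal("bob", "grant_role", "acct-789", {"role": "viewer"}))
    ok_mismatch = gate.execute(d3, handler)

    return {"pair": ok_pair, "self": ok_self, "mismatch": ok_mismatch,
            "executed": executed, "acct_123_events": len(gate.history_for("acct-123"))}
```

The digest deliberately excludes the proposer, so agreement is judged on the action alone, and the pending table is keyed by actor, so a single operator cannot satisfy the quorum by submitting twice. The audit list is the part that answers Ford’s last point: `history_for()` gives one account’s owner the proposals, denials and executions that touched it.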
