Defense in Depth: What Should We Stop Doing in Cybersecurity?

Security professionals are drowning in activities. Not all of them can be valuable. What should security professionals stop doing to get back some time?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Jim Rutt, CISO, Dana Foundation.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor Thinkst Canary

Most companies find out way too late that they’ve been breached. Thinkst Canary changes this.
Deploy Canaries in minutes and then forget about them. Attackers tip their hand by touching ’em, giving you the one alert, when it matters. With 0 admin overhead and almost no false positives, Canaries are deployed (and loved) on all 7 continents.

Full transcript

David Spark

Security professionals are drowning in activities. Not all of those activities can be valuable. What should security professionals stop doing to get back some time?

Voiceover

You are listening to Defense in Depth.

David Spark

Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series and joining me for this very episode is Steve Zalewski. Steve, could we hear the sound of your voice?

Steve Zalewski

Hello audience, looking forward to another Defense in Depth episode.

David Spark

Our sponsor for today’s episode is Thinkst. Do you know that Thinkst was one of our very first sponsors of the CISO Series? Great to have them back again. You may know Thinkst because they do those Canary deception devices. So know when it matters! Which probably is early on. Anyways you’re going to hear more about Thinkst and their deception technology later in the show. But Steve, I actually posted this question on Twitter and we were talking about it in an old episode and we said ‘oh this would be a great episode all on its own.’ And what tool or process should we stop doing to get back time? In essence, what is the most, as you said, ineffective, inefficient, obsolete time waster you would get rid of if given the chance? And the thing I thought was interesting, you said ‘if we had a magic wand.’ Thinking that that’s the only way we’re going to get rid of this is if we had a magic wand. So I’ve collected the best responses and I’m eager to get you and our guest’s response on this. What was your first take?

Steve Zalewski

So, when I posed the question like you said, I did the magic wand because my objective here was we’ve got to get outside the box, right? Everything we do in security adds some value. It’s all insurance policies and so kind of my visualization was I’m now sitting here looking at a hundred different insurance policies I’ve taken and I’m spending an awful lot of money and time on it. And at some point you have to just say I can’t do that anymore because I need to do new things. So, how do I make the magic wand? What do I want to go away? In order to be able to realize this is not an easy question but it’s a brutal question that we really have to start to answer right and be honest with ourselves.

David Spark

Excellent point Steve and I’m thrilled that you suggested our guest for today’s episode to discuss this and it is Jim Rutt who is the CISO over at the Dana Foundation. Jim, thank you so much for joining us.

Jim Rutt

Thank you David, pleasure to be here.

Does anyone have a better solution?

00:02:38:19

David Spark

Yaron Levi, CISO over at Dolby said “any tool that I can move to the cloud and consume it as SaaS or PaaS will be a candidate. I’d rather not spend security resources on doing system administration of boxes.” And Jerich Beason, CISO of Epiq, he also echoes that feeling: “hardware and OS maintenance of servers and appliances hosting security tools. If it can safely and securely be done using a cloud-based solution, I will go that route any time.” And Carlos Rodriquez adds “anything homegrown that needs a lot of resources to maintain.” So very much adding to what Yaron and Jerich said but there’s more to Carlos’s comment as well. Steve, your take on this?

Steve Zalewski

So what I really liked about these answers was I always think about it as people, process and technology. And what you saw here was a really nice blend of ‘is there a way that I can simplify the operations of my infrastructure that will potentially save me money? It will save me time, it will potentially save me people.’ So I thought a very practical way for everybody to just take a sweep through your organization and make sure there isn’t some low hanging fruit here that you can take advantage of.

David Spark

And Jim, this seems like just really the reason the cloud has taken off for simplification and taking things off of my plate, yes?

Jim Rutt

I totally agree with what Steve had mentioned but I think the first statement really encapsulates a lot of the core savings from a cost perspective. But also with the added benefit from a security mindset would be the reduction in attack surface for your organization because it implies that you have far fewer artifacts and far fewer items to have to defend against. And the second point that I’d like to add there as well is it simplifies the discussion of your attack surface, your infrastructure etc. with peers that may not be as technically savvy and it makes it much easier to discuss, you know, your risk posture in a more story-like fashion rather than trying to go through a bunch of technobabble.

Steve Zalewski

Excellent point. Damn, I’m glad I had you on Jim.

How do we go about measuring the risk?

00:04:59:04

David Spark

Yaron Levi again, CISO over at Dolby said “those security rating tools that scan third parties from the outside and assign a score with no context. Dealing with the aftermath of those is a huge waste of time that continues to grow unfortunately.” And Jonathan Waldrop over at Insight Global said “third party risk reviews. They are ‘necessary’ from a due diligence standpoint but they’re not really that helpful in preventing or predicting a breach or incident.” And David Elfering over at ReSource Pro said “Due diligence questionnaires.” So there’s been a lot of backlash against third party risk management scores but at the same time we need to know about third party risk, yes Jim?

Jim Rutt

I totally concur with the statements here especially with the services that are well known in the marketplace. I think there are limitations obviously when you’re trying to measure risk from the outside in as well as relying on, or over-relying on, the typical risk frameworks that are currently very popular out there. I think one of the things that I’ve been trying to promulgate or try to promote more and more is to enhance these purely quantitative risk frameworks with a more qualitative story-based enhancement or enrichment because they make a lot more sense in terms of inputting context to the board. You know, as we all know the board and the executive suite are the ultimate arbiters of what acceptable risk is for our organizations respectively. We always have to look in terms of measuring our risks, be it a register or otherwise, to align to what they want and they are not going to be able to give us a proper read on what risk is acceptable unless we’re very good at communicating it with them in a very easy manner.

David Spark

So Steve, there is this backlash against the rating numbers but at the same time if we’re going to ‘drop this’ we need to still worry about third party risks. So if we’re removing it, what are we going to do that is going to be as simple as just looking at a number to see how secure or not secure someone is?

Steve Zalewski

So I’m going to take the question a slightly different way because the way you said it is a legitimate question and what Jim said is true as well. But this topic is about ‘how do you simplify? What do you stop doing in order to do something else?’ And I think the point here is we’re required now to measure more and more third party and imputed fourth party risk as you’re becoming cloud centric or cloud neutral or cloud enabled. And everybody is saying it’s hard. Well, what good is a due diligence questionnaire because we all know that the answers don’t mean anything, it takes a lot of time and we chase everybody. And yet the tooling that’s out there to do third party risk is immature. That’s what I mean, hard question. Stop doing the questionnaires. Leverage the immaturity of the tooling that’s out there to be able to at least have the conversation that while I’m responsible for the third party and fourth party risk I have very little visibility and very little ability at this point to manage it as a result of digital transformation. That’s okay and that’s allowing you to stop wasting time on something that everybody knows really doesn’t work but that we all feel obligated to provide some evidence that we follow due diligence. It’s a hard conversation to have but it’s an example of where I’d say if you are really up against the wall that’s an interesting conversation you can have with yourself and your team.

David Spark

I agree wholeheartedly here but going back to the original theme of today’s discussion, we’re trying to make things easier and I don’t think things would be easier here. I think it would be a hell of a lot more complicated, yes Steve, Jim? I’ll get both of your quick comments on this.

Jim Rutt

Well I would totally agree but I think it goes in line with the common thinking that automating any kind of aspect of any kind of these conversations or measurements is the only way to get an accurate source of that truth so to speak. It might turn out that by automating a lot of these things we’re actually making it a lot more difficult because we really can’t rely on the efficacy or the fidelity of these measurements. And I think yes there is a perfect place for automation in most organizations. I think where it is over utilized is in the most, I would say the soft center of all our organizations when it comes to risk management which is the human factor. I think it’s very important to understand that business alignment is certainly one very important item for any CISO to make sure that whatever they’re doing within their programs within the risk management is perfectly aligned. But I think you have to move from business alignment to more of a business intimacy posture where you really have to understand, like Steve said, the people and the process of that triad of people, process, technology. Because all these different elements of attack surface or internal or insider threat, a lot of that stems from the lack of understanding, not only what our internal users do but why they do it and how they interact with each other. And we can’t sit in the hothouse anymore and just rely on automated tools; automated phishing tools is one of the biggest things that come to me. It’s great to measure these things, it’s great to use them but to make those the sole arbiter of risk posture management as to how we are educating our end users in this area is more than that.

Haroon Meer

I think most CISOs already know that part of the problem is everyone thinks security is a hot area. Every technology company now wants to be a security company because it is hot.

Sponsor – Thinkst

00:10:58:06

Steve Prentice

This is Haroon Meer, founder of Thinkst. His company is famous for the Canary, a unique technology that runs in the background everywhere waiting for intruders and detecting them before they dig in. His concern is that CISOs today have a hard time separating truly great security products from noise.

Haroon Meer

In a market that already had too much noise you now get more noise and it becomes really hard for practitioners to tell the difference. One of those that I feel particularly strongly about, and I think CISOs can help do something about, is the number of products that subscribe to fake awards. If you know your vendor will be dishonest to make a sale, like why would you choose them as your vendor? We’ve accepted stuff like that for a really long time and I think CISOs need to push back on that stuff. Most of the people who got into security got in with some piece of idealism where you kind of want to make the world a better place. And this is one of those places where I think CISOs can correct things with their money. They can nudge that back to normal.

Steve Prentice

For more information about Thinkst and Canary visit Thinkst.com. That’s Thinkst.com.

What aspects haven’t been considered?

00:12:25:21

David Spark

Jonathan Waldrop of Insight Global again said “The sales cycle. There’s so much time spent on the song-and-dance.” That one I think we all wholeheartedly can agree on. I think he might have the winner right there. Abhishek Singh of Araali Networks said “Could we all agree to retire passwords and the policies around them?” I know there’s a lot of passion around that. And Devin Ertel, CISO over at Menlo Security said “compliance ‘check the box’ activities that do not actually reduce risk.” So these are three random ones. Steve, your take on these and by the way are there other random ones that we have not discussed that you would suggest?

Steve Zalewski

So what I liked about this was it wasn’t to simplify, right? The challenge was wave your magic wand to do less so that you can figure out where to focus on the most important insurance policies that you have to take to protect your company. And I think these three are great ‘out of the box’ ways to really understand what we were driving at with the question. Every one of those nobody will argue is an insurance policy but it is low value and so this is where I would say you sit down with your team and you say ‘what are we going to do about sales and marketing and all this stuff coming in? Are we going to sinkhole a lot of this stuff automatically? What are we going to do for the overall organization to reduce that time sink?’ I think it’s great about compliance and check the box. My goodness, think about the manual processes many people have to do for their annual assessments where you can just realize it’s not worth it but you can accept the risk because you have compensating controls. And you can save ten or 20 or 100 or 200 man-hours to be able to focus on something else. So I think what I liked about this was here were three great ways to start that ‘out of the box’ thinking with your teams to be able to figure out how you do less.

David Spark

Jim, your take on these.

Jim Rutt

I would totally concur with what Steve said especially with these rather rogue automated processes around paperwork and check boxes that rarely, if ever, are scrutinized to any level of detail. I think it’s just a matter of being in this certain habit of just collecting the data, thinking by the mere collection of it they impute some kind of level of risk management or risk mitigation. And I think it’s certainly time once again, and I don’t like to beat the dead horse, to make it more conversational between parties and counterparties about the real risks that are perceived and known in these relationships. Make it quick, make it short, have the proper metrics where needed but make them relevant.

Steve Zalewski

Hear, hear.

This problem doesn’t end here.

00:15:27:06

David Spark

Mark Wojtasiak of Code42 said “stop blocking legitimate work and stop blaming how users work.” By the way many people echoed this last one, like Andrew Lockhart of Efani: “stop blaming end users.” And Mike Katz-Lacabe said “stop chastising users when our controls fail to protect them.” And lastly, Abhishek Singh again from Araali Networks said “Tough question though!” Which is essentially our initial question of what to stop doing because “no wonder security is so hard, it’s difficult to retire anything.” And I think that is the theme and why you had to use the word ‘magic wand’ Steve, isn’t it?

Steve Zalewski

Yes. And what…

David Spark

But may I ask you this, before we go on, have you successfully retired anything?

Steve Zalewski

Yes but not for the reason that you would think.

David Spark

Okay.

Steve Zalewski

So, we didn’t retire something because it no longer was useful. What we were able to do is we would retire some products because we replaced them with superset products as our posture changed. And therefore we were very conscious of understanding when we were purchasing a product that we might only be using it for a year or 18 months. But that gets you into a lot of trouble potentially with CapEx/OpEx in how you spend and that gets to the conversation of efficiency versus effectiveness. So yes we did multiple times but it wasn’t without us first understanding the arguments that we were going to take to be able to show how we were effectively protecting the company, not just trying to secure our company.

David Spark

Jim, I’m throwing this to you.

Jim Rutt

So to follow on Steve’s lead there, and he laid it out so ably, I think we get to a point where we use these tools and the data or whatever perceived value that comes out of them certainly gets limited to a point where we start to question why we even pay the maintenance on these tools much less the fees for them. But in terms of looking at some of the items here in terms of blaming end users and chastising end users, I think it’s high time that we start forming allyships with our end users rather than segregating ourselves in our own little hothouse. And realizing that our end users, at least this is my perception, is that they are hungry to get involved in these things based on the types of stories that they read just in the mainstream news about all these different security events. They just don’t know how. And with not a lot of effort but a lot of commitment from our perspectives as practitioners we can enable them to become great allies and great effective controls in and of themselves in this crazy world that we find ourselves in. We don’t do that enough.

David Spark

Do you think it has actually become easier this past year? Because one of the things I have noticed, especially in 2021, I mean we definitely saw it in the previous year, but this year the amount of cyber news in the mainstream was explosive in 2021. As a result I’m sure end users have seen it all and read a lot of it; has this conversation become easier as a result, Steve?

Steve Zalewski

No, it’s become more common but we’re not good yet at taking the opportunity to have these conversations and focus them as effectively as we can to wave the magic wand. Now what I would say is every time the conversation starts with ‘are we secure?’ or ‘are we safe?’, which is most of the conversations, that is not the one that you can answer. Are you prepared to be able to say ‘well, here’s what I can do to protect the company, here’s the investments, here’s my insurance policies, here’s what I’m stopping doing because it is just not effective enough compared to something else I could do’? Treat security like a business that’s supposed to enable the business, not just secure the business. And really be a business partner where you think about your profit protection or loss prevention as opposed to audit and compliance reporting.

David Spark

Jim, going back to my original question to Steve, I mean you can echo or comment on what Steve said but I want to know if all this news has helped the conversation or hurt the conversation?

Jim Rutt

I think it has helped, at least from the perspective that the mainstream media is doing half the work for us. They’re at least bringing these issues to the forefront, to the everyman, to our end users where they typically would not know about these things or haven’t known about them say ten, 15 years ago. But I would totally agree…

David Spark

By the way I would say two years ago even.

Jim Rutt

I concur. But I would concur with Steve as well that we’re not taking the ball and running with it from that perspective towards the goal line, which is to get them more either educated or more ready to be able to close that gap, because this is still the largest gap that, in my personal opinion, there’s no tool or automation that’s going to fill in and of itself. It requires work, dedication, community building and understanding the power of relationships and education to help stop this madness.

Closing

David Spark

Agreed. Well let’s wrap up the show at this point and this is where I ask both of you what your favorite quote was and why? And I’m going to start with you Jim. Do you have a favorite quote and why?

Jim Rutt

I like Yaron’s quote about using tools that could be moved to the cloud. We were a very early cloud adopter. We had started about eight or nine years ago, believe it or not, and finished our journey about six or seven years ago. And I totally agree it makes life so much easier for the reasons that I talked about previously but as well as the fact that it’s just easier to run in any kind of business interruption situation, of which I think we just had a minor one for the past couple of years. But in the New York area where we are this is actually the fifth major one in the past 22 years. So it’s nothing new and I’m glad this paradigm is finally coming to light, people are leveraging it. I certainly am a proponent.

David Spark

Steve?

Steve Zalewski

So I’m going to go with Devin Ertel, CISO at Menlo Security, great guy. And “compliance ‘check the box’ activities that do not reduce risk.” That is a sacred cow in many companies. It’s where the money comes from for security but it’s also a great place where there are inefficiencies as a result. And if you as a CISO are trying to protect your company, go ahead and take a look there. And I’m going to bring in Log4j. It was a while back but how many people are still fighting it at this point because they’re trying to determine how they’re going to manage their legal and regulatory compliance, and that’s a whole lot of ‘check the box’ process where they need to figure out enough is enough. And so I say this is a great opportunity to realize to dig in somewhere that’s gonna have a lot of potential opportunity to wave your magic wand.

David Spark

Excellent. Thank you very much Steve, thank you very much Jim. I want to thank our sponsor Thinkst. They are the makers of the Canary tools, we love those.

Jim Rutt

They’re awesome.

David Spark

And we love Thinkst as well. I believe their canary.tools is how you can actually get to them. But I’m going to let you Jim have the final word. Steve, any last thoughts?

Steve Zalewski

I just want to thank Jim, great topic right? Wave the wand, I thought some great ‘out of the box’ thinking. I really appreciate Jim, you taking the opportunity to join us and provide some feedback.

Jim Rutt

Steve, it’s an honor to follow you in any way, shape or form, especially on all of these round tables. As a final thought, once again I’m just going to harp on the fact that we as security practitioners definitely need to understand that we have to be more integrated, more intimate with our business operations and to foster a more whole sense of community when we’re discussing these very, very important issues. And they are going to keep coming and we have to be readier and we have to be on top of this stuff, and I think the best way to do it is as an army, not as a solo.

Steve Zalewski

Well said.

David Spark

We’re behind you on that one. By the way, are you hiring over at the Dana Foundation, Jim?

Jim Rutt

Not yet but you never know. Come 2022, yes.

David Spark

Okay. Well thank you very much Jim Rutt, who is the CISO over at the Dana Foundation, and my co-host Steve Zalewski. And I also want to thank all our listeners for supporting the CISO Series and our show. So thanks as always for your contributions and listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.