By Andrea Di Fabio, CISO, Norfolk State University
Medium to large organizations are increasingly focused on governance, risk, and compliance as key disciplines to further meet their strategic goals and objectives. Recently, these disciplines have attracted such interest that the acronym GRC is now widely used among information assurance professionals. This is especially true for large organizations that are subject to federal, state, or other requirements. Smaller organizations, with limited IT and security budgets, often struggle to implement a GRC program. They may not have dedicated information security professionals or a formal risk management program, though they may be subject to the same mandatory security and privacy requirements as larger organizations. Regardless of the size of an organization, IT professionals are often well aware of the role that GRC, technology, and information security controls play in maintaining a healthy business. Nevertheless, technical security controls are usually the first to be implemented at an organization, sometimes even before the most basic security policies are developed, because they are often perceived as a quick way to immediately lower exposure and risk.
The Center for Internet Security (CIS) is a great resource for IT professionals looking for best practices in information security controls. Specifically, the CIS Critical Security Controls (CSC) for Effective Cyber Defense is a set of twenty actionable controls developed to reduce the risk of common cyber security attacks. Additionally, security vendors have done a good job developing and selling tools to address these controls. Firewalls, intrusion detection, vulnerability scanning, penetration testing, and other security tools provide detailed vulnerability information and remediation steps to cyber security professionals. These tools often provide integrated reporting dashboards. Additional benefit is achieved by feeding each tool’s metrics into a separate Security Information and Event Management (SIEM) system. Though it often requires much tweaking, a SIEM can provide colorful visual representations of an organization’s risk posture to cyber security professionals and senior leadership alike. Many, if not all, of the twenty critical security controls are well rooted in NIST 800-53, ISO 27002, PCI DSS, HIPAA, COBIT, FISMA, and other cyber security frameworks. Aside from CSC 17, “Security Skills Assessment and Appropriate Training to Fill Gaps,” 95 percent of these controls are technical in nature and focus on an organization’s technological infrastructure. These technical controls often intentionally map to the Open Systems Interconnection (OSI) model, which breaks technology into seven ordered layers, starting from the physical layer 1, followed by the network and logical layers 2 through 6, up to the final application layer 7.
With only 5 percent of the critical security controls centering on employees’ skill assessment and training, are cyber security frameworks and information security professionals not focusing enough on the human layer, often referred to as layer 8? The risk from recent high-profile data breaches, such as the Target and RSA SecurID compromises and many ransomware incidents, that are attributed to social engineering and weak business process controls can hardly be reduced by technical controls. There is no amount of preventive or deterrent technical and management controls that an organization can implement to thwart an attack aimed at surreptitiously manipulating a trusted insider, or to prevent a disgruntled employee from providing confidential information to a malicious actor. In an attempt to solve this problem, organizations often implement automated security awareness training programs, launch internal phishing campaigns, use social engineering toolkits, or monitor employees’ email link clicks and website access. This arsenal of layer 8 risk management tools is an independent and disconnected set of tools. The challenge cyber security professionals face is rooted in the lack of well-established processes and of effective, integrated enterprise tools capable of performing a comprehensive threat analysis of employees, customers, business processes, and business partners. Cyber security professionals must be empowered with tools to better manage risk at layer 8.
What organizations need today is a SIEM-like tool to aggregate all of these employees’ actions, score each action based on perceived risk, and provide the same colorful visual representations of layer 8 risk posture that we already produce for IT assets. At the same time, there is a need to correlate all of this information back into security awareness training tools to provide relevant feedback and tailor training to each employee. If this weren’t already hard enough, the process becomes exponentially more complex when applied to business partners, for which an organization may not have meaningful data points from which to formulate a risk profile.
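A minimal sketch of the layer 8 scoring idea described above, added here as an illustration and not any existing product or the author's own design: events standing in for phishing-simulator, web-proxy and training-system logs (constructed sample data) are aggregated per employee, weighted on an assumed perceived-risk scale, and mapped to the training modules that address what was observed. The event schema, weights, thresholds and module names are all assumptions.

```python
from collections import defaultdict

# Perceived-risk weight per observed action. Assumed values for illustration;
# negative weights reward behaviour that lowers layer 8 risk.
RISK_WEIGHTS = {
    "phish_click": 5,
    "phish_credential_submit": 10,
    "unapproved_site_visit": 2,
    "phish_reported": -3,
    "training_completed": -2,
}

# Training module that addresses each risky action (assumed mapping).
TRAINING_FOR = {
    "phish_click": "recognizing-phishing",
    "phish_credential_submit": "credential-hygiene",
    "unapproved_site_visit": "acceptable-use",
}

def score_events(events):
    """Aggregate events into {user: (risk_score, [suggested modules])}.
    Scores are floored at zero: good behaviour offsets risk, never banks credit."""
    scores = defaultdict(int)
    modules = defaultdict(set)
    for ev in events:
        user, action = ev["user"], ev["action"]
        scores[user] += RISK_WEIGHTS.get(action, 0)  # unknown actions score 0
        if action in TRAINING_FOR:
            modules[user].add(TRAINING_FOR[action])
    return {u: (max(s, 0), sorted(modules[u])) for u, s in scores.items()}

def risk_tier(score):
    """Bucket a score into the coarse tiers a dashboard would colour (assumed thresholds)."""
    return "high" if score >= 10 else "medium" if score >= 4 else "low"

# Constructed sample feed standing in for phishing-simulator, web-proxy and
# training-system logs; not data from any real organization.
SAMPLE_EVENTS = [
    {"user": "alice", "action": "phish_click"},
    {"user": "alice", "action": "phish_credential_submit"},
    {"user": "bob", "action": "phish_reported"},
    {"user": "bob", "action": "training_completed"},
    {"user": "carol", "action": "unapproved_site_visit"},
    {"user": "carol", "action": "phish_click"},
    {"user": "carol", "action": "training_completed"},
]

if __name__ == "__main__":
    for user, (score, mods) in score_events(SAMPLE_EVENTS).items():
        print(f"{user}: score={score} tier={risk_tier(score)} training={mods}")
```

A real deployment would replace the static weights with ones reviewed by the security and HR functions and feed the per-user module list back to the training platform rather than printing it.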
I am often asked what keeps me up at night. To that, I usually respond: “What gives me nightmares is a successful social engineering attack materializing because an untrained employee responds to a phishing email or follows a malicious link. Sometimes, in my nightmares, a disgruntled trusted insider willingly compromises the confidentiality, integrity, or availability of sensitive information my team worked so hard to protect.” Although I may not be able to end these nightmares, they might occur less frequently if I were able to better address my organization’s layer 8 risk posture.