From the Summer 2017 Issue

A Case for Collaboration

Chris Castaldo
Senior Director of Information Security | 2U

In my many years of working in cybersecurity, I’ve found the only thing that can truly secure an organization is collaboration. The most important part of “people, process, technology” is the people. No one in their right mind would tell you it’s possible to prevent 100% of breaches, but through strong internal and external partnerships an organization can achieve useful security by collaborating to identify and address its cybersecurity risks. A shared understanding of those risks, acted upon, can significantly reduce both the likelihood and the severity of a breach.1 My intention is not to quote statistics or provide predictions, but to inspire those ultimately responsible and accountable for their organization’s cybersecurity risk to become agents of positive change.2

It is imperative to build and nurture cross-functional relationships within an organization. Over the past few years cybersecurity’s focus has, rightly, shifted from technical problems to business risk. At ShmooCon 2017 Bruce Potter pointed out, “Cybersecurity has turned into a societal problem.”3 As a societal problem, cybersecurity is now a concern for every facet of business. These risks must now be managed like any other, such as impending government regulation or market instability.

Security practitioners must partner with, not dictate to, the business. We need to move away from antiquated doctrines, such as mandating password complexity rules and similar criteria (rules that NIST’s 2017 guidance in SP 800-63B has since dropped, precisely because they burden users without delivering the security they promise). Such lines of thinking do not consider people and end-user experience. We need to recognize that we are providing a service, and the business is the customer. We should be looking for ways to make our services more valuable, and when clients complain about or circumvent those services, we must focus on improvement, not on blaming the customer.

Achieving such a partnership is challenging regardless of an organization’s size. A start-up with ten employees may not be aware that it carries cybersecurity risk, much less possess the experience to address it. A 250,000-employee multinational may have a cadre of cybersecurity experts who lack the ability to act as change agents. Both of these challenges have the same solution: collaboration.

A start-up’s flexible work environment can allow for great agility. To paraphrase Stephen Covey, keep the main thing the main thing, but keep risks in check.4 Every business has financial needs, but they don’t all need a CFO. The same principle applies to cybersecurity: organizations are scrambling to hire a CISO, but often fail to empower the position with the necessary support or authority. Given the demand for skilled cybersecurity experts, businesses have little leverage in the job market. Regardless of whether you hire a full-time employee or partner with a cybersecurity consulting firm, that person must be a collaborator.

The Problem

In the multinational example, the organization may have the requisite talent and skill but lack effective execution of the cybersecurity vision. Often, CISOs and engineers blame executives for inadequate resourcing, rejection of budget requests or failure to make the right hires. Whatever the complaint, the real issue is likely a lack of collaboration between the cybersecurity team and the business (i.e. the customer).

Ensuring that patches are up to date and that credentials are managed properly is a significant undertaking in a large organization. Consider the Yahoo breaches that came to light in 2016. Many in the cybersecurity industry immediately took to social media, blaming Yahoo for failing to prevent them. Many pointed the finger at likely failures, including inadequate patching, poor passwords, insufficient training against phishing and so on. What the avalanche of tweets did not explore was the possibility, and the impact, of limited collaboration.

Using LinkedIn as an investigative tool reveals that, at the time of the breaches, Yahoo had some of the best cybersecurity talent in the world on staff. Yahoo likely also had a vision, roadmap and plan in place, and had probably identified and accounted for many of the internal cybersecurity risks that lead to breaches. However, it is just as possible that key business decision makers did not fully understand those risks. If there was such a gap in shared understanding, it would indicate that the collaboration between business decision makers and cybersecurity experts was wanting.

Saying that a system must be patched or that a credential must be rotated may sound trivial, but when scaled to an organization with tens or hundreds of thousands of employees, it is not. Moreover, telling a system owner to patch a system is about as useful as a mechanic telling a customer to overhaul a transmission. At all levels, security experts must be collaborators and partner with teams across the business to manage risk. Business leadership must be convinced to buy what security is selling. The degree of formal structure does not change the need for collaboration: whether the organization runs an Information Technology Infrastructure Library (ITIL) change management program or uses ad hoc change requests, all stakeholders must have a comprehensive understanding of cybersecurity risk.

Often, when the business resists cybersecurity requirements, it is a failure of communication and perception management on the cybersecurity team’s part. In the face of such resistance, the cybersecurity stakeholders should ask themselves:

  • Did we “start with why” to motivate buy-in of the cybersecurity vision?5
  • Did we explain the risk and mitigation correctly?
  • Was the risk communicated in a meaningful way?
  • Did we really collaborate?

Focus on “We”

Internal collaboration is the biggest challenge. Cybersecurity relies on business stakeholders to execute the cybersecurity vision. Many organizations continually strive to remove silos within the business, and cybersecurity should be no exception. Creating cross-functional relationships is imperative to addressing cybersecurity risks as they are discovered. The principles of team building and cross-functional team success are no different when it comes to cybersecurity. The “we” is the most important part of a successful cybersecurity defense.

Focus on “Us”

Security professionals often display an “us vs. them” mindset toward other business functions. Effective cybersecurity practitioners redefine “us” to encompass all legitimate participants in an industry sector, and “them” as the malicious actors. Few organizations collaborate externally within their industry vertical, yet great value can come from doing so. Take the automotive industry, for example. It is massive, complex and multinational, with millions of employees worldwide. Its stakeholders face common cybersecurity risks, vulnerabilities and threats. These are powerful drivers for a willingness to learn from each other and to help others improve their cybersecurity defenses.

A variety of threats face individual organizations. Some are industry agnostic, like ransomware. Others, like nation-state Advanced Persistent Threats (APTs), are targeted, intending to steal intellectual property to give domestic industry a competitive advantage. By acting collaboratively, sharing knowledge and partnering on specific, strategic investments, a defense greater than the sum of its parts can be built.

Cybersecurity should not be a field where organizations in the same industry vertical seek competitive advantage. Instead, collaboration within the vertical should encourage robust cybersecurity for all.

Where We Could Be

If every automobile maker invested in penetration testing focused on the Industrial Control Systems (ICS) specific to its type of manufacturing, vulnerabilities would be identified more rapidly than they are today. This would support rapid threat intelligence sharing in the community and enable deeper analysis. Suppose Company A invested six months attacking a specific die machine used for making body panels. Companies B to Z may not all own that same machine; however, those that do can now redirect those testing resources to other risks. Similarly, Company A might benefit from Company B’s testing of equipment it shares with B.

What if those same companies invested in the same type of next-generation firewall? The entire industry would actively benefit from intelligence gained from every attack, improving the collective detection and defense capability. Such collaboration would stop attacks more rapidly and limit the scope of successful breaches by providing a shared awareness of vulnerabilities, threats, risks and mitigation strategies across the breadth of an affected vertical. There are also economy-of-scale benefits to be realized in pricing: more companies could afford advanced cybersecurity technologies and realize benefits similar to those of larger organizations. The trade-off is a monoculture: a flaw in the shared product, or a blind spot in its detections, is then shared across the vertical too, so the common vendor itself has to be treated as a common risk and evaluated as such.

Where do we start? If the organization has a roadmap in place, planning should focus on building relationships around the initiatives prioritized in that document. The vision should enfranchise every stakeholder. It is critical to get the C-suite and board members to buy in. Taking the time to build those relationships and to explain cybersecurity risks and requirements in terms an executive audience readily understands is imperative. The message should clearly demonstrate the risks and benefits to the business and, most importantly, it should resonate with the business audience.

Once an organization’s internal cross-functional team has been galvanized to action, it is time to focus externally. When exploring new products or services, always ask the vendor for references. When possible, these should come from the same industry vertical, and always from an organization that has used the service or product for some time. These are great relationships to foster, and they can be a basis for future collaboration. Reaching out to counterparts and putting an NDA in place will allow for a free flow of mutually beneficial information and knowledge.

Conducting industry-related cybersecurity roundtables, even remotely, and at all levels, from CISO to engineer, can spread best practices and align cybersecurity processes. When all organizations act as a collective sensor grid and communicate, all benefit from early warning of threats. The goal is an entire industry collaborating to defend itself as a whole, not in part.

We must move beyond traditional ISACs (Information Sharing and Analysis Centers) to something more comprehensive, along the lines of Credit Union Service Organizations (CUSOs).6,7 There is an endless supply of cybersecurity products on the market claiming to solve what has already been solved. Collaboration between cybersecurity teams and the business, and between businesses across an industry, is the change needed now. More tools and policies will not solve what is essentially a people problem.


Sources

  1. Meyer, A. (n.d.). Lessons from the Sony breach in risk management and business resiliency. NetworkWorld (IDG). Retrieved from http://www.networkworld.com/article/2867313/network-security/lessons-from-the-sony-breach-in-risk-management-and-business-resiliency.html
  2. Williams, D. (2015). Leadership for a Fractured World: How to Cross Boundaries, Build Bridges, and Lead Change.
  3. Potter, B. (2017). ShmooCon 2017 Opening Remarks, Rumblings, Ruminations, and Rants. Retrieved from Archive.org: https://archive.org/details/ShmooCon2017
  4. Covey, S. R. (2004). The 7 Habits of Highly Effective People: Powerful Lessons in Personal Change.
  5. Sinek, S. (n.d.). How great leaders inspire action. Retrieved from TED: https://www.ted.com/talks/simon_sinek_how_great_leaders_inspire_action
  6. National Credit Union Administration. Credit Union Service Organizations, 12 CFR Part 712, 64 FR 33187. Retrieved from https://www.ncua.gov/Legal/Regulation%20History/712F-64fr33187.pdf
  7. National Association of Credit Union Service Organizations (NACUSO). https://www.nacuso.org/