Infosec pros should be more aggressive in their cybersecurity strategies, an expert told this week’s MapleSEC conference.
That doesn’t mean hacking back or going after the infrastructure of threat actors, said Nick Aleks, senior director of security at fintech Wealthsimple. Instead, he said, CISOs and their equivalents have to stop being reactive to cyber threats.
Aleks was the keynote speaker at the latest MapleSEC conference, which is organized by IT World Canada and continues online today.
Unfortunately, Aleks said, most IT and security leaders have rigid cybersecurity frameworks and test systems irregularly. Taking a proactive approach to building a security program means expecting a breach will happen.”You’ve got to have a mindset of ‘when’ not ‘if'” you’re going to be hit, Aleks emphasized.
“Fighting back in security is a simple set of five core principles you can embed and adopt in your organization,” he said.
These include:
—taking a proactive attitude to cybersecurity. “It’s about thinking what you’re going to do when something bad happens, not trying to prevent something bad from happening. Your controls, your people and your strategy all have to be aligned to that.”
—taking a unified approach to cybersecurity. Too many organizations approach cybersecurity in silos, where information about threats is kept to certain departments. Not only should threat information be shared across business units, Aleks said, it should also be shared with other companies and law enforcement.
All staff must be involved in cybersecurity. Start by building a security champions program from different business units and have them join the security team. They will also be part of your attack response and containment strategy.
Sharing outside your organization is vital as well. “The problems you are facing today in your security program are not novel,” Aleks said. “Everyone outside your space is also facing those same issues.”
“It’s not OK to hoard intelligence,” he added. “Only when we come together can fight threat actors.”
—thinking in terms of Continuous Security Assurance. Don’t just implement new hardware/software/policies after an incident and expect that to fix things. Test your security controls regularly — at least quarterly — and rehearse your response to expected attacks.
You don’t necessarily need to invest in a breach attack simulation tool or hire a penetration testing firm, he added. Just look deeply at your last big cyber incident. Do more than find the root cause and ensure it doesn’t lead to another compromise. A post-mortem should allow you to see how effective you were, ask how your response could have been better. “Only then will we get really good at fighting fires,” he said.
—having a flexible security program. Enforcing security controls from the top down won’t always work. Instead, work with employees before they work against you. Find procedures that are most flexible, easy and simple for employees. Among other things, that will help get around shadow IT (using unapproved personal devices to connect to the corporate network). It will also empower employees and customers to work with security, not against it. Coming up with secure ways of doing something involves a conversation, he said.
—and having a program that stops being the department of ‘No.’ Build trust, not fear, among employees. Report on the benefits to customers of having a strong cybersecurity program.