The Wire caught up with Randy Gross, CISO of IT association CompTIA, to get an update on the state of cybersecurity. How well are computer networks protected today – and tomorrow?

Randy Gross, CISO CompTIA

Randy, let’s talk about the obvious first. There were more than 21,000 new security vulnerabilities published by the National Vulnerability Database in 2021. There are estimates that more than nine out of ten organizational networks could be seriously compromised in a cyberattack. How do you sleep at night?

Understanding the classification of your data as a part of your overall security strategy is really the only way you can. Since the whole notion of the hard perimeter and soft middle is gone, you must systematically go through all the assets and risks that your business has. Most likely, there are a few things that you care a whole lot about, and there are a lot of other things that you care much less about. The way you sleep is that you do everything you can to make sure that your network and data are secured from as many variables as you’ve got. Because we have been living in a zero-trust mode of connectivity for some time now, you really must understand your data even more than you had to in the past to see where the real threats are and how you can protect yourself against those particular threats. If you’re able to do that, that’s how you sleep at night.

Do you think that COVID-19 has impacted the way organizations think about their cybersecurity? Are we more or less secure than before the pandemic?

Depending on the vertical you’re in, I would say the risk isn’t necessarily greater, but a little different. Keep in mind that the attitude toward cybersecurity has changed substantially over the past decade. I am not aware of a person who has said anything other than it’s a question of when versus if. It’s a cliché because people say it so much, but it’s true. What you don’t want to happen is that when a breach occurs, it’s a death blow that you cannot recover from.

Let me stay here for a moment. COVID-19 has forced many organizations to take more of their business operations online, probably much faster than they had anticipated. One of those concerns could be substantially more remote working and remote access to company networks. We could suspect that this changing environment may have created a much less secure environment for companies and their employees and, as a result, for their business.

For an average SMB that is dealing with customer lists and invoicing, I don’t think it is terribly riskier than it was, provided that there has been some basic protection in place already. For example, multifactor authentication and managing access privileges to assets have been far and away some of the best defenses. In regulated industries, we are aware of varying degrees of changes and challenges. For example, in certain places, people still are not allowed to have access to data through their phones — and while some of that is security theater, some of it does matter in terms of the data you’re sending around versus the data you’re not sending. Every industry must evaluate this scenario a little differently. But overall, I believe that the risks are similar; they are just in different places. I am not aware of a massive change in security risks as a result of people being at home.

So, would it be accurate to describe the period we’re living in as an environment of more theoretical threats but not many that have materialized as a result of the organizational changes that were accelerated by COVID-19?

Yes. For example, there is the notion of whaling, a tactic to specifically target senior executives through emails, as well as spear phishing that targets specific individuals or departments within an organization in an attempt to steal information. Sure, these are threats, and attackers may go after people on home networks, but there are easier and more common ways to attack a network and obtain a high reward.

But to contain this risk, it means that you need to focus on keeping your staff trained and alert. It’s not a secret that a trained employee is your first and often most effective line of defense. With this ever-changing landscape and increased focus on security, would it be reasonable to assume that there is a risk that training may become too much of a routine and that security fatigue will develop?

Training your employees every year is important. We’ve learned that people only feel fatigue in training when they feel manipulated. You must respect people’s intelligence and allow them to make mistakes and learn from them. Training should never be punitive or make people afraid of making the wrong decision. It’s much more effective for an organization to teach skepticism than instill a fear that someone could lose their job.

Let’s talk about a threat category that has been gaining a lot of attention lately: supply chain attacks, in which an attacker would gain access to a company network through a vendor. Do you share this concern that supply chain threats will create more than just headaches for security professionals that protect company networks?

Absolutely. The attacks on Kaseya and SolarWinds come to mind. The impact across the entire industry was substantial: You don’t realize how much you trust others until something happens to you — and you really must take inventory of whom you trust with what. When you consider supply chain attacks, you automatically must consider your cloud environment as well and what data could be exposed. As with so many things in your security landscape, cloud can be more secure, but it also comes with different levels of risk. The way you think about supply chain attacks is to think about what is invisible to you that you take for granted. Those are the vulnerabilities that get attacked. And this is how we think about everything we do in our organization.

Even if you identify the invisible, are you always able to reach it and control it? What is your leverage if you can’t reach and secure those vulnerabilities?

You must look deep into your supply chain to find out who among your suppliers may have an issue. What was surprising to us with the Log4j attack was that some organizations sent out statements within a day declaring that they were clear. There’s no way that we can do that today, considering the way we’re interconnected. Realize that we may never be able to issue a clean bill of health simply because of the downstream impacts. That said, your approach should always be to keep looking for new solutions and new vendors who are more forward-facing than what you have in place today. For us, the turnover in our tech stack is surprisingly high. We may have had something that worked well three years ago, but the threat landscape has changed, and there’s now someone who makes something else. There is this notion of nonstop curiosity and an approach to keep looking for things as you’re moving forward. And: you never put your crown jewels in places you can’t reasonably defend.

When we hear about catastrophic cybersecurity attacks, we typically hear about those that involve prominent organizations, massive numbers of accounts being compromised and/or massive financial rewards. As an organization, do you or can you communicate with an attacker that you’re not worth being attacked or that it would take a huge effort to gain access? Similar to a security sign that you put in your front yard to deter burglars?

For our company specifically, I would not know how someone would judge us. However, the way you decrease interest is to reduce your attack surface. You make it a little harder to get in than it is with the next guy. Realistically, your security is always inferior to what attackers can do. The cost of an attack is always asymmetric to the cost of protection. Sure, you can spend an unlimited amount of money on your security, but it’s more important that you make the right bets. Strategically thinking, remove yourself from the level of absolute bare-bones protection or no protection at all. Secure the most commonly attacked vectors, and you are off to a good start. That helps you get to a point where there is a reasonably solid security approach. When your staff is a risk factor, invest in training and understand how many calls or emails it takes to get into your network and aim for your staff performing better than anyone else.

What are the three things that you as CISO look at first to assess an organization’s cybersecurity readiness?

The very first thing you do is to understand the business and the associated risk: What is the business trying to accomplish? What risks do I need to avoid, minimize or eliminate? Where are the crown jewels of the business? Second, you need to understand the response processes in the case of an intrusion, such as business continuity and disaster recovery. What are the major systems and processes that need to be restored and recovered? Third, you need adequate protection for the things that matter the most, which would include, for example, backup processes to protect you from ransomware. What are you backing up; what is your attack surface; who has access to what? This knowledge is key to your capability to defend yourself. You know exactly what it is that keeps your organization running, and you know that you can restore critical infrastructure when you need to. You’ve tested it, you know that it works, and you know who is doing what.

Would you consider such an approach to be only needed for the most targeted organizations, or would you consider it a minimum standard of cybersecurity protection for any company network today?

It is what we expect to be in place today. The whole idea of business impact analysis, business continuity planning and procedures, disaster recovery planning and procedures, policies around cybersecurity for staff and contractors, systems diagrams and data mapping is incredibly important. The point of all of this is the exercise of going through it with the right stakeholders. This looks different for every business. Your documentation doesn’t have to be thousands of pages. The exercise alone will give you an idea of where the business value is and how the IT department can protect and respond to what’s important.

Wolfgang Gruener is Editor of The Wire and Director of Content Strategy for Guidewire. Randy Gross is CISO of CompTIA. Connect with him on LinkedIn.