ZenGRC Team

Infosec Compliance Awareness Saves Lives from Wannacrys

ZenGRC Team · May 18, 2017 ·

On Friday, May 12, the WannaCry ransomware attack proved the importance of infosec compliance awareness. The weaponization of the Microsoft software’s vulnerabilities shut down the UK’s National Healthcare System proving infosec compliance awareness is not just to computers but to people’s lives. WannaCry taught us that those updates can be a matter of life and death. In this case, an entire country’s healthcare system closed except for emergency services. Arguing fault, be it NSA, Microsoft, or the organizations affected by the attack, matters little when the health and safety of an entire nation rest on cybersecurity.

Government, and indeed some corporate, systems are notoriously outdated. Refitting an organization that includes thousands of employees costs money. With older computers and older operating systems, updates slow down productivity by taking a long time to install and restart. It’s easy to think, “no one will die if I don’t install this update.” The information security community needs to better promote infosec compliance awareness as integral to people’s health and well-being.

Infosec Compliance Awareness is More Than Financial Well-Being

The importance of infosec compliance awareness often filters through organizations as discussions of return on investment. Big business C-suite executives look to their CISOs and CIOs to manage risks for the least amount of money. These risks are calculated by the impact on reputation leading to lost profit or in terms of dollars lost due to a breach arising out of noncompliance. Richard Clarke at ABC News explains,

CEOs and board members do not like to get into the weeds of their networks’ management, but they need to understand issues like “patch” policy. They need to know when their systems are at risk and for how long.

Whoever sent WannaCry into cyberspace may not have done it for the money. Thus far, they have collected relatively little money, far less than they have cost companies and governments…. Do you think we will learn those lessons this time? Past experience suggests we will not.

With this in mind, the infosec community needs to use this as a call to action for protecting not just information but people. If businesses will not or cannot take the necessary steps to upgrade and update their IT environments, then the information security community needs to come together to ensure the protection of these assets. Updating software to incorporate patches may seem like a hassle or a monumental task. However, these updates are part of the information security compliance landscape. An organization with a strong culture of infosec compliance awareness will have incorporated potential zero-day flaws into their risk assessment and risk treatment/management.

Increased Ransomware Attacks Highlight the Importance of Infosec Compliance Awareness

Ransomware infections have increased exponentially in the last few years. The Department of Justice released a report stating,

Ransomware is the fastest growing malware threat, targeting users of all types—from the home user to the corporate network. On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. This is a 300-percent increase over the approximately 1,000 attacks per day seen in 2015. There are very effective prevention and response actions that can significantly mitigate the risk posed to your organization.

These increased attacks mean that instead of simply stealing information, cybercriminals recognize the critical value information holds in our society. Organizations with strong compliance programs will be ahead of the attackers by proactively recognizing risks, incorporating protections and updates in advance of attacks, and being less likely to have exploitable areas.

The Internet of Things Drives Infosec Compliance Awareness Needs

As an industry, we know better. As the Internet of Things increases people’s connectedness, it also makes them more vulnerable. It makes them vulnerable in ways they cannot or choose not to understand. With this in mind, the information security industry has started the process of creating audit procedures to promote safety within the realm of business needs. At the end of 2016, Compliance Week noted that IoT internal audits were becoming more important to businesses and provided organizations a list of questions to help promote infosec compliance awareness in the IoT landscape.

The following are key questions to consider in developing audit plans and considering their role for the IoT:

How is the IoT deployed in our organization today? Who owns the IoT or the respective components of it?
Consideration of the risks associated with the IoT presence? How have those risks been quantified and controlled?
Do we know what data is collected, stored, and analyzed? Have we assessed potential legal, privacy, and security implications?
Do we have contingency plans for Internet-connected “things” that are hijacked or modified for unintended purposes?
To what extent are third parties utilizing the IoT acting on our behalf? Do we have appropriate process and agreements in place to appropriately monitor those third parties?
What role does the IoT play in our current strategy as an organization? How are we measuring the achievement related to any goals associated with strategic objectives?
What is the risk of not considering or further leveraging IoT possibilities? Are we using data analytics to full potential?

The majority of these questions focused on data and organizational use. These fall into the traditional C-suite concerns regarding information security. Creating a strong security profile means ensuring compliance proactively not reactively. However, one of the above questions has a greater implication that can affect not just business bottom lines but the health and well being of society as well.

Do we have contingency plans for Internet-connected “things” that are hijacked or modified for unintended purposes?

Protecting IoT Ecosystems Through Effective Infosec Compliance Awareness

The newest ransomware threats will be to the IoT ecosystems. Many experts believe that WannaCry may be a test run for something larger. What could be larger than paralyzing the information systems of more than 200,000 computers in 150 countries? Controlling systems outside of the digital space. A TechCrunch article from October 2016 quotes Neil Cawse, CEO at Geotab, stating,

While traditional ransomware affects your computer and locks your files, IoT ransomware has the opportunity to control systems in the real world, beyond just the computer….In fact, due to the many practical applications of IoT technology, its ransomware can shut down vehicles, turn off power, or even stop production lines. This potential to cause far more damage means that the potential for hackers can charge much more, ultimately making it an appealing market for them to explore.

The ability to control physical systems remotely using ransomware is the type of threat that does not register to the average Amazon Alexa user. IoT compliance means looking at the implications of ransomware attacks and ensuring that the information security community takes the lead on protecting users from themselves and the outside threats. As a peer-driven industry, the information security industry stands at the forefront. With great knowledge comes great responsibility. Now is the time for the industry to further promote infosec compliance awareness as more than a financial bottom line but as a social good.

The Medical Internet of Things Makes Infosec Compliance Awareness a Matter of Life and Death

More importantly, the Medical Internet of Things is also at risk. Incorporating IoT devices into healthcare makes hospitals more efficient and patients healthier. Providers can remotely monitor patient data without needing to bring people in for visits. Sensors on medications can monitor whether people are following the appropriate regimens. Innovation Enterprise recently shared,

At Boston Medical Center, IoT is everyday life. Newborn babies are given wristbands, allowing a wireless network to locate them at any time. They have installed wireless sensors in refrigerators, freezers and laboratories to ensure that blood samples, medications, and other materials are kept at the proper temperatures. The hospital also has more than 600 infusion pumps which are IoT-enabled. BMC staff members can now dispense and change medications automatically through the wireless network, rather than having to physically touch each pump to load it up or make changes.

A ransomware attack targeting these IoT devices can cause blood samples to go bad or stop infusion pumps. The best way to stop these kinds of events is to take precautions to help ensure that they do not occur. Zero day flaws are constant sources of risk. This is where infosec compliance awareness can save lives. Being compliant means incorporating risks into the organization’s profile. This means thinking ahead. Compliance is more than just a business bottom line in many cases. Compliance becomes a social good enacted by those who have the knowledge to help protect people.

Automation Can Promote Infosec Compliance Awareness

Compliance products like ZenGRC do not save lives. They do, however, make the life-saving compliance more manageable. Efficiently sharing multiple compliance programs in a single location allows for more efficient communication between C-suite members, audit, and the Board of Directors. Generally, compliance automation seeks to reduce redundancy and create agile solutions to information security problems. However, all compliance is based on risk. In the case of a zero day flaw, the impact of the flaw being exploited, such as with the UK’s NHS, may create a justifiable reason to incorporate completely redundant systems or processes. Automated tools like ZenGRC create transparency in the information security compliance space that allow organizations to make safer determinations.

WannaCry is the warning bell that ransomware is here to stay. Information security professionals need to lead the way to protect the health and well being not just of information but of people. Not installing those updates may kill someone, someday. Infosec compliance awareness may end up being, literally, life and death.

Where do you see non-financial value in information security compliance awareness? Tell us in the comments!

Artificial Intelligence in Security is Not The Terminator

ZenGRC Team · May 11, 2017 ·

Artificial intelligence in security strikes fear into the heart of the average person. The term alone seems to indicate something straight out of a science fiction movie complete with Arnold Schwarzenegger’s voice growling grittily, “I’ll be baaack.” In the information security space, experts agree that artificial intelligence and its much-less-interesting-sounding-cousin machine learning will shape the future of the industry.

Artificial Intelligence in Security to Take on Hackers

Artificial Intelligence: Not The Terminator

People who grew up in the 1980’s assume that artificial intelligence automatically means robots coming to life to destroy the human population. While the idea of the singularity continues to haunt people, the current day reality is really much more boring. Artificial intelligence means nothing more than finding ways to engage machines in tasks otherwise done by people. These can be applied or general. Traditionally, applied means things that are automated while general would be any task available (think Roomba.) Machine learning is the more narrowed pursuit of training computers to think like humans when analyzing large amounts of data. This occurs through the use of neural networks. Neural networks use probability of compiled data to make decisions and categorize information. In doing so, they can act similarly to humans. Despite machine learning being a subset of artificial intelligence, the infosec space often uses the two terms interchangeably.

Artificial Intelligence in Security Assists CISOs

With the ability to analyze large amounts of data in a short time, artificial intelligence can be a major asset to CISOs. Unlike the science fictionalized concept of independently acting AI, artificial intelligence in security incorporates human interaction with the data to better predict suspicious activity. AI currently helps CISOs not remove humans from the mix. Doug Drinkwater at CSOOnline talked to author Martin Ford who noted, “…AI will be increasingly critical in detecting threats and defending systems. Unfortunately, a lot of organizations still depend on a manual process — this will have to change if systems are going to remain secure in the future.”

Some CISOs, though, are preparing to do just that.

“It is a game changer,” Intertek CISO Dane Warren said. “Through enhanced automation, orchestration, robotics, and intelligent agents, the industry will see greater advancement in both the offensive and defensive capabilities.”

Warren adds that improvements could include responding quicker to security events, better data analysis and “using statistical models to better predict or anticipate behaviors.”

Thinking from the statistical point of view, the larger number of data points, the greater the accuracy of the predictions. The goal of artificial intelligence in security, like the use of an automated GRC tool, is to streamline the process to obtain better results.

MIT’s Artificial Intelligence in Security

One of the most noteworthy updates to the use of artificial intelligence in security has come from the Massachusetts Institute of Technology (“MIT”). MIT’s new methodology utilizes active learning in which the computer logs data, sends it to a person who determines whether the data is good or not. It then incorporates feedback, which allows it to use a new model and that updates the algorithms.

According to the MIT website, their new AI methodology incorporates some heft learning that makes it more effective than any other strategies on the market.
AI2’s secret weapon is that it fuses together three different unsupervised-learning methods, and then shows the top events to analysts for them to label. It then builds a supervised model that it can constantly refine through what the team calls a “continuous active learning system.” Specifically, on day one of its training, AI2 picks the 200 most abnormal events and gives them to the expert. As it improves over time, it identifies more and more of the events as actual attacks, meaning that in a matter of days the analyst may only be looking at 30 or 40 events a day. “This paper brings together the strengths of analyst intuition and machine learning, and ultimately drives down both false positives and false negatives,” says Nitesh Chawla, the Frank M. Freimann Professor of Computer Science at the University of Notre Dame.

AI2’s strength lies in being able to work with analysts, not replace them. Thinking in terms of science fiction, AI2 acts as the security version of the Jetsons’ Rosie. Rosie needs to learn how to make the sandwich and takes feedback on taste from the Jetsons, then renegotiates the information to make the sandwich better the next time. MIT’s AI2 does the same thing for information security. In the end–the way that the Jetsons might need to adjust the mustard on their sandwiches instead of building the whole thing from scratch–the artificial intelligence in security allows the analyst to focus on smaller details to determine whether the red flags are warranted.

MIT is not the only university working towards big data artificial intelligence in security solutions. At the University of Arizona, ongoing research intends to help support e-commerce security solutions which may be of interest to those who need to be PCI-DSS compliant. According to the University of Arizona website,

For cyber security, we conduct advanced research in autonomic intrusion detection, botnets and malware analysis, and cyber terrorism research. For e-commerce security, we are performing advanced research of relevance to fake e-commerce site detection, customer-based fraud detection, botnet related e-commerce transaction analysis, and social media analytics based e-commerce opinion mining.

***

KDD (Knowledge Discovery from Databases) techniques promise easy, convenient, and practical exploration of very large collections of data for organizations and users, and have been applied in marketing, finance, manufacturing, biology, and many other domains. Many of the KDD technologies could be applied in ISI studies (Chen 2006). Keeping in mind the special characteristics of crimes and security-related data, we categorize existing ISI technologies into six classes: information sharing and collaboration, crime association mining, crime classification and clustering, intelligence text mining, spatial and temporal crime pattern mining, and criminal network analysis.

PCI-DSS requirements protect customer information in the e-commerce space. Using data mining for large numbers of transactions can more easily show when customer behaviors seem abnormal. Being able to use artificial intelligence in security processes can help reduce the cost of PCI-DSS compliance while also adding value to the programs through better detection.

Artificial Intelligence in Security Needs to Be More Robust

Despite the advances in artificial intelligence and machine learning, the technology still has a long way to go before it can be relied on completely. Looking at the Google video searching AI, researchers at the Paul G. Allen School of Computer Science & Engineering at University of Washington noted how easily it can be deceived.

Machine learning systems are generally designed to yield the best performance in benign settings. But in real-world applications, these systems are susceptible to intelligent subversion or attacks,” said senior author Radha Poovendran, chair of the UW electrical engineering department and director of the Network Security Lab. “Designing systems that are robust and resilient to adversaries is critical as we move forward in adopting the AI products in everyday applications.”

“Such vulnerability of the video annotation system seriously undermines its usability in real-world applications,” said lead author and UW electrical engineering doctoral student Hossein Hosseini. “It’s important to design the system such that it works equally well in adversarial scenarios.”

“Our Network Security Lab research typically works on the foundations and science of cybersecurity,” said Poovendran, the lead principal investigator of a recently awarded MURI grant, where adversarial machine learning is a significant component. “But our focus also includes developing robust and resilient systems for machine learning and reasoning systems that need to operate in adversarial environments for a wide range of applications.”

While there may not seem to be a clear link between fooling Google’s video search AI and the use of artificial intelligence in security, infosec professionals recognize that while the capabilities exist the holes are easily exploitable at this point. Hacking a video search has no real security implications. This means that while that kind of machine learning may be fun, it does not need to be complete because it doesn’t cause monetary or reputational risk. Therefore, it may not seem like a one to one comparison with artificial intelligence in security. The important takeaway lesson, however, is that while machine learning can help fortify an organization’s security profile, it cannot do so without the help of human staff to steer it in the correct direction.

Machine learning and artificial intelligence in security promote the next wave of protection for companies and their customers. While information security professionals need to understand the ongoing research to be ahead of the curve, they also need to remember that the advancements intend to help, not replace.

Has your organization instituted machine learning to help with security concerns? How do you foresee the future of artificial intelligence in security? Tell us in the comments!

How to Become a Successful CISO

ZenGRC Team · May 9, 2017 ·

How to Become a Successful CISO

Being a successful Chief Information Security Officer (CISO) means understanding the changes to regulatory and privacy landscapes over the past several years. In the past, the CISO role meant organizing assets. However, increasingly the high level security professional needs to manage risks in order to successfully protect the companies for which they work. Risk management, once the sole responsibility of the internal auditor, now crosses all areas of the organization. The changes in the security landscape mean that a successful CISO needs to think differently about their role.

How to Be A Successful CISO

9. Manage Risk

In the old days, CISOs managed the implementation of and management of security assets. However, Andrew Wild argues during an interview on Information Security Today:

The role has evolved from being focused primarily on the implementation and management of security control technology (firewall, IDS, AV solutions, etc.) to a consultative, business process aware, risk management professional. The CISO’s role change from IT security technology solutions expert to enterprise risk management executive requires a risk-based approach, and CISOs must adapt and embrace this and move away from a security controls focused approach to information security.

Although security controls remain one way to approach information security, the successful CISO recognizes that the controls respond to risk.

8. Build Coalitions

As the CISO’s job requires a greater focus on advising people of risk, so the job requires increased coalition building skills. The shift in the CISO’s role within an organization means that people are the key focus, not software deployment and maintenance. Becoming a successful CISO means building relationships with all departments, not just within the IT sector. An article on Cyber Toa, a cybersecurity professional website, reminds readers,

A CISO is responsible for promoting and encouraging security habits within the organisation to maintain appropriate standards for the information being handled. They can ensure employees receive awareness training, and understand the risks and consequences of their actions, both online and when handling physical copies of information.

A successful CISO builds the culture of information security compliance by creating relationships. When the CISO treats employees as partners in information security, people are more likely to comply with requests.
Building coalitions doesn’t stop with the employee base. Working with your CIO means understanding the changing roles they face. Kelly Sheridan notes at Dark Reading,

Every company views risk management differently, he continues. Some businesses have their CISO report to the general counsel, head of compliance, COO, or CEO. In addition, the CISO and CIO are becoming more empowered to veto key strategic decisions.

“The CISO has a seat at the boardroom table,” says Dawn-Marie Hutchinson, executive director for Optiv’s Office of the CISO. “They’re saying, ‘Let’s talk about what the business is doing strategically and how we can enable that functionality.'”

This used to be the CIO’s conversation, she says, but reporting structure is changing to prioritize security issues and projects. Businesses want to know how they can maintain the privacy of information systems, and the attention is giving CISOs more face time with board members and execs.

As the roles shift, the relationships need to be built. The successful CISO works with the CIO to create a unified IT structure that promotes information security.

7. Communicate Effectively

Effectively communicating may be a part of building coalitions, but it goes much further than that. Communicating with the organization means sharing your vision in ways that everyone else can understand. While this may lead to people agreeing with your insights, it does not stop with their agreement. When interviewed by CSO Online about keys to being a successful CISO, Kim Jones explained the communication problems his nonlinear thinking caused:

The problem is, though, that I tended to (accurately) leap to the conclusion about an issue without laying out the steps, thinking that everyone could see the same thing I did. This really hampered my ability to communicate to non-security/non-IT folks early in my career. I spent a long time (with the help of good mentors) learning how to communicate and lay out the steps so that others could reach the conclusions I was leaping to.

CISOs will often present their ideas to nontechnical people like the Board of Directors. This means that being able to break down the ideas into understandable pieces for the lay person can be the defining skill of a successful CISO.

6. Learn the Business

With technology becoming more integral to businesses daily, CISOs need to fully invest themselves into the organization’s business goals. A successful CISO understands not just the technological and personal side of security, but also the way information security integrates into the overall business plan. Avtar Sehmbi, in a 2010 article about employable CISOs, listed six key principles upon which to base a CISO career. Three of them included understanding the overall business plan.

Engage with the business. CISOs need to demonstrate an ability to navigate their way within the organization by developing relationships with key stakeholders. An aptitude to discretely understand the organisation’s politics, expectations, and concerns is essential. Finally, they need to display a competence in qualifying the level of investment that is appropriate for any security initiatives, whilst ensuring the proposal is relative to the organization’s needs. You can’t, and shouldn’t, make changes without fully understanding the impact they will have, determine whether the investment is necessary, and can justify the expense or identify the impact to revenue streams.
Focus initiatives on what is learnt. A CISO needs to understand not only their own area, but also that of the business and where they fit within the organization. Spend time engaging the business before producing security strategies. The engagement process will enable you to define the strategy’s core work streams. This will ensure the strategy has complete buy-in and sponsorship from the business and is in line with objectives.
Align, target and time initiatives. Convey an understanding of the business strategies aligned with the challenges facing IT – mergers and acquisitions, regulatory pressures, financial pressures and competing initiatives. Using this understanding, map out the next 12-, 24- or 36-month period in comparison to what the business is trying to achieve strategically and tactically. Doing this will also provide you with the agility to propose any unplanned changes that may emerge throughout this period.

The successful CISO will focus on information security as it relates to the overall business model to ensure the symbiotic relationship between security and profitability.

5. Have a Vision

Many people would assume this to be the first step to being a successful CISO. The reality is that until you understand the risks inherent in your particular business, can build coalitions that work with you, and can explain yourself in ways that create ongoing compliance with your vision, that vision is meaningless. Without vision, however, a CISO becomes just another employee. ZRG Partners, a recruiting firm, researched top skill sets for CISOs and determined,

An organization also needs a Chief Information Security Officer (CISO) who has certain visionary and leadership characteristics. These include a torchbearer who has an intellectual curiosity; someone who is an independent thinker and analytical; a person who has a strong understanding of the organization’s operations and processes.

In the world of information security, having a vision means being able to see threats before they occur. The successful CISO sees the future of threats and finds ways to incorporate those protections into the organization before they become a reality.

4. Stay Educated

Technology changes daily, and thus threats change daily. To be a successful CISO, you need to be willing to learn and adapt to these changes. Paul Calatayud of Surescripts notes,

A CISO needs to adapt easily to change. Technology is constantly evolving and a successful CISO understands that. Big data is just one example. And as new technology and trends like big data emerge, we as CISOs need to figure out how they fit into our security landscape.

In the CISO role, always being a student and learning is a must. You can’t just learn a skill once, apply it and be done. There is always a need to refine and adapt. In other fields, you must have certain skill sets and a specific background, but once you acquire those, you are able to apply your experience in a fairly standard manner.

With security, it’s constantly changing, and a CISO needs to be continuously learning and adapting. You always have to account for the privacy impact, address challenges and opportunities – and now, to understand this, CISOs essentially need to become data scientists as well. It’s par for the course.

Being educated may mean ongoing trainings or simply reading industry reports regularly. Successful CISOs recognize not just the changes in the information security landscape but also the upcoming trends.

3. Be Decisive

A successful CISO makes important decisions to protect themselves and their organization. Showing that they are capable of these decisions means getting more respect and more control over the information landscape. According to a Tech Republic article,

[A 2014] report also indicates that executives have a preconceived notion that the CISO is often a “scapegoat,” following security breaches. That opinion is backed by an astounding 44% of C-level executives, which believe that CISOs should be held accountable for “any organizational data breaches,” while 54 percent said that CISOs shouldn’t be responsible for cyber security purchasing decisions.

In order for CISOs to be able to do their jobs effectively, they have to be put in positions where they can make decisions, and they will often need to prove that ability. Peak 10 notes that CISOs need to,

Accept risk and disruptions. Risk and disruption are inherent parts of a CISO’s job. This, however, does not mean it is okay to sit idly by waiting for disaster to strike. CISOs must establish upfront processes that handle emergencies as seamlessly as possible. An emergency response plan that reflects the company’s risk tolerance and strategy will eliminate the imminent panic factor and substitute it with a pre-designed set of instructions for a quick, strategic response.

Getting ahead of the attacks and being willing to accept the risk inherent in the outcome of a weak decision shows leadership and confidence, which can lead to being given more responsibility and decision-making power. For a successful CISO, being indecisive can be more damaging than being incorrect.

2. Understand Contract Implications

Increased reliance on technology means increased reliance on vendors. Bringing in vendors can diminish the CISO’s control over internal systems. The successful CISO needs to have a better grasp of the security implications in vendor contracts. John Linkous writes in an RSA conference article:

Another key skill, particularly with the adoption of outsourced services (think cloud) is the ability to understand the security impacts of contracts. A good CISO should be a trusted adviser not only for IT contracts, but for every other contract the organization signs, as well. For many organizations, business partner agreements rely on an exchange of proprietary data; the CISO must have visibility into these contracts during negotiations—not after the ink is dry—and must be able to identify potential risks and threats. Good language comprehension skills, coupled with a good relationship with the legal department, is critical.

Just as business skills are becoming more important for the CISO, so are language and interpretation skills. While the CISO does not need to have a law degree, understanding the potential risks that come with contract partnerships means providing insights. The questions or concerns the CISO brings to the negotiation can help frame the vendor relationship before security concerns occur.

1. Promote Ethical Practices

While being ethical seems obvious, the definition of ethics in security has changed with the technology. As laws have evolved, so has the definition of malicious hacking. The gray areas are no longer gray and answers can color how CISOs approach their responsibilities. Richard Starnes notes in a Computer Weekly article,

Take two potential candidates. The first says: “In the early 1980s when I was a teenager, I hacked a few sites for fun but never did any damage.” At that time, there were few, if any, laws against hacking or programs teaching young people the ethics of using information systems.

The second says: “In the late-80s when I was a teenager, I hacked a few sites for fun but never did any damage.” By the late 1980s, Scotland Yard’s Computer Crime Unit was fully formed, the Morris worm had hit, the US Congress had passed the Computer Fraud and Abuse Act and parliament was well on its way to passing the Computer Misuse Act. Same actions, but different time frame. Would you hire this person based on either scenario?

A final example: the CISO makes important strategic corporate purchasing and product marketing decisions based on close personal ties with suppliers, not the needs of the company or on sound product testing. Is that acceptable? One would hope that a CISO wouldn’t put their employer in that position, but some do. How strong are their ethics?

As successful CISOs are given greater decision-making power, their ethical responsibilities increase.

As technology evolves so does the role of the CISO. To be a successful CISO means adaption through continuous skill and relationship building.
How have you seen the CISO’s role change? Are there any other skills not listed here you think are necessary for success?

Wednesday’s Women in Infosec: Georgia Weidman

ZenGRC Team · May 3, 2017 ·

Wednesday’s Women in Infosec, our monthly profile, changes focus for May by moving to the technical side of security. Georgia Weidman, founder and CTO of Shevirah, brings with her the varied experience of pen tester, security research, author, and speaker. Her book Penetration Testing: A Hands-On Introduction to Hacking is rated as one of the top training books. Ms. Weidman presented at Black Hat 2016, one of the most well-known hacking conferences. Ms. Weidman’s intelligence and savvy make her one of the leaders in information security.

If you had to choose one event that led you to work in information security, what would it be and why?
I did Cyberwatch’s Mid-Atlantic Collegiate Cyber Defense Competition in graduate school. In the competition, we played the recently hired security staff of an organization under attack. The attackers were a red team made up of industry professionals tasked with wreaking havoc on our systems. By the end of the competition, I knew I wanted to be on the red team.

Why do you like working in the information security environment?
Throughout my career, I’ve watched an endless cycle of black hat hackers and penetration testers finding holes with security practitioners and white hat hackers fixing them. I thrive on trying to discover holes before the bad guys or, at the very least, educating people on how to recognize their risks so they can mitigate them before the bad guys get there. I break things to ultimately help fix them.

If a n00b to the infosec world asked you for a piece of advice, what would it be?
Don’t let anybody tell you can’t. There’s a lot of personalities in the industry who like to use the whole “GTFO n00b” mentality and act like you don’t deserve to breathe the same air as them unless you are a narcissistic vulnerability pimp. But that’s ridiculous. There was a time when everyone, no matter how proficient they are now, was struggling with the basics. Another thing new people tend to do is discount the skills that they have. It takes a lot of skillsets other than reverse engineering and exploit development to build a mature security program. You may be coming into infosec with a lot you can offer the industry already before you even start studying.

What is the most important issue facing consumers in the information security landscape today? Why?
Security is stuck in an old paradigm of the enterprise: people don’t sit at desks in offices working on corporate owned workstations behind a corporate owned firewall. They use phones, tablets, smart watches, even connected cars and Internet of Things devices to do their work. Hackers have moved from the enterprise to ransomware and now, increasingly, to mobile. Security practitioners need to move to mobile as well. Until they do, consumers need to be better informed about the risks surrounding mobile. For example, phishing isn’t just about email, but SMS, iMessage, even Facebook Messenger and WhatsApp.

What are your three “guilty pleasures” that have nothing to do with information security?
I have a horse, Tempo, who I show in hunter/jumper. I have a hard time categorizing him as a guilty pleasure though. I more consider horse showing the one non-work thing I do to stay sane. Also, since most of your time as a startup founder is spent being told “No” or at least “Not yet” in raising money or getting marquee customers, it is nice to be able to have the short term achievable goals that horse showing allows. I also like to do tourism things like going to museums and visiting natural wonders when I travel for work. Just recently after nine previous trips to The Netherlands during the wrong time of the year, I finally got to see the world-famous tulips at Keukenhof Gardens. But in general I just work on my startup all the time.

Audit Mindset: Technology Drives Shift in Audit Values

ZenGRC Team · May 2, 2017 ·

Changing Technology, Changing the Audit Mindset

Technology is changing the audit mindset in much the same way that it has changed everything else in society. As auditors have more access to more data, they need to approach their audits with this in mind. In the past, companies used internal audit to check all processes and all policies. Using detailed testing, auditors checked off boxes while filtering through pages of documentation. As organizations have become more complex, internal auditors and the c-suite need to change their audit mindset to match the substantial increase in information.

Traditional Audit Mindset, Traditional Audit Values

Reading into the history of internal audit, the process initially started during the Industrial Revolution to help companies report and control costs. This created a backward looking, reactive process. Due to the nature of technology, audit became focused on reviewing current processes, finding problems, then telling companies to fix them.

These traditional audit values were outlined by Almutaz Bakry Sidahmed in 2015,

Traditional Audit focus on audit cycle (time duration, when last audit occurred), focus on deficiencies in controls, and cases of non-compliance with policies and procedure manual which may be outdated sometimes…. traditional auditing an understanding of Business Unit operations is built through time consuming process mapping exercises and might rely on outdated P&P manuals and audit staff spread all over the company trying to cover the audit universe which sometimes extend to more than one year

In the traditional audit mindset, auditors intended to review the company processes as a whole. The goal of this would be to send in someone unaffiliated with the company to determine whether managers engaged in the most efficient and legal processes. This approach positions the auditor as an enemy by creating a divisive relationship of critique.

Managers manually collected all information for audit, spending hours seeking out the testing materials and aggregating records not integral to the business. As companies grew in size, analyzing policies and procedures between large organizations and small ones became untenable. The backward looking process fell out of favor with forward thinking regulators and trade associations over the last thirty years.

Transition to Risk-based Audit Mindset

Automation began making the traditional audit mindset and process inefficient. However, companies continued to use traditional audit methodologies due to early systems while retaining some of the original audit perspectives. In 2012, the AICPA noted the need to change audit mindset in a white paper,

[A]uditors collect and analyze audit evidence and form opinions pertaining to internal controls as well as reliability of the information provided by management. At the engagement conclusion, auditors present a formal report expressing their opinion. In fact, this approach reflects the twentieth century methodology whereby there are high costs and significant time delays associated with information collection, processing, and reporting. … [B]asic CAATS (Computer-aided Audit Tools) contain capabilities to enhance audit effectiveness and efficiency. However, they do not operate on a 24/7 basis and therefore fail to construct a truly continuous auditing environment whereby exceptions and anomalies may be identified as they occur. Alternatively stated, they do not work with real-time or close to real-time data streams and, thus, are not able to address questionable events such as potential fraud or irregularities in an optimized fashion….With this in mind, one could argue that the traditional manual and retrospective audit is becoming an untenable position.

This risk-based focus then intended to streamline the process to focus on those business areas most prone to causing the company reputational, legal, or financial risk. Since the new systems began to address events in real time allowing for faster responses by companies thus further mitigating risks, the risk-based approach became more popular. The risk-based approach transitions the auditor from being an enemy to being a partner in business success. GRC automation makes this partnership easier and the risks more transparent. Be eliminating unnecessary reviews, organizations save time. Being about to map risks across multiple frameworks in a GRC tool offers the added benefit of times savings that correlates directly to money saved.

The COSO Framework

When discussing risk management audit models, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the COSO ERM – Integrated Framework historically act as benchmarks. In 2013, COSO released an updated Internal Control -Integrated Framework. In the Executive Summary, they noted

Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed.

A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to operations, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives. Management also considers the suitability of the objectives for the entity. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal controls ineffective.

With the implementation of this framework, COSO solidified risk as within the purview of both internal audit and the c-suite. Warren Stippich of Grant Thornton, LLC noted,

In adopting the new guidance for risk assessment and other Framework components, internal audit will ordinarily be responsible for the facilitation of the mapping of controls to principles. Implementing controls and remediating control weaknesses, however, will generally be the work of the CFO, the controller’s function and general counsel, and others such as internal audit. Boards and audit committees also have an important role to play in ensuring that any deficiencies in internal control noted by those charged with monitoring and reporting, including external bodies, are corrected. Overall responsibility, however, falls to management: It is their responsibility to ensure that the checks and balances in the organization exist for a sound system of internal control.

While the transition to COSO 2013 may take a great effort for some companies, the new guidance around risk assessment presents an opportunity to achieve important operational objectives. When implemented, the Framework can be more than just a compliance exercise — the requirements can help improve operational efficiencies and increase productivity.

Under this framework, management bears the responsibility for ensuring the ongoing strength of the organization’s controls. For many long time industry professionals, this new approach required some effort and buy in. Under this framework, management and the audit team need to work together to ensure productivity. Using an automated tool creates ease of collaboration. Lowering the time spent communicating means lowering the cost of compliance.

The Risk-Based Audit Mindset and Profit

Profitability creates buy in for the Board and c-suite. Risk-based audit models save time which increases profitability. By focusing on those areas whose noncompliance could cause the most damage to the company, risk-based audits lead to more focused results. Keeping in mind that audit originally intended to streamline business practices, the greater efficiency of risk-based audit makes historical sense. According to Jason Mefford, the writer of Risk Based Internal Auditing and writer of Risk Based Internal Audit Training,

Risk based auditing is about focusing on those areas that stop an organization from meeting its key objectives instead of just looking at controls. Too often auditors are focused on testing low impact processes and controls, while ignoring a focus on key objectives. When auditors take a risk based approach, focusing on those forces and events most likely to impact an organization meeting its key objectives, that is when the provide the most value to their organizations, helping increase profitability.

Information technology audits under the risk-based audit mindset can provide the same types of corporate savings. Greater risk in the IT realm means loss of money or reputation due to a breach. Those costs are the same types of savings as a manufacturer identifying time saving processes in its labor stream.

Viewing the risk-based approach as a profitable exercise fosters a greater corporate culture of compliance. In addition, this transitions the audit mindset from conflict to camaraderie. When all audit parties view one another as financial assets, they cooperate more fully. GRC tools help audit parties collaborate which in turn adds financial value to your organization’s compliance stance.

Automating the risk-based Audit

Since audits no longer seek to test the entire organization, automating the compliance space when using the risk-based audit model makes the process even more efficient and profitable. By integrating risk control information with the the internal audit goals, the organization can stream line the execution of risk and compliance work. Further, by coordinating documentation in one shared space, critical evaluations and risk assessments will make creating the audit scope smoother. When the audit goes more smoothly, the profits increase. With this ease of access to information and documentation, the application of the risk-based audit approach becomes more appealing.

Shifting a mindset takes time and energy. People find change difficult and frustrating leading them to rely on old habits. However, automation can make the company’s audit mindset transition easier.

If you want more information on how to use automation to help change your organization’s audit mindset, contact one of ZenGRC’s GRC specialists today.