What began as a technical innovation on the hacker side ends up as a decisive impetus for CISOs to further develop their role in the organisation. Ransomware is forcing CISOs to position themselves more operationally and to dovetail closely with the CIO and their IT infrastructure teams.

You only need enough budget and enough security specialists to protect the company: this mantra has been a strategic cornerstone for decades for many CISOs, who, like Dickens’ Oliver Twist, have come to budget meetings with their bowl in hand asking, “Please, Sir, can I have some more?”

With the right tools, the right team and the right processes, a CISO can manage cyber risk to a tolerable level; in fact, that is the very reason for our existence. But every new tool adds user friction and reduces agility. At a recent DefCon presentation, Deloitte said the average enterprise now has over 130 different cyber security tools deployed. So just as IT is looking to digital transformation to focus on value, consolidation and the move to the cloud, cyber security teams are rapidly turning into infrastructure management teams rather than managers of cyber risk.

Before the advent of ransomware, the vast majority of cyber risks were related to the exfiltration of the organisation’s data. In a data exfiltration attack the organisation faces reputational damage, regulatory fines and potential litigation, but a copy of the data still exists inside the organisation, and products and services continue to be delivered. Contrast this with a ransomware attack, where the organisation is unable to fulfil its very reason for existence. Ransomware and wiper attacks have very different impacts from those a CISO is used to: unlike data exfiltration attacks, where the damage is already done at the point of the attack, in ransomware the bleeding continues until the incident is dealt with.

The old-school CISO who is focused myopically on prevention and detection assures the board that, with an appropriate increase in headcount and budget, the business will be protected from attack, and even claims that the latest miracle security tool they are deploying will detect all zero-day attacks.

For these CISOs, who are watching organisations with much larger security teams and exponentially higher security budgets suffer significant impacts from ransomware, these are worrying times. It is now difficult to go back to the board of directors and admit that, despite all the investment in security, it is likely that they will fall victim to such an attack. After all, they have to admit that despite all the effort, there is a residual risk that could jeopardise the company’s bottom line.

In the world of ransomware, they have to adapt their strategy, because adding a 131st tool to the Security Operations arsenal will only fractionally move the residual risk needle while adding more noise and more friction and reducing agility even further... and there will still be some element of residual risk.

Investing in cyber resiliency, managing the impact axis of the risk equation by building effective and efficient response and recovery, means the CISO is having a more realistic conversation with the organisation’s leadership and making investments that are far more likely to move the residual risk needle than further incremental investments in managing likelihood.

It is crucial to focus on the consequences of a successful intrusion and on how these can be contained, investigated and eradicated as quickly and efficiently as possible. However, if you want to expand this response capability, you will have to interact much more closely with the business and other teams in the company.

Establish an open culture

The problem cannot be solved within your own security team. In the event of a ransomware attack, there is a risk of total IT failure. Preparing for this emergency means answering all the important questions about availability, recovery and incident analysis together with other teams and the entire Executive Board, and putting the measures on paper. It is important to regularly run through this emergency in drills and training sessions and to transfer what has been learned back into your own security world.

CISOs must have a precise understanding of the consequences for data and the business and be able to explain them to the board. Incidentally, the CIO and the infrastructure team are already quite experienced in this regard, as floods, fires, power failures and the like also threaten data centres in their world. You can learn from this wealth of experience and work out together how services and infrastructure depend on each other and what their failure due to ransomware would mean.

When taking this joint approach, the CISO and CIO should also decide to precisely determine the value of their data and assets, and agree a process by which this happens automatically from now on. After all, how can a joint risk analysis work if there is no common understanding of what you actually want to protect?

This close coordination requires a new culture of close collaboration across team boundaries. However, this is essential, as the company will only survive a ransomware attack if the security and infrastructure teams work closely together.

Preparing for the zero hour

The consequences of an acute ransomware attack are very different from those of malware, spam or data exfiltration. The CISO might not even be able to start their response to an attack: security tooling may have been impacted, or evidence encrypted or wiped. Communications with senior management, law enforcement, insurers, the press and regulators may be impacted by the lack of email or Voice-over-IP systems. Incident responders might not even be able to get into the building if physical access control systems are down. Looking to pay the ransom? How do you match a decryption key to a MAC address if your CMDB is down? How can you communicate with your legal team to ensure the ransomware gang aren’t sanctioned? A lot of the tabletop scenarios organisations run through haven’t been created by someone who has lived through a real ransomware incident, and they often lack answers to questions like these.

The CISO and their teams need to prepare for this zero hour and build contingency plans and environments in advance. Together with the infrastructure teams, isolated cleanrooms can be established in which an emergency set of tools, systems and production data is stored, so that an emergency operation of the entire IT system can be brought up. This environment also contains all the essential tools for the security teams, so that they can start the incident response process.

From there, the production environment is then restored step by step and in close coordination with the infrastructure teams. To do this, however, the CISO and CIO must once again have a common understanding of the order in which systems and data are restored. They will reach this level of maturity in their interaction only if they and their teams regularly discuss these issues. Control frameworks such as those from NIST provide good best practices for structuring and automating these tasks. They also describe other important security best practices such as least privilege, separation of duties and authentication, which both teams should implement together in order to raise the overall security level of IT.
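The two preparatory exercises above, mapping how services depend on each other and agreeing the order in which they are restored from the cleanroom, can be made concrete and repeatable. The following is an added example, not code from the article or from any vendor: it takes a jointly agreed inventory of services (constructed sample data below, with a hypothetical business-criticality tier and dependency list per service), reports the blast radius of losing any one of them, and computes restoration "waves" in which every service depends only on services already restored. It also refuses to produce a plan if the inventory references an unknown service or contains a dependency cycle, because both are signs the CMDB work is not finished.

```python
"""Restoration-order planner for a ransomware recovery plan (added example).

Input: a dict of service name -> {"tier": int, "depends_on": [names]}.
Tier 1 is the most business critical. A dependency points at what a
service needs before it can be brought back up. The inventory below is
constructed sample data, not a real estate.
"""
from collections import defaultdict

SAMPLE_INVENTORY = {
    "identity":     {"tier": 1, "depends_on": []},
    "network_core": {"tier": 1, "depends_on": []},
    "dns":          {"tier": 1, "depends_on": ["network_core"]},
    "cmdb":         {"tier": 2, "depends_on": ["identity", "dns"]},
    "siem":         {"tier": 2, "depends_on": ["identity", "dns"]},
    "email":        {"tier": 2, "depends_on": ["identity", "dns"]},
    "erp_db":       {"tier": 1, "depends_on": ["identity", "dns"]},
    "erp_app":      {"tier": 1, "depends_on": ["erp_db"]},
    "web_portal":   {"tier": 3, "depends_on": ["erp_app", "dns"]},
}


def validate_inventory(inventory):
    """Return a list of problems: dependencies on services not in the inventory.

    An unknown dependency usually means the CMDB is incomplete, which is
    exactly what the joint CISO/CIO exercise should surface before the
    zero hour rather than during it.
    """
    problems = []
    for name, spec in inventory.items():
        for dep in spec["depends_on"]:
            if dep not in inventory:
                problems.append(f"{name} depends on unknown service {dep}")
    return problems


def _dependents(inventory):
    """Invert the graph: service -> set of services that need it."""
    dependents = defaultdict(set)
    for name, spec in inventory.items():
        for dep in spec["depends_on"]:
            dependents[dep].add(name)
    return dependents


def blast_radius(inventory, service):
    """Return every service that cannot run while `service` is down
    (its transitive dependents), i.e. what its loss would mean."""
    dependents = _dependents(inventory)
    seen, stack = set(), [service]
    while stack:
        for child in dependents[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def restoration_waves(inventory):
    """Group services into restoration waves (Kahn's topological sort).

    Wave 0 holds services with no dependencies; wave n holds services whose
    dependencies were all restored in earlier waves. Within a wave, services
    are ordered by tier (1 first) and then by name, so the most critical
    come back first. Raises ValueError on unknown services or on a
    dependency cycle, since such a plan cannot be executed as written.
    """
    problems = validate_inventory(inventory)
    if problems:
        raise ValueError("; ".join(problems))

    remaining = {name: set(spec["depends_on"]) for name, spec in inventory.items()}
    dependents = _dependents(inventory)
    waves = []
    ready = {name for name, deps in remaining.items() if not deps}
    while ready:
        wave = sorted(ready, key=lambda n: (inventory[n]["tier"], n))
        waves.append(wave)
        next_ready = set()
        for name in wave:
            del remaining[name]
            for child in dependents[name]:
                remaining[child].discard(name)
                if not remaining[child]:
                    next_ready.add(child)
        ready = next_ready

    if remaining:  # nodes left over can only be part of a cycle
        raise ValueError(f"dependency cycle among: {sorted(remaining)}")
    return waves


if __name__ == "__main__":
    for i, wave in enumerate(restoration_waves(SAMPLE_INVENTORY)):
        print(f"wave {i}: {', '.join(wave)}")
    print("losing dns takes down:", sorted(blast_radius(SAMPLE_INVENTORY, "dns")))
```

Running it on the sample inventory restores identity and the network core first, then DNS, then the ERP database ahead of the tier-2 tooling (CMDB, email, SIEM), then the ERP application and finally the customer-facing portal. The same output is useful in a tabletop: if the list of waves surprises either team, the dependency data is wrong and needs fixing before an incident, not after.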

In the end, the CISO will learn from the CIO that a cyber incident is not a failure of the security strategy. Incidents happen, whether a fire in the data centre or a ransomware infection. The key is to have the tools and processes in place to mitigate the consequences of the incident. If CISOs can manage this evolution away from pure defence towards operational defence, it will change their investment behaviour.

Security tools will probably feature less on their shopping list than joint projects with the infrastructure teams for clean-rooming, classification and incident response. Because it is certain that the defence structure will fail. What is uncertain is how well the CISO and CIO will manage that incident together. But both can start working on this today.

James Blake, EMEA Field CISO at Cohesity
