Operationalizing Cyber Policy: An Occasional Series

This is the first in what will hopefully be many articles on a topic of profound importance: the operationalizing of cyber policy. Walking the halls of RSA, you can see an embarrassment of cyber security riches. Solutions and innovation abound. However, a couple of sobering realities cut through the excitement flowing from all this potential and entrepreneurial energy.

  • Which solutions will actually work for your business?
  • Who will implement them?
  • How will people (assuming you can find them) actually implement them?
  • How will the solutions align with the way your business works?

These are operational challenges. A number of vendors have built their businesses around addressing such challenges of operationalizing cyber security policies. Here are some perspectives that might stimulate thinking on this critical topic.


Bridging the Security-IT Ops Gap

For many of its 20 years in business, 1E had not considered itself to be in the cyber security business, at least not primarily. The company has thrived by offering IT operations tools, mostly for endpoint management, and has an installed base of about 30,000,000 across 1,000 customers. “As security became a more critical issue for our clients, however, we realized that we were, indeed, very much in the security business,” explained Sumir Karayi, CEO of 1E. “There’s a big disconnect between operations and security. Security people are tasked with protecting the business. They detect threats. However, in many cases, the duty of protection is handed over to ops. This can be a big ask in certain organizations.”

Sumir Karayi, CEO of 1E

Karayi cited an astonishing example of how deep the security-ops disconnect can be. A global banking giant working with 1E had a dilemma. Their security team, which was first rate, had detected a number of serious threats and vulnerabilities that created risk exposure for the business. Remediation was not so simple, however. The security team handed the CIO a list of—wait for it—250,000 vulnerabilities to fix.

Wow! Even for a big company, that’s a pretty enormous request. And who would pay for it? The IT ops group had its own budget and had already committed its resources to previously assigned tasks. To drop everything and tackle that mammoth list might have taken a year or more.

Ops tries to solve the problems identified by the security team, but there are limits on its capacity. Big fixes, like moving from Windows 7 to Windows 10, which can remediate many vulnerabilities at once, take time. “An organization with 40,000 PCs cannot just flip a switch and change its OS,” Karayi said. “Automation is essential if Ops wants to stay out in front of security issues.”


Karayi pointed out that it takes, on average, 30 days for an organization to achieve a 90% patch success rate. At the same time, attackers typically exploit a disclosed vulnerability in less than 8 days. 1E Tachyon, the company’s endpoint manager, is meant to close this risky gap: it can identify vulnerabilities and patch them all, more or less instantly. Tachyon works to guarantee the state of a machine. “All machines call home,” Karayi explained. “They have a live connection.” The tool can quarantine machines that are out of policy until they are patched. In these ways, 1E lightens the security load confronting IT Ops.
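The gap Karayi describes (a 30-day path to 90% patch coverage against an 8-day exploitation window) is what an endpoint compliance check has to reason about. The following Python is an added example written for this article, not 1E’s or Tachyon’s code: it evaluates a constructed fleet against a required-patch baseline, measures how long each missing patch has been exposed since disclosure, and decides which machines to quarantine (stale check-in or exposure beyond the window) versus simply patch. The patch identifiers, thresholds and fleet data are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy: placeholder patch identifiers (not real KB numbers)
# mapped to the date their vulnerability was publicly disclosed.
REQUIRED_PATCHES = {
    "PATCH-001": date(2019, 3, 1),
    "PATCH-002": date(2019, 3, 10),
}
MAX_EXPOSURE_DAYS = 8   # assumption taken from the article's "less than 8 days" figure
MAX_CHECKIN_DAYS = 2    # assumption: a machine that has not called home cannot be verified


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    installed: frozenset   # patch identifiers present on the machine
    last_checkin: date     # last time the agent reported its state


def exposure_days(endpoint, today, required=REQUIRED_PATCHES):
    """Return {patch_id: days since disclosure} for every required patch
    that is missing from the endpoint."""
    return {pid: (today - disclosed).days
            for pid, disclosed in required.items()
            if pid not in endpoint.installed}


def evaluate(endpoint, today, required=REQUIRED_PATCHES):
    """Classify an endpoint as 'compliant', 'patch' (missing patches but still
    inside the exposure window) or 'quarantine' (state cannot be verified, or
    a missing patch has been exposed longer than the window)."""
    if (today - endpoint.last_checkin).days > MAX_CHECKIN_DAYS:
        return "quarantine", {"reason": "no recent check-in"}
    missing = exposure_days(endpoint, today, required)
    if not missing:
        return "compliant", {}
    if max(missing.values()) > MAX_EXPOSURE_DAYS:
        return "quarantine", {"reason": "exposure window exceeded", "missing": missing}
    return "patch", {"missing": missing}


def fleet_report(endpoints, today, required=REQUIRED_PATCHES):
    """Summarise a fleet: count per state plus the patch success rate
    (share of endpoints with every required patch installed)."""
    counts = {"compliant": 0, "patch": 0, "quarantine": 0}
    for ep in endpoints:
        state, _ = evaluate(ep, today, required)
        counts[state] += 1
    total = len(endpoints)
    counts["patch_success_rate"] = counts["compliant"] / total if total else 0.0
    return counts


# Constructed fleet used for the demonstration.
TODAY = date(2019, 3, 14)
FLEET = [
    Endpoint("ws-01", frozenset({"PATCH-001", "PATCH-002"}), date(2019, 3, 14)),
    Endpoint("ws-02", frozenset({"PATCH-001"}), date(2019, 3, 13)),   # PATCH-002 missing, 4 days exposed
    Endpoint("ws-03", frozenset(), date(2019, 3, 14)),                # PATCH-001 missing for 13 days
    Endpoint("ws-04", frozenset({"PATCH-001", "PATCH-002"}), date(2019, 3, 1)),  # has not called home
]

if __name__ == "__main__":
    for ep in FLEET:
        state, detail = evaluate(ep, TODAY)
        print(f"{ep.hostname}: {state} {detail}")
    print(fleet_report(FLEET, TODAY))
```

The quarantine decision is deliberately driven by exposure time rather than raw vulnerability count, which is the distinction that turns a list of 250,000 findings into a prioritised queue; a fully patched machine that stops reporting is also quarantined, because a state that cannot be verified cannot be guaranteed.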


Talking about Risk Rather than Security

CipherTechs approaches the operationalization of security policies by changing the terms of the discussion between business, IT and security stakeholders. For Sandy Bacik, Global Risk Assessment Manager at CipherTechs, making security operational starts by talking about risk rather than security. “Business people understand what security is,” Bacik said. “However, it’s still fairly abstract. Risk, on the other hand, is real. People are a lot more interested in learning how they can keep the company’s money safe—as well as their own salaries, bonuses, stock options and so forth—than in counting things like the number of firewalls they have installed.”

Sandy Bacik, Global Risk Assessment Manager at CipherTechs

The CipherTechs approach involves discovering business goals and finding opportunities for sustainable risk management. “We look at behaviors and beliefs that are important to the client,” Bacik added. “We approach risk mitigation through the lens of a company’s business priorities, factoring in seemingly invisible issues like informal culture and decision making practices.”

From this understanding, which Bacik calls a “charter,” CipherTechs is able to devise a risk management plan that might include any number of solutions and services the company offers. CipherTechs works with clients on operationalizing security policy through audit, professional services, pen testing, team augmentation, user awareness training and compliance programs for regulations like PCI. They often employ a Six Sigma approach in the process. “We like to go deep,” Bacik said. “That’s really the only way to do this right.”



Finding People Who Can Do the Work

Technology-driven as it might seem, the realization of cyber policies is an inherently human process. And, as we all know, trained cyber security people are in short supply. One solution is to make existing employees more aware of their role in enforcing security policies. That’s what a company called Global Learning Systems does. They raise awareness of security issues and train people to become part of what they call a Human Firewall.

Another solution is to help the educational system produce more people who can do cyber security work. This is one of the focus areas for Ireland’s Industrial Development Authority (IDA). IDA Ireland has the goal of attracting foreign investment into Ireland. According to Aidan McCauley, VP of Technology Investments at IDA Ireland, tech and cyber security are attractive categories for foreign companies that want to build facilities in Ireland. What’s needed, though, are people.


McCauley has focused on establishing an ecosystem, one that comprises universities, private businesses and government-funded research foundations, to produce people trained for tech careers. “We are trying to take the initiative now to have the people we will need in five years,” explained McCauley. “It won’t work to wait five years and then figure out who we need to train.” IDA Ireland is succeeding in expanding the ranks of Ireland’s cyber security professionals. Though the intent is to attract investment, the process also results in more people being available to work in industry executing cyber security policies.

Making Frameworks Part of the Operationalizing Process

Richard P. Tracy, Senior Vice President and Chief Security Officer of Telos, has come to a different conclusion. After decades in cybersecurity, during which he has worked on some of the most sensitive national security projects, he believes automation is the way to operationalize policy. In particular, he sees automation as the best path to implementing the various frameworks that dominate security practice.

Richard P. Tracy, Senior Vice President and Chief Security Officer of Telos

Tracy points to the popular Risk Management Framework (RMF) as an example. “People get numb to RMF,” he said. “What is RMF, really? It’s a dozen or more documents, a foot of printouts. From that, you have to figure out how to make it work as a program. A lot of security managers think, ‘no thanks,’ but they have no choice in the matter. That’s not a good formula for success.”

Instead, Telos clients use its Xacta solution to automate RMF compliance. “It’s a bit like TurboTax, but for cybersecurity,” Tracy added. “You use wizards and preset workloads to set up your digital assets into RMF. From there, you can establish that your controls are in place and monitor them continuously.” Xacta also works with FedRAMP and NIST frameworks like SP 800-171.


Operationalizing security policy is undoubtedly one of the industry’s great challenges today. Yet, as challenges emerge in the field, so do solutions. As these companies demonstrate, innovation and common sense can make a difference when it comes to realizing cyber policies in operational terms.

Photo Credit: OIST (Okinawa Institute of Science and Technology) Flickr via Compfight cc