If you are like any of the security leaders with whom I typically speak, you face (at least) the following burning problems:
- A security compromise cannot happen on my watch!
- If I invest resources in a particular security approach – whether it be people, products, process, or a combination of all three – how do I know that it will pay off to actually deliver on my goals?
Does this sound like you? If so, I’m here to help!
Extrapolating key learnings from more than 14 years of security research, including hacking everything from cars to medical devices to Internet of Things, my upcoming session at next month's CSX North America conference will transform you into a more empowered sentinel, capable of implementing a robust and capable security mission. To deliver this transformation, I will outline a three-phase action plan, complete with concretely actionable steps to help you accomplish your mission.
Phase I: GRASP
Most leaders think security is about activity, when actually it is about integrity. Many organizations approach security by just beginning to take action, chopping down the many tangible milestones that need to be addressed in order to arrive at a secure posture. While many of these activities are indeed important, before appropriate action can be taken, an organization must first understand what it needs to accomplish and why. Far too often, organizations want to jump right into the doing, without first performing the planning. As the Cheshire Cat so wisely stated in Alice in Wonderland: “If you don’t know where you are going, any road will take you there.” The purpose of the GRASP phase of the action plan is to define exactly where you are going, why that direction is important, and how you will approach pursuing it. During my address at CSX North America, I’ll elaborate on this concept, exploring the key facets of this action plan, including:
- Define Your Goal
- Understand the Business Context
- Implement Threat Model
Phase II: ASSESS
Most leaders think security is about process, when actually it is about dedication. Many organizations stumble into what I refer to as “the compliance trap,” wherein the organization seeks to outline a prescribed list of controls and then certify how compliant they are with this framework. However, such checklist-oriented security models are inherently flawed because they do not account for the nuances and other characteristics unique to that organization; thus, even a “compliant” system will have gaps in its security posture. Instead, organizations should focus not on process-based compliance, but rather should focus on dedication. This requires an organization to truly understand the reality of how their system might be attacked, identify exploitable vulnerabilities, and determine how to remedy those flaws. During my address, we will examine key actions to this phase, including:
- Break Security Features
- Chain Vulnerabilities
- Strategize Mitigations
Phase III: ADAPT
Most leaders think that security is about achieving a “clean bill of health,” when actually it is about education. Organizations commonly have a desire to obtain a record that states their system to be free from security flaws, which they can then use for marketing and sales enablement purposes. However, this thinking assumes security to be static, when in fact security is dynamic. Attackers evolve, attack methods are innovated, market conditions change, and technology iterates. All of these evolutions fundamentally change the threat model and attack landscape, requiring an organization to adapt accordingly. To be effective, organizations need to be constantly educating themselves, learning, and evolving. During my address, we explore the core facets to this phase, including:
- Reassess System
- Study Attack Evolution
- Update Security Models
Author’s note: If you believe that it is important for you to acquire tangible guidance that will enable you to make a meaningful impact on your security mission, then I hope you’ll join my session, “Flatlines For Show, Exploits ‘Oh’ No!,” at CSX North America on 15 October. My purpose is to empower others to make such an impact. I’ll be telling stories, showing attack demo videos, and equipping you to be successful!