How CISOs are adapting after the biggest IT outage

Cyber security Cloud computing blue abstract digital binary code background. Innovative technology and Artificial intelligence concept. New futuristic system technology symbol. Vector illustration.
(Image credit: Shutterstock / MiniStocker)

As the dust begins to settle on the outage that affected approximately eight million computers running the CrowdStrike Falcon software for Windows, one of the long-lasting effects will be a new level of scrutiny on the risks any piece of software brings to an organization’s operations. Together, IT and security leaders are tasked with helping leadership understand how risk management is a business priority, and the CrowdStrike outage has put a huge spotlight on just how impactful this area can be.

As we look at the role CISOs will play in this, it will be in reviewing how cybersecurity fits into their business continuity plans and demonstrating to their boards and executives what plans are in place for their own organization should something like this happen again. CISOs can help guide these conversations by focusing on the key areas that are likely to come up with leadership: availability, consolidation and automatic updates.

Ken Deitz

CISO, Secureworks.

Availability is Still Fundamental to Cybersecurity

Many CISOs will remember learning about the old (by cybersecurity terms) initialism CIA — confidentiality, integrity, and availability. While some dismiss it as an antiquated standard in today’s complex environments, it is evident from recent events that availability is still a fundamental aspect of your strategic plan.

Availability on a day-to-day basis is typically a focus of an organization’s IT team, but it is the CISO’s job to bring the risk lens to it and help the organization manage those risks. This encompasses not just managing availability of data for your organization, but also managing the availability of services you subscribe to from the various vendors and software that is provided. In essence, CISOs must balance the focus on availability with the broader context of the organization's risk profile.

While availability is not a new risk area, the CrowdStrike incident has upleveled key questions such as “how available do we need these services? How much risk do we want to assume here? What are our plans should a major vendor or provider in the supply chain have an event like this?” The CISOs role is to think systematically through the risk tradeoffs that an organization is willing to make, and then work with the operations team to understand those risks and tradeoffs so that they can response effectively if a disruption occurs. The CISO needs to work with the risk team, executive management, the board, and business leaders to understand those risks and create a unified response.

A recommended first step is to review your business continuity plan and ensure you have a disaster recovery plan for a major availability outage or other such Black Swan type of an event. These plans should include "boots on the ground" responses for critical systems, as remote access may not always be guaranteed. The plan must answer questions such as how would you deal with having to manually address each device in your organization to provide a fix? Which ones would you do first, second, third? Do you have sufficient staff to fix the issue or budget (and authority) to hire people to help expedite the process? How would you communicate the plan when everything is offline? CISOs need to be going over this plan with senior leadership and the Board to help everyone understand the plan and their role during and after an event.

Weighing the Pros and Cons of Consolidation

Vendor consolidation has been a hot topic, and there are many good reasons for it, but it doesn’t come without risk. Remember that risk management involves carefully balancing necessity, efficiency, and cost without over-concentrating resources into a single area. When CISOs look at their key technology providers, they must think through how much risk is acceptable both from a design and implementation perspective? 

That is why a lot of energy is put into the design portion of architectures, as CISOs must think through the risk and response plan if a major software provider in their supply chain could cause an outage. Is that risk more manageable in a Linux environment, for example? Organizations may be constrained by budget, expertise, and historical investments around what technologies are able to be deployed and operated. CISOs should be familiar with these constraints and communicating and managing the risks that come with them.

In the case of redundancy and reducing single points of failure, CISOs may opt to use more than one vendor for the same service. Others may seek to deploy multiple layers of defense or diversify their solution portfolio through a more open, integrated architecture.

When an organization’s revenue is tied to availability and cost isn't a hurdle, then it may make sense to have a certain level of redundancy in vendor solutions. But for many organizations there will be secondary costs and concerns to contend with. Diversifying isn’t just about one piece of software, it’s about how one change affects everything in your technology stack. The risk tradeoff for the added complexity may not be worth it for many organizations, not to mention the costs involved with having two sets of software providing the same service — that’s two different licenses, two sets of developers, and two systems to manage. Are decisions like doubling one’s infrastructure costs as a risk strategy something that most companies can take?

Review Automatic Updates

How organizations choose to handle automatic updates may possibly be one of the biggest debates that we see moving forward. Vulnerabilities are still a primary attack vector for cybercriminals, and organizations still need to keep their software up to date. We can expect to see a variety of strategies for how an organization implements software updates based on their risk profile. This could include phased rollouts, delayed rollouts or some combination based on the software and risks.

Like all major events, it will take time for the lessons learned to emerge, but CISOs can expect the topics of availability, consolidation and automatic update policies to take center stage in the immediate future. It’s important to remember that even during unprecedented events, the fundamentals of risk management don’t change. Take this moment to help leadership understand how cybersecurity relates to overall business risk and the need to align efforts to elevate the organization’s overall risk management posture.

We've listed the best network monitoring tools.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

TOPICS

Ken Deitz, CISO, Secureworks.