Andy Ulrich, Head Of Security for Ericsson North America, spoke on the unprecedented proliferation of security hacks—including some less than a month old—and the increasing demands made on security.
Ulrich began his talk at the 2016 Chief Information Officer Leadership Forum held in Dallas on February 24 with an overview of security trends that illustrate the absolute need for the CISO to stay current on all new methods of attack.
Lest anyone in security feel over-confident, Ulrich reminded us: “If you say something is unhackable, that’s pretty much the last thing you say right before you get thoroughly hacked.”
If you say something is unhackable, that’s pretty much the last thing you say right before you get thoroughly hacked.”
Security is an old problem, but it comes with some new twists, observed Ulrich. “Lockmakers in the nineteenth century worked underground, selling the secrets of how to unlock the very devices they manufactured.” The increasing use of convergence devices creates dozens of new ways to breach systems. A potential phishing scenario illustrates this:
An employee using a company machine on a home wi-fi network falls for a phishing scheme and downloads some ransomware, which is designed to look for a shared drive. Before you know it, the finance department, which has all its data on a shared drive, has been encrypted, and a shadowy figure who might be half a world away is making demands of the company if it wants the decryption key. Ulrich’s takeaway from this horror story? “Ransomware is about a three-year-old problem and it’s growing rapidly. It keeps expanding because it works.”
“Ransomware is about a three-year-old problem and it’s growing rapidly. It keeps expanding because it works.”
CISOs must be able to communicate with everyone from the board to IT engineers, and, especially, auditors. “With the exception of finance, security people talk to auditors more than anyone,” Ulrich pointed out. CISOs must be able to put out a message to the rest of the company that results in a change in behavior.
It’s not a question of if a breach occurs but when, said Ulrich. “CISOs know they can’t create the un-pickable lock, so they want to know when someone’s come through the door so they can throw them out.”
Ulrich emphasized that the CISO should never try to quantify the cost of a breach. Case in point: To this day, Target still hasn’t been able to say how much their infamous breach cost them. There are too many intangibles in the quest to enumerate assets lost, brand damage, and customers and revenue lost. Third-party cleanup of the network is only a small part of the cost of a breach.
A creative CISO will think about who the likely attackers are: nation states, crime rings, and groups politically or otherwise motivated. The Sony hack of late 2014 blurred the lines, since it had signs of more than one attacker, and that might be a trend for the future, observed Ulrich. Creativity with resources probably means that time should be spent customizing what a company already has. “Instead of getting new things, go deeper with what you already have.” And remember: An annual, online training course is probably ineffective for anything other than getting employees not to click on that all-too-common phishing link.
Despite the threats, Ulrich is optimistic. “Given all the threats we’re facing, I still believe that CISOs can be effective.”
“Given all the threats we’re facing, I still believe that CISOs can be effective.”
Visit Argyle Executive Forum's 2019 CISO Leadership Dinner: Build or Buy? Integrating Advanced Capabilities into your Security Program in Boston, MA on Feb 28, 2019