Ben Johnson on Communicating Security

LIFARS question and answers session with cyber security experts, Where,who,when,how,why,what

Ben Johnson is the co-founder and chief security strategist for Carbon Black. With a number of years working on U.S. national security missions and writing complex calculation engines for the financial sector, Ben has developed a respectable standing in the security industry. LIFARS asked Ben to take some time to give us some insights on how security should be communicated.

LIFARS: What have you found are the best forms of communicating within an organization?

Ben: There’s no right answer, but there are certainly ideas that can help when it comes to communicating security best-practices, policies, and resources internally. It’s a two-pronged approach, with both a figurative air and ground war. First, leadership must communicate that security matters and just as importantly leadership must model the way. If the executives aren’t following policies or are getting lots of exceptions, why would they expect the employee population to just jump right in with open arms when new security procedures are implemented?

Secondly, the ground war is really more communication at the team-level. If you want security buy-in, you must get champions within business units and empower them with not only the what or how security is being implemented, by the why as well.

Finally, as a bonus, I would say make security more of a perk. Everyone, or at least almost everyone, is concerned with security at some level. Whether they are worried about their home PC getting hit with ransomware, or their photos being leaked, or someone accessing their child’s medical records, security can be a personal issue. If you make training and awareness incorporate how your staff can improve their cyber defense posture at home – personal phones, gmail, password managers, securing wifi, etc, then it’s received much more easily than if it feels like it’s yet another corporate training program.

LIFARS: What is the next step in security in relation to human factors and technology?

Security cannot rely solely on technology – we’ve seen how AV doesn’t work. Security also cannot rely on humans who aren’t armed with technology – they need tools to process data, mitigate threats, and eradicate attacks. So it’s all about blending humans and technology – I like to give the analogy that we send in special forces and arm them with sophisticated weapons, communication equipment, and vehicles – cyber defense is similar.

Going forward, there are three avenues I would like to see technology advance in when it comes to humans. First, security tools, platforms, intelligence, all have to make those human cyber defenders more effective. The faster that person can do her job, and the more conclusively she can be when responding to and remediating an attack, the better for the entire organization. It’s about empowering that team. Technology is already trying to do this, but it can always do more and hopefully will.

Secondly, I would like to see more feedback loops at the security program level. Too often the CEO doesn’t know how well his CISO and team are doing – are they stopping more attacks or just getting attacked less? What’s being measured? Is there a way to have a feedback loop to know that where the energy is being spent it is being effective? And on that note, from a budget perspective, can technology help us better understand which products, which threat feeds, or even which people are truly adding to our defenses. Just because something alerts a lot doesn’t mean it is adding a lot of value and conversely, something that doesn’t alert a lot might still be adding value. It’s not easy to measure today so hopefully technology continues to improve in this area.

Finally, I would love to see technology enable the entire organization to improve security posture. Security is a team sport, but most of the “players” aren’t really involved, aren’t coached enough, and really aren’t “in the game”. What I mean here is I would love to see technology have a more micro-level feedback loop. Take endpoint security technology for an example. When that user clicks on that link for phishing, and then gets hit with malware, it would be very beneficial if right away that technology told the user, “This is bad, here’s why, here’s what you did, and here’s what to watch for next time.” It would be instant learning and improving for each attack so that it starts informing user behavior in much more real-time. That would be neat and I hope we as an industry get there soon.

LIFARS: You speak on the phrase, “Unite or Die,” and go into detail in different articles, but if I were to ask you to speak of the core of the idea in a few sentence, what does it mean?

Ben: Nothing in your security program can operate in a silo. We are inundated with too many attacks and have too much risk for systems to try to work on their own. And it’s not just systems, it’s people too. When I say Unite or Die, I really mean you need technology to enable your humans to do more, your humans need to work more closely together, your technology pieces need to work together in a more automated way, and then our teams across organizations need to inform each other through intelligence and best-practice sharing. Sounds easy, doesn’t it? In all seriousness though it’s looking for ways that technology can save humans time, for ways where technology can be integrated to make one plus one equal three, and for ways to share information, tactics, and knowledge with less friction outside of the org. The teams I’ve seen take these concepts are doing incredible things without a lot of headcount.

LIFARS: If you were speaking face-to-face with a CEO of a fortune 500 company on their security structure, how would that conversation go?

Ben: One of the biggest lessons I’ve learned with speaking to over 600 organizations is that the size of the company or the popularity of the brand is not correlated to the size of the security team or how much security is a priority. This really surprised me. Having said that, if you’re in the Fortune 500 it’s likely you are thinking about security, you probably have a CISO, and you likely are already or at least thinking about splitting up security and IT. This is good.

Having said all that, I would ask the CEO how he or she is measuring how the security team is doing. After all, if you don’t measure something you can’t optimize it, so measurement has to come first. The feedback loop we talked about earlier, is this investment in the CISO, the people, and the technology actually making you safer? So I would press there, and I’m guessing I would not get great answers.

From here I would ask two main questions:
1) How are you finding and retaining the cyber defenders on your team?
2) How are you embracing security as part of your corporate culture?

You can tell from my questions that I believe people are really the foundation of the security program, even despite me working for a security product vendor. Technology is worthless without the right people, so the CEO needs to have a good answer for #1. The second question is all about leverage. It’s about incorporating what is occurring in the environment, what knowledge exists on the team, and what the current risk is to the organization and getting everyone to contribute – like I said before, a team sport. I think these days leadership at most organizations, especially large ones, knows that these are some of the most important questions they should also be asking, but it’s still debatable if the answers to these questions are adequate.

LIFARS:To finish up, if you had to cut the budget, what is the top priorities that should remain to maintain a security “backbone?”

Ben: People would remain. And by people I mean good people. Like many technical fields, a great person is worth many good or average people, so I would make sure that a good core team is maintained. More than most fields, security also seems to have a lot of loyalty where if the strong security leader leaves, the entire team follows. So you have to make sure security leadership is strong and happy.

From here I would look at my products and see what’s actually adding value. I’m completely biased toward endpoint, but I would try to focus on the endpoints themselves because wherever a user travels they will have their laptop and therefore need some protection. So I would try to push the defenses as close to the human activity as possible. From here I would try to leverage some open source network monitoring tools, possibly look at open source log analysis systems like ELK, and attempt to pull in as much open source intelligence as possible.

Finally, I would campaign and work on internal diplomacy. If the IT team can create more consistency, less entropy, then it’s better for all of us. By this I mean how close to a gold image can our employees stay – can we remove admin rights, whitelist what domains and sites can be reached, and remove permissions to critical systems from all by the most required users. This is where you really improve security through IT.

One extra item I will add is that I would try to get other departments who request budget to add line items for security. For example, if marketing is trying to subscribe to a new cloud-based analytics system, I would ask that they request some budget for cloud access control or auditing or “something” that will help me do my job.

Contact Ben Johnson on LinkedIn.