Protecting against and mitigating threats to the attack surface involves lots of complexity. Knowing who has a role to play in the entire cybersecurity process is vital.
The question of ownership and responsibility came into focus again with the news that the Securities and Exchange Commission (SEC) is targeting certain SolarWinds current and former executive officers and employees for violating federal securities laws during a 2020 high-profile cyberattack. The potential civil enforcement actions stem from the SEC’s investigation into violations related to cybersecurity disclosures and public statements. The SEC was also looking into SolarWinds’ internal controls, as well as its disclosure controls and procedures.
To better understand who’s truly responsible for cybersecurity, what’s the role of CISOs in the process, and more, I sat down with Axonius CISO Lenny Zeltser. Snippets from our conversation are included below.
Kathleen Ohlson: At a recent roundtable I attended, there was a discussion around who owns security. Does it go beyond cybersecurity professionals? Who has a part in ownership?
Lenny Zeltser: So the first question is what does it mean to “own” something? I think that's important because the answer to the question will ultimately depend on your opinion of what it means to “own”. And perhaps what I would say if this were a panel discussion is that the word “own” is not the right word.
Ohlson: So what is the right word?
Zeltser: I think a more nuanced way of phrasing it is who has which responsibilities for security? At an organization, security responsibilities are spread across multiple stakeholders. That is because you have more executives and leaders with security in their titles. You might say that's what it means to own security. You’re the person, the executive of the company, who spends most of their time thinking about security, but owning something isn’t the same thing as thinking about something.
Ohlson: Needless to say, CISOs fall into that category. How would you describe their role? How do their responsibilities fit within an organization?
Zeltser: We're concerned about security because we don't want security breaches. We don't want the data to be stolen, modified, or abused in some way. Under what circumstances might these incidents occur as a result of poor decision-making or failure to take action that created a gap that allowed somebody to do the bad thing? And most of the time, those gaps are not made by anyone with security in their title. They are made by people who do the work — whether consciously or unconsciously.
That's why the CISO in most cases is not the party that owns security. Again, if I rephrase the question, who has what responsibilities? Clearly, the CISO has some responsibilities. Otherwise, we can just wash our hands and say nothing is our fault. We're just there to point out problems.
But what are our responsibilities? The responsibility of a CISO is typically to create a security program, manage the security program and, in most cases, continuously improve it.
Ohlson: What goes into a security program?
Zeltser: A security program is a set of processes that involve technology and people that allow the organization to ensure it's handling data properly. It also helps ensure the right risks are recognized and accounted for. People understand what their responsibilities are in the security program. They know when to ask for help and whom to ask. And it’s the existence of this framework program, in my mind, that allows the company to make the right decisions and reach its business objectives while thinking about security.
So if people make a risky choice – let's say they decide to share a file with a third party and it winds up on a public web server where anyone can find the file – is that the CISO's fault? I’d say only if there wasn’t a program that allowed the organization to educate people about how to safely transfer data.
But the day-to-day decisions, the risks that people take, how they decide, what risk is acceptable or not, that's not for the security leader to control. But it is the responsibility of the security leader to create a program within which those decisions are made.
Ohlson: You just mentioned the security process. I was thinking about managing SaaS applications. Employees are relying on more and more SaaS applications every day. But sometimes, they may use a SaaS app without approval. Their intentions may be well-meaning for business reasons, but it can open a Pandora’s box when it comes to security issues. What about a situation like that?
Zeltser: The thing is, sometimes you can look at a decision and decide it was a reasonable decision. Ultimately, when you second guess or revisit a decision after an incident, people look at that and say, “Look, people need to take risks to live and to work.”
And so there are many aspects to creating a security program that educates people to make reasonable decisions. But also perhaps there are ways in which their risky actions can be minimized.
For example, Zero Trust involves narrowing the scope of trust. So when something bad happens, you contain the scope of the resulting incident. If an employee can log into the server environment and have access to everything, every single server — that’s risky.
But if you configure the network so that they only get access to a single server that they need, then even when they make a risky decision to install untrusted software on their laptop, that decision is theirs.
But the decision not to contain which systems are accessible once the person is logged into the network? That's somebody else's decision. That was probably a decision by whoever is managing the network.
So again, we're not thinking in terms of blame. We're thinking in terms of lessons learned from an incident and what we can do better next time.
Ohlson: This is really helpful. I think there’s a misperception that one person is responsible for security.
Zeltser: Yes, I believe so. People are adjusting their understanding of what the security leader can do.
Because if you place unrealistic expectations on the security leader, you're bound to be disappointed. The security leader cannot tell others outside of his or her department what to do. It's as simple as that.
And so they have an incentive to remind people and nag them, to give them metrics, to educate them, to give them feedback. Ultimately, it's the business stakeholders that make decisions. Hopefully, they’ve listened to input from security experts. It is those that make the decisions that should be accountable for the positive or negative effects of their decisions on the business.
So again, it's the idea behind a security program that allows for the right decisions to be made, the responsibilities to be communicated, and clarifies who does what. We need to understand what responsibilities security has, but also what responsibilities everybody else has.