<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Vanessa Pegueros, Author at Security Current</title>
	<atom:link href="/author/vanessa-pegueros/feed/" rel="self" type="application/rss+xml" />
	<link>/author/vanessa-pegueros/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Wed, 03 Jan 2018 02:17:31 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Vanessa Pegueros, Author at Security Current</title>
	<link>/author/vanessa-pegueros/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>The Human Element of Incident Response – Part Four</title>
		<link>/the-human-element-of-incident-response-part-four/</link>
					<comments>/the-human-element-of-incident-response-part-four/#respond</comments>
		
		<dc:creator><![CDATA[Vanessa Pegueros]]></dc:creator>
		<pubDate>Wed, 18 Jan 2017 03:31:53 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16315</guid>

					<description><![CDATA[<p>There is an extraordinary amount of money and time spent on detection and response relative to cybersecurity, and much of this conversation is technology focused.  In this series of articles,&#8230;</p>
<p>The post <a href="/the-human-element-of-incident-response-part-four/">The Human Element of Incident Response – Part Four</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>There is an extraordinary amount of money and time spent on detection and response relative to cybersecurity, and much of this conversation is technology focused.  In this series of articles, DocuSign CISO Vanessa Pegueros explores a different aspect of incident response — the human being. She asserts that people ultimately orchestrate incident response and the care and development of employees should be at least as important as the development of technology, and she offers items to consider relative to developing the human elements of incident response.</em></p>
<p><a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/the-human-element-of-incident-response-part-one">Read Part One</a></p>
<p><a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/the-human-element-of-incident-response-part-two">Read Part Two</a></p>
<p><a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/the-human-element-of-incident-response-part-three">Read Part Three</a></p>
<p><strong>Part Four – The Board’s Role in Preventing Level-One Response</strong></p>
<p>As I mentioned in article one of this four-part series, the typical response to a security threat, incident or breach is the Four D’s: Denial, Damage Control, Defend and Deflect.</p>
<p>I contend that executives/board members are not immune to this response and may in fact be operating at a Level One response (reptilian response mode) when the company encounters a crisis situation. In this final article, I will explore the impact of a breach on Executives/Board members and offer recommendations for CISOs/CIOs who communicate with them.</p>
<p>In the current environment of cyber threats and corresponding breaches, a common response at the executive-level is a knee-jerk reaction to terminate the highest-ranking executive anointed to “take the fall.” With any high-profile breach, tension lurks while anticipating when the CISO/CIO or another executive is going to “quietly disappear.”</p>
<p>Sometimes it is not such a quiet exit, as in the cases of Sony and Target. “In a Feb. 12, 2015 article from the Huffington Post, Amy Pascal, former CEO of Sony, openly admitted that she was fired as a direct result of the December 2014 breach.”  (<a href="http://www.csoonline.com/article/3040982/security/data-breaches-often-result-in-ceo-firing.html?page=2">http://www.csoonline.com/article/3040982/security/data-breaches-often-result-in-ceo-firing.html?page=2</a>)</p>
<p>While dismissing an executive is possibly warranted, I don’t believe enough consideration is given to the grave impact this can have on an organization and the trauma it introduces. Employees now have the stress of responding to a security incident as well as worrying about their own job security.</p>
<p>Additionally, the aftermath promotes a heightened fear of making mistakes, which leads to stifled innovation and over-reliance on doing things the way they have always been done. This quite possibly is the perfect formula for another breach.</p>
<p>Another reactive response is to hastily throw money at technology in order to solve perceived problems. But looking at technology in a vacuum without first addressing people and process issues is fiscally irresponsible. Instead, new security tools should be the very last action taken, and should be thoroughly vetted prior to purchase.</p>
<p>Furthermore, when it comes to security tools, organizations tend to transfer blame to the vendors and the perceived failure of their tools. In my experience, failure occurs with how the tools are implemented, rather than with the tools themselves.</p>
<p>I believe Executives and Board members should have training to understand how their own responses to security incidents and breaches systemically affect the organization. These are opportunities for leaders to truly promote a calm response that promotes organizational learning and resilience.  With a more proactive approach, the Executive team and Board can govern risks more effectively.</p>
<p>As noted in a <a href="https://www.forbes.com/sites/ericbasu/2014/06/15/target-ceo-fired-can-you-be-fired-if-your-company-is-hacked/#57c594497bc1">Forbes article</a>: “Many times CEOs and their C-level reports are frustrated because of the lack of appropriate training for them to determine, at the executive level, what the real risk to their company is. They don’t want to get into the technical details of what the <a href="https://www.forbes.com/sites/ericbasu/2014/04/11/heartbleed_five_steps_to_protect/">Heartbleed</a> bug does, for example, but they do want to be able to quantify in their mind what their risk is.”</p>
<p>One of the most critical things leaders can do when a security incident or breach occurs is to promote organizational learning and continuous improvement. In the case of the TalkTalk breach, the CEO was clearly expressing a desire to learn from the incident.</p>
<p>Harding (<a href="http://www.executivegrapevine.com/board-leadership/article/2015-10-26-talk-talk-ceo-admits-she-could-have-done-more-to-stop-cyber-attack">TalkTalk CEO</a>) noted: “In some ways I would love to say this is just a TalkTalk issue, I&#8217;d love to believe this is just us – but it isn&#8217;t. Do I wish I&#8217;d done more? Of course, I do. But would that have made a difference? If I&#8217;m honest, I don&#8217;t know.”</p>
<p>In my opinion, after the incident is contained and properly communicated, the next critical step is to conduct a “lessons learned” exercise at the board level with all key leadership. The exercise should focus on the organizational process and communication improvements that must be implemented moving forward.</p>
<p>At a minimum, the exercise should cover:</p>
<ul>
<li>Risk management process and the reporting around that process – were the security risks properly communicated to the executives and the board?</li>
<li>Vulnerability management process – did the organization support the timely resolution of critical vulnerabilities, and were they effectively communicated to the organization?</li>
<li>SDLC process – was security properly addressed in the development process?</li>
<li>Incident response process – did the organization respond in a manner that minimized the impact to the organization?</li>
<li>Third party supplier management process – did the organization understand the data residing with their suppliers and how it was protected?</li>
<li>Communication plan – did the organization follow a clear communication plan and were there opportunities for improvement?</li>
<li>Security technology strategy – what gaps in the tool set contributed to the breach, what is the tools rationalization process, and are existing vendors delivering as committed?</li>
</ul>
<p>From this board-level “lessons learned” exercise, leadership can create a program to make improvements across the organization. I would argue that the leadership team best positioned to implement this program is the one that was at the helm when the incident/breach occurred. Accountable people become completely invested in bringing about successful resolution when they realize they were on point when the incident occurred.</p>
<p>Therefore, I believe that terminating leadership because of a breach is an ineffective and counterproductive response, often contributing to an organization operating long term at the <a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/the-human-element-of-incident-response-part-two">first level of reptilian response</a>.</p>
<p>What organizations need most are passionate and accountable people who understand the environment and can lead the effort of organizational learning and improvements, especially in times of a crisis.</p>
<p>In conclusion of this 4-part series:</p>
<ul>
<li>Automation is needed to move our security teams out of level 1 response</li>
<li>Integration and ongoing practice of the incident response process are critical to creating the organizational muscle memory needed for efficient incident response</li>
<li>A clear and predefined communication plan enables the effective execution of process</li>
<li>The Board and Executive management should lead the way toward a culture of resilience and organizational learning</li>
</ul>
<p>The post <a href="/the-human-element-of-incident-response-part-four/">The Human Element of Incident Response – Part Four</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/the-human-element-of-incident-response-part-four/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Human Element of Incident Response – Part Three</title>
		<link>/the-human-element-of-incident-response-part-three/</link>
					<comments>/the-human-element-of-incident-response-part-three/#respond</comments>
		
		<dc:creator><![CDATA[Vanessa Pegueros]]></dc:creator>
		<pubDate>Mon, 14 Nov 2016 04:21:29 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16323</guid>

					<description><![CDATA[<p>There is an extraordinary amount of money and time spent on detection and response relative to cybersecurity, and much of this conversation is technology focused.  In this series of articles,&#8230;</p>
<p>The post <a href="/the-human-element-of-incident-response-part-three/">The Human Element of Incident Response – Part Three</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>There is an extraordinary amount of money and time spent on detection and response relative to cybersecurity, and much of this conversation is technology focused.  In this series of articles, DocuSign CISO Vanessa Pegueros explores a different aspect of incident response — the human being. She asserts that people ultimately orchestrate incident response and the care and development of employees should be at least as important as the development of technology, and she offers items to consider relative to developing the human elements of incident response.</em></p>
<p><a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/the-human-element-of-incident-response-part-one">Read Part One</a></p>
<p><a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/the-human-element-of-incident-response-part-two">Read Part Two</a></p>
<p><strong>Part Three &#8211; Preventing Level One Trauma During Incident Response</strong></p>
<p>In my previous article, I discussed the human response to dangerous and life-threatening situations.  As a part of researching this topic, I have read numerous books and articles related to human trauma and how humans respond to trauma, authoring a paper published in sans.org entitled, “<em>Lessons Learned from the Treatment of Trauma in Individuals and Organizations Under Repeated Cyber Attacks</em>.”</p>
<p>A key takeaway from my research is that without an effective escape from the dangerous situation, symptoms of level 1 trauma (reptilian brain response, i.e. fight, flight or freeze) may cause long-term negative impacts. I contend that organizations experience similar effects when facing persistent cyberattacks or a serious breach. Understanding that it is not possible to prevent all potential attacks, what can security leaders do to minimize the impact of trauma for their staff so that they are performing at the optimal level?</p>
<p>The key is to enable your teams to move out of level 1 response into the higher value areas of brain functioning, which include modes such as interaction, thinking, planning and relationship.  Automation is a key enabler to helping teams move and stay out of a level 1 response.</p>
<p>At a high level, the steps to incident response based on NIST SP 800-61 Rev. 2 include: 1) preparation; 2) detection and analysis; 3) containment, eradication and recovery; and 4) post-incident activity. Automation is key to steps two and three.</p>
<p>The security industry is quickly coalescing around the criticality of automation as well as embracing new, emerging categories, such as security orchestration and automated incident response. It is a natural evolution in this space, as many teams struggle with increasing volume and complexity of cyber events and a shortage of qualified incident responders.</p>
<p>As security tools and APIs have matured, there is more opportunity to integrate external threat intelligence (IOCs, hash values, IPs) with internal information (logs, netflow data, malware samples) to provide better automation. The realities of the threats are driving solutions being developed by startups to address these complexities, fueled by venture capital money. But having proper automation in place will allow humans to focus on the higher level processing and stay out of the reptilian response mode, thus preventing any long-term impacts of trauma.</p>
<p>Next, CISOs should focus on developing capabilities around process and communication related to incident response. CISOs should look at alignment with the incident process of the larger organization, to ensure understanding and training around the process as well as having a strong communication plan in place at all levels of the organization.</p>
<p>Typically, most organizations have an incident response process for functions outside of security, whether in their production operations or within corporate IT. These processes must be integrated as much as possible when developing the security incident response process.  Integration includes the severity rating nomenclature, the SLAs for resolution, and the escalation process and procedures.</p>
<p>Relative to communication, having a predefined approach is important. The communication plan should be well understood, with employees at all levels of the organization trained.</p>
<p>During the incident, the predefined communication vehicles (emails, company website, employee intranet, etc.) must be updated regularly, and employees should be aware of how they will be informed and what they should do with the information. Regular communication to the organization will build the trust of employees and executives and reduce the chance of longer-term traumatic effects on the organization.</p>
<p>If a bridge line is utilized for communication during an incident, a best practice is to establish  two different lines – one for the core incident team addressing the issue, and a separate bridge line for executives. Having two different lines will help the core team perform their duties without the potential involvement of executives that may prove distracting.</p>
<p>Finally, consider the resilience and learning of the organization. Because of the potential magnitude of this trauma, it is important to approach resilience and learning in a comprehensive and holistic manner involving all critical parts of the organization.</p>
<p>The incident response team should extend beyond technical teams, with representation from Customer Care, Marketing, HR, Legal, Public Relations, C-level Executives and the Board. Not every incident will involve every function, but all functions should be trained and ready to respond if needed.</p>
<p>The most effective way to train these groups is to conduct incident response exercises, ideally on a quarterly basis at a minimum. But simply conducting the exercise is not enough –  the lessons learned and associated action items must be incorporated in order to promote organizational learning. Following up on action items is critical to making real change in the process and the organizational approach to incident response.</p>
<p>In my final piece of this 4-part series, I will discuss the role of executive management and the Board relative to this topic.  I will also make some recommendations for improvement by these key organizational leaders.</p>
<p>The post <a href="/the-human-element-of-incident-response-part-three/">The Human Element of Incident Response – Part Three</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/the-human-element-of-incident-response-part-three/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Human Element of Incident Response – Part Two</title>
		<link>/the-human-element-of-incident-response-part-two/</link>
					<comments>/the-human-element-of-incident-response-part-two/#respond</comments>
		
		<dc:creator><![CDATA[Vanessa Pegueros]]></dc:creator>
		<pubDate>Mon, 17 Oct 2016 04:32:58 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16328</guid>

					<description><![CDATA[<p>There is an extraordinary amount of money and time spent on detection and response relative to cybersecurity, and much of this conversation is technology focused.  In this series of articles,&#8230;</p>
<p>The post <a href="/the-human-element-of-incident-response-part-two/">The Human Element of Incident Response – Part Two</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>There is an extraordinary amount of money and time spent on detection and response relative to cybersecurity, and much of this conversation is technology focused.  In this series of articles, DocuSign CISO Vanessa Pegueros explores a different aspect of incident response — the human being. She asserts that people ultimately orchestrate incident response and the care and development of employees should be at least as important as the development of technology, and she offers items to consider relative to developing the human elements of incident response.</em></p>
<p><a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/the-human-element-of-incident-response-part-one">Read Part One</a></p>
<p><strong>Part Two – Recognizing Level One Trauma Within Your Organization</strong></p>
<p>In my previous article, I discussed the need to focus more on the people-related aspects of incident response.  In this piece, I will focus on how the human body responds to dangerous situations and the impacts of long term trauma.</p>
<p>The human body is an incredible incident response system organized to achieve one very critical goal: survival.   The brain is the orchestrator of this survival system and is composed of three key parts.</p>
<p>The most basic level of response occurs at the brain stem level and is known as the reptilian brain.  The reptilian brain is responsible for sensation, arousal regulation, and initiation of movement impulses.  I will refer to this as the level 1 response. The next level, the level 2 response, is the mammalian or limbic level of the brain, which involves feelings, motivation, interaction and relationship. The final level of the brain, level 3, is the neocortex, responsible for thinking, conscious memory, symbols, planning and inhibition of impulses.</p>
<p>In the level 1 response, the sensory input from our eyes, ears, nose, and touch provide information to the thalamus, which passes the information to the amygdala to interpret the criticality of the input.  If the amygdala determines that a bodily threat exists, it sends information to the hypothalamus to secrete stress hormones and initiate the physical response to the threat.</p>
<p>The level 1 response happens in the fastest amount of time and involves the least amount of brain processing, compared with all other response levels. The level 1 response consists of reactions such as immobility, arousal and running.</p>
<p>In cybersecurity, we would like our teams to operate at the optimal level when dealing with an incident. But we must recognize that the incident may actually invoke a level 1 response in some of our team members. So, we must ensure that the long term impacts of the event do not set in for the individuals and that we have, in effect, blunted the automatic and natural level 1 response.</p>
<p>If we do not help manage that experience, some long-term impacts of trauma cited by the National Center for PTSD include: reliving the event, avoiding situations that remind you of the event, negative changes in beliefs and feelings, and feeling keyed up (hyperarousal).</p>
<p>Research by Peter Levine has shown that long-term trauma sets in when the victim is not allowed to successfully escape from the situation (feels trapped) and experiences fear and helplessness.  In cybersecurity, ransomware is a great example of criminals playing on the level 1 response of individuals and organizations. Malware infects a user’s computer and prevents escape by encrypting the user’s data and holding it hostage unless the user meets the demands of the attacker.</p>
<p>And as criminals realize the effectiveness of this attack, the technical sophistication of crypto ransomware makes the victim response more visceral. Criminals invoke the next level of trauma through forms of ransomware like Jigsaw crypto-ransomware, which is engineered to prevent escape and penalizes the victim for not reacting faster in the manner desired by the criminal. The ransomware accelerates the number of file deletions as time elapses until payment is made. This significantly increases fear and helplessness by escalating the consequence.</p>
<p>It is incumbent upon security leaders to recognize when our teams are operating at a level 1 response. Some of the signs include: inaction and not knowing what to do; overreacting and inability to think through the situation; poor communication around actions taken; and inability to develop options to address the problem.  If our teams are operating at a level 1 response mode, they cannot shift to operate at levels 2 and 3, which is where we need them to be in order to deal with the complexity and challenge of today’s attacks.</p>
<p>In the next article, I will discuss some critical elements that must be in place for your incident response programs, as well as preparing your team for these cyber-attacks and incidents.</p>
<p>The post <a href="/the-human-element-of-incident-response-part-two/">The Human Element of Incident Response – Part Two</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/the-human-element-of-incident-response-part-two/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Human Element of Incident Response – Part One</title>
		<link>/the-human-element-of-incident-response-part-one/</link>
					<comments>/the-human-element-of-incident-response-part-one/#respond</comments>
		
		<dc:creator><![CDATA[Vanessa Pegueros]]></dc:creator>
		<pubDate>Tue, 30 Aug 2016 12:54:21 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16339</guid>

					<description><![CDATA[<p>There is an extraordinary amount of money and time spent on detection and response relative to cybersecurity, and much of this conversation is technology focused.  In this series of articles,&#8230;</p>
<p>The post <a href="/the-human-element-of-incident-response-part-one/">The Human Element of Incident Response – Part One</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>There is an extraordinary amount of money and time spent on detection and response relative to cybersecurity, and much of this conversation is technology focused.  In this series of articles, DocuSign CISO Vanessa Pegueros explores a different aspect of incident response — the human being. She asserts that people ultimately orchestrate incident response and the care and development of employees should be at least as important as the development of technology, and she offers items to consider relative to developing the human elements of incident response.</em></p>
<p><strong>Part One &#8211; Introducing Trauma as a Security Concept</strong></p>
<p>It seems the weekly breach announcement has become as common as, yet far less interesting than, the latest episode of your favorite Netflix or HBO series.  Breaches are no longer exciting news and individuals seem resigned to the fact that they will be getting a new credit card issued to them due to a security issue at least once or twice a year.</p>
<p>I recently began to consider why we seem to accept a level of numbness around this seemingly intractable problem.  I was concurrently doing research on trauma and how it impacts humans as well as the techniques to help people recover from their trauma.  Numbness happens to be an effect of trauma, which led me to connect two very different worlds: the world of trauma and the impacts of cyberattacks on organizations.</p>
<p>As I began to explore this further, I was amazed at the high level of correlation between what people experience in trauma and what organizations and their employees experience with a cyberattack.  The similarities aren’t surprising, though. In the midst of identifying and stopping an attack, we tend to focus on technical remediation, but there can be a real impact to employees as well.</p>
<p>The surprising element of the research was the response of the organization under cyber-attack or in a breach scenario and the behaviors “the organization” exhibited.  I uncovered two characteristics of organizational responses:  avoidance and reaction. These are both common responses when an individual experiences trauma.  When defining how organizations avoid and react to the cyberthreat and breach reality, I propose we consider the 4 D’s: Denial, Damage Control, Defend and Deflect.</p>
<p>Denial manifests itself in various forms, like embracing the “it won’t happen to us” belief or refusing to listen to those employees that warn about impending doom (aka the security team).  These types of organizations look negatively upon those who highlight the bad things that could happen. It’s human nature – we don’t like to think about bad things because it invokes fear and anxiety, the entry points of trauma.</p>
<p>Once the bad event actually happens, organizations move to the next phase: damage control.  This often involves controlling communications, suppressing information that might further damage the organization, and beginning the process of finding a way out. We often see messages and behaviors that ensure everyone knows it wasn’t their fault (Defend) and suggest someone else to blame (Deflect).</p>
<p>These both damage the organizational response to the situation. Defending often results in individuals or teams refusing to take any accountability and minimizing their role in the situation.  Defending can also be very passive, taking the approach of innocent victim in hopes of evoking sympathy.  While deflecting, the organization will begin to blame others involved, including suppliers and vendors.  The organization may also deflect to poor processes or the wrong organization structure.</p>
<p>At this point, the organization will typically announce the “fall guy.”  In the case of a breach or a cyberattack, this is often the CISO or CIO.  This reaction is causing more stress and anxiety to security leadership, as they realize they will become a casualty of a broader issue that no one role or leader can solve.   In addition to blaming “the person,” the organization may also deflect to poor processes or the wrong organization structure.</p>
<p>There are also real effects on the employees themselves, including numbness, helplessness, burnout, isolation, paranoia, a “black and white” approach to decision making, rehashing the event over and over, and obsession with attribution.</p>
<p>When I think about how our industry is dealing with the incident response challenges, I hear a lot about technology and how it will solve our problems.  There is no doubt that technology plays a key role in the solution and I will be discussing that in future articles; however, there is an overlooked element here – people.</p>
<p>All of these behaviors and reactions can be explained as we come to better understand how trauma impacts humans. I will cover several topics in future articles, including our current approach to incident response and the ways to improve it based on trauma research. In my next article, I intend to introduce the basics of trauma research and its impacts on people, which are foundational to future articles.</p>
<p>The post <a href="/the-human-element-of-incident-response-part-one/">The Human Element of Incident Response – Part One</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/the-human-element-of-incident-response-part-one/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>A Roadmap for Women to Becoming a CISO</title>
		<link>/a-roadmap-for-women-to-becoming-a-ciso/</link>
					<comments>/a-roadmap-for-women-to-becoming-a-ciso/#respond</comments>
		
		<dc:creator><![CDATA[Vanessa Pegueros]]></dc:creator>
		<pubDate>Mon, 14 Dec 2015 19:16:35 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16472</guid>

					<description><![CDATA[<p>I have been in information security for 14 years and my career has progressed wonderfully.  With more than 20 years of experience managing and leading people, I have identified some&#8230;</p>
<p>The post <a href="/a-roadmap-for-women-to-becoming-a-ciso/">A Roadmap for Women to Becoming a CISO</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>I have been in information security for 14 years and my career has progressed wonderfully.  With more than 20 years of experience managing and leading people, I have identified some key areas of interest, including leadership and organizational development, and how to build outstanding teams.</p>
<p>As women are underrepresented in information security, I often get asked for guidance from those women seeking to grow in the field. When women ask me, “How can I be successful in information security,” I view it as a leadership development opportunity.</p>
<p>Women face different challenges than their male counterparts when it comes to leadership development, and therefore require a different approach for success.</p>
<p>There are strengths that women more naturally exhibit, including:</p>
<ul>
<li>Collaboration and communication</li>
<li>Ability to multitask and manage very diverse issues</li>
<li>Tendency to connect with and develop others on the team</li>
</ul>
<p>One area in enterprises where these skills are evident, and to which women tend to gravitate, is Governance, Risk, and Compliance. These are great qualities and necessary attributes in all departments, and specifically in information security.</p>
<p>But for women starting out their careers in information security and who aspire to climb the corporate ladder, I would not recommend looking to jobs that emphasize the aforementioned skills from the outset.</p>
<p>Instead of focusing on those areas for your first jobs in information security, I would recommend you seek roles that build your technical skills, as this will provide the foundation and credibility you will need later as a Chief Information Security Officer.</p>
<p>CISOs must have baseline technical skills to be effective. They must be able to explain to the Board and C-Suite complex topics such as advanced malware, DDoS, and software vulnerabilities within a business context. The only effective way to discuss these topics is to truly understand them and communicate them using the language of business.</p>
<p>In terms of my own career progression, having an engineering degree has helped me tremendously in achieving my goals. I knew very early on that I did not want to be an engineer, but that I wanted to manage teams of engineers.</p>
<p>I did so for 12 years before transitioning to information security. In order to effectively manage engineers, I needed to speak their language to build a foundation of trust and respect.  The same is true for your Board and C-Suite executives – though the language is different.  Recognizing this early on, I went back to school to get my MBA. Doing so enabled me to speak their language and positioned me to be a better, well-rounded executive.</p>
<p>So for women starting out in the information security space, I have the following recommendations:</p>
<ul>
<li>Get your CISSP or a technical SANS certification; these will provide a broad baseline knowledge</li>
<li>Decide where you want to develop your technical expertise within the security field</li>
<li>Find a job that allows you to gain real experience in that area, even if it is a lower level job than you believe you should take, and stay in that job 1-2 years and excel</li>
<li>Publish an article or speak on the topic in which you have chosen to specialize</li>
<li>After 1-2 years of success with the technical experience under your belt, start looking for your next role where you can command greater responsibility and subsequently higher compensation. If your current employer doesn’t afford you that opportunity for career growth, leverage the relationships you’ve built in industry associations and with other companies and organizations to find your next role. This is about you managing your career, not your company managing your career.</li>
<li>Rinse and repeat this job cycle for a few more jobs, gaining technical experience and business acumen along the way so that you are ready to put it all together as a seasoned female executive.</li>
</ul>
<p>Remember, you don’t have to stay in a technical role for your entire career, but it is important to gain those foundational skills early on and build on them while adding business and management skills throughout your career to become an effective and successful CISO.</p>
<p>The post <a href="/a-roadmap-for-women-to-becoming-a-ciso/">A Roadmap for Women to Becoming a CISO</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/a-roadmap-for-women-to-becoming-a-ciso/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
