The Hypothetical Life of a CISO
- 21 May, 2019 15:48
A CISO (Chief Information Security Officer) is the pinnacle of successes and the aim for many a security engineer in the industry but many will never achieve this level of success. However, is this really a problem? I am not sure it is, the CISO in today's tumultuous security environment, in my opinion, is probably one of the most stressful jobs you could have so why would anyone want to put themselves into that situation on purpose? It seems madness, doesn't it?
Let’s look at this deeper though and really see what life could be like for a CISO. Let’s look at Jim, he is a CISO for a made-up company called Software house. Software house is a company that developed a medical practice software that is used by thousands of doctor surgeries around Australia (very sensitive and critical information there I would think). It's a very successful business and is expanding its market share on a daily basis. Today however, Jim's day starts at 3 am with a phone call from his on-duty security staff. The company's systems are in meltdown, nothing is working, and they suspect that it may be a security breach. He gets out of bed and gets ready quickly before he makes his way into the office.
On his way, he notifies the rest of the security incident response team and gets them on their way to the office. Today is really not going to be a good day for the security team and maybe not the organisation as a whole. Jim arrives to a chaotic situation in the office with what now looks to be a cryptovirus that has spread through all of the systems on the network. The security team was unable to stop the spread of the infection and every machine on the network is displaying a “you’ve been hacked” message on the screen. We can be certain that this is not a good sign.
The company has no current backups, as there is no network isolation and the encryption has reached all of the backup storage (That’s an oh crap moment if I have ever seen one). There are no external offsite backups due to budget restrictions (the organisation didn't see the benefit and preferred to put the budget into marketing and development). To make it worse all client data is hosted on the organisation's servers and clients don't have local copies of the data as this is a service the organisation sold as no maintenance required, The Software House will handle all that for them (That was a big mistake).
Jim has recommended changes every month at the board meetings but every time the increased budget request to ensure separation and adequate data protection measures were denied. They may have been the saving grace right now if they had been implemented. Jim and his team locate an annual systems backup that was stored in the company safe, but it is now August, so it is 8 months old. That is certainly going to be detrimental to the organisation if they need to restore to that snapshot, but it is looking more and more like it will be the best option.
Jim advises his team to reach out to the malicious actor and obtain a price to get the files unlocked while he goes and wakes up the board to inform them of the situation, this is not going to go well especially at 4 am. As expected it went delightful and I am sure that Jim is not on the Christmas list this year for any of them. Around 5 am the malicious actors come back with a request for $100K to unlock the data which is to be paid in bitcoin. The board has arrived in the office and Jim takes the request to them to decide if they want to pay the ransom or not (Jim strongly suggests they do not pay it – but they decide to pay the money anyway).
The payment is made in bitcoin to the malicious actor as requested but days have gone by now with the systems still being offline and no response from the malicious actors at all. Dead silence once the money was received. It would appear that they have just taken the money and no data will be released. After further discussion, the board decided to restore the data from 8 months ago, but it is already too late the business. Systems may be back up, but 8 months of data is lost for all of their clients. That’s is an epic disaster and that will not go well with clients who have been calling non-stop since the incident occurred. Silence has been the direction of the board against the advice from Jim so when the incident is announced it is sure to be an onslaught.
The Software house will un-doubt ably throw Jim under the bus for this incident as they have already asked for his resignation. No blame is going to flow uphill from this, the board is going to make sure of that but who is really to blame in this situation. The CISO has made constant failed requests to make improvements to ensure that systems are recoverable if an incident occurred, but they were always denied by the board (is that the CISO’s fault for not pushing the urgency or the board for not seeing the need to invest in cyber protections). When the board was advised that they should not pay the ransom they still proceeded to do so and then they asked for the CISO’s (Jim’s) resignation when they didn’t unlock the data (I am not sure that is very fair).
The board needed a scapegoat for the storm that is now going to overwhelm the software house and Jim is that man. So, after that nice little story, do you all still want to be a CISO? Yeah, you probably do and so do I. I act as a virtual CISO in my day job and although it can be painful and a mountain of stress sometimes it feels good to make a difference in this cyber battle we are all waging against the malicious actors.
Hopefully, now you can see what the life of a CISO is really like. 16 hour days, unlimited stress, probably be denied all of your security upgrade requests but when all the S*!T hits the fan you will be the one that they will throw under the proverbial bus. Okay, this may be a little dramatic, but this scenario is becoming more and more common every day and that needs to stop.
Do the right thing with regards to your organisation's security team, not just when things are good but when they are really heading down the rabbit hole, look after each other and don't throw your team under the bus. Stand tall together knowing you have done all you can. If you are the CISO it doesn't mean that you are to blame for all the mess (Yes, you might be but probably not). So work together to make your businesses safe and if your dream of being the CISO someday at least go into it with eyes open and truly understand what it is you may be up for.
I hope I haven’t scared any of you off with this one, oh well. Till next time.
