Cyber-Risk Oversight Toolkit

Supporting National Security, Working with CISA, and Having a Conversation with Your CISO

By CISA Staff

03/24/2023

Cybersecurity is a shared responsibility. This tool will help board members understand their role in supporting national security and the role of the Cybersecurity and Infrastructure Security Agency (CISA) in supporting industry. In addition, the tool includes questions to guide a conversation with your chief information security officer (CISO) that can help your organization to go a level deeper and shed additional light on the company’s security program.


NATIONAL SECURITY IS A SHARED RESPONSIBILITY

Now, more than ever, cyber risk extends beyond the boundaries of an enterprise to affect other companies and the functions of society. As highlighted by Principle 6 in NACD's Director's Handbook on Cyber-Risk Oversight, it’s critical for businesses to embrace corporate cyber responsibility as a matter of good governance and to collaborate closely and continuously with the government and industry partners to address cyber risks, particularly those with national security and societal implications. 


WORKING WITH CISA

As the nation’s cyber defense agency, CISA provides an array of services to help companies address cyber risks:

  • Stay aware of national-level developments and threat activity. CISA offers alerts regarding nation-state threat activity[1] and vulnerabilities that threat actors are currently exploiting.[2] Sign up to stay aware of imminent risks.
  • Ensure best practices to drive down cyber risk. CISA’s Cybersecurity Performance Goals (CPGs) help organizations understand what security practices will be most impactful and address aggregate risk for the nation.[3] These CPGs can be particularly useful to help your company assess the security of small and medium companies in your supply chain.
  • Collaborate for the national defense. Collaborating on cyber defense operations ensures that we are taking a team approach to countering threats. As part of its Joint Cyber Defense Collaborative, CISA offers an operational collaboration partnership to exchange cyber defense information and participate in cyber defense planning and exercises. Consider joining CISA’s program[4] or an industry-led Information Sharing and Analysis Center (ISAC).[5] These partnerships enable organizations to share visibility on threat activity, vulnerabilities, analysis of risks and mitigations, as well as to jointly plan defensive actions and risk mitigations.
  • Report incidents to help protect others. Let CISA know if your company has experienced a cyber incident, so that we can issue a technical alert to help others defend themselves from similar threats.[6] In some nationally significant cases, CISA may provide incident response services. Additionally, anyone who has experienced a cybercrime can report it to the FBI online or contact a local FBI field office.[7]
  • Build connections with the federal government. Your company can maintain a person-to-person relationship with CISA through our regional offices[8] located across the nation. These advisors can connect your company with CISA’s services and resources, as well as provide a direct point of contact in times of emergency.

DESIGNING AND DEPLOYING TECHNOLOGY SECURELY

Today, almost all companies are technology companies, since they offer some sort of networked product or service such as online shopping, smart devices for home and enterprises, online business-to-business solutions, health-care services and devices, smartphone apps, and other online services. As such, the products and services they develop or use for their customers are woven into the fabric of the economy and therefore have an outsized impact on national security. Technology products and services can create both benefits and risks. We need to better balance the shared responsibility between providers and customers. In particular, technology vendors should take ownership of the security outcomes of their customers. Customers of technologies must also play an active role by demanding product safety. Products that prioritize customer safety will have features such as these:

  • Multifactor authentication (MFA). The lack of MFA is a common attack vector, but many customers don’t enable it. For customers using these products, especially enterprise customers, MFA should be the default (if not using a Single Sign-On provider), not an option they have to hunt for. Systems should firmly nudge users toward enrolling in MFA, like your car nudges you if you don’t buckle up. That’s doubly true for system administrators who are high-value targets.
  • Use and write secure software. Most security vulnerabilities stem from a type of coding error related to “memory safety.” Every vendor writing software should establish policies for writing new software in a memory-safe language and publish a “memory safe road map”. They should also publish Software Bills of Materials.
  • Prioritize secure default configurations. Technology companies should offer important security features at no extra charge, especially MFA and Single Sign-On (SSO) integration. Rather than publishing a “hardening” guide that customers must implement at their own expense to make the products less dangerous, tech companies should ship products with secure defaults. Boards can ask their IT and Security teams for information about how much time and money they spend hardening products.

HAVING A CONVERSATION WITH YOUR CISO

Even as more board members recognize that cyber risk is indeed a business risk and a matter of good governance, they can still find the subject matter intimidating and opaque. It’s important that board members foster a close working relationship with their chief information security officer, both to become more cyber literate and to understand how best to empower the CISO’s team. To that end, the following questions can be used to spark a deeper conversation with the CISO and help directors learn more about the effectiveness of a firm’s security programs. These questions are meant to be asked in a spirit of genuine inquiry and learning. Should any of them reveal gaps in the security program, the overall team can help to understand why and plot a new path forward.

1. Questions to ask about your organization’s email system

a. What percentage of users do not need to use multifactor authentication (MFA) when logging in?

b. How many system administrators are there?

c. How many administrators do not need to use MFA when logging in?

d. Which executives do not need to use MFA to log in?

Why is it important? Many compromises involve credential phishing at some point in the attack chain. Yet many organizations have not yet deployed MFA to 100 percent of staff and 100 percent of system administrators, even for critical systems like email. This disconnect often has roots in employee or executive resistance, lack of MFA support in legacy systems, or prioritization.

Helpful answer: Given today’s threat landscape, enterprises should have already made MFA the default for all staff and privileged users, especially system administrators. At a minimum, the security team should be able to provide the percentages and a list of exempted users without much effort.

The ideal answer is that all systems are behind a central login portal, and that portal requires MFA for all users.

Answers that require more investigation: For a variety of reasons, there may be user accounts that are permanently exempted from the MFA policy, and such exemptions are often unmanaged risk. The team should evaluate the resultant risk as part of the overall risk program.

2. Questions to ask about your identity system:

a. What are our greatest weaknesses?

b. What systems are not yet protected by being behind our identity system?

Why is it important? The identity and access management (IAM) system is part of the foundation of a security program. You can’t secure your assets if you don’t know who is on the network. A compromise of the identity system would have catastrophic implications for all other company systems, like email, file storage, HR systems, financial systems, and so on.

Helpful answer: Because IAM systems are so critical, the security team should be able to talk about a range of topics, starting with configuration management. Many products, including IAM products, are delivered to the customer with surprisingly unsafe defaults. The team may talk about that fact, and possibly their experience with the vendor’s hardening guide.

Security staff may talk about the challenge of working with HR to ensure staff are properly offboarded when they leave and discuss minor incidents or near misses when that didn’t happen. They may talk about how they monitor for unauthorized logins and about the limits of those approaches.

The team will generally have a punch list of products that are not behind the IAM system and a road map for migrating them to that central service.

Answers that require more investigation: IAM systems are hard to build and maintain securely and require good partnerships with teams like HR (for employee onboarding/offboarding) and Procurement (which often handles vendor accounts—another gap worthy of discussion). If the CISO doesn’t mention some of these struggles, they may need to do some additional research.

3. Questions about changes your CISO would like to see

a. If the board and management could eliminate (or at least take ownership for) employee pushback, what two changes (across people, processes, technologies) would you make to dramatically improve our security posture?

b. How would those changes raise the cost of attack?

Why is it important? There is a general tendency for security teams to try to secure existing products and workflows, usually by adding security tools. The goal is to secure the organization without disrupting users and workflows. While this approach can work, it has its limits. To achieve higher levels of security, organizations may need to consider radically refactoring their workflows and tools. To use a car analogy, it may not be possible to add airbags, collapsible steering columns, and crumple zones to a car from 1960. A redesign is what gives you those safety measures.

The board can generate conversations and interest in ideas that might encounter employee resistance but could dramatically improve the security posture. A security team might not be empowered to work against company culture, but a CEO might be able to manage it.

One minor example: security keys can eliminate credential phishing (even MFA-bypass attacks) but cost money and may require employee training and server reconfiguration. It may be challenging for the CISO to drive the cultural change alone, and they may not have raised the issue. Discussing these “big bet” ideas should be a natural part of board conversations.

If you were building the company from scratch, would you build it the way it currently exists? Would you secure it in the same way? The answer is probably no. Discussing the delta between those two models can be illuminating.

Helpful answer: Some CISOs have their big-bet ideas already documented. Most should be able to create such a deck in conjunction with other teams.

Answers that require more investigation: Company culture and technical debt limit how much an organization can refactor at any given point in time. Yet security and partners in CIO and CTO organizations generally understand those limits. Dig deeper if the answers you get indicate comfort with the status quo and current trajectory for improving the organization’s security posture.

4. Questions about the security posture

a. Knowing everything you know about our security posture and the broad spectrum of attackers in play, how do you think someone could break in to steal data from the company?

b. If our adversaries had a budget of one million dollars to hire a crew with specific talents, who would they hire and for what tasks?

Why is it important? We frequently hear the phrase “think like a hacker,” but even security professionals can find it hard to constantly adopt that mindset. How might someone chain together seemingly unrelated and minor vulnerabilities into a major intrusion?

Helpful answer: If the CISO can refer to previous information they’ve presented and connect the dots, you have a successful answer.

Possible answers:

“As I mentioned before, our call-center network is connected to our production network, so a compromise of any one system there gives an attacker access to networks containing our customer data. It’s not uncommon for criminals to bribe call center employees, or to have an accomplice get a job in a call center for just this purpose. They very well might start there.”

“We just acquired that small company and haven’t imposed our security controls on them yet. Their network is separate, but they have privileged access in our development environment. Not only might we not be able to prevent the attack, but we also probably couldn’t detect it. That might be a good attack path for an attacker.”

Answers that require more investigation: Every security professional should have several ideas on how such an attack might happen. If the CISO doesn’t have any ideas or is overly confident in the security posture of the company, it may be because they are overly focused on building defenses and need to spend time thinking from the opponent’s perspective. Conducting a tabletop exercise is one way to view the security program from the perspective of a hacker and can generate creativity and deeper insights.

The proposed attack paths should be relatively simple and not rely on advanced techniques using multiple zero-day vulnerabilities. When they are compromised, most organizations are not attacked by intelligence agencies spending millions of dollars. Far too many organizations are compromised because they ran unpatched software, didn’t segment their networks, did not implement MFA, and allowed users to run arbitrary software on their laptops.


The Cybersecurity and Infrastructure Security Agency (CISA) is the newest agency in the federal government, established in 2018 to be America’s Cyber Defense Agency. We serve as the National Coordinator for critical infrastructure security and resilience, leading the effort to understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day. As the majority of our nation’s critical infrastructure is owned and operated by the private sector, operational collaboration is foundational to our efforts. We work with a wide array of partners across the globe—from every industry, to federal, state, local, tribal, territorial and international governments, to non-profits, academia, and the research community—connecting them together and to the resources, tools, and information that will help them fortify their security and resilience against current and emerging threats.


ENDNOTES

[1] See the “Cybersecurity Alerts & Advisories” web page posted on cisa.gov. (https://www.cisa.gov/uscert/ncas/alerts)

[2] For more information, see the “Known Exploited Vulnerabilities Catalog” web page posted on cisa.gov. (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

[3] Please see CISA’s “Cross-Sector Cybersecurity Performance Goals” web page. (https://www.cisa.gov/cross-sector-cybersecurity-performance-goals)

[4] To learn more about the program, visit CISA’s “Cyber Information Sharing and Collaboration Program (CISCP)” web page. (https://www.cisa.gov/resources-tools/programs/cyber-information-sharing-and-collaboration-program-ciscp)

[5] To learn more about the program or to join your sector’s ISAC, visit CISA’s “National Council of ISACs” web page. (https://www.nationalisacs.org/)

[6] To report an incident, visit the “Report to CISA” web page. (https://www.cisa.gov/report)

[7] Report a cyber crime to the FBI by filing a complaint via the “Internet Crime Complaint Center (IC3)” web page. (https://www.ic3.gov/)

[8] For a list of CISA’s regional offices, visit CISA’s “CISA Regions” web page. (https://www.cisa.gov/about/regions)
