Earlier today while co-hosting a podcast for the "Briefings Direct" series with Dana Gardner, I had the chance to listen to a CISO of a mid-sized not-for-profit healthcare company. His challenges aren't necessarily unique to his organization, but they echo a lot of the things that are currently happening in the most painful part of information security - the SME/SMB space.
It's interesting to note that this particular organization is "big enough to be a target, but not big enough to have ample InfoSec resources" which is perhaps the biggest trouble spot for Information Security right now. Organizations that make up the small to medium enterprise market (SME) are finding themselves in trouble as they are appearing on a lot of radar screens for attack, yet can't seem to find the resources they need to defend themselves adequately. Lots of challenges present around that point, to start off with.
As we talked through this organization's challenges, the concept of enterprise resilience came up, and we started talking about what that means in this CISOs organization. There are several things centered around enterprise resilience that must be discussed and addressed but here's just the list we started -
- Build vs. Buy (when to do something internally versus partnering or going through a service)
- Risk-classifications in the healthcare space (when life is on the line, potentially)
- Business-centric security (putting organizational needs first, and building security around it)
- Incident response, system continuity (When you're hacked, what must stay up, compartmentalization)
In the next couple of blog posts, I'll cover these topics from that healthcare perspective, while keeping in mind that this organization we're using as an example is a not-for-profit healthcare network... which makes the role of the CISO (Director of information assurance if I recall correctly) that much more crucial and difficult.
A quick word on the whole SME space that's been suffering silently in the background for a while now. A good Information Security program is expensive, and while 'security devices' can be found relatively cheaply (notice I didn't say inexpensively) having more of those, even if cheap, doesn't solve the problem of being pwn3d (owned by an attacker). To be fair, even in the large enterprises there are no guarantees that any amount of spending on 'security' will keep you from being over-run either loudly or quietly by some attacker - but at least in the enterprise you (hope) to have more resources to respond when things go sideways.
One of the key challenges I can't help but notice few are out there exposing with all the SME banter going around in the media is incident response. Sure, SMEs can't afford great security technologies because they can be expensive - but what about response? If you've got a scant 'security team' which is mostly made up of IT generalists who are security amateurs part time (that makes the assumption you've got more than the "IT guys" in the org) incident response is going to suffer. More importantly, knowing when to respond is going to be a non-starter. Incident response isn't just about springing into action, it's about knowing when the right level of alertness has been reached and what to do about it. It doesn't take anyone particularly talented to stare at a dashboard and say "the red lights are blinking, this is bad" - and because automation isn't a good substitute for intelligence you're going to be activating whatever response you have at the wrong times.
When you activate your response at the wrong times (which usually translates to 'too often') you're likely to face fatigue... and then it gets even worse. Tired resources are bad, but tired resources which can't keep up with the amount of alerts they need to act upon is a catastrophic end. (more on this soon as well)
Stay tuned ... this is a very interesting use-case and I'll write up as much as I can of it anonymously, and perhaps have the CISO here on the blog or podcast in the near future...
Cross-posted from Folowing the White Rabbit