November 21, 2023

News

The old “trust but verify” adage should be the motto for every CISO

Zero trust is not enough. CISOs should abandon trust and focus on verifying everything from third-party tools to their teams’ abilities.

Trust is and always will be a two-way street, and verification is how trust is earned and maintained. The old proverb “trust but verify” drives home the point that one should verify everything before accepting or committing to a course of action.

Every enterprise, regardless of sector, has engagements that require trust, be they with colleagues, employees, suppliers, or vendors. CISOs know this better than most, as they are often bringing tools into their security mix to help protect assets and are trusting that these will work as advertised. Yet, anyone familiar with 30 years of Silicon Valley marketing hype has become very familiar with the term “vaporware” — clearly, trust can never be absolute.

Verify that third-party tools will function as advertised

I am by nature a sceptic, and even my own family has long labelled me a doubting Thomas. I am a big fan of verification and that makes me a big fan of Horizon3 CEO Snehal Antani, whose use of the proverb is front and centre in his company’s marketing efforts but with the words “trust but” crossed out — leaving only “verify.”

In a conversation at RSAC 2023 on the huge merits of red teaming, Antani reiterated his contention that there should be “no trust,” that his advice to CISOs is always “don’t trust,” and that the only secure policy is to go with simply “just verify.”


More recently, I had the occasion to revisit the discussion and ask Antani to expand on his remarks, specifically for the CISO community. He offered that: “As an industry, we have a security effectiveness problem, in that the many vendor tools and processes within the SOC require significant effort to configure and tune correctly. Attackers know this and are able to attack at the seams of these tools.”

That means that even though a company might spend millions of dollars on the latest security offerings such as SIEM, UDA, EDR, and the like, they shouldn’t simply trust that these tools will successfully fend off attackers — they must verify their effectiveness early and continuously.

“Don’t tell me we’re secure through PowerPoint, show me we can effectively stifle attacks today,” Antani says. “Then show me again tomorrow. Then again next week, because our environment is constantly changing, and the enemy is quickly evolving.”

Verify your team and their abilities

Few would argue with Antani’s observation that the CISO’s adversaries are well-resourced and able to evolve and iterate quickly. They too have personnel who went to the best schools and regularly exhibit they have no shortage of creativity.

While many cybersecurity leaders tend to focus their efforts on verifying the tech stack, technology is only one part of the equation, according to Immersive Labs founder and CEO James Hadley. “Your people are your real differentiator,” Hadley says. “No matter how confident your team feels about their own capabilities, until you have metrics, how do you really know they’re prepared for the next attack? Until you have proof, confidence is meaningless.”

Hadley minces no words in his admonishment to CISOs to “ditch their old mindsets and infrequent check-the-box approach to cybersecurity training and instead regularly battle-test their teams — but more importantly, gain concrete proof, and verification, that they’re equipped to face emerging threats.”

“Let’s face it — today’s approach isn’t working if nearly half of the security leaders say their employees would not know what to do if they received a phishing email, despite years of security awareness training and phishing tests.”

Teams should have regular training and assessment

Hadley is quite correct in his blunt assertion that, like tools, people should also be verified and not simply trusted. Just because a team member has the right credentials, it doesn’t mean they’re always going to have the latest information or tech at their disposal.

“It’s naive to trust that just because there are employees who have a university degree in cybersecurity, got a professional certification, or even worked in the field for a decade, they’re truly cyber resilient,” Hadley says. “There are likely areas that need improvement as your team works together, and those need to be identified and addressed by assessing, exercising, upskilling, and proving capabilities. From techs to execs, everyone should be benchmarked and upskilled to sharpen their skills.”

Steve Benton, vice president of threat research at Anomali, spoke to me at RSA2023 and shared a most useful and entertaining analogy. He spoke to the need for threat intelligence to be considered another factor, likening it to a DJ and his “music in the mix.”

Playlists represented the organization’s policies and procedures. Just as the DJ carefully selects songs to ensure flow, the organization must “carefully select the controls that will be implemented to mitigate cybersecurity risks. Genres of music are as plentiful as the different types of cyber risks. The DJ mixes the genres to ensure a seamless and enjoyable experience, while the CISO needs to ensure their implementation doesn’t disrupt business.”

Then there’s the final step: performance. “The DJ needs to be able to monitor the audience’s reaction to the music and make adjustments as needed,” Benton says. “In the same way, an organization needs to be able to monitor its cybersecurity posture and make adjustments as needed.”

Test, plan, and test some more

In sum, as Antani noted, don’t trust, just verify with respect to tools. Chaim Mazal, chief security officer at Gigamon, notes that focusing on achieving zero trust won’t be enough. One must go beyond the recommendations being proffered by CISA and others.

“Traditional certifications don’t prove cyber resilience,” Hadley says. “To gauge true preparedness for the next attack, CISOs can put their teams through simulations and real-life scenarios.” CISOs can also identify where their team’s strengths and weaknesses exist, which is the point Benton was making when he noted that when it came time to perform, an organization must be ready to adjust.  

As one who has worked within many a high-stress environment, all of which included a myriad of different personality types with different levels of experience and education in their background, one really doesn’t know how the team is going to function until the day of reckoning arrives and the rubber hits the road. Testing and more testing are how the team stays between the white lines and on the road to success.

Ensure deep observability across your organization

“Cybersecurity leaders are being fed a range of recommendations and guidelines for architecting a zero-trust framework,” Mazal says. “My recommendation to them is to make sure they have deep observability across their organization’s hybrid cloud infrastructure. This will address hybrid cloud security requirements beyond zero trust. Strengthening the capabilities of log-based security tools with real-time, network-derived intelligence and insights will enable them to detect previously unseen threats and better secure their hybrid cloud infrastructure.”

For CISOs to continue to have their voice heard, verification is a must and is achievable, but not without steadfast effort. If either technology or personnel is found lacking, the gaps will be exacerbated, and things will go south in a hurry.

Therefore, test, and test often, both your personnel and the tools they use to do the job. As Hadley says, “taking a zero-trust approach to workforce cyber resilience and backing it up with regular exercise, proof, and measurable improvement will ultimately lead to stronger cyber postures for organizations, which should be a bottom-line priority for boards and business leaders alike.”

Source: https://www.csoonline.com/article/646698/the-old-trust-but-verify-adage-should-be-the-motto-for-every-ciso.html
