If you need a true security expert, hire somebody who has seen a breach first hand.
In a world of ever more frequent and sophisticated cyber attacks, attitudes towards who ‘allowed’ a breach to occur are changing and historic blame culture is dissipating; the next generation of cyber security must feature Breach Response Specialists, and nobody comes with more expert knowledge than those who have been involved in – and resolved – an attack.
February 2005: Columbus, Ohio – Major US fashion chain DSW Shoe Warehouse’s database is hacked; thieves obtain 1.4 million credit card numbers and associated customer names. This was the beginning of data breaches as we know them today, taking place over four months, 108 stores and 25 states. As the first breach globally to affect over 1 million consumers, it prompted an inevitable scramble amongst IT professionals to sharpen their security focus and attempt to stem the tide of cyber-criminal activity, learning as they went.
July 2019: London, UK – British Airways faces a record £183m fine from the ICO for a breach of GDPR after hackers redirected online traffic to a fraudulent site and subsequently harvested the personal data of 500,000 customers. An entirely more sophisticated attack than that on DSW Shoe Warehouse, this breach took place over just seven days and is highly reflective of the current cyber-attack response; despite fewer customers being affected, and the breach being identified significantly faster than DSW’s, BA were heavily penalised.
The airline is not alone: 2019 has seen a significant number of devastating attacks across both public and private sectors, from data breaches to ransomware; incidents made graver still for a company’s fate by the ICO’s new power to impose fines of up to 4% of the breached business’ turnover.
The British Airways fine made global headlines, understandably sparking fresh conversations around the gaps in many companies’ security postures, but how is a fourteen-year-old attack relevant in today’s discourse on security breaches?
The stark contrast between DSW and BA’s attacks – including the speed and volume of personal data stolen – highlights how significantly hacking techniques have changed; there is little correlation between how hackers work today and how they worked a decade ago. Data security methodologies, in contrast, have evolved iteratively, responding and patching as specialists learn what works (and, unfortunately, what doesn’t) as they go along. Essentially, a lot of security today is based on variations of what we knew in 2005, whilst the approach of hackers bears little resemblance to it.
Whilst this highlights a huge gap in knowledge and approach, it doesn’t mean that data security is a million miles from where it needs to be; experts have undoubtedly been on a steep learning curve since 2005, with lessons taken and processes adapted to contest each new hacking methodology identified. In fact, there has recently been a positive shift towards ‘security’ being baked into a lot of pre-existing functions: we now have Chief Information Security Officers (CISOs) where formerly we saw Chief Information Officers (CIOs); there is an evolution of DevSecOps (formerly DevOps); we are even seeing an awareness of security creeping gradually into the boardroom. But is continuing to iterate and build on these initial tentative ideologies enough to combat ever more sophisticated attacks, or do we need an entirely new approach altogether?
Data breaches are inevitable. What was once a shocking and rare event is now the norm, with savvy businesses treating it as a ‘when, not if’ scenario.
Where once companies could put in place cursory measures for data security and cross their fingers that they wouldn’t be targeted, every single business, regardless of size, must now be prepared for the inevitability of a cyber attack.
Historically, those who held perceived responsibility for preventing such a breach (primarily Heads of Security or Chief Information (Security) Officers, in the rare instances where businesses had chosen to acknowledge data privacy as a C-suite priority) would take the brunt of the fallout, often very publicly losing their jobs and being held up as examples of what bad looks like.
As the inevitability of a breach is becoming ever more apparent, the tide is finally starting to turn. Logically, is it not the case that these security experts did everything they could to prevent a breach, and that the hackers were simply using advanced techniques that they couldn’t anticipate? Does it not follow that these same experts now understand more about modern hacking methods and vulnerabilities than their counterparts who have not been in the same situation?
The same security professionals who would formerly have lost their jobs are beginning to be viewed in a different light, as the realisation dawns that they were certainly doing everything their counterparts were doing, but now have the unique knowledge of what wasn’t quite good enough, and why.
Enter a new age of the Breach Response Specialist, a function which is so evidently lacking from existing security postures. It may seem obvious that this specialism is the missing puzzle piece, yet there is still a reluctance among boards to court those with this specialised knowledge.
With so much at stake in the wake of a breach, would you hire somebody who has seen a breach first hand?
In the current climate, we must begin to view those with first-hand experience as ‘experts’ rather than ‘embarrassments’, says Dean Thomas, CISO.
“As an interim CISO, whenever I am in a position to create or restructure an information/cyber security team, candidates who have experienced a breach really stand out, regardless of whether that’s a CISO or Security Analyst. It’s not just their knowledge which strikes me, but the amount of hard work they put in to rectify the breach shows a real strength of character in a candidate.”
In particular, Dean thinks that hiring managers should be including the following in the “highly desirable” section of their Job Descriptions:
- Experienced in the end-to-end response and investigation process;
- Proven ability in recovering and remediating incidents;
- Proven commitment and dedication to tasks;
- Demonstrable understanding and experience in what was successful and what was not;
- Ability and knowledge to recognise equivalent vulnerabilities;
- Demonstrable innate knowledge of what good looks like.
Dean equates this to the general consensus that the safest airline is the one which had the most recent crash. At a minimum, they will be doing everything in their power to avoid another, and they will absolutely understand where they went wrong.
The introduction of a Breach Specialist seems like the logical progression for cyber security, but it does carry a whole host of complications, including the job title itself: “a reference to ‘breach’ implies that they expect one!” explains Dean. “It seems more likely that they would bundle it in with disaster recovery from a PR, outward-looking perspective, but certainly the role needs to be implemented in one form or another!”
It may be an identifiable gap in security teams, but will we see ‘Breach Specialist’ emerge as a job title imminently?
Beyond the ‘scary’ job title, there is another issue in the sheer complexity of the role. David Froud, Principal Security Trainer & Advisory Board Member, disputes the idea of a breach response specialist in the same way he finds a ‘CISO’ problematic as a role.
“All of these things are functions, and that is what people are missing. A CISO is a multi-faceted, multi-disciplined role, and a breach response specialist would be even more so.” David has gone as far as to break down the three defined roles he believes would actually make a successful breach specialist function, which he believes would be delivered by three different people:
“Like most roles in security, it’s not one person who should manage all of this as it’s very unlikely that they are good at them all. Not good enough anyway. Just as the CISO function has three distinct but overlapping aspects, the Breach Response Specialist (BRS) will have strengths and weaknesses, but unlike CISOs, the role of BRS is extraordinarily unforgiving.
Sticking to the principle of 3, there are 3 types of BRS:
- The Planner: The p-BRS comes in at the beginning of an engagement and tells the organisation what it needs. Their job is to design and document a breach response program that does the only thing it’s supposed to: support / enable the business. The p-BRS will organise the first drafts of the Incident Response Procedure(s), the Disaster Recovery Procedure(s), and the Business Continuity Plan, get the CEO to approve/sign them, then implement an employee training program. They must try to think of every detail or the processes will be ineffective.
Of the 3 types, this is the most creative, which often makes them unsuitable to actually run the program. S/he’s Debbie/Danny Ocean in the Ocean’s ‘n’ movies;
- The Executor: e-BRSs put out the fires. They will come at the first sign of trouble, probably with a forensics team to determine exactly what happened, while at the same time plugging themselves into the incident response process(es). The output from the e-BRS’s efforts feeds directly to the disaster recovery (get back ‘online’), legal (external notifications), and PR (reputational damage control) teams to enact their respective processes. The e-BRS phase ends when the fire is out.
This type is a true people and process orchestrator, able to work under extreme pressure and deadlines while maintaining a calming influence over panicking clients. S/he’s Winston Wolf out of Pulp Fiction.
- The Finisher: f-BRSs clean up the mess. A breach will uncover many things that the p-BRS could not possibly have forecast, and that the e-BRS, lawyers, and PR people had to implement / patch together on the fly. It is also very likely that the business’s priorities will have changed depending on the outcome of the supervisory authority’s findings, both short and long-term. The f-BRS has the skill-set to:
- take the supervisory authority’s findings and translate them into the action items required to resolve them, both technical and documentary;
- take all of the lessons learned from the e-BRS, lawyers, and PR and feed them back into the entire security program. Again, both technical and documentary (especially the BCP); and
- provide the highest level of leadership with what they need to reassure key stakeholders that everything has returned to a ‘better normal’.
These highly experienced practitioners actually have the hardest job of the three. While all BRSs must have significant experience in both cybersecurity and privacy – which is a rare commodity in and of itself – the f-BRS has to understand in much greater detail how the entire business functions. There’s no movie equivalent for this. It’s just not sexy enough.”
The world of cyber attacks has fundamentally changed beyond all recognition since that first attack back in 2005; in an entirely different landscape, perhaps we need to start afresh rather than adapting and iterating processes which are evidently no longer sufficient to protect businesses from data breaches.
Simply put, is it time to tear our security approach down and rebuild it from scratch?
In a world where a breach should be anticipated as a ‘sure thing’, security leaders should consider:
- Is the current security posture ready to be breached? Rather than just trying to keep people out, how are you going to minimise damage and recover rapidly if/when they get in? The entire approach towards reducing security risks now needs to focus on a holistic view of prevention and repair, rather than the outmoded concept of simply blocking cyber criminals.
- Where does the responsibility for cyber security reside? It is widely acknowledged that cyber security is (or should be) a necessary board-level agenda item, but there are many businesses of all sizes in which this is still not the case. For companies serious about security which supports business integrity and underpins financial growth, now is the time to ensure business-wide buy-in.
- Don’t be afraid of hiring contractors or specialists. David and Dean both make compelling arguments for significant change in how we see traditional security roles. Using multiple contractors to fill initial skills gaps and complement your long-term strategy can deliver both short-term successes and long-term stability.
- People who have seen a breach first hand are the experts. Studying theory and best practice is all well and good, but nothing can teach you as much as being involved in a breach and having to respond rapidly to mitigate risk. The best Breach Response Specialists will undoubtedly be found in those same people who were so recently pariahs.