Former Federal CISO on the Importance of Following Through

By Greg Touhill, CISSP, CISM, former federal chief information security officer, and guest author for the (ISC)² U.S. Government Advisory Council Executive Writers Bureau.

This is the first column in a two-part series. Read the second column here. 

Congressional Medal of Honor recipient Eddie Rickenbacker reportedly said: “There’s a six-word formula for success: Think things through, then follow through.” I can’t think of any better advice than Rickenbacker’s when discussing how to improve an organization’s cybersecurity program. Sadly, I contend the vast majority of cyber incidents and data breaches are attributable to lack of “follow through” on plans, policies and procedures and thus are avoidable.

In this series of articles, I present examples of things you should include in your follow-through checklist that can help you improve your risk posture while protecting you, your brand and your reputation.

So Many Tools, So Little Joy

Given the great investment in cybersecurity and the availability of such a wide array of products, one would think the state of cybersecurity would be much better. I believe it should be.

Many organizations purchase too many tools they don’t need or properly use, draining resources from higher-priority tasks. Many products are exceptional and, when properly configured and operated, can meet mission objectives. Unfortunately, the reality is too many organizations purchase worthy products and services, yet don’t fully leverage those capabilities by properly planning how to integrate them into their operations and environment and/or executing those plans well. They don’t follow through.

Perhaps you, like many others, purchased a fleet of tools, countermeasures and services, yet find yourself frustrated by apparent lack of return on investment or poor results. Chances are pretty good you are task-saturated; have a network environment that is a mish-mash of technologies and software; carry the burden of not having sufficient resources to meet all desired tasks; are taking heavy sniper fire from better-resourced shadow IT organizations; have management breathing down your neck with calls to “keep us out of the newspaper” or “show me the return on investment”; and are swimming in data, yet don’t feel you have the necessary visibility into all your cyber risk. Perhaps you are not following through. If so, don’t panic. You aren’t alone, and help is available.  

Bold-face Tips for Following Through

Next time you see images of fighter pilots getting into their aircraft, I suggest you take note of the notepads strapped to their thighs. They commonly are called knee boards. These notepads contain information often called bold-face items, which are can’t-fail procedures that must be executed immediately and correctly to avoid catastrophe while flying. They are so important, they are written in bold face so the pilot can quickly refer to them in time of emergency.

The following are some bold face tips to help you as you follow through and manage a successful cybersecurity program (although don’t feel obliged to strap them to your thigh):

Read the Instruction Book, Aka RTFM

Following through is a lot easier when you read the instruction book. Too many people buy a host of expensive cybersecurity and information technology tools, yet fail to properly configure, integrate, operate and maintain them. One of my favorite television shows was “Home Improvement,” whose main character, Tim “The Tool Man” Taylor, considered reading instruction manuals to be a sign of weakness.

As a result, the incompetent Tim would create such havoc and dangerous situations his sidekick, Al Borland (who did read the instruction books), would step in and save the day by making things right. When it comes to buying down my cyber risk, I’m putting on my plaid shirt like Al Borland, reading the instruction book and following through. I hope you and your co-workers do, too.

Know Your Information  

Information security professionals should not become fixated solely on protecting networks. Rather, they should focus deeper on the protection of the information accessible on those networks. Not all information is equal.  

Understanding the classification and sensitivity of information and protecting proportionately to the value of the information is essential. The Office of Personnel Management possessed a vast amount of unclassified information, yet many did not recognize the great strategic value of that information until it was stolen.

Make sure you know your information; formally identify the information owner, have them acknowledge that ownership and define their required access controls; know where the information is stored; clean out cruft and information you no longer need; and protect your information proportionate to its value and sensitivity.

Build Quality In  

Those of us credentialed by (ISC)2 know the importance of due care and due diligence. Documenting the right policies and procedures and following through to ensure they are properly executed are essential elements of any corporate governance process.

Clearly spell out your strategy, plans, policies and procedures in writing; train your workforce to implement them well; and conduct independent audits to make sure you follow through. Manage your cybersecurity program to identify and eliminate defects in process and execution, and you’ll have 99 percent of your problems under control.

Use Strong Access Controls and Authentication

Sixty-three percent of data breaches involve leveraging weak, default, or stolen passwords, according to the 2016 Verizon Data Breach Investigations Report. Weak passwords, password reuse and inadequate password management continue to plague organizations everywhere. Username and password was the identity and access control best practice of the 1980s. Why should you be relying on 1980s capabilities increasingly susceptible to exploitation?  

One of my professional frustrations has been the lack of follow through by the U.S. government on the implementation of multifactor authentication as part of its identity and access control program. Homeland Security Presidential Directive 12, signed by President George W. Bush on Aug. 27, 2004, directed the implementation of a common identification standard.

Despite numerous write-ups by the Government Accountability Office and directives such as OMB Memorandum 11-11, NIST FIPS 201 and NIST Special Publication 800-16, government follow through on Identity, Credential, and Access Management is disappointing.

MFA is a best practice to thwart common criminals and many nation-state actors. Following through on strong access controls and authentication needs to be a high priority for you and your organization.