The City of San Diego seems to have all the building blocks in place to make the smart city an exceptionally safe one when it comes to cyber attacks. Deputy director and CISO Gary Hayslip has built out the city’s security operations center, he’s partnering with innovative security vendors and startups, and conferring with law enforcement to keep up with the latest threats. He has the backing of the mayor and city executives, with plenty of funding, and he’s hiring more staff.
Yet when asked how he would grade his organization’s ability to detect and mitigate cyber threats, he offered a sobering assessment.
“I would probably say about a C+,” Hayslip says. “I’m realistic. There’s a lot of risk out there. We’re dealing with about a million attacks a day on our networks. I’ve got 40 departments, 24 networks and 40,000 endpoints” to protect. As the smart city adds more IoT devices connecting streetlights, stoplights and HVAC systems to the network, the threat surface will only grow.
“We’re definitely going to get destructive-type attacks. I think it’s going to go beyond DDoS, and they’ll try to destroy infrastructure,” Hayslip says.
Many security professionals feel less than certain about their own cyber defenses. Research firm CyberEdge Group and Tenable Network Security asked 700 security practitioners in nine countries and across seven industry verticals about their overall confidence that the world’s cyber defenses are meeting expectations.
According to this year’s data, global cybersecurity confidence fell six points over 2016 to earn an overall score of 70 percent — a “C-” on the report card.
The overall decline in confidence is the result of a 12-point drop in the 2017 Risk Assessment Index, which measured the ability of respondents to assess cyber risk across 11 components of the enterprise IT landscape.
“Based on these numbers, people aren’t very good at finding out what their vulnerabilities are, but when they do find them, they’re really good at patching them,” says Cris Thomas, strategist at Tenable.
For the second year, practitioners cited the “overwhelming cyber threat environment” as the single biggest challenge facing IT security professionals today, followed closely by “low security awareness among employees” and “lack of network visibility” due to BYOD and shadow IT.
No doubt, the dangers are real. Just last week Yahoo disclosed that over a billion user accounts had been stolen – back in 2013. Quest Diagnostics says that the hack of an internet application on its network exposed the personal health information of about 34,000 people.
Venafi CISO Tammy Moskites doesn’t like assigning scores, but she does acknowledge that she’s constantly challenged with “making sure that we’re doing the right things right.”
“We’re going to be more challenged with making sure that we’re able to be quick and agile when and if an attacks occurs,” Moskites says. “With all the craziness going on in the world, it’s making all of us have to stay on our toes.”
Despite all of the collective knowledge, the law enforcement intelligence and all the technology available, are security teams destined to remain slightly below average when it comes to detecting breaches before they happen or stopping them before they cause more damage?
“For the record, you can stop these guys,” says Tony Robinson, CISO at Pioneer Technology. While serving as CISO for a government contractor, he successfully stopped attacks by Chinese hackers. “It can be done against the best of them, but it takes a team, training and experience” in addition to tools, he says.
Build your cybersecurity confidence
No cybersecurity program can thrive without adequate funding and support from top executives. “It doesn’t have to be outrageous funding, but enough so that you can field a team and be able to train your team so you can build out and manage a security suite that can do continuous monitoring, scanning and remediation -- whether in the cloud, on connected devices or on premise,” Hayslip says. “Your perimeter now is everywhere – tablets, smartphones, PCs and laptops, and it moves with your staff and your people.”
Beyond those basics, CISOs and cybersecurity pros share how they’ve improved cybersecurity confidence.
Know what you're protecting
Though BYOD and shadow IT are a challenge, having an inventory of everything that you’re protecting will increase cybersecurity confidence, Moskites says. “I’m significantly more optimistic than I was a year ago now that we have a grasp on our baseline,” she says. “We have an inventory of all of our assets -- our server environment, our desktops and laptops and everything that’s accessing our network. I know what we’re securing and protecting in my environment.”
Don’t go it alone
The adage, “The enemy of my enemy is my friend” applies to cybersecurity now more than ever. A PwC survey found that 55 percent of respondents collaborate with external partners to improve security and reduce risks. What’s more, half of those that did collaborate felt they shared and received more actionable information from industry peers.
“Collaboration and information sharing can allow organizations to gain actionable visibility into their most relevant risks, understand the motives and tactics of adversaries and shed light on the most effective response methods,” says Chris O'Hara, PwC’s U.S. co-leader for cybersecurity and privacy.
For large organizations, federal law enforcement can also make valuable partners. When Robinson steps into a CISO role, one of his first tasks is to contact the local FBI office to establish a dialog and gather what intelligence they can share.
Investigate promising tools
A slew of new technologies aims to protect networks from breaches and is worth investigating. Machine learning tools, which deliver the ability to analyze networks, learn about them, detect anomalies and protect enterprises from threats, may allow organizations to get in front of the threat, finding and eradicating them before they can do harm. Early reaction from users – mostly major cloud and media enterprises and financial institutions – has been positive. However, researchers caution that machine learning is no silver bullet and that it has its limitations.
Tools that provide consistent monitoring of your own security posture, as well as that of your partners, and then update networks accordingly, can improve cybersecurity assurance, says Alex Heid, chief research officer at SecurityScorecard. The vendor’s software platform, which analyzes publicly available data on known vulnerabilities to identify security holes, also has a collaboration feature. “If you’re seeing a problem on a partner’s scorecard, you can invite them in so they can see and fix it,” Heid says. “We’re trying to create a collaborative ecosystem to watch each other’s backs.”
As Hayslip rings in 2017, he’s relying on his team and his partners to sharpen San Diego’s cybersecurity defenses in the new year. “I’m confident that a lot of my partners are working to help us identify threats and help fight it. I’m confident in my team and the work they’re doing to build out our operations center and put policies in place. In this job, you’ll never know everything. As a CISO, you have to admit that at times you just don’t know, and you have to collaborate and ask for help. In this type of environment, you have no choice.”