Blog
#ISC2Congress: Light Bulb Moment: The Job of Cybersecurity Professionals Is About Assessing Risk
Cybersecurity expert Joseph Carson, CISSP, learned a valuable lesson after conducting a penetration test at a power station that took him four months of preparation: How you communicate your findings to an organization’s leadership makes all the difference in how they decide to act on the information.
During a virtual presentation as part of the (ISC)2 2020 Security Congress, Carson, who serves as Thycotic’s chief security scientist and advisory CISO, said he was shocked when the power utility’s board essentially shrugged off his findings. After all, he thought the findings were pretty damning. Get this: After spending a morning inside the power station disguised as a photographer on a commercial shoot, he found a printed list of all usernames, passwords and URLs sitting at the station’s Command and Control center.
Carson had spent the morning scanning the facilities, from the engine rooms to the Command and Control center and found very little to work with. The SCADA (supervisory control and data acquisition) controls, laptops and other network access equipment were all locked away as they should have been.
He was starting to get frustrated that he wouldn’t be able to break into the network and would fail in his quest to demonstrate security vulnerabilities. The day wasn’t a total loss: He had noticed employees had access privileges that they used to install personal unpatched, non-business applications for social media and streaming. He found this alarming because it indicated the power station’s network was connected to the internet. Still, he couldn’t find a way to get into the network because everything was guarded.
That is, until he found the list with the user information and took pictures of it. The list was four years old, and he could tell the staff was still using default credentials and scripts provided by the systems’ vendors.
Wrong Approach
Carson prepared a report on his findings and presented it to the board of directors. But he didn’t get the response he expected. The CFO explained why: Carson had based his report on findings and fear, but what the board needed was a calculation of tangible costs – “the cost of doing something vs. the cost of doing nothing.” In other words, what Carson would recommend to improve the business.
“We had to talk about how it helps reduce costs to the business, how it accelerates innovation, reduces exposure to threats, and how it helps employees do their job better. When you put something in place, it has to be better than what they have today. It has to be usable,” Carson said.
He went back to the board a week later with a totally new approach – a set of recommendations on how to improve the power station’s cybersecurity operation. “What made the difference was how to communicate it to the board effectively and make sure the board understood what the potential risks were to the business,” Carson said.
It was an important lesson that he said applies to him and the cybersecurity profession as a whole. “We are risk reducers. We are risk mitigators. That’s our ultimate job.”
One big lesson he learned was to take a people-centric approach to security by presenting a security solution that is better than the alternative to the solution. Other lessons included the need to implement multifactor authentication, automate the management and security of privileged accounts, and an overall focus on the business to determine risk.
Carson said he now has a better understanding of the cybersecurity professional’s role. “I realized that my job is not cybersecurity. That’s my skill. My job is business risk.”