Jay Spreitzer leverages a diverse background of public and private sector experience in information security and technology as Protocol 46’s CISO and co-founder.
Jay retired from the US Army after 23 years working in various technology fields culminating as Information Management Officer overseeing all facets of the organization’s cyber security program.
Jay also has 13 years’ experience working at a large financial institution in cyber security.
In addition to this experience, Jay completed a Master's in Information Security and Assurance and holds several certifications.
Are there any common traits to what makes a successful security program?
In my experience there are several traits that make a security program successful. It begins, though, by having well-defined policies and baselines. They are the building blocks for security and technology architecture. Policies will explain to employees what is acceptable conduct and the online expectations of the security program. Baselines will ensure systems are set up and hardened in a consistent manner. Some references for developing security baselines include vendor product security recommendations and the National Institute of Standards and Technology's (NIST) US Government Configuration Baseline.
Developing a vulnerability management program to ensure systems and devices are promptly patched is just as important. Hardened baselines will not provide much protection when a hole is left due to an unpatched vulnerability. While many organizations are good at patching operating systems and a few core applications, threat actors are now often targeting applications that are not as widely used, making a thorough vulnerability management program vital.
Security education and awareness is another trait. While an organization can spend a significant portion of their budget on cyber security, if it is not ingrained in its users it will most likely fail. Users tend to be referred to as the weakest link; however, they can also be the most important defense. This begins with a good security education and awareness program. To generate interest, make the training interesting and when possible show how it can help protect their family at home.
In addition to user involvement, the program must have strong support of management. It is difficult to get users to follow something that is not supported by management. Their involvement will foster that support.
Implementing security controls in layers has been a best practice for years. However, due to the rapidly changing threat landscape, threat intelligence will enhance those controls by proactively providing better situational awareness. Threat intelligence also provides an understanding of threat actor methodologies and scenarios they might use in attacks.
All controls and procedures need to be continuously reviewed and checked to ensure they are working and being followed. You can never just assume everything is working and secure.
It would be very easy to fill volumes with common traits, but those are some common ones that are sometimes overlooked or taken for granted.
For security executives who don’t have a strong relationship with their board, how can they improve it?
It is important to open a dialogue with the board. While some might be tempted to provide a long briefing on the threat landscape and the need for an increased budget, that is not likely to create the desired bond. The board would be interested to know the threats faced by organizations in the same industry as well as what is being done to protect the company. An organization's intelligence team and security operations center will provide a lot of valuable content for the briefings. This would also provide an opportunity to explain strategic direction to make improvements to defend against emerging threats. When doing so, explain the return on investment of implementing additional security controls. Scheduling short periodic updates on a quarterly basis will keep them informed and keep the communications path open.
Some people call for daily security drills and exercises at all levels of an organization to help reinforce defensive strategies. What are your thoughts on this?
Conducting security drills is important to ensure everyone knows what to do in the event of a real incident. However, daily drills can make people complacent, and they may miss a real security event. The cost of a daily drill for all levels could be better spent improving existing controls. When involving all levels, quarterly drills are more feasible and provide better value. Depending upon resources, this could include full drills as well as a walk-through with key teams and leaders to ensure everyone knows what to do and also to make updates or changes to existing procedures. Call trees should be verified more often to ensure numbers are current and working.
Threats are everywhere and always changing. How does one address this difficult reality?
Coming from a 23-year military career, you learn to continuously improvise and adapt to a changing threat environment. I think that is one of the things that makes information security interesting. In order for organizations to adjust to changes, they must monitor the threat landscape. Having a team to conduct threat intelligence is how to accomplish this. The intelligence team can help the organization understand attacks and breaches at other organizations. This information can be analyzed and turned into actionable intelligence that can then be used to direct tactical and strategic actions. The intelligence team, working with other security teams, can take internal event alerts and indicators and develop an understanding of techniques an attacker may employ, so controls can then be hardened to keep the attacker out and prevent them from being successful.
How can CISOs balance security and innovation?
Innovation can introduce many risks to an organization, and while staying on top requires some risk, it must be carefully evaluated. The internet of things includes many devices that are difficult to keep patched and that add holes if added to the corporate network. If an innovation needs to be implemented, consider implementing it on a separate network with additional monitoring. If possible, hold off on implementing every trendy innovation that comes along and implement only those for which there is a business need. Often, we can learn from other organizations' failures. Just don't be an example for others unless it's on the way to implementing good security.
How has industry cooperation made an impact on cybersecurity?
Cyber security experts are probably the most collaborative compared to other fields. Organizations need to evolve further in that area. The financial sector has made significant progress in sharing threat and attacker information to protect each other from threat actors. It's important for all industries to learn from their success. I think one reason many fear sharing information about a cyber-attack is they think of it as a sign of weakness. I think that is a false assumption, since if you have information about an attack, that shows it was detected. Years ago, I shared one piece of data on a threat actor with peers. In doing so I ended up getting back six more pieces of data that were tied to the same attacker. I would not have had that data until the attacker used it in an attack against my organization. So, having that information ahead of time will allow proactive implementation of controls. Besides, cooperating and sharing threat information with each other is not giving our competitors an advantage. When it comes to cyber threats, all organizations should realize we are competing against criminals and should partner together.
While security has always been seen as a cost center, we must change that perception. Breaches today are costing organizations significantly more than in the past. Today's threat landscape is evolving at a rapid pace, and this requires looking forward to stay ahead of those threats. Cyber threat intelligence and sharing threat information with other peer organizations is one of the best ways to stay on top. The criminals have already learned to cooperate amongst themselves to fill their coffers with money. Reach out and partner with peers to form a stronger proactive defense.