How does security actually translate into a real-world environment?
J Wolfgang Goerlich, Advisory CISO for Cisco, describes the challenges he’s encountered when implementing security by design, and shares why CISOs need a change in mindset to adapt to growing cyber-physical threats.
Today we’re talking about security as it translates into the real world. So what are some of the challenges you’ve faced throughout your career?
So much of it sounds so great on paper: “I’m going to define a role, I’m going to decide some rights, people will flow into that role and they’ll flow out and everything will be great.” But of course, the minute you start to get even close, the business announces a merger or they are restructuring a division. So certainly there are lots of problems there.
Multifactor authentication – that sounds great, but then you realise only a certain number of your apps will support it. And single sign-on (SSO) – you realise that you’re not licensed for the SSO edition of your applications.
What I’ve learned about security over the years is that everyone who has a mature version of zero trust says that they’ve got a couple of other things as well: great relationships with their execs, great relationships with their peers, and a good security culture. And I think that’s kind of a cheat! If you have any of those things, all of a sudden everything becomes easier.
So much of my career has been coming to grips with the fact that security is not solved with a technical solution. It’s solved with trust – a good relationship and a good understanding of how tech rolls out when it’s touched and manipulated and used and consumed by people in the field.
One of the things you’ve previously touched on is the result not necessarily being defensible when you implement security by design. Can you unpack that a little bit?
My argument is that there are five abilities security teams need to master, and oftentimes we only focus on the defensibility. “I’m going to put a control in place and that’s it. Once I have zero trust or multi-factor, I’m done. I can go home.”
But there’s also usability. How widely is this going to be adopted? How accepted is it going to be in the culture? Then there’s auditability and manageability and marketability. These are the five abilities that I really focus in on, but the main two are usability and defensibility.
For years we’ve looked at security as, “Well, these two things are in conflict because every time I put a control in place, it makes it harder to use.” But not really. When we think they are in conflict, it’s often because we’re not using the right lens. Most of what an adversary will do is a pretty well-known path – we can threat-model that, we can use frameworks like the MITRE ATT&CK framework, we can map out tactics and we throw controls on a path willingly. Where we get into trouble is by not looking at the path the user takes.
What is the user journey? What are they doing to onboard and offboard users? What are we doing to check out credentials and what does that process look like? If you map both those paths, what happens is we oftentimes find a number of tactics that adversaries use that we can put in controls for, that are completely invisible to the user because it’s not on that path – it doesn’t affect them. Or conversely, we can see that if the user is doing one thing, we know that probably means the user is not a criminal, and we can use that as a signal.
One of the things that I love to see in PAM (Privileged Access Management) programs, for example, is to say, “Okay, rather than allow six billion devices on the planet to contact my PAM console, I’m going to limit it to the one or two devices that I know this user has.” And even if they’ve got the right creds, even if they’ve done a multi-factor challenge – if they’re not on that approved, authorised device then they aren’t getting in.
That radically reduces your attack surface. And it’s invisible to your day-to-day sysadmin who’s doing their job because that’s the machine they always use.
In the current cyber-threat environment, we’re now seeing a lot of conversation around cyber-physical. How are you seeing that evolve from your perspective as a security expert? Are things changing in terms of a CISO’s mindset to consider cyber-physical threats as opposed to just cyber threats?
Oh, absolutely. You know, it’s funny. It reminds me – many, many years ago, my data centre when I was in financial services switched to biometrics. When they put the sensor in, it went in during the summer, and it worked great. We headed towards Halloween and it was still working fine. By the time we got into winter, it wasn’t working, as you might imagine. What had happened was our fingerprints were dried out and the sensor wasn’t working. So, we brought the guy in and he fixed it. But the way he had fixed it was to adjust the crossover error rate.
Do you remember the old gummy bear trick where you could put your fingerprint on a gummy bear and log in with it? So for the next few weeks, I was logging in with a gummy bear. And I finally made my point.
But since that time, the sensors we’re all carrying around with us in our phones or FIDO keys have greatly increased. So what’s been interesting to me is using those mechanisms to say, “Okay, I am going to use a biometric to unlock a door that’s the same biometric I’m using to log into my apps or everywhere else.” It’s a consistent user experience. It’s a high-quality signal. Then I can also pair that with the GPS where the phone is and additional factors.
What’s your advice for CISOs trying to improve their overall security posture?
Here’s what I think, and the data seems to be bearing this out. What is the secret to identity access management? If you look at all the IAM programs, what is the secret of the ones that succeed compared to the ones that fail? It’s relationship management. What is the secret to good asset management? Relationship management. Vulnerability and patch management? Relationship management. DevOps? Relationship management.
When we’ve looked at the data, the folks who report great business continuity and disaster recovery, great incident response, great zero trust – all of them have fantastic relationships with their executives and their peers. Many security people like myself have come from wiring up data centres or configuring servers or using gummy bears in places they shouldn’t. But at the end of the day, the main underlying driver is, “Have I built good relationships before I launched the security programs?”
Want more insight into the world of cybersecurity, digital identity, biometrics and more? Get your fix with the IDentity Today podcast, hosted by Daltrey CEO Blair Crawford. Listen via Apple Podcasts, Spotify or your favourite podcast app.