Philip Ingram (PI) talked to Darren Desmond (DD). Darren currently works with the Automobile Association (AA) in the UK as the Chief Information Security Officer (CISO), joining in 2018. He started his professional career in the British Army's Royal Military Police, before a stint in the Special Investigation Branch, and Military Intelligence. Darren has worked across multiple areas of the commercial information security arena, including online gambling, healthcare, telecommunications and media, and “Big Four” managed service sectors.
(PI) The role of the modern CISO is changing. Based on your experience, what are the essential skills a CISO should have now?
(DD) The fundamental skills for a CISO that have always been vital for success haven’t changed much. The ability to network and build relationships, whether internal or external, remains a top priority for every CISO. It is imperative that those relationships are used to create an environment where security is something that is delivered with the business, rather than something that is done to the business. Lasting security improvement can only really be delivered via an integrated IT, Business, and security risk management strategy, and this depends very much on solid relationships with your C-suite peers and key stakeholders from across the business.
(PI) When looking to rejuvenate, or build a new security program, what are a few areas that you would tell organisations to focus on?
(DD) The first thing to focus on is the security strategy, which itself must be tied to the wider technology and business strategies. Establishing alignment to these strategies will usually inform an organisation’s risk appetite, which will then drive appropriate security investment and cultural buy-in. Regulatory, legal, and contractual obligations need to be understood and mapped to a control framework. Once these activities have been established, an organisation should move on to the technical control environment. Typically, 80% of breach incidents have control failures in one or more of four key areas, so an organisation should examine its control environments relating to:
- Asset management – an organisation simply cannot deal with the security aspects of a business without knowing what assets they have in their inventory, their condition, and location.
- System management – tangentially linked to asset management, this relates to the baseline system configuration and, indeed, whole life management of an asset, including design, implementation, maintenance (including vulnerability management), and decommissioning of the asset.
- Access control – some people might place this at the top of this list, and I wouldn’t disagree. Limiting access only to those that need it is fundamental to security, with privileged access management being an absolute priority. Tiering access to local admin, server admin, and domain admin assets will help to reduce the likelihood of a domain takeover, restricting access to those who need it, when they need it.
- Operational security – Operational security typically needs to be implemented in parallel with the above activities. Organisations will tend to find that as their understanding of their security environment grows, so too will the need to react to incidents and events.
(PI) What advice and tips would you share with other CISOs when it comes to communicating the ROI vis-a-vis security investments to other stakeholders? How do they obtain buy-in?
(DD) Ahh, the eternal question, to which I have not yet found the perfect answer! In all seriousness, regular communication with the Exec, with the Board, and Non-Executive Directors is crucial – the relaying of the misfortune of others who suffer breaches, particularly in the same industry vertical, is powerful, and can provide useful insight and statistics, but often it takes a “near miss” to really focus attention. Preparing the Board to make the mental shift from “keeping them out” to “letting them in, but being able to contain them quickly” is a paradigm shift for many business leaders.
It’s impractical to build the walls and hope they’ll keep the enemy out, regardless of how expensive your walls are. The key is to articulate, at a high level, what defence in depth means in the context of cybersecurity, make efficient use of the funding that is available, and add to your defences incrementally over time.
Incremental improvements, the gradual layering of defences / tooling, and a robust assurance strategy will help produce metrics that can be aligned to the most prevalent attack methods at that time. This, of course, needs to be aligned with a regular risk assessment, ensuring that the organisation remains oriented towards the current threat.
(PI) Based on your experience and insights, how are cyberattacks changing now? What are the biggest threats companies need to focus on?
(DD) The main challenge for many organisations remains that of legacy systems, whether they be infrastructure, business critical applications, or old operating systems that never get patched. Basic cyber hygiene tends to be inconsistent and in many cases lacking, with businesses focusing on “tooling up” before they are ready to correctly integrate security tools with their business processes. We are our own worst enemies.
The threat from the insider remains, with many businesses failing to tackle who has access to what. Externally, an increasingly volatile environment is likely to see increased activity by cyber criminals acting as a proxy for various nation states, not limited to Russia. China remains highly active and appears to demonstrate technical prowess over other nation states, where cyber warfare is concerned.
(PI) What do you think about when you hear integrity? Particularly system integrity. How important is that in security, compliance, or just operations?
(DD) Integrity, part of the Confidentiality, Integrity, and Availability (CIA) triad, is a fundamental cornerstone of security. A few years ago, integrity was possibly treated as a bit of an afterthought, depending on which industry you occupied. However, GDPR changed that way of thinking. Whilst there was a lot of panic to become GDPR compliant leading up to 2018, the legislation altered the way many organisations think about data integrity, and it did so for the betterment of the industry.
(PI) Security frameworks are a vital part of any security program – where would you advise organisations to invest most of their time? (NIST, CIS, others.)
(DD) This is quite a subjective question, as it very much depends on where an organisation’s business priorities lie. They may be seeking to work with a government contract, in which case Cyber Essentials Plus (CE+) might be a priority, or they may be seeking to win new business in a sector where ISO27001 is vital for contractual compliance. All the frameworks have their place, but the NIST Cybersecurity Framework (CSF) is as good a place as any to start a programme.
(PI) We know that supply chain risk management is a huge issue right now. How do companies typically manage this process? What best practices can you share?
(DD) Many companies rely on a desktop review of certifications, policies, and standards, but this is outdated and insufficient for a modern business, particularly a modern digital business. Many of the organisations I work with have built dedicated supplier security management teams, with appropriate tooling to deliver higher levels of assurance than is possible with a desktop review. There are a number of services out there now providing a cybersecurity-focused view of your suppliers, articulating those suppliers’ externally-facing security posture as derived from publicly available sources. If these organisations can assess the external security posture, you can be sure that the bad guys can as well, so organisations need to be prepared to think like the bad guys, gathering as much information from as many sources as is practicable, to gain better visibility of supply chain risk.
(PI) What are the key threats in your industry right now? What are the main challenges CISOs are facing?
(DD) The industry is still seeing a significant talent shortage, specifically in the technical security space. The convergence and automation of some technologies will undoubtedly improve this, but whilst I can find numerous folks who are ISO27001 certified, the same cannot be said for laterally-thinking problem solvers who have technical understanding and Governance, Risk, and Compliance (GRC) skill sets. Often the two areas are separate in larger organisations, and so the individuals develop in their own lanes.
The global pandemic, political, and economic landscapes are having strategic and probably lasting impact on security. Longer term, as we move into a recession, there will be more law-abiding citizens turning to cyber criminals for work, with “cybercrime as a service” accelerating, as techniques, tactics, and procedures become commoditised. I undertook an investigation into a cryptocurrency theft a few years ago that seemed to involve 34 separate criminal components, each playing a different and unique part in the theft of many millions of Euros. Commoditisation is the objective of many organisations, to maximise efficiencies and therefore profits, but the bad guys have read that playbook and seek to do the same. The bad guys have time on their side, whilst the defenders do not.
Legacy systems pose a significant challenge for many organisations, and a reluctance to invest in the replacement of these often critical business systems will only be tempered by the velocity at which attackers can compromise them. Business resilience cannot truly be built on such legacy platforms, and we will continue to see extortion-based attacks decimate organisations who choose not to build cyber resilience into their armoury.
(PI) Have you ever been involved directly in a data breach? What lessons did you learn?
(DD) Sadly, several. I ran Ernst and Young’s cybercrime investigations team in the UK for a few years, and so dealt with many smaller breaches in client environments, but I’ve also experienced them as an end user. Key lessons were that you must, must build a strong network of internal stakeholders. Identify your top performers, and ensure they know what part they can play when things go badly.
Having playbooks and processes is important, but no good plan survives first contact with the enemy. Know your team, your tools and your assets, and deploy them accordingly. Following process for process’s sake benefits nobody. Create a light change control process that goes beyond emergency change management that may be invoked in times of crisis.
Identify the decision makers, seek out responsibility and own your decisions. Ensure that your stakeholders, the executives, and the Board know the positions that they will play in the event of a breach.
Ensure you and your team are appropriately empowered to make critical decisions. Document your decisions and ensure regular communication to the right people at pre-defined intervals. Ensure that you have a prepared communications plan in place. Get the Legal team on board! It’s always good to have some coverage from multiple disciplines. Have an Incident Response (IR) provider on a retainer, and ensure that they are adequately resourced to deal with an extended IR activity, possibly lasting several months. Test their capability by exercising the IR plan, and don’t do this in isolation, involve the whole business. Then do it again! Sweat more in training to bleed less in battle!
(PI) How do you measure your success? What metrics do you have in place?
(DD) The key metric I like to track is around risk appetite. If you can confidently say you are at your highest limit of risk appetite, and have that independently verified, then it’s time to consider moving up a level of security and reducing your appetite. Or maybe not. It’s highly subjective. Once the organisation understands and accepts the level of risk it is willing to take, then your strategic measure of success is aligned to that.
At an operational level, I’d recommend keeping it relatively simple: MFA coverage, Critical / High vulnerabilities, what is your percentage of micro-segmentation coverage on all systems, what is your percentage of users who fail a phishing simulation, what is the total number of externally open RDP ports (this should ALWAYS be zero!), as well as a few other key risk indicators.
About the Author: Philip Ingram MBE is a former colonel in British military intelligence and is now a journalist and international commentator on all matters security and cyber.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.