What it really takes to build a resilient cyber program
In this Help Net Security interview, Dylan Owen, CISO at Nightwing, talks about what it really takes to build an effective defense: choosing the right frameworks, setting up processes, and getting everyone on the same page. Drawing on both military and private sector experience, Owen explains how preparation, communication, and constant adjustment are key to building a more proactive security approach.
What specific frameworks, processes, or organizational alignments do you believe are essential for effective cyber defense operations?
I think there are a couple of things that need to be considered for determining the frameworks, processes, and organizational alignment when building out your cyber defense operations. From a framework perspective, the first thing that has to be considered is what, if any, frameworks my company must adhere to. If your organization is in a regulated industry like finance, healthcare, or defense, there are frameworks like CMMC or HITRUST that are required. If you are processing credit card transactions online, you would need to follow the PCI DSS standard. For Nightwing, as a DoD contractor, we are using a combination of CMMC, NIST CSF, and ISO 27001 as our frameworks. If you aren’t in a regulated industry, you could choose NIST CSF, ISO 27001, or even mix and match the controls that are best suited for your organization and can be implemented and monitored.
From a process perspective, there are four key processes to implement in an organization:
- Risk assessment and management – You need to perform periodic assessments to discover vulnerabilities and threats, and have a way to prioritize and remediate those identified risks.
- Incident response – You need a plan to be able to protect from, detect, respond to, and recover from a cyber incident. Whether it’s phishing, ransomware, or a nation-state actor, preparation is critical. You also need to know how to respond to specific threats that were identified as part of the risk assessment.
- Continuous monitoring and improvement of your security posture – How do you know that you’re still protected from a risk you identified and put controls in place to mitigate? Things change fast in the IT and cyber world, so being able to continuously monitor the security posture of your organization, and improve that posture when new threats and gaps are discovered, is critical.
- Security awareness and training – Training employees is key to implementing a security-first culture, which will pay dividends in the long run.
Organizationally, there is no silver bullet. Every organization works differently, but there are a few principles that help provide cyber defense:
- Organizational alignment – When you have buy-in from the Board, C-Suite, business leaders, and functional area leads that cybersecurity is not only important from an IT perspective but from a business perspective, it’s much easier to be effective because everyone is moving in the same direction.
- Defined roles and responsibilities – Knowing who is responsible for what is important to ensure things don’t get stovepiped and cause issues in the future.
- Collaboration and communication – Constant communication between the cyber team and IT, functional and business leaders, and senior leadership of an organization is critical to prevent misunderstandings and ensure alignment.
Proactive defense is often easier said than done. What practical steps can security teams take to shift from reactive security to a more proactive posture?
When I was in the military, they had a saying: “Preparation Prevents Poor Performance.” I believe that applies very well to cybersecurity and to becoming more proactive. Preparation can mean a lot of things, but there are a couple of areas where it’s really useful in cyber.
A good place to begin is the ‘Identify’ phase from NIST’s Incident Response guide. You need to identify all of your risks, vulnerabilities, and assets. Prioritize them and then determine the best way to protect and detect threats against those assets. Assets not only include physical things like laptops and phones, but also anything that is in a Cloud Service Provider, SaaS applications, and digital items like domain names. Determine the threats, risks and vulnerabilities to those assets. Prioritize them and determine how your organization is going to protect and monitor them. Most organizations don’t have a very good idea of what they actually own, which is why they tend to be reactive and waste time on actions that do not apply to them.
How often has a security analyst been asked if a recently disclosed zero-day affects the company? They perform the scans and pull in data manually, only to discover they don’t run that piece of software or hardware. By knowing what you have, and what the risks and vulnerabilities are, it becomes much easier and quicker to answer those kinds of questions from leadership. There is a lot of work that goes into achieving that level of insight, but it’s well worth the effort to become more proactive.
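The "does this zero-day affect us?" question above is one a maintained inventory can answer in seconds. The following is an added example, not code from the interview or from Nightwing: it matches a hypothetical advisory's affected version range against a constructed software inventory, and shows the empty result for a product the organization does not run at all (the case where a manual scan would have been wasted effort).

```python
# Added example (not from the interview): answering "does this newly disclosed
# flaw affect us?" from a maintained asset inventory instead of ad-hoc scans.
# Inventory rows and advisories below are constructed sample data.
from dataclasses import dataclass

# Constructed software inventory; a real one would come from a CMDB or an
# endpoint-agent export.
INVENTORY = [
    {"host": "web-01", "vendor": "ExampleCorp", "product": "WebGateway", "version": "2.3.7"},
    {"host": "web-02", "vendor": "ExampleCorp", "product": "WebGateway", "version": "2.4.1"},
    {"host": "db-01",  "vendor": "ExampleCorp", "product": "DataStore",  "version": "11.2"},
    {"host": "vpn-01", "vendor": "OtherVendor", "product": "EdgeVPN",    "version": "7.0.3"},
]

def parse_version(v: str) -> tuple:
    """Turn '2.3.7' into (2, 3, 7) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def cmp_versions(a: str, b: str) -> int:
    """Compare dotted versions, padding the shorter with zeros ('2.4' == '2.4.0')."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)

@dataclass
class Advisory:
    vendor: str
    product: str
    first_affected: str   # inclusive lower bound of the affected range
    fixed_in: str         # exclusive upper bound: this version and later are patched

    def matches(self, row: dict) -> bool:
        if (row["vendor"], row["product"]) != (self.vendor, self.product):
            return False
        return (cmp_versions(row["version"], self.first_affected) >= 0
                and cmp_versions(row["version"], self.fixed_in) < 0)

def affected_hosts(advisory: Advisory, inventory=INVENTORY) -> list:
    """Hosts whose installed version falls inside the advisory's affected range."""
    return sorted(row["host"] for row in inventory if advisory.matches(row))

# Hypothetical advisories: one for a product we run, one for a product we do not.
GATEWAY_ADVISORY = Advisory("ExampleCorp", "WebGateway", "2.0", "2.4.1")
UNUSED_PRODUCT_ADVISORY = Advisory("SomeoneElse", "LegacyERP", "1.0", "1.9")

if __name__ == "__main__":
    print(affected_hosts(GATEWAY_ADVISORY))         # ['web-01']  (web-02 already patched)
    print(affected_hosts(UNUSED_PRODUCT_ADVISORY))  # []  (not in our estate; nothing to scan)
```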
What are the most significant obstacles you encounter when putting defensive strategies into action, whether related to people, technology, or organizational buy-in? How do you address those pain points?
At Nightwing, I haven’t had to deal with many obstacles. Being in the national security industry, our employees and leadership understand that we have a high burden to protect our own data and our customers’. What sometimes becomes difficult is explaining why we implemented a control that changes a process someone was using before. Change, in general, is hard for organizations, and when you change the way an employee has done something or you are changing their user experience, communication and testing are really important.
People tend to accept change if it isn’t very noticeable or you are able to proactively address their concerns over what the new process or experience will bring. Through proactive planning and communication, you can eliminate as many concerns as possible, whether through training or up-front testing, and prepare your service center to address known issues. You will never get rid of all of the concerns and challenges, but only having to worry about a few (versus many) is a much easier mountain to climb.
What role does consolidation, automation, or AI play in helping you manage the noise?
I think automation is probably the one thing that we can always do more of, and it’s critical in helping manage noise. Even as a CISO, I can get a lot of alerts and emails from different systems that I know I’m not personally dealing with, but my team is. Using automation to make sure those are handled quickly is really important to help prevent burnout and a kind of Pavlovian response to seeing something hit my inbox. I tend to spot-check to make sure we are seeing all the opportunities to automate responses or tasks so that my team can focus on the things that require a more manual process or extra attention. AI plays some part, as well, in helping with automation.
How do you approach red teaming or adversary emulation exercises? How do those exercises inform your defensive playbooks? Is there a feedback loop between offensive testing and defensive improvement?
I believe that red teaming or adversary emulation exercises are very valuable to help identify gaps in technology coverage, process breakdowns, and other vulnerabilities that haven’t been identified by your internal team. When you do one of these engagements, it’s very important that, when you review the findings and look to fix the identified issues, it is done in the light of improving your organization’s security posture and not about blaming people for not catching the activity in the first place.
Many organizations use a red team exercise to try and blame someone or some group for a deficiency, or even to score an internal political point. That will never end well for anyone. The name of the game is improvement in your security posture, and these exercises help identify areas of weakness. There might be things that don’t get fixed immediately, or maybe ever, but knowing that the gap exists is the critical first step. Having that feedback loop between the offensive team and defensive team is extremely important. Without it, I don’t know why you would do a red team engagement. I always insist on this being part of the engagement. I am in a lucky position in that Nightwing has a lot of experience in the red teaming space, and I am able to tap into that experience and knowledge for our internal team. Things as basic as an architecture review from that adversary viewpoint to a full-on adversarial emulation at the nation-state level are an invaluable part of our security program.