As the CISO's job has morphed from gatekeeper (no breaches!) to crisis manager (no outrageous breaches!), the questions boards and C*Os have learned to ask us have become more nuanced and sophisticated. This transition has been a good thing for CISOs, as the discussion that begins with the question
Are we secure today?
is far less productive or meaningful than the prompt,
Against whom are we secure today?
As I have taken this same journey with my C*Os, two concepts have been core to defining the vernacular we use to answer the against whom... question above. One is the basic threat model (see diagram to the right), which establishes that defending against corporate espionage requires a significantly different set of countermeasures than defending against a disgruntled customer or passing a tough regulatory audit; the other, described below, is a rating scheme borrowed from the physical security world. It is important to define the ground rules for what constitutes an outrageous breach: a nation state is more likely to succeed against companies in some industries than in others, and aligning with senior staff on which adversaries one is willing to outwit and outspend is a critical building block for establishing a vision and setting the right tone at the top.
Once a threat model is established, the most intellectually stimulating part of the CISO's job truly begins. As the constant drumbeat of breaches reaches the ears of our stakeholders, the question we are routinely asked is,
Would that attack have worked against us?
While there are many frameworks (ISO, COBIT, NIST 800-53, HITRUST, PCI, etc.) available to help CISOs evaluate the response to that question, I have found that it helps to start with one that is simpler and predates these common information security guides by at least a decade: UL 687, the Underwriters Laboratories standard for rating burglary-resistant safes.
UL hires the world's best safe crackers to rate safes' effectiveness at thwarting theft based on three characteristics:
- the type of tool it will resist,
- the duration for which it will resist (measured as the testers' net working time, not wall-clock time),
- and whether it resists on all six surfaces, or just the front face
So, a TL-15 rated safe will protect its "crown jewels" for 15 minutes against a skilled attacker using common burglar tools (drilling, wedging, etc.) on the door and front face; a TRTL-30X6 safe will resist tools and a cutting torch for 30 minutes on all six faces; a TXTL-60X6 safe will hold for an hour against tools, torches, and explosives on all six faces. UL 687 only defines a handful of such classes (there is no tool-and-torch rating below 30 minutes, for instance), so the label is a coarse bucket rather than a precise measurement.
It is not difficult to begin to draw parallels between the UL model and what many information security programs aim to accomplish. We hire skilled staff to conduct penetration tests on our systems, armed with the best attack tools available. We take our lessons learned, adjust our defenses, and re-test until we are satisfied that an outrageous attack — one whose description starts with the painful phrase "it turns out that..." — is unlikely to succeed against our systems.
Perhaps the biggest difference between the UL model and what we face in Infosec is the complexity of the attack surface: instead of six faces, IT systems tend to expose dozens: web, application, database, network, storage, users, APIs... the list goes on and on. Despite this twist, there is power in the simplicity of being able to answer the natural follow-up to the against whom are we secure today question,
What makes you so sure?
with a response that begins, "we tested using the known (or likely) tools, techniques, and practices of the adversaries most likely to attack this system, and our defenses held for 40 hours".
While it's tempting to codify an information security assurance framework inspired by UL 687 (a design review is the equivalent of TL-15, a code review of TRTL-30, a team of professional pentesters of TXTL-something, etc.), the last thing our industry needs is another framework. On the other hand, as part of a CISO's scorecard, or as a conversation starter with the board or senior staff, being able to articulate how many of our systems have recently been rated TXTL-60X6 feels like a great place to begin.
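To make the scorecard idea concrete, here is an added example (not code from the original post) that derives a UL-style rating string from penetration test records and counts how many systems currently hold a given rating. The mapping from attack class, time held and surface coverage to a label is an assumption for illustration: it borrows UL 687's TL/TRTL/TXTL prefixes, 15/30/60 minute buckets and X6 suffix, but does not reproduce UL's exact list of classes. The `PentestRecord` fields, the 365-day freshness window and the sample records are all constructed for the example.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Escalating attack classes, mirroring UL 687's TL (tools), TRTL (tools + torch)
# and TXTL (tools + torch + explosives) prefixes. Assumed mapping for this example;
# UL 687 itself defines only a few fixed classes (TL-15, TL-30, TRTL-30, TXTL-60, X6 variants).
TOOL_PREFIX = {"tools": "TL", "torch": "TRTL", "explosives": "TXTL"}
TOOL_ORDER = ["tools", "torch", "explosives"]
DURATION_BUCKETS = (60, 30, 15)   # minutes, checked highest first
MIN_MINUTES = 15                  # a system that falls faster than this gets no rating


@dataclass(frozen=True)
class PentestRecord:
    """One engagement against one system (constructed schema, not a real tool's format)."""
    system: str
    tested_on: date
    tool_classes: frozenset[str]     # attack classes the testers actually used
    minutes_held: int                # net working time before compromise, or engagement length if never compromised
    surfaces_tested: frozenset[str]  # e.g. web, api, db, network, users
    surfaces_total: frozenset[str]   # every surface the system exposes


def rate(rec: PentestRecord) -> str:
    """Derive a UL-style label such as 'TRTL-30X6' from a single test record."""
    unknown = rec.tool_classes - set(TOOL_ORDER)
    if unknown:
        raise ValueError(f"unknown attack class(es): {sorted(unknown)}")
    if not rec.tool_classes or rec.minutes_held < MIN_MINUTES:
        return "unrated"
    strongest = max(rec.tool_classes, key=TOOL_ORDER.index)
    # Largest bucket the system held for; MIN_MINUTES guarantees at least the 15 bucket matches.
    duration = next(b for b in DURATION_BUCKETS if rec.minutes_held >= b)
    all_faces = rec.surfaces_tested >= rec.surfaces_total
    return f"{TOOL_PREFIX[strongest]}-{duration}{'X6' if all_faces else ''}"


def latest_per_system(records: list[PentestRecord]) -> dict[str, PentestRecord]:
    """Keep only the most recent record for each system."""
    latest: dict[str, PentestRecord] = {}
    for rec in records:
        cur = latest.get(rec.system)
        if cur is None or rec.tested_on > cur.tested_on:
            latest[rec.system] = rec
    return latest


def scorecard(records: list[PentestRecord], as_of: date, recent_days: int = 365) -> dict[str, str]:
    """Map each system to its current rating, or 'stale' if its last test is older than recent_days."""
    card: dict[str, str] = {}
    for system, rec in latest_per_system(records).items():
        if as_of - rec.tested_on > timedelta(days=recent_days):
            card[system] = "stale"
        else:
            card[system] = rate(rec)
    return card


def summarize(card: dict[str, str]) -> Counter:
    """Count systems per rating label, the number a CISO would put on the scorecard."""
    return Counter(card.values())


# Constructed sample data: four systems, one of them tested twice.
ALL_SURFACES = frozenset({"web", "api", "db", "network", "users"})
ALL_TOOLS = frozenset(TOOL_ORDER)
AS_OF = date(2015, 7, 1)
SAMPLE_RECORDS = [
    PentestRecord("payments-api", date(2014, 11, 1), frozenset({"tools"}), 120, frozenset({"web", "api"}), ALL_SURFACES),
    PentestRecord("payments-api", date(2015, 5, 10), ALL_TOOLS, 40 * 60, ALL_SURFACES, ALL_SURFACES),
    PentestRecord("hr-portal", date(2015, 3, 15), frozenset({"tools"}), 45, frozenset({"web", "api"}), ALL_SURFACES),
    PentestRecord("legacy-ftp", date(2015, 6, 20), frozenset({"tools"}), 5, ALL_SURFACES, ALL_SURFACES),
    PentestRecord("data-warehouse", date(2014, 2, 1), ALL_TOOLS, 600, ALL_SURFACES, ALL_SURFACES),
]

if __name__ == "__main__":
    card = scorecard(SAMPLE_RECORDS, AS_OF)
    for system, label in sorted(card.items()):
        print(f"{system:15} {label}")
    print(summarize(card))
```

Two details matter more than the label itself: only the most recent engagement counts, and a result older than the freshness window is reported as stale rather than silently carrying last year's rating forward. A system that fell in under fifteen minutes is reported as unrated, which is the honest answer to the "what makes you so sure?" question.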
July, 2015, update: somebody thinks this isn't complete nonsense.