What every CISO needs in their Security Playbook


by Martyn Booth


Today’s fast and ever-changing security landscape, be it privacy and regulatory policies, diverse threats or internal business management challenges, is constantly challenging chief information security officers to refresh their playbook.

Martyn Booth, Group CISO at Euromoney Institutional Investor PLC (Euromoney), gives his views on what the current changes and challenges are, and the approach CISOs should be adopting to overcome them.

Euromoney is a FTSE 250 Information Services Company with 60-70 individual businesses employing 2,500 people, covering events, commodity pricing, asset management and publications on investment strategy.

Building a Robust Cloud Security Strategy

Strategy is a good place to start, and specifically, this concept of ‘security by design’. Information security professionals often talk about creating ‘security by design’ when it comes to building their applications, be it on-prem or in the cloud.

Some argue that you can’t integrate security into a continual build process, as it gets in the way of more agile development methodologies. I don’t agree. Agile and devops methodologies do indeed work well with security, while the traditional waterfall model can be slightly cumbersome for effective security integration.

In a devops or agile model, you can move testing to earlier in the project rather than leaving it as a stopgap check during the deployment stage. It then becomes a continuous process, checking the security of the application while it is being created. This is opposed to the traditional way of performing analysis, where all of the security assessments were conducted when the application was complete and prior to deployment, creating a significant bottleneck.

Running static code analysis on a daily basis results in a list of tasks for your developers to complete. As long as the most significant issues have been dealt with prior to deployment, a full code analysis is not required.

Using Automation for Faster Security Integration

Developers typically want to create great products, but they aren’t necessarily experts in security. They can’t be expected to automatically know everything required to handle confidential client data in a secure manner.

We’ve created a process for security and privacy by design, a modified workflow tool designed to define as many of the security controls up front as possible. It starts by filling out as many details as possible about a new project or initiative, whether that’s a new product or a major internal change:

  • What kind of data will it be handling?
  • How will it exchange that data?
  • Will any third parties be involved?

This information feeds into an automated risk profiler that suggests a high, moderate or low risk depending on the kind of application. It then suggests a set of security controls that we would expect to be applied before that product is ready to launch.

It recommends a different set of security processes depending on whether the application is low or high risk, and these recommendations are set out with the guidance of the security team.

This process makes it easier to clearly show the security controls that need to be in place to launch a product and helps avoid issues that could possibly result in a project needing to be pulled down.
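A sketch of how such a risk profiler could map the three intake questions to a risk tier and a control set. This is an added example, not Euromoney's tool; the answer options, weights, thresholds and control names are all assumptions.

```python
# Added illustration: tiers, weights and control names are assumptions,
# not Euromoney's actual profiler.
from dataclasses import dataclass

TIERS = ("low", "moderate", "high")

# Hypothetical weights for each intake answer.
DATA_WEIGHT = {"public": 0, "internal": 1, "personal": 2, "confidential_client": 3}
EXCHANGE_WEIGHT = {"none": 0, "internal_api": 1, "internet_api": 2, "file_transfer": 2}

# Hypothetical control sets; each tier inherits the controls of the tiers below it.
CONTROLS = {
    "low": ["daily static code analysis", "central authentication"],
    "moderate": ["encryption in transit and at rest", "access review before launch"],
    "high": ["penetration test before launch", "security team sign-off"],
}
THIRD_PARTY_CONTROLS = ["third-party security assessment", "data processing agreement"]


@dataclass
class Intake:
    data_kind: str       # What kind of data will it be handling?
    exchange: str        # How will it exchange that data?
    third_parties: bool  # Will any third parties be involved?


def profile(intake: Intake) -> tuple[str, list[str]]:
    """Return (risk tier, controls expected before launch)."""
    # An answer the form does not recognise is scored as the riskiest option,
    # so an incomplete intake can never lower the rating.
    data_score = DATA_WEIGHT.get(intake.data_kind, max(DATA_WEIGHT.values()))
    score = data_score
    score += EXCHANGE_WEIGHT.get(intake.exchange, max(EXCHANGE_WEIGHT.values()))
    score += 1 if intake.third_parties else 0

    tier = "high" if score >= 5 else "moderate" if score >= 2 else "low"
    # Sharing personal or client data with a third party is always high risk.
    if intake.third_parties and data_score >= 2:
        tier = "high"

    controls = []
    for name in TIERS[: TIERS.index(tier) + 1]:
        controls.extend(CONTROLS[name])
    if intake.third_parties:
        controls.extend(THIRD_PARTY_CONTROLS)
    return tier, controls
```

Scoring unrecognised answers as worst-case keeps a half-completed form from producing a lower tier than a complete one.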

From Automation to Autonomy

At Euromoney we provide central support to business departments like HR, legal, information security, IT and finance, but they all operate leanly.

This means each business unit can grow and be flexible but is also supported by an overarching central group. Other federated businesses operate in a similar way.

While each business benefits from its own strategy and approach, continual changes in policy and regulation can make it more challenging to manage a single security model across the organisation.

One option is a “Trust-but-Verify” model, which we adopt at Euromoney. Here, we assume the business is doing the right thing. However, we provide detailed guidance, then run checks to ensure everything is running well and that no areas are being missed or requirements misunderstood.

There’s a 3-step approach:

  1. Set central expectations, policies and standards, which spell out clearly how things should be done.
    We have Azure and AWS standards that have strict deployment rules, and then we check them on a sample basis with risk assessment.
    Risk assessors examine those businesses and look at a whole series of criteria. If standards are not being met it may indicate we need to take action, often by increasing checks.

  2. Secondly, run automated controls to perform some of this checking.
    Again, using the cloud as an example, a tool like Qualys allows us to plug in the standards we have created, and that alerts us when it sees policies differing from what we expect. This tooling gives us an additional level of automated assurance.

  3. Finally, enforce policies directly.
    It may be necessary to enforce policies directly. For example, Azure implementations are centrally managed, so we can choose to automatically restrict specific policies that we do not wish to be operated.
    Conversely, our AWS implementation is handled more softly, and we typically don’t control it centrally. We expect these to be running our standards and we plug those into our monitoring solution, allowing us to notify teams if policies are drifting away from expectations.
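The three steps can be pictured as one drift check: a central standard, an automated comparison against what is deployed, and a per-platform decision to enforce or only notify. This is an added example, not Euromoney's tooling or a Qualys interface; the setting names, sample inventory and threshold are constructed assumptions.

```python
# Added illustration: setting names, platform modes and sample resources are
# constructed assumptions, not Euromoney's standards or a Qualys API.
STANDARD = {  # hypothetical central cloud standard: setting -> required value
    "storage_public_access": False,
    "encryption_at_rest": True,
    "mfa_on_admin_accounts": True,
}

# Step 3 as described: centrally managed platforms are enforced, others monitored.
PLATFORM_MODE = {"azure": "enforce", "aws": "notify"}

OBSERVED = [  # constructed sample inventory
    {"id": "az-001", "platform": "azure", "owner": "events",
     "settings": {"storage_public_access": True, "encryption_at_rest": True,
                  "mfa_on_admin_accounts": True}},
    {"id": "aws-001", "platform": "aws", "owner": "pricing",
     "settings": {"storage_public_access": False, "encryption_at_rest": False}},
    {"id": "aws-002", "platform": "aws", "owner": "publications",
     "settings": dict(STANDARD)},
]


def check_drift(resources, standard=STANDARD, modes=PLATFORM_MODE):
    """Step 2: compare each resource with the standard and pick a response."""
    findings = []
    for res in resources:
        for setting, required in standard.items():
            # A setting that is not reported counts as drift: absence of
            # evidence is not evidence of compliance.
            actual = res["settings"].get(setting, "<not reported>")
            if actual == required:
                continue
            # Unknown platforms fall back to notify so nothing is changed blindly.
            action = modes.get(res["platform"], "notify")
            findings.append({"resource": res["id"], "owner": res["owner"],
                             "setting": setting, "expected": required,
                             "actual": actual, "action": action})
    return findings


def owners_needing_more_checks(findings, threshold=2):
    """Step 1 follow-up: owners with repeated drift get increased sampling."""
    counts = {}
    for f in findings:
        counts[f["owner"]] = counts.get(f["owner"], 0) + 1
    return sorted(o for o, n in counts.items() if n >= threshold)
```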

Handling Post-Attack Recovery

Regardless of your organisation’s risk appetite, a when-not-if mindset towards security breaches is a sensible strategy. It may sound counterintuitive, but if an organisation reports a number of incidents, it can be a good indication of its information security maturity: its ability to detect incidents could suggest a level of maturity above those organisations that report no incidents, possibly because they have no detective capabilities with which to identify them. This isn’t true in every case, however. Organisations that continually report the same kind of incidents can indicate a poor incident management process that could lack proper root cause analysis.

Companies should prepare for the inevitable and be ready for any potential security breaches in advance. At Euromoney we have a team in place that’s highly skilled at managing these situations and knows our systems well. They do a lot of work to understand:

  • What the breach involved
  • How extensive it might be
  • What the likely damages are
  • How it can be controlled to minimise the spread

Most companies are still on a reactive path. As soon as they know they’ve had an incident or breach, they’re usually good at investigating it. But they’re not so good at proactive monitoring, discovering problems and dealing with them before they become an issue.

Again, a great monitoring tool can help. Incidents will happen, regardless of how good your proactive monitoring capability is. It’s crucial to ensure you have very clear policies about incident management and what to do when one occurs. A good tool needs to be supported by a good team (to monitor it effectively and with appropriate time coverage) and a good monitoring strategy (to identify the correct sources and ensure that the business is looking for the right things).

To help with managing incidents consistently, create a security playbook that details the steps to go through following any incident, using decision trees showing what you should do in certain scenarios and a formal escalation path detailing who should be informed and at what stage. It’s equally important to clearly lay out who should engage with the media if the incident is deemed sufficiently important. You’d be surprised how often somebody isn’t told something important when a formal communication process isn’t followed.

Test this playbook whenever you can against plausible scenarios and with other members of the team.

Incident managers can make a big difference, and for any global organization, it’s important to have a well-trained team that covers all time zones and hours of the day.

Managing Security in a Recession

We can’t ignore the recession, perhaps the biggest we’ve seen since WWII. This will naturally put pressure on budgets and resources, while financial services organisations will still be challenged to innovate yet remain secure. Does this put added pressure on myself and fellow CISOs?

From a budgeting perspective, while many are assessing their overall security strategies to cope with the demands of a recession, given changing business attitudes, it’s unlikely that security budgets are going to be unequivocally cut. But some organisations will have to make cuts across the board, and security may be hit to varying degrees.  

Every management team will naturally look at areas and tools that aren’t providing value and consider if they can be cut without significant risk to an organisation. Problems can occur though when a business makes cuts without being fully informed by the security team, which will lead to more incidents. The more incidents you have, the more difficult it is to recover from them quickly. That will further impact the business in a number of ways.

So, for every CISO, it’s important to understand where you are with the business, keeping the rest of the organisation informed about what risks you are trying to mitigate, and which risks will materialise if certain areas aren’t adequately funded. One way of doing this is through metrics. All critical security programmes at Euromoney are underpinned by a reporting programme that keeps senior management informed about why the controls are in place and how effective they are proving to be. That helps explain the real-life impact of making changes to the control landscape in order to reduce costs. That, in turn, helps the security function demonstrate the consequences of certain decisions.

Businesses take risks every day, and if they choose to take the risks, it is the CISO’s role to keep the business informed about the consequences of the risks that they wish to take. But that decision can only be made by keeping them informed, and reporting programmes help to achieve that. A CISO will increasingly be called upon to be a trusted business partner, not just somebody that does something technical to keep the organisation safe in the background.

Preparing for the Challenges of Tomorrow’s World

From increasing threats and skills gaps to increasing and changing regulations, these are typically singled out as the key future challenges for information and data security leaders.

But, really, it depends on what your business is trying to achieve, what risks you’re worried about and the environment in which you operate. Banks and data companies will face different challenges in the future, for example.

The pace of change is a major challenge faced by many organisations. Most security functions simply weren’t designed or prepared to change at the pace required to be effective today.

Here are my three key pieces of advice:

  1. Use metrics for quicker responses
    There could be a fundamental change in how we assess our environments. Right now, you risk assess everything, informing about how much risk you’re exposed to and how to mitigate it. 
    But this is cumbersome, so in the future, planning scenarios could become more widespread. With clear and transparent risk metrics, you can make instant decisions on security-related matters.
    It’s impossible to measure risk effectively without metrics in place. But with enough information, you can combine it all together and see which areas of the business are risky and could run out of control.

  2. Retain key talent
    No matter how much you pay your most skilled individuals, if they’re in demand, there could always be someone willing to pay higher. If they go, their knowledge goes with them.
    And it’s incredibly damaging for a security department to lose that innate knowledge while trying to keep the security function running smoothly. If people leave too often, it can seriously affect your ability to operate smoothly and effectively.
    It can help to offer staff an incentive to stay, beyond just their salary. It helps to develop them, grow them as individuals and provide something extra to make them want to remain. Providing a level of autonomy and ownership over certain aspects of their role will make them feel part of the security strategy, rather than just a replaceable component in it.

  3. Be prepared for the cloud
    You read and hear this frequently, but plenty of businesses and security functions are simply completely unprepared for cloud infrastructure. The security procedure differs greatly between data center and cloud projects, for example, and the skills to manage both are not common in business circles.
    The downside of the cloud is how easy it is to set up. It means infrastructure in places that we can’t see, and obviously then it’s not covered by metrics or testing. And that makes it a prime target for being breached.

So in summary, the future issues you may encounter include today’s fast pace of change, a lack of skills and the difficulty of retaining them, and making sure that you’re transitioning those skills to cope with the most recent threats, which in the cloud landscape are slightly different to what many businesses have become accustomed to.

The Financial Services Cloud Transformation Hub is brought to you by Nutanix.

© 2021 Nutanix, Inc. All rights reserved.