What’s a CISO “Time-To-Leave” (and how to retain them)?

We are often told that CyberSecurity staff are both hard to find and hard to retain.

I have the feeling that, regarding experienced CyberSecurity experts such as CISOs, we have reached the point at which some of them:

  • are talented enough to define clear objectives for themselves and their teams,
  • as a corollary, are less and less willing to slow down the pace of their activities (given the high level of threat). They chose their job to overcome its challenges, and now they know how to achieve their goals and are paid to do so.

For most of them, the reputation of their company, the size of their teams, and even their level of compensation are not the primary motivation to stay; what matters is how much they actually learn from their job on a daily basis and how often they are confronted with new challenges.

Now, how do we define “experienced CISOs”? Of course, it varies a lot from one individual to another. But when someone has been a CISO a) for various large companies, b) for at least several years each, and c) has more than 10 years of experience in CyberSecurity overall, they pretty surely qualify.

Still, some companies are willing to hire a CISO “to tick the box”. Unfortunately, some of those CISOs get involved in various social/political issues, lose more and more of their ability to influence the operational level of protection of their company, and hence become more and more afraid of being involved in a CyberSecurity crisis someday…

Other companies may first hire a CISO for a quite practical primary objective, but, after several years, the same companies are embarrassed by the amount of change management that such protection requires as a result of their CISO’s activity.

I have the growing feeling that, at that point, experienced CISOs choose to resign and either:

a) move to another CISO job,

b) start their own company,

or c) switch to a completely different job (one of my friends switched from CISO to photographer…).

This is probably the best case scenario.

Worse cases would include real “burn-out” situations.

Various press articles have covered CyberSecurity staff involved in such burn-out.

But, tell me… How can CyberSecurity experts, who are so passionate about their job, end up in burn-out? Simply because they don’t want to abandon their vessel, even though they are more and more convinced that they don’t have the means to avoid the iceberg…

So they keep running faster and faster, though they are never satisfied with their job and achievements.

Now, the question is: how long does, on average, a positive relationship between an experienced CISO and their company last? How long do such experienced CISOs enjoy doing their job in large companies? According to my observations, as well as to Heidrick & Struggles’ latest survey, 4 years seems to be a fair number.

Are there exceptions? Could experienced CISOs actually stay longer than 4 years in large companies, while still fully enjoying their job? I believe that CISOs who:

  • run an external activity related to their job (eg: leading a CyberSecurity association),
  • and/or are hired by a tech (software/hardware) company, in particular in the CyberSecurity field,
  • and/or move on a regular basis from one job/position to another within their company,

…are likely to stay longer as CISO of their company. For others, I’m less optimistic.

Knowing this, what could we recommend to CISOs / companies to reduce CyberSecurity staff turnover? I would summarize it this way:

  • Keep supporting your CISO/CyberSecurity teams. Focus on and support their progress rather than on what they need to improve
  • Apply Steve Jobs’ recommendation: “It does not make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do”.
  • Avoid mixing [too much] politics and CyberSecurity. Avoid changing CISOs’ objectives too often. It is hard enough to manage budget, skills and change management constraints to reach a proper level of protection. Keep in mind that CISOs’ enemies are (and must remain) hackers and malware. There’s no room to add others.
  • Instead, feed your CISO & CyberSecurity teams with challenges and training. Remember that what makes (and enables you to retain) Great Employees is a mix of Trust, Talent, Tenacity and Training…

Still, I like this quote from Shawshank Redemption: “Some birds are not meant to be caged, that’s all”. Hence, companies should remain proud of the progression of their associates towards new positions, either internal or external. It usually means that they learned a lot through a fruitful multi-year experience!

Don’t pay the bloody ransom!

Several companies wonder whether they should pay the ransom in case of a ransomware attack on their systems.

Unfortunately, multiple CISOs have faced such a tough situation, not only from a purely technical point of view but also from a deontological, social, political or even ethical point of view.

Some companies are strictly opposed to such “payment”, while others consider the difficulty of surviving without the “lost” data (which is fully understandable); but some Execs also consider the “payment” as a “quick and easy way to solve the problem”.

Interestingly, while it’s sometimes quite hard for CISOs to get enough budget for their necessary projects, their management may take the decision to pay within a very short period of time (under the pressure of the incident). Well… I believe this is just the wrong way to address it.

Let’s study why.

First, you’re not sure to recover access to your data. Are you “trusting” the bad guys for that? You should rather trust your CISO and his/her teams… Even when a decryptor is delivered, it is often slow or buggy, and it does nothing about data that was already exfiltrated. Ransomware is not “a product”; it cannot be compared to ethical hacking, vulnerability disclosure programs, bug bounties and other useful commercial activities.

The second reason not to pay is that the attackers will remember that you’re a good customer:

that money is obviously not an issue for you,

that if you did it once, you may do it again.

Hence, they’ll come back. And unlike what you can offer your own customers, there’s no “loyalty” program: the cost will not decrease over time.

So don’t put one more coin in the system, it’s not a piggy bank!

Last but not least, giving money to those guys is just the same as funding cybercrime. The more money they get, the more weapons will be developed and sent out to all connected systems out there. And as you’re asked to pay in crypto-currency, it is much harder for law enforcement to chase down the criminals by “following the money”, as they would have done decades ago with bank transfers.

I’ve known one of my peers, a CISO, who was asked by his management (probably not aware enough…) to pay the ransom. When he informed the bad guys about it, there was another “surprise”: the criminals suggested paying a little more, in order to download a “specific protection software” to avoid further attacks in the future!

Are you kidding? Do you believe it’s a “defense” or rather a “backdoor” to ease future attacks instead of preventing them? Well, his manager asked him again to pay for the add-on. He did not, but rather resigned. Very brave, but sad indeed. Keep your cybersecurity teams and install cybersecurity software, not malware.

Regarding the ongoing discussions about the reimbursement of ransoms by insurance companies (provided that victim companies declare the attack), I believe that we should not encourage companies to pay. That’s it.

For sure, companies that are about to go bankrupt if they don’t recover access to their data could be forgiven for paying the ransom… But still: they encourage cybercrime and should rather invest in their protection to prevent cyber-attacks.

CyberSecurity Operations and the 3 Lines of Defense model

The “3 Lines of Defense” model (formalized by the Institute of Internal Auditors and widely referenced by ISACA) has demonstrated its efficiency by splitting responsibilities: governing and implementing CyberSecurity on the first line, ensuring its compliance and proper impact on risk management on the second, and auditing the proper execution of the first two functions on the third. Still, the need to ensure that CyberSecurity Operations are performed by, and under the control of, CyberSecurity professionals remains.

What I mean by CyberSecurity Operations is selecting, implementing, configuring, troubleshooting and updating the CyberSecurity technologies that protect the organization.

To confirm this, I have interviewed various CISOs of large French companies belonging to very different verticals (banking and finance, insurance, luxury, cosmetics, health, retail, energy, communication, manufacturing, transportation). Here are the conclusions:

  • in terms of reporting line, CISOs mainly report to CIOs, but more and more to a COMEX member (which can be the CIO as well, but not only, eg: General Secretary, Risk Management and sometimes even CEO)
  • in almost all cases, CISOs are managing CyberSecurity Operations, at least on equipment that is dedicated to [advanced] pure CyberSecurity functions (eg: authentication, filtering, encryption, data leak prevention, incident detection and response, etc.).
    • Network infrastructure equipment that is also involved in network segmentation may remain operated by infrastructure teams, provided that very clear rules are predefined to grant or reject network access rights; but that requires that infrastructure teams be aware, trained and fully accountable.
    • When such clear rules are defined, the objective and the trend are usually to automate (at least through a proper workflow) the management of network access rights, to optimize cost, agility, and risk management.
    • In some cases, the infrastructure staff in charge of managing such network segmentation also have a dotted reporting line to the CyberSecurity team.
  • in terms of selection of CyberSec technologies, the CISO remains in charge of CyberSecurity market watch and selection of appropriate technologies, even if it’s often validated by the CIO and sometimes most of his direct reports as well (through a proper governance body). Of course, CISO is also consulted for the selection of other IT technologies as well
  • CISO also has the ability to perform audits by him/herself, provided that he/she finds/is given the necessary resources (people and budget) for that. Of course, it does not prevent many other controls or audits, to be performed by internal / external auditors, customers, insurance companies, certification bodies, and so on
  • similarly, incident response remains under the responsibility of the CISO, for triage, investigation, the decision to respond, to trigger a crisis, or to close the incident
  • securing industrial systems (PLCs, HMIs, barcode readers, etc.) is also performed under the responsibility of CISOs, despite the fact that CIOs are not always in charge of managing the connection of such equipment to the network
  • when it comes to securing commercial products and services, the CISO is often in charge of it, unless there is another dedicated VP who takes such responsibility. This does not prevent the CISO from being involved in analysis and risk management, ensuring compliance with regulations, and having the ability to veto (or at least suggest vetoing) improperly protected systems.

While the 3 Lines of Defense model focuses on the importance of splitting responsibilities (to avoid duplicated tasks, ensure Segregation of Duties and optimize cost), it does not describe at which level arbitration / decisions should be made.

Certainly, CyberSecurity topics are more and more discussed by ExComm members, but setting up arbitration / decision at that level would require that they have a deep understanding and experience of technological CyberSecurity topics. While this may be true for IT or CyberSecurity vendors, it’s usually not the case for other companies. As it is the same for global Security topics (securing people, premises, and information of all kinds), gathering CSO, CISO, and EHS in a common team is also emerging but not yet widely adopted. Most of them collaborate a lot together, but are not [yet] reporting to the same individual in the organization.

With the emergence of several move-to-cloud projects, the need to recruit, upskill, and manage various CyberSecurity individuals, and the strong evolution of regulations, there is a growing need for all teams involved to be managed by CyberSecurity professionals who understand their daily job and its impact on the business. For that reason, I found interesting the idea that was given to me by one of the CISOs interviewed: “Let the CISO consolidate several Lines of Defense in his team, provided that each line is managed by a different direct report, while asking external auditors for an independent opinion on the efficiency of the protection of the company’s assets, and how it benchmarks within his/her industry”.

To conclude, I would like hereby to thank all CISOs that have contributed to my survey, for their valuable inputs and thoughts on this crucial topic 😉 !

The Rise of the Machines (my interview by CIO Institute)

I have recently been asked by CIO Institute to give my opinion on the emergence of automation, machine learning and artificial intelligence in multiple IT topics (including CyberSecurity).

Even though the objective was not to focus only on CyberSecurity, I found it interesting to try to define my vision on this topic. I keep thinking that you learn a lot when you step out of your “comfort zone”… 🙂

Don’t hesitate to register on CIO-Institute website and read their articles, and of course attend their virtual events, as there are plenty of fruitful discussions and great things to learn!

Meantime, enjoy reading my article below, and feel free to send me your comments!

You may as well read it directly on CIO-Institute‘s website here.

NB: Thanks a lot to Stephanie!

The Rise of the Machines: Ensuring that the Human Element is Never Lost

The Global CIO Institute interviewed Olivier Daloy, VP of CIX-A, on how firms can utilise the best of both worlds as people and technology develop. Read the interview below.

Published: Mar 16, 2022

Written by:

Stephanie Thilagalingam 

and Olivier Daloy

Q: As firms look to transform their businesses, what must firms do to ensure that they stay true to their people? 

OD: In my honest opinion, they must communicate regularly on what is at stake and what is the expected timing of the transformation. The biggest negative impact of communication comes from a lack of it. Firms must disclose their strategy and engage their people, avoid being shy or reserved to do so. They must clarify what are the expected gains, not only for the company, but also for each employee, both at corporate and personal level. Lastly, they must balance their ambition, adopt the right pace. Avoid going too fast as you will lose your employees but at the same time, avoid going too slow, as this will make you lose your competitive advantage.

Q: It was on the news recently that robots were running cafes at the Beijing Winter Olympics. Are we seeing a shift towards machines being trusted to carry out responsibilities that were once meant for humans? Would this shift mean that more jobs will become redundant in the coming years? 

OD: I don’t think so, but rather that it simply means that every task that becomes commoditized will sooner or later be replaced by a more value added task. We must be prepared for that, not afraid. We must welcome innovation, but always measure and manage the risks. It’s a very common activity for CISOs. 

Q: In your opinion, do you think that firms would prefer to have their workforces completely automated as this then reduces the risks of human error? 

OD: Again, it’s more a tradeoff between what can/should be commoditized versus what should remain under human responsibility. Not all workforces will be automated, but every “programmatic” task will definitely be. Keeping low value tasks is not only inducing financial losses, it’s also a huge obstacle for recruitment and retention of workforces.

Keeping innovation, creativity, social and even political skills is key for many companies. These are all examples of where human workforces may be relevant and bring a lot of value.

Q: Is the human-machine balance achievable? If so, how? 

OD: I believe it can, but it’s a moving target. According to many criteria, such as what the available technology can do without making too many mistakes, but also considering ethics, and often the economy as well (not exhaustive). Proper arbitration, based on the risks, enables us to define what must remain a manual action versus what can and should be automated, taking the most benefit out of the added value of human actions.

Q: It is hard knowing what requires automation and what requires people skills. How can firms bridge that gap and be able to identify what truly works for their business? 

OD: I believe it usually comes from experimentation. Just like we do in IT, you define a minimum viable project/product (MVP) then you implement a pilot and based on its results you go for a larger rollout. But it should also care for what the users/customers/citizens require/are ready to accept – and of course, legal constraints.

There are various cases where companies thought they could automate much more than what their customers were ready to accept. In some cases, it’s only a matter of taking the challenge at the right time. In others, it’s just a matter of understanding whether there is a use case. Think about autonomous driving but also [Amazon] automated delivery: do you think it’s going to remain a possible idea, an exception or will it be live some day? If you look at science fiction 15-20 years ago, there were a lot of ideas, some of which have come true, others are still not there. We use a lot of chatbots in IT, and we have SIRI and “OK Google”, but we still have keyboards – voice operated IT remains exceptional.

Q: How can we leverage emerging tech to boost productivity and performance and ultimately, allow people and tech to completely align and thrive? What are some ways firms can support this?

OD: Again, my opinion would be that we must start small and grow fast, fail fast but learn faster. This is probably the best way to integrate technology at the right level. We must focus on our pain points, find the right technology to power up our actions. I used to say that I’m not interested in a solution that looks for a problem, but rather for a solution to my problems. I also believe that we must develop the creativity of our people, give them time to think about disruptive ways of addressing their problems – and even incentivise their work/solution. Look at bug bounty: the best way to make people find new ways of hacking into IT assets is, in some way, by leveraging gamification/challenge/financial gain. There is no big interest in technical solutions that are not embedded into pragmatic problem solving.

Q: What are some potential risks firms must be on the lookout for when trying to build a harmonious relationship between people and technology? 

OD: I believe it’s mostly a matter of trust. Trust from employees that technology is not going to steal their job, which they are afraid of. Also, trust that technology remains under control. For instance, I get questions from C-levels around; are we sure that when managing cybersecurity using machine learning and AI, we still know what we are able to protect against? And finally trust that, at the end of the day, the technology does not bring more risks than it helps to manage. For Amazon, it could be drones falling onto people, impacting their safety, for instance.

Olivier Daloy spoke at the CIO Institute DACH event which ran in February 2022. Daloy is a frequent speaker of the institute so sign up to the community today to interact with him and like-minded people. 

First lessons learnt related to Cyber Offensive actions led by Russia against Ukraine – How should you protect your assets?

Known recent cyberattacks originating from Russia include the following. There is no magic way to raise the level of Cyber Protection of a company in a very short period of time, but here are my (non-exhaustive) thoughts on how you should protect against these threats, or at least strengthen your cyber-posture.

  • Distributed Denial Of Service (DDoS) attacks,
    • Mainly observed against military, gov, media and banking critical services by Russia
    • To prevent or mitigate such threats, you should consider:
  • Website defacements
    • Mainly against gov sites
    • Probably coming from the APT (Advanced Persistent Threat) group UNC1151, with tooling similar to that of APT29, a Russian state-sponsored group
    • To prevent or mitigate such threats, you should consider:
      • Ensuring that you have a full inventory of your websites (eg: Cycognito, Uncovery, Palo Alto Cortex Xpanse)
      • Checking that they don’t have any [critical] vulnerability (eg: using a vulnerability scanner such as Rapid7 Insight VM)
      • Filtering traffic at network level using regular or application firewalls – WAF (eg: Checkpoint, Palo Alto)
      • Fixing all such vulnerabilities or deactivating related services temporarily, otherwise consider virtual patch management solutions for limited periods of time (eg: TrendMicro)
      • Activating two-factor or multi-factor authentication (2FA/MFA) to prevent unauthorized access to your systems from the Internet
      • Activating mechanisms to automatically ban sources that have failed to authenticate several times
  • Fraudulent messaging
    • SMS phishing (Smishing), typically pretending that there was a bank issue to trap target users
    • To prevent or mitigate such threats, you should consider:
      • Increasing the awareness programs of your users (eg: KnowBe4 service). Inform them in particular about attempts to steal their credentials using phishing websites or alike
      • Implementing or reviewing the configuration of your Anti SPAM systems (eg: CISCO IronPort, Barracuda Networks)
  • Malware attacks
    • Known code names are WhisperGate and HermeticWiper. Both aim at destroying files/filesystems, as opposed to ransomware, where recovery of data access remains at least possible
    • Mainly against gov, communications, non profit organizations, e-services for citizens, IT organizations
    • To prevent or mitigate such threats, you should consider:
      • Implementing a robust cloud proxy (in particular isolation techniques, such as Menlo Security) and Cloud Access Security Broker (CASB) solutions (eg: Netskope CASB, Microsoft CASB, etc.)
      • Implementing best in class Endpoint Detection & Response (EDR) (eg: Cybereason, Mandiant) in a Managed Service mode (unless you’re lucky enough to have the proper internal resources to manage it)
      • Making sure that such Managed Detection and Response (MDR) or EDR and other CyberSecurity solutions are fed with all necessary Indicators of Compromise (IoCs), which you either get from free (open) or commercial sources (eg: Recorded Future). To manage these IoCs, you may consider using a Threat Intelligence Platform (eg: ThreatQuotient, Anomali), but I also strongly encourage you to contact us at CIX-A, to join our European Alliance of CISOs against hackers and other threats!
      • Contracting with a Rapid Reaction Force supplier to react to any major cyber-attack (eg: Cybereason Incident Response)
      • Generating off-line backups of your most critical systems and data and ensuring that you have properly documented how to restore them (or even already performed successful drills)
      • And of course updating your systems (cyber-hygiene) as often as possible, don’t forget to reboot them immediately when necessary

In addition to all of the above, you’ll need to :

  • closely collect, consolidate and monitor your logs (eg: Elastic Cloud, Rapid7 Insight IDR)
  • request your partners and suppliers to inform you immediately in case of detection of a proven cyber incident on their assets
  • and be ready to react to detected incidents, be they suspicious or proven.
    • To do so, numerous companies offer a Security Operations Center (SOC) service or Incident Response resources that are worth considering. If you already contracted such a service, consider increasing its level of vigilance on your known critical assets
    • You may also prepare to segment your network, to confine any detected attack. To do so, you’ll need a proper inventory of your business critical assets
    • Again, here, I also encourage you to join CIX-A, as we share technical critical and actionable information (including various cheat sheets, and IoCs) to respond to cyber-attacks!

Here are some interesting / relevant URLs that are worth mentioning:

Don’t write CyberSecurity Policies that nobody will ever read or even use!

When asked whether they have defined CyberSecurity policies, many CISOs answer: “Yes, of course! Even reviewed on a regular basis!…”

However, when asked whether all users know where to find them, how to search into them, and whether they always find what they were looking for in due time, it’s another story…

Many companies write policies only to comply with regulations or to pass certifications. This policy exists, check. That other has been reviewed, check. But nobody cares.

Worse, in the end no one even knows what should be observed or complied with. Even worse, everyone prefers to ask the CISO or his/her team about it. It’s quicker than taking a couple of minutes (best case…) to search the policy! Guess what? The more you answer, the more questions you’ll get!

Indeed, nothing prevents inconsistent answers from being given, due to the turnover of CyberSec team members, their availability, skills, etc. And in any case, isn’t it a pure waste of time?

A good indicator is the number of times the CISO or his/her team has been able to use the written policies to avoid spending time writing accurate and exhaustive answers. Instead, they’re able to simply say : “please refer to such article from such policy, which should clarify everything, in a consistent and efficient way”.

OK, but… to do so, policies must be properly written. They must be short and straight to the point. They must be clear, accurate and exhaustive. They must include the mandatory rules, but also the recommendations and the allowances (that are not recommended, but only tolerated). They must be properly structured, but also be mapped over well-known reference documents (standards) available. And, of course they must be updated as soon as necessary. Not only once a year 🙂 .

Writing different policies instead of a single one is quite old-fashioned. Rather than splitting policies into different documents, I believe it’s a better idea to keep a single, well-structured policy and rely on Intranet search engines to find the right article as quickly as possible.

Of course, with such an objective, far fewer companies can claim to manage CyberSecurity policies in a mature way.

But when they do, they benefit from the full power of efficient documentation, spend far less time explaining what businesses must comply with, and avoid a lot of frustration: indeed, the CyberSecurity team becomes much more “predictable”, and its reputation is drastically reinforced!

CISO – Chief Information Security Officer: A challenging and ever growing job!

A couple of decades ago, nobody was responsible full time for managing the cyber-protection of a company… At that time, such protection would be ensured, on a best-effort basis, by the local most “geek” guy, at least able to install, run and monitor antivirus software!

Still, those days were fun: most SPAM was nothing more than April 1st jokes, aiming at bothering IT system admins.

Just for fun.

Later on, with the evolution of the World Wide Web and the growing IT consumerization, the threats increased, and malware campaigns started to impact not only a couple of systems but indeed a whole datacenter or a machine room.

At that time, CTOs (Chief Technology Officers), usually reporting to the CIO (Chief Information Officer), were often assigned cybersecurity responsibilities. Obviously, at that time, most companies were convinced that CyberSecurity was a technical matter and that there was no need for a full-time job and a specific set of skills.

Still, the constant but rapid evolution of attackers’ Tactics, Techniques and Procedures (so-called “TTPs”), along with the emergence of Denial of Service (DoS) and Advanced Persistent Threats (APTs) and other new ways of hacking, started to impact entire companies or at least many of their key businesses. Many companies were discovering the threats far too late… CIOs started to look for less technical but more senior CyberSecurity Executives, able to communicate with other C-Level Execs, to convince users and communicate appropriately, but still experts in CyberSecurity topics and independent from technical IT management teams. The goal was also clearly to avoid CyberSecurity governance based solely on its impact on technical performance, available skills, and the agility of the technical teams.

Still, it was difficult to assign and even sanctify a proper CyberSec budget, instead of simply allocating the leftover (and usually meaningless) IT budget to it. To avoid battles between CTOs and CISOs and their teams, most of the time CTOs would keep CyberSec Operations, at least to avoid splitting operational tasks, and of course to avoid the operational impact of such misalignments.

After that, more mature organizations started to split CyberSecurity Operations from Infrastructure and Applications teams, to ensure an end-to-end management of CyberSecurity features and topics within the CyberSecurity team, as the cyber-protection of an Information System kept evolving and getting even more complex along with time.

Later on, CISOs started to report above the CIO position, most of the time without responsibility over CyberSec Operations. In some cases, CISOs would then report to a business-critical VP, sometimes to the CEO, and in the most mature organizations to a Chief Security Officer, himself usually reporting to the CEO.

Chief Data Officer and Data Privacy Officer roles were also created, to ensure both a proper use of the data throughout the Company, but also the protection of personal data within such processes and of course the compliance to applicable regulations (which started to develop in a specific way in each region, eg: HIPAA in the USA, GDPR in Europe, China CyberSecurity Law in China, etc.).

In even the most mature organizations, CISOs are also in charge of OT (in addition to IT), be it industrial digital equipment protection or even electronic embedded Products protection against cyber-threats. Indeed, in several companies, hacking into IT systems can lead to a compromise of industrial systems which, in turn, may lead to a compromise of commercialized Products. And boundaries keep blurring.

Finally, today, CISO job descriptions vary a lot from one company to another, making it hard for individuals to compare their job, share return on experience, and learn to deliver more added value to their Companies (except for CIX-A members of course!). But that’s also the interest of such job, which is at the intersection of users (internal customers ^^ ), technical teams – typically both Applications and Infrastructure Depts, Legal, Purchasing, HR, Finance and of course Execs.

According to my last survey , and at the time of this article, today most CISOs still report to CIOs (41%), but as much as CISOs reporting above CIOs (32%), typically to the CEO or a CSO reporting to him/her. CISOs reporting to a peer of CIO who is *not* an ExComm member are clearly behind (20%), but far above CISOs reporting to a CTO or another CIO direct report (7%) – which, at least, is good news!

Obviously, it is quite hard to predict the future of the CISO job position. I still hope that CISOs will gather with other Security roles into a governance body in charge of protecting People, Premises and Data (either physical or digital). Of course, the higher the CISO reports, the more he/she is confronted with various business stakes, which means the more he/she may act as a real business enabler (you would never expect that from a technical geek, right?!).

However, the diversity of IT governance, strategies, software and hardware, IT urbanization, delivery models and projects will always be reflected in the variety of CISO job descriptions.

That’s the beauty of such a diverse and ever-changing job!

Why LOTL attacks are a major concern…

Have you heard about “Living Off The Land” attacks?

It’s usually quite hard to determine the effective, long-term impact of new cyber-attacks emerging in the press. Some attacks create a buzz for a very short period of time while others actually change the way CyberSecurity is perceived and managed in most companies. For instance, APTs (Advanced Persistent Threats) and Ransomware attacks have drastically impacted most CyberSecurity strategies over the last decade…

Well, LOTL attacks could be the right pick for the years to come…

So, what is it all about? The principle of LOTL attacks is that attackers don’t “bring” their own cyber-weapons into the victim’s Information System, but rather use what they “find” on the systems to execute all phases of the attack. After the initial intrusion exploiting existing vulnerabilities on exposed systems, they propagate laterally, gain more privileges, perform Denial of Service, scan for and exfiltrate data (for instance) without needing to download any malware. Instead, they use what has been “left” on the systems, installed “by default” or allowed after installation, e.g. tools used to monitor production systems and check their compliance. Typical examples are PowerShell, WMI (Windows Management Instrumentation), PsExec, Mimikatz… Quite often, legitimate IT management software can also be used in a malevolent way. Usually, such attacks are fileless, generating few or no IoCs (indicators of compromise), so that they remain fully “under the radar”. Even scarier, isn’t it?

So why are such attacks possible? Well, CyberSecurity is all about “hygiene” and proper IT management of systems. For instance, ensuring that only necessary software is installed on production systems, only necessary rights are granted to necessary users, software settings are properly set according to a validated configuration, etc. As usual: we all know what we should do, but hackers exploit our lack of discipline…

Such attacks seem quite advanced and hard to perform, only affordable to expert hackers… but they aren’t. Some malware already exploit them, such as the info-stealing Astaroth, as described by the Microsoft Defender Security Research Team in March 2020.

So, how may these attacks be detected or traced? This is usually done by behavioral detection systems, or by deceptive CyberSecurity solutions. For sure, the processes, software and even accounts used are usually legitimate, but they are executed in an unusual way, which makes it possible to detect them and trigger an alert. With a deceptive setup, for instance, the attackers are lured into getting hold of a canary file. However, detection requires either a proper model of the “normal” behavior of our Information Systems, efficient Artificial Intelligence (typically available through Endpoint Detection & Response software – EDR) or advanced deceptive CyberSec solutions. These are not “buzz words”, but rather highly relevant technologies to combat LOTL attacks! Of course, on top of technology, it also requires highly skilled SOC / CSIRT teams and Incident Response processes…
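To make the two ideas above concrete (the legitimate tools listed earlier being driven in an unusual way, and detection through a model of “normal” behavior plus a canary file), here is a small behavioral detector added as an illustration. It is not code from the article or from any product: the events are constructed, Sysmon-style records (the `id`, `host`, `parent`, `image`, `cmd` and `path` fields, the host names, the decoy path and the rule thresholds are all assumptions). It learns which parent/child process pairs are normal per host from a quiet-period sample, then flags Office applications spawning script hosts, processes launched through the WMI or PsExec service hosts, encoded PowerShell commands, unseen parent/child pairs, and any access to the canary file.

```python
"""Toy behavioural detector for Living-Off-The-Land activity.

Added example, not the article's code. All events below are constructed,
Sysmon-style records (EventID 1 = process creation, EventID 11 = file
event), not real telemetry; host names, paths and rule thresholds are
illustrative assumptions.
"""
import base64
import re
from collections import Counter

# Constructed "quiet week" telemetry used to learn what is normal per host.
BASELINE_EVENTS = [
    {"id": 1, "host": "ws01", "parent": "explorer.exe", "image": "winword.exe", "cmd": "winword.exe"},
    {"id": 1, "host": "ws01", "parent": "explorer.exe", "image": "outlook.exe", "cmd": "outlook.exe"},
    {"id": 1, "host": "ws01", "parent": "services.exe", "image": "svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    # A compliance agent legitimately running PowerShell on a server.
    {"id": 1, "host": "srv01", "parent": "compliance-agent.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\ProgramData\\compliance\\check.ps1"},
]

# Constructed telemetry to analyse. The same legitimate tools appear, but
# some are driven from unusual parents or with obfuscated arguments.
ENCODED = base64.b64encode("Write-Host x".encode("utf-16-le")).decode()
EVENTS = [
    {"id": 1, "host": "ws01", "parent": "explorer.exe", "image": "winword.exe", "cmd": "winword.exe /n"},
    {"id": 1, "host": "ws01", "parent": "winword.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"id": 1, "host": "srv01", "parent": "WmiPrvSE.exe", "image": "cmd.exe", "cmd": "cmd.exe /c whoami"},
    {"id": 1, "host": "srv02", "parent": "PSEXESVC.exe", "image": "cmd.exe", "cmd": "cmd.exe /c ipconfig"},
    {"id": 1, "host": "srv01", "parent": "compliance-agent.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\ProgramData\\compliance\\check.ps1"},
    {"id": 11, "host": "srv01", "image": "cmd.exe", "path": "C:\\Finance\\passwords_backup.xlsx"},
]

# Decoy (canary) file: no legitimate process should ever touch it.
CANARY_PATHS = {"C:\\Finance\\passwords_backup.xlsx"}
# Parents that indicate execution through the WMI or PsExec service hosts.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -e / -enc / -EncodedCommand followed by a long base64 blob.
ENC_FLAG = re.compile(r"\s-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.I)


def build_baseline(events):
    """Learn the (host, parent, child) pairs observed during normal operation."""
    return {(e["host"], e["parent"].lower(), e["image"].lower())
            for e in events if e["id"] == 1}


def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if absent."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def detect(events, baseline, canary_paths=CANARY_PATHS):
    """Return (host, severity, message) alerts for LOTL-style behaviour."""
    alerts = []
    for e in events:
        host, image = e["host"], e["image"].lower()
        if e["id"] == 11:                       # file event: only the canary matters here
            if e["path"] in canary_paths:
                alerts.append((host, "HIGH", f"canary file touched by {image}: {e['path']}"))
            continue
        parent = e["parent"].lower()
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            alerts.append((host, "HIGH", f"{parent} spawned {image}"))
        if parent in REMOTE_EXEC_PARENTS:
            alerts.append((host, "MEDIUM", f"remote execution via {parent} -> {image}"))
        decoded = decode_encoded_command(e["cmd"])
        if decoded is not None:
            alerts.append((host, "MEDIUM", f"encoded PowerShell command: {decoded[:60]!r}"))
        # Legitimate tool, but a parent/child pair never seen on this host before.
        if image in SCRIPT_HOSTS and (host, parent, image) not in baseline:
            alerts.append((host, "LOW", f"unseen parent/child pair {parent} -> {image}"))
    return alerts


def severity_counts(alerts):
    """Summarise alerts by severity, e.g. {'HIGH': 2, 'MEDIUM': 3, 'LOW': 3}."""
    return dict(Counter(sev for _, sev, _ in alerts))


if __name__ == "__main__":
    found = detect(EVENTS, build_baseline(BASELINE_EVENTS))
    for host, sev, msg in found:
        print(f"[{sev:6}] {host}: {msg}")
    print(severity_counts(found))
```

The point worth noticing is the compliance agent on `srv01`: it runs the very same `powershell.exe` as the attacker, but because that parent/child pair was learned as normal and nothing else about it is unusual, it raises no alert, whereas PowerShell spawned by Word with an encoded command, command shells launched through the WMI and PsExec service hosts, and the touch on the decoy file are each flagged. In a real environment the baseline would be learned from weeks of EDR or Sysmon data and tuned per host role, which is exactly the “proper model of normal behavior” the paragraph calls for.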

Nevertheless, I believe that the emergence of such successful attacks remains a real threat, as it demonstrates how hard it is to manage, control and monitor IT systems in a secure manner, without leaving hazardous tooling available on those systems. You need to scan for vulnerabilities? Then install the software and remove it afterwards, or disconnect the system from the network afterwards, or even protect it using Privilege Management Gateways.

Get ready for it, or the naked bad guys in the wild will indeed defeat all of your armed soldiers!