The New CISO Foundations: Building an Insider Threat Program from Scratch - Exabeam

Published: June 01, 2021

How should we build out a robust cybersecurity platform that doesn’t fall prey to complacency and become static in the face of ever-evolving threats? And how can we best staff our team in the face of the shortage of security practitioners?

Knowing they’ll need effective tools to accomplish this task both now and going forward, how might the enterprise best manage its cybersecurity arsenal? Is it wholly a cost center, or might our investment yield unforeseen business strategies vis a vis risk assessment? And what about governance and regulatory compliance?

Focusing mostly on leadership, these are some of the topics Rakuten’s KT Boyle, CISSP, discussed with our own Steve Moore in the June 10, 2021 episode of “The New CISO” podcast. A former cyber operations officer at US Cyber Command (USCYBERCOM), Boyle has worked on both offensive and defensive cyberspace operations and with Joint Special Operations Command (JSOC).

Organization Assessment

Boyle says it starts with upper management and stakeholders with whom he communicates daily. “I like to deconstruct everything from the highest level,” says Boyle. “The first things I think about are, ‘What questions might they ask?’ My COO is not asking about our MTTD and MTTR. They’re asking, ‘Are we protected from breaches? How are we most vulnerable to attack? Should our investment levels and security change? Is it too much? Not enough? How can we have an ROI? How can you make us leaner, faster?’

“In meeting with executives and stakeholders, it’s important to understand this target audience and confidently express what’s required. All you need are three slides to exhibit team performance, full enterprise visibility, and security tool efficacy. If I’m showing upper management more than a one-page executive summary, I’m not doing justice to my team.”

But before getting to that point, Boyle asserts that it’s essential to understand what the business is all about, saying, “And just when you have a handle on that, is the organization in a state of change? At least in tech, if you have plans going out further than two years, good for you—but it’s going to change.

“If you’re a tech startup trying to rapidly deliver a minimum viable product, you could either get bought out, go through a funding series, blow up, or be the next Amazon. The point is you’re going to approach security differently. If you can clearly articulate what your organization does as its security leader, you’re ahead of the game.”

The Security Triad

“From a cybersecurity perspective, building an effective security posture breaks down into three core components,” Boyle posits. “The first is performance from a personnel perspective—it’s the cornerstone. Then comes visibility into all disparate environments, e.g., logical, physical. The third item is efficacy; regardless of tool, I don’t necessarily need to find a subject matter expert (SME) at every level to operate it effectively.

“When considering those executive questions you might be asked, it comes down to those three components. The onus is on the security leader, not the team who is doing the actual work. The leader’s job is to remove as many barriers as possible for the team to be effective.”

Team Building

“Here, all I really need to know is ‘Are they a good person? Are they willing to work hard and enjoy being challenged?’ They’ve checked 90% of my criteria right there,” asserts Boyle. “We need people who’ll take risks and innovate. If their team leader or manager puts them in a situation where they don’t feel safe, they can’t take risks to match adversaries’ increasingly advanced tactics.

“They need to be incentivized to be engaged, such that their role isn’t a sort of ‘ticket closing’ help desk effort. They need encouragement to continually ask questions — that shows me they’re engaged and is what I want to see. Someone who is continually asking questions during our daily standup is learning; and I expect everyone to share something they’ve discovered at least once a week. Indifference is an indicator of failure. I want the person who shares with the team, ‘Hey, look what I found. Did anybody know this?’”

Being a fan of British SAS soldier/author Andy McNab, Boyle, then a Green Beret, got into cybersecurity in a roundabout way when his CO asked, “What do you know about cybersecurity?” Boyle says, “I knew the difference between an IP and MAC address; that was about it.” But, he “took to heart that SAS motto: ‘He who dares wins.’ In other words, one needs to recognize opportunities — you make your own luck. Faced with a briefing the next day about this new domain, I had to quickly come up to speed.

“I did the best thing I could think of, which was to listen to two hours of ‘Security Now’ podcasts with Steve Gibson. I chose that because I didn’t want to listen to an audiobook or read a textbook that was probably two to three years out of print. After that, I got a lot of SANS training compliments of the Army.

“Using an enlisted soldier analogy, the practitioner is there to work — to execute plans set forth by leadership. The latter are the ones who develop strategy. So, when the security team arrives at the workplace — wherever that might be physically located given WFH — they have their checklist of all that needs to happen and they’re able to execute.”

Policies & Visibility

Boyle is “a big fan of the controls issued by the Center for Internet Security [it being an arm of the Department of Homeland Security]. If you can establish controls one and two — that is, asset management — to 80% efficacy, you already have a reasonably secure program. It’s a challenge that every security team should strive to reach.

“The other foundational piece is policies to ensure proper governance—whether you’re a small-to-medium business, a big tech startup, or a Fortune 30 company. I recommend a steering committee at the executive, stakeholder, and HR levels to establish a legal set of policies. With everyone’s buy-in, this defines security practitioners’ left and right limit. Understanding the scope of where they can operate removes a lot of ambiguity, especially when talking about insider threat and data loss prevention (DLP).

“It sounds Orwellian, especially when an aghast employee remarks, ‘What do you mean, you’re looking at my stuff?’ But their tune changes when we can unequivocally state, ‘It’s in our acceptable use policy (AUP); consult your employee handbook.’ Thus, when a SOC analyst is working through an insider threat playbook, they don’t have to stop and check with me or with legal. Rather, they have a preapproved workflow that has been clearly defined.

“Most of the time, a perceived insider threat has been triggered by an act of ignorance, such as a user having an iCloud or a Dropbox sync configured on their laptop. Our approach to security is to assume positive intent, that everyone has the best intentions. In that regard, my security team is here to collect objective data. I want them to be empowered to rapidly iterate an incident as quickly as possible, without any sort of blockers. If you’re building out a program early on and can implement the policies and workflows correctly, that’s going to expedite your team’s efficacy.”

Accommodating Tools

“There is no shortage of GUIs that enable a team to very rapidly drill an event down into its core components and then be able to execute,” states Boyle. “There are a couple of products where you just drag and drop playbooks and hit execute. If the person who configured them did it right, you have a security orchestration, automation, and response (SOAR) platform.”

Mergers and Acquisitions (M&A)

“Consider when a company has been acquired,” suggests Boyle. “Some industries view certain documents to be of higher criticality. If you’re at a tech startup, source code is everything. But this will be different for an e-commerce organization; perhaps any time its security tool senses some JavaScript, it gets flagged as source code and a red flag goes up. So the more proactive you can be with policies and the foundational documents, it becomes easier to assess a critical asset or document list.”

Boyle continues, “Pertaining to insider threats, cultural impacts can be palpable. Being able to enforce AUPs is essential. That said, different areas of the world view policies differently. In Germany, for example, a workers’ council typically oversees security monitoring, and an escalation path might be part of the equation.”

Check out the full episode. If you like the show, remember to review and rate us, and subscribe to get new episodes when they go live.
