The New CISO Podcast: Managing Your First Zero-Day Attack
Being a CISO is a collaborative existence. The CISO community is critical to attaining the role in the first place, as well as succeeding in it once you’ve gotten there. From attending events to connecting with other industry professionals online, having a strong network will help those who are searching for a job. And CISOs help each other by sharing knowledge from lessons learned in cybersecurity attacks. So while it may seem like a breach is the worst possible thing that could happen, there are positive payoffs for the CISO and their information security risk management program. In this episode of The New CISO Podcast, Chris Wolski, the CISO of Port of Houston, discusses the challenges he faced during his quest to secure a CISO position, and what he learned in the aftermath of a cyberattack that took place under his watch.
Becoming a CISO — what to expect
As anyone who has ever had the goal of becoming a CISO can tell you, it’s a long, difficult process. You really have to want it to put forth the kind of time, effort, and emotional toll that it takes, all for a supremely stressful position that will likely burn you out in just a couple of years. Chris tells us what it was like when he was trying to find a CISO role, and what it is like to be a CISO who’s not a rock star spending lots of time in the spotlight, stating, “If you’re well known and you’re a well sought-after thought leader, the information security realm may not take as long to get a new position. But for others, it may take longer.” This is important to keep in mind when trying to find a job as CISO; it took Chris nearly nine months of searching to finally find his current position.
Via events and on LinkedIn, Chris was able to expand his network. Through his connections, he was able to educate himself well enough in maritime transportation, laws, and security to better understand his current job. Overall, Chris encourages anyone who dreams of becoming a CISO to do their homework on the industry, company, and people when job searching.
Chris also suggests reaching out to industry professionals on LinkedIn and asking them about their career, their expectations, and what their daily life is like. For example, something to ask could be, “If I was working for you, what would you expect from me, or your organization? What kind of experiences are you seeing with regards to information security?” This will teach you about the industry and help you grow your network.
As the first CISO at Port of Houston, Chris has faced unique challenges. In part, he’s had to convince the port why cybersecurity is needed, and its impact on cargo movement and the supply chain. As the first CISO of an organization, it is crucial to ensure that others understand why cybersecurity is necessary and how having a CISO will improve the organization. Chris says, “Be willing to educate, especially if you’re going into an organization that does not have somebody to lead their information security program. And do that, I think you’ll be on the road to success, being a successful CISO at that organization.”
The importance of having an incident response plan
Recently, the port had a zero-day attack, which was an eye-opening experience for Chris. Thankfully, he already had an action plan in place, as well as risk metrics to guide him. Within two hours the attack was contained, and after 10 hours, it was fully remediated.
Chris explains how having an incident response plan helped him through this, stating, “That (IR plan) was one of the first things I put together upon my arrival. We do pre-planning of different buildings and write these down in a book. They’re able to go through and actually execute the plan based on the knowledge that we already have. So we had a plan. We had it practiced, so people were not unfamiliar with how the whole thing worked.”
How an attack can prove the ROI on security risk management
After proving the value of his expertise and the importance of having a cyber defense strategy in place, Chris found himself trusted within the organization even though an incident had occurred. He documented everything throughout the attack and encourages other CISOs to do the same. As a result of his work, he was elevated within the organization and the maritime community. There was no doubt of Chris’s ability and purpose within the organization. Within two hours, the port saw its ROI on hiring him.
Chris states, “It (the attack) did help raise the awareness that the Port of Houston is subject to a cyberattack by somebody that has money that can sit there and put together a zero-day because these attackers are just like businesses. They have to have a return on investment.”
After the incident, the port shared what had happened in the hopes of opening up communication and helping others avoid what happened to the Port of Houston. Chris says, “Within two weeks, the rest of the world was notified of all the indicators of compromise (IOCs), and the software had been patched by the manufacturer.”
Chris believes that cybersecurity attacks like this one, and others such as ransomware or phishing, should be shared and used to help others, saying, “We need to be sharing the lessons learned. We’re not going to get better if we don’t do this in a collaborative environment.”
Due to the severity of the attack, Chris explains why the Coast Guard, FBI, and other entities had to offer assistance. While it may be hard to juggle all those organizations, they have access to resources that Chris couldn’t have had otherwise. Again, it came down to reaching out to connections and asking for help when needed.
Educating the organization can help CISOs succeed
Do you need to have a major incident in order for an entire organization to believe in the role of a CISO? Chris explains how equating cybersecurity to something others already know can help convince them of its importance so they can better understand it. With the Port of Houston, Chris compared cybersecurity to physical security to put everyone at ease. Chris says, “It (physical security) is something that they know. Safety is something that they know. And so you put in parallel descriptions of what you want to do for cybersecurity, and how it is similar to what they already know within the physical realm. It’s drawing those parallels that may ease their apprehension towards making changes.”
Being a new CISO in an organization comes with many challenges. Make sure you convey the value of cybersecurity and cloud security to your organization, and do so in terms they understand. And if an attack does happen, treat it as a learning opportunity: share what happened so that other organizations can detect the same intrusion, along with the IOCs and the tactics, techniques, and procedures (TTPs) used in the attack.