Скачать книгу

training, real-life experiences, relationships, and tools to do the job is a must.

      One such CISO is Mark Weatherford, currently the chief strategy officer at the National Cybersecurity Center and CISO at AlertEnterprise. Mark served previously as the deputy undersecretary for cybersecurity in the U.S. Department of Homeland Security (DHS) and vice president and CSO for the North American Electric Reliability Corporation (NERC), in addition to other senior leadership roles in cybersecurity.

      While Mark was the CISO for the State of California in the mid-2000s, he experienced what organizations should not be doing when hiring for this vital role.

      Because Mark was the first CISO in the state, it was important to him to put a face to the name of cabinet secretaries and agency heads. As such, he made the rounds to visit each of them and also to tell them about the governor's vision of Mark's statewide role and what he hoped to accomplish across state government. Mark also offered his assistance in everything from procurement to policy development to technology infrastructure to staffing. His proactive outreach seemed to be well-received and generally met with enthusiastic support.

      At the same time, Mark also met the security leaders and their teams at all of the agencies. During the mid-2000s, almost none had a formally appointed CISO, but most had someone they could point to and call their security leader.

      Mark recounts what happened next:

      “A few months after the conversation with this agency head, I received a call from someone who said they had just taken the CISO role at this agency and would be very interested in meeting with me to understand how they could quickly integrate into the statewide security leadership group. I remember thinking how odd it was that, even though I had no real authority within this agency and they were under no formal obligation to ask my opinion, they had hired a CISO without consulting with me about writing the job description or even being part of the interview process. Red flag number one.

      “When I met the new CISO for the first time I was impressed by their attitude and enthusiasm to pitch in and help me, as we were educating the legislature, crafting statewide security policies, and realigning statewide procurement of security products and services. Once again, however, I remember having a strange feeling that this person didn't seem to really have the kind of experience you would expect for someone taking over the security and privacy responsibilities of a fairly large organization. Red flag number two.

      “I walked back to my office and set up an appointment to meet with the agency head. As I walked into their office the following day, I could immediately tell something was askew. The agency head told me in an extremely embarrassed tone that the CISO was no longer employed there. Of course I was shocked and employed my best negotiation skill of sitting quietly, saying nothing, and waiting for them to talk. The rest of the story was slowly revealed.

      “In their haste to hire a CISO, this agency had posted a job description, interviewed candidates, and hired a CISO – all without ever conducting a background investigation. Several months after hiring the CISO, a law enforcement organization met with the agency head and informed them that their new CISO had just been released from prison after serving a term for embezzlement. The CISO job was their first employment following a multiyear prison term. The agency head was personally mortified telling me this story and I can only imagine the look on my face as I heard the tale. They kept saying how embarrassed they were since I had offered to help them with hiring a CISO and they simply forgot in the urgency of filling the role.

      “This is easily one of the most extreme examples I've been involved with where a simple background check could have eliminated a serious headache, but it is also one that taught me a good lesson. Not checking all the boxes during a critical process like hiring can be very painful.”

      No doubt, Mark's story highlights that building the right team to lead the overall cybersecurity program is a complex, difficult challenge. Beyond the CISO, most midsize and large organizations employ managers and/or directors to lead cybersecurity incident response and coordinate with the wider emergency management team throughout the enterprise.

      We cover much more about this in Chapter 4.

      Deborah Snyder is a senior fellow at the Center for Digital Government, and she has a distinguished career in cybersecurity, most notably as the CISO for New York State until her retirement in late 2019. Deb has a wealth of helpful stories regarding cyber incident response with many practical implications. Specifically, she shared the following ransomware stories.

      In the early hours of Sunday, April 9, 2017, Erie County Medical Center (ECMC), a 550-bed hospital in Buffalo, New York, was hit by a cyberattack. Staff noted a digital ransom note on a hospital workstation that demanded $44,000 in Bitcoin cryptocurrency for the key to unlock the hospital's files. Hackers had encrypted ECMC's data, impacting over 6,000 hospital computers.

      In another event, on August 30, 2017, the New York State Cyber Command Center (CYCOM) received a call indicating that Schuyler County had fallen victim to a sophisticated ransomware attack. The New York State CIRT team was immediately activated and an investigation confirmed that the attack involved SamSam – the same variant of ransomware ECMC had experienced. SamSam is typically distributed by compromising servers and using them to move laterally through the network to compromise additional devices. Given the touchpoints between state and county governments – both technical and programmatic – the government temporarily

Скачать книгу