Security Blindspots in the Novel Normal with KC Carnes
In our recent panel webinar, Security Blindspots in the Novel Normal, security expert KC Carnes discussed the security concerns that arose from the rapid transition to a remote workforce and how those concerns may require permanent solutions going into the Novel Normal.
KC Carnes has spent his career focused on technology and security in grid operations in the electric sector and is a member of several power organizations, including serving as the National InfraGard Energy Sector Chief.
We’ve published his expert commentary below for our broader blog audience. Don’t forget, you can watch the webinar here.
Hans Davies: How do you step out of this sort of strategic fog that has enveloped us as we’re in the Acute Response stage and moving into The Great Wait? How do you start taking steps to secure that Novel Normal of the future?
KC Carnes: It’s easy to get bogged down in the now – all the response that you’re dealing with, trying to respond and be preventative as you shifted to work from home. Individuals and teams that are able to look to the future well will best navigate those new norms.
People have to really start looking and thinking differently about how they secure their workforce and the systems in which they operate. It will require a paradigm shift in your brain around how you’re going to enable that workforce.
It’s very important to take time and understand how we get in front of those things to give people the policy and guardrails that are necessary for them to understand. Those boundaries will help give them the freedom to innovate and fail fast, so they are able to survive in this new environment.
The most important thing to me is knowing our security and environment and having visibility to see the attacker. Response will remain very critical, and it’ll be difficult as we continue into this long term.
HD: How do you value the preparation aspect for this? Preparing for the low probability, high impact issue? And, what’s the value of that preparation as you move forward?
KC: In the electric sector, we do a lot of preparation around this. If you go back to the previous bird flu, we had pandemic plans developed. We did a lot of things with swine flu in different regions. So, we actually had pandemic plans developed, and we respond to those regularly.
When we went to work at home, there really wasn’t a security posture change for us in any way. The only thing that really changed was I added an EDR (endpoint detection and response) capability to all the clients so that we’d have better visibility and remote control to black hole a device in our security posture.
Ultimately, having that preparation is critical. For ourselves, we’ve already had eight drills this year, and you really see that training in people now. You see that capability for people to think on their own and be able to respond outside of the normal hierarchy of management.
That incident command structure is a key thing that everybody needs to really understand and be able to respond to. It doesn’t matter if it’s an event like this, or if it’s a crisis response to bad news, a cyber event, or ransomware. You’ve got to have that in your DNA to be able to survive in the world we live in.
HD: How are we able to communicate and ensure that people understand the real risks associated with a remote work environment? Not just the technology side of the risks, but the process for those intangible sides of that risk as well.
KC: We have to find a way to help people with their technical fluency because the challenge that I’ve seen as we’ve gone to work from home is for these individuals to use some of these technologies to think outside of the box about how they can execute.
Managing the risk that comes with that is going to be very interesting because the workforce is going to be the driver, especially as we stay in this type of environment. Those people are key to your success, so you have to really focus on how to train and bring them up.
HD: One of the challenges that I’ve experienced working with security organizations is that security tends to be on the wrong side of the ledger. It’s a cost. In all of the roles you’ve played, how do you convince the folks controlling the money that these things are not just a cost, but they’re an investment in resilience and preparation, and could be a revenue driver?
KC: You need to have a brand strategy that ties into what they understand. The finance and business operations will drastically help to sell and clarify to them what risk mitigation they’re getting from that investment. It really helps to drive the motor of security in the environment.
HD: Yeah, security needs to actually have a voice rather than just a seat at the table. I think in return what we’ve been learning is that security needs to understand the business as well and know how to communicate with the executives.
When we’re talking about a remote environment, we’re now mixing cyber and physical risks, and a human operator becomes not only a risk but a potential issue. This is no longer just about checking a box. The security voice needs to be listened to, not just heard.
KC: You need to be able to articulate to them why you’re changing and what you’re needing. I’ll use myself as an example. With this, I was putting in things, securing my internal networks, and had all these segmentation plans, and now, that’s not going to really help me as much. I’ve got to refocus on controls on data governance and DLP and stop trying to prove the negative.
HD: I like that idea of, “Stop trying to prove the negative.” That’s a very difficult thing for any security organization to prove.
I want to put our Toffler Associates Future Hat on you. We talked a lot about COVID-19 and how the pandemic forced a lot of companies to very quickly adopt a digital strategy, but what enhancements do you see in the Novel Normal? What do you see as the great acceleration in this security world?
KC: I think it’s going to be around decentralization. For so many years we’ve put all this effort into the central login and controlling the network and preliminary access, and it’s just going to go out.
You’ve got to have better endpoint technical capabilities and visibility to still do security, but how are you getting that now? They can completely bypass every control you’ve got by just going to the cloud service that is outside of your network.
It’s going to really push back down to the endpoint from whatever device or tool they’re using to access the information, and it’s really got to push back down where else you’re not going to have it.
HD: How do you deal with the potential employee burnout, and how do you keep the team as a cohesive unit as you move forward?
KC: An interesting thing I’ve noted through this is that in IT cybersecurity we do a lot through chat. We do a lot through tasking. We do a lot where you don’t have to have that human, person, day-to-day interaction on a call. I see other areas of the business really struggling to work from home.
I think people need to start doing work like they did when they were in the office, and start thinking about how do I do it differently where I can have more conversations, more capability, but not always have to be at a screen? Pushing people to more tasking, tools, being able to assign work, and seeing that it got done and followed up on without having to have a status meeting will keep the team stable.
HD: Has the value proposition for a business changed in the new normal, and does that change the security landscape?
KC: There was a great statement a gentleman made a long time ago, and I can’t claim it, about identity being the new boundary when we started going into identity management. At this point, I don’t think you can think of anything being contained in any one location.
With those technical controls, you can have a policy. It tells somebody they shouldn’t do something, but you’re going to have to start finding ways and implementing technical controls to stop people from doing those things.
No matter how well you train people or how great your staff is, you’re going to want a technical control that’s going to limit what they can do and make sure that things are operating within those policies.
HD: Can you expand more on risks to the cloud that many organizations are relying on today? What should you be expecting from your cloud or SaaS provider versus what do you need to take on yourself?
KC: You’ve got to be realistic, right. As you’re putting together all those contracts and everything else, you offload certain expectations to those vendors. But ultimately, nobody cares more than our company name because those individuals have a vested interest in what we do and how we do it.
No matter how much I’m paying this other service provider, the day I stop paying, they don’t care anymore. I have to be thinking about how I can protect myself, leveraging the capability or the technology I’m using from them. And I have to do it in a way that’s proactive protection and not just some contract language.
You should protect your stuff by teaching individuals that you have a data classification policy. Telling your technical teams to make sure that they’ve implemented those controls, like tagging everything made with 365 as sensitive by default and putting certain limitations around it, and then allowing staff to move it up to confidential to protect it even more.
HD: What new managed detection and response technology will emerge for more visibility?
KC: You’re going to have to find a new way to get the visibility between the endpoint and your critical information, whether it’s in your data center, or in the cloud, etc. You’re going to have less central log visibility, you’re going to have to have more agent control capabilities, and then you’re going to have those integrated with your SOC capabilities.
The one big change I saw is pumping out EDR so that we could black hole the device and do an incident response on that. Then we can send them a new one, and we don’t have to deal with going to people’s homes. But we have that visibility, we have the capability, and we can do it all remote.
HD: I’m going to throw a bonus question out there. When you’re looking to hire a security professional, what do you look for in a candidate to see whether they really have that healthy paranoia?
KC: The answer depends on if you’re asking a question around somebody who’s a risk manager versus a technologist. I’ll never forget I had a boss that informed me I wasn’t paranoid enough. However, the challenge was he freaked out about everything, and he didn’t understand the risk and concerns that I had about what I technically knew about our environment versus what he perceived.
Pull those questions out of individuals in a way that’s more behavioral, and ask them a question that boxes it in, like, “give me an example of a time you had so much going on that you were afraid you’d drop something.”
The way they respond to a question couched that way gives you so much insight: whether it’s always “we” or “he” or “she” or “that” or “me,” and how they’re looking at responding to that. I think asking the question in that way really coaxes out what they’re thinking.
Other COVID-19 resources:
- Security and Resilience Analysis