What cloud service providers need to know to prepare for FedRAMP Baselines Rev. 5, as documented in the new Transition Guide.

On May 30, 2023, the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board approved new Revision 5 (Rev. 5) baselines. The new baselines align with the National Institute of Standards and Technology's (NIST) "Special Publication (SP) 800-53 Rev. 5" and "SP 800-53B Control Baselines for Information Systems and Organizations."

This article covers high-level information that cloud service providers (CSPs) need to know to prepare for their transition to FedRAMP Rev. 5, as documented in the "FedRAMP Baselines Rev. 5 Transition Guide."

**What's Changing in FedRAMP?**

The FedRAMP baseline security controls, documentation, and templates were updated to reflect changes in NIST SP 800-53, Rev. 5. This means the two programs will better align with each other.

FedRAMP has also added guidance for many of its controls. There is a new control family, Supply Chain Risk Management. The baselines also require a higher configuration management level of diligence and increased focus on privacy and customization for agency requirements.

Along with these changes, FedRAMP includes "integration of new privacy considerations, notable control families, and guidance not featured in Rev. 4," as well as "changes to the control totals," according to IT attestation and compliance firm Schellman.

However, program management (PM) controls remain an agency responsibility and are not reflected in the updated baselines.

**How CSPs Can Transition to FedRAMP Rev. 5**

Your transition timeline will vary depending on your organization. To begin, identify your current FedRAMP authorization phase. There are three phases outlined in the Rev. 5 transition guide: planning, initiation, and continuous monitoring. Each phase has detailed instructions on the next steps, including an overall timeline; refer to the "Transition Guide" for further information.

**Develop a Schedule**

To transition to Rev. 5, you need to develop a schedule demonstrating your transition plan, called a Plan of Action and Milestones (POA&M). Major milestone activities listed in the "Transition Guide" are:

1.  **CSP:** Complete a new Rev. 5 System Security Plan (SSP) and appendices (which, along with the other documents listed below, can be found on the FedRAMP Documents and Templates page).
2.  **Assessor:** Complete the Security Assessment Plan (SAP) template.
3.  **CSP and Assessor:** Submit the SSP and SAP to your FedRAMP Joint Authorization Board (JAB) Point of Contact (POC) or agency authorizing official (AO) for approval.
4.  **Assessor:** Conduct testing.
5.  **Assessor:** Complete the Security Assessment Report (SAR) template.
6.  **CSP and Assessor:** Submit the SAR, POA&M, attachments, and updated SSP to the FedRAMP JAB POC or agency AO.

**Update Your Documentation**

Included in Rev. 5 are new, updated templates for the SSP and attachments, provided by the FedRAMP project management office (PMO). You must complete a new authorization package based on the updated templates.

**Determine the Scope of Your Assessment**

The scope of your assessment will depend on your determination of specific FedRAMP NIST SP 800-53 Rev. 5 controls that require an assessor to test. According to the "Transition Guide," all new or modified requirements must be tested and, depending on CSP-specific implementations and continuous monitoring activities, other control testing may be required.

**Control selection process:** FedRAMP provides in-depth worksheets and information for the control selection process. The main template, the "FedRAMP Rev. 4 to Rev. 5 Assessment Controls Selection Template," is categorized into High, Moderate, and Low — just like FedRAMP impact levels.

The template, which comes in the form of a spreadsheet, contains four worksheets: Rev. 5 List of Controls, Conditional Controls, CSP-Specific Controls, and Inherited Controls. You can find more information on these worksheets and how to use them in the "Transition Guide."

**Complete the Security Assessment**

While there are quite a few differences between FedRAMP Rev. 4 and Rev. 5, assessors will perform the same processes and procedures for a FedRAMP Rev. 5 assessment. The scope of the assessment will differ based on the organization. Testing will require using the FedRAMP Rev. 5 Test Case templates, which can be found in Section 6, FedRAMP Rev. 5 Test Cases (available on the FedRAMP templates page), as well as the requirements outlined in the "Continuous Monitoring Strategy Guide."

To complete your security assessment, you must: define your processes, procedures, and methodologies for testing in your SAP; define the processes, procedures, and methodologies used in testing as required and document the results of the tests in your SAR; and have your assessor prepare and submit the relevant FedRAMP Security Assessment Test Cases as part of the SAR.

**Complete the POA&M**

To complete your POA&M, you will need to use the "FedRAMP Plan of Actions and Milestones (POA&M) Template Completion Guide." All residual risks listed in your SAR will need a defined plan for remediation. In the POA&M, you also need to include known risks identified by the third-party assessment organization (3PAO) associated with your platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) systems.

**Learn More**

Tackling FedRAMP Rev. 5 can be overwhelming, but there are governance, risk, and compliance (GRC) tools available to help you get a full repository of your controls, track your progress against the framework, and streamline assessments using automated evidence collection. FedRAMP also provides training and educational forums specific to the Rev. 5 updates and transition process for those looking for additional support. You can also join the FedRAMP subscriber list to receive program updates, important reminders, blog announcements, and the monthly PMO Newsletter to stay up to date on the latest FedRAMP changes.

**About the Author**

    

Kayne McGladrey, CISSP, is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member. He focuses on the policy, social, and economic effects of cybersecurity lapses to individuals, companies, and the nation.

FedRAMP Rev. 5: How Cloud Service Providers Can Prepare

If we really want to move the dial on security habits, it's time to think beyond phishing tests. Our panel of CISOs and other security heavy-hitters offer expert tips that go beyond the obvious.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

9 Innovative Ways to Boost Security Hygiene for Cyber Awareness Month

Attackers compromised customer support files containing cookies and session tokens, which could result in malicious impersonation of valid Okta users.

Okta, an identity and access management services provider, disclosed that its customer support case management system was recently compromised, exposing sensitive customer data including cookies and session tokens. Attackers could potentially use the information to impersonate valid users contacting support.

The customer support case management system is separate from the Okta service itself and the incident only impacted customers with recent support cases, the company's Chief Security Officer David Bradbury stressed in a blog post on Oct. 20. Impacted customers have been notified, he said.

"Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens," Bradbury added.

In its blog post, Okta listed IP addresses and user-agents that security teams can use in their threat hunting efforts.

The announcement comes after Okta was identified as the initial attack vector in recent twin cyberattacks on MGM Resorts and Caesars Entertainment.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

More Okta Customers Hacked

Most companies offer some kind of awareness training these days. But how much of those lessons are employees actually retaining?

Imagine this: As part of an exercise to teach security awareness, employees enter a room. An actual, physical operational security "escape room," which at first looks like a regular office room. But as people look closer, roleplaying as criminal social engineers that broke into the building, they start to spot information they can use for nefarious purposes.

For example, there's a password in a trash can. And there's a video conference meeting left unclosed. All around the participants are clues that could help them exploit the business. The hope is this experience helps them see through the eyes of a criminal — and leaves them understanding the importance of physical security. Once they are done, the goal is to have them remember the need to keep things like whiteboards clean, laptops locked, and documents hidden or shredded to protect the company.

This is the kind of security awareness training that Kim Burton, head of trust and compliance with Tessian, has used to make sure training leaves its mark on employees.

Awareness training that sticks is still desperately needed as human error is responsible for many breaches and data loss events. In fact, the most recent Verizon Data Breach Investigations Report found that 74% of breaches involved the human element, which includes social engineering attacks, errors, or misuse.

Figures also reveal many companies still fall short in their delivery of awareness training. New data from Hornetsecurity found that 33% of companies are not providing any cybersecurity awareness training to users who work remotely, a common arrangement in a post-COVID world. And those organizations that do provide awareness training — whether to on-site or remote employees — often administer it only annually. This is far from effective, according to Lisa Plaggemier, executive director at National Cyber Security Alliance, who has a long history of developing and running security awareness programs.

It's time, she says, for organizations to get it together when it comes to effective awareness.

"Short but frequent; no more of this once-a-year nonsense," she says.

**Go Beyond Compliance**

But more frequency is only one of many ways that modern security awareness training needs to improve. In a constantly evolving threat landscape, what does an effective security awareness training look like?

"At the National Cybersecurity Alliance, a lot of the behaviors we're trying to influence are the same, so the advice is the same — using MFA, reporting phishing, etc. — but we deliver them through unique messages over time," says Plaggemier. "Those messages use different approaches: storytelling from a victim's perspective, storytelling from the defender's perspective, leveraging current events in the headlines."

Compelling, timely, engaging, and memorable. It sounds simple, right? But it's not. They key problem holding many companies back, is attitude, says Dr. Jason Nurse, director of science and research at CybSafe and associate professor in cyber security at University of Kent.

"Many security awareness programs still fall flat because the organization views the training as a box that must be ticked," he says. "Organizations often focus on compliance and meeting the basic requirements, which may result in training that lacks depth and engagement."

**Create 'Sticky' Awareness**

How can security leaders put together a program that moves far beyond compliance mandates and shape training into something people not only remember, but actually use when faced with risk-based decisions?

One way is to deliver the content through a communication channel that works for them, says Nurse. Research by CybSafe earlier this year found that 79% of office workers are likely to act on security advice provided on the platforms they use daily, such as Slack and Teams. And 90% of respondents thought security nudges on instant messaging platforms would be valuable. Similarly, people who received cyber information daily and weekly were twice as likely to remember all of their training as those who received it monthly, quarterly, or annually.

"While a base-level understanding of cyber hygiene is essential through regular, engaging training, it's equally crucial to help employees when they need it in a helpful format," says Nurse. "Training should go beyond just conveying information; it should guide individuals on how to behave securely in their day-to-day activities. Furthermore, it should ensure people know where to seek help when needed."

Another way to make it mean more is to make training role-based. One-size-fits-all is "necessary to a degree for compliance," says Plaggemier, "but once you've fulfilled your compliance obligation, people should be receiving training that is appropriate for their role and the specific risks that affect them."

Tessian's Burton says in addition to making it too generic, many organizations fail to consider the culture and big picture when devising training.

"The programs fail to take into account the holistic experiences of employees, such as the current culture of the organization, the current signals from leadership about the importance of secure practices, and where the general employee is being asked to use most of their time and energy," she says. "Security awareness programs may neglect non-engineering employees, and engineers may lack mentorship to integrate the material into their practice."

"There is no one right way to train people to be cyber secure. There is only the right way for your organization, department, or team," adds Nurse.

**Play to the Room**

Another important factor to sticky awareness is knowing your audience, says Burton. Like a good stand-up comedian, you need to understand who you are playing to if you want them to remember what you're telling them.

"The first step is empathy," she says. "The security educator needs a deep understanding of the people they are teaching. Repetition over a longer period of time while introducing content in a variety of ways will also ensure recall. And finally, don't forget to have fun. Organizations frequently lose interest and engagement because of a fear of being too weird. However, people are more likely to retain unique content. Weird is good! Be funny, be creative, find joy!"

Burton, in addition to the escape room, has also had employees take part in a story contest that asked employees to write out a "spooky Halloween tale" of how they would attack the company. She has also created narratives that put people in the position of a security analyst at the company, in which they have to evaluate the security of external vendors.

The most effective security training, she says, covers core risks the business is concerned about; it is tailored to the audience; the concepts are presented over time and in a variety of ways; and the material is memorable due to its unique delivery, humor, or creative experience.

"The key component has been, and always will be, a focus on the people themselves."

**HOW TO MOVE FROM FORGETTABLE TO MEMORABLE SECURITY AWARENESS**

Sticky security awareness training can be elusive for many organizations. And with 74% of security events directly tied back to human error, it is important to find ways to reach employees and help them understand cyber risks. Kim Burton, head of trust and compliance with Tessian, uses a variety of awareness training techniques in her programs. Here are the important tenets she says to keep in mind when creating a program at your own company.

1.  **Work with how people work:** Use information about how human memory works, how human beings learn, what incentives provide the best long-term outcomes.
2.  **Approach holistically:** Understand the employees. What pressures do they face? What is the local culture like? What is the internal culture like? What professional backgrounds do these people have? How is the security team or IT team currently perceived internally? Do executives champion security?
3.  **Tell stories:** Share real anecdotes, tell stories from the industry or your experience, and use examples. This helps people see themselves in the narrative. Ideally, each individual would be able to see how they uniquely contribute to the security story of the organization.
4.  **Gamification:** Go beyond a leaderboard. Make engaging with security content fun by using your knowledge of how people work and the holistic experience of working at your company. Make puzzles, encourage curiosity and mystery, recreate the delight of discovery in learning, point out progress, and use positive reinforcement for secure behaviors.
5.  **Build trust:** Build relationships internally. Become a trusted source of information, but also a safe person to be vulnerable with about difficult concepts, security mistakes, and general concerns. The security educator should be one of the most well-known people within the business.

From Snooze to Enthuse: Making Security Awareness Training 'Sticky'

SolarWinds' access controls contain five high and three critical-severity security vulnerabilities that need to be patched yesterday.

Eight newly discovered vulnerabilities in the SolarWinds Access Rights Manager Tool (ARM) — including three deemed to be of critical severity — could open the door for attackers to gain the highest levels of privilege in any unpatched systems.

As a broad IT management platform, SolarWinds occupies a uniquely sensitive place in corporate networks, as the world learned the hard way three years ago. Its power to oversee and affect critical components in a corporate network is nowhere better epitomized than in its ARM tool, which administrators use to provision, manage, and audit user access rights to data, files, and systems.

So, admins should take note that on Thursday, Trend Micro's Zero Day Initiative (ZDI) revealed a series of "High" and "Critical"-rated vulnerabilities in ARM. As Dustin Childs, head of threat awareness at the ZDI, explains, "The most severe of these bugs would allow a remote unauthenticated attacker to execute arbitrary code at system level. They could completely take over an affected system. While we did not look at exploitability, the potential of these vulnerabilities is about as bad as it gets."

**Serious Issues in SolarWinds ARM**

Two of the eight vulnerabilities — CVE-2023-35181 and CVE-2023-35183 — allow unauthorized users to abuse local resources and incorrect folder permissions to perform local privilege escalation. Each was assigned a "High" severity rating of 7.8 out of 10.

A few more — CVE-2023-35180, CVE-2023-35184, and CVE-2023-35186, all rated 8.8 out of 10 by Trend Micro — open the door for users to abuse a SolarWinds service, or its ARM API, in order to perform remote code execution (RCE).

The most concerning of the bunch, however, are another trio of RCE vulnerabilities that Trend Micro assigned "critical" 9.8 ratings: CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187. (For its part, SolarWinds diverged from Trend Micro here, assigning them all 8.8 ratings.)

In each case, a lack of proper validation for the methods _createGlobalServerChannelInternal_, _OpenFile_, and _OpenClientUpdateFile_, respectively, could enable attackers to run arbitrary code at the SYSTEM level — the highest possible level of privilege on a Windows machine. And unlike the other five bugs released Thursday, these three do not require prior authentication for exploitation.

A new ARM version 2023.2.1, pushed to the public on Wednesday, fixes all eight vulnerabilities. SolarWinds clients are advised to patch immediately.

Critical SolarWinds RCE Bugs Enable Unauthorized Network Takeover

A patch for the max severity zero-day bug tracked as CVE-2023-20198 is coming soon, but the bug has already led to the compromise of tens of thousands of Cisco devices. And now, there's a new unpatched threat.

Cisco said a patch for two actively exploited zero-day flaws in its IOS XE devices is scheduled to drop on Oct. 22.

The first Cisco zero-day bug, tracked under CVE-2023-20198, was announced on Oct. 16 and has a severity rating of 10 out of 10. At the time it was discovered, it had already allowed threat actors to compromise more than 10,000 Cisco devices.

On Oct. 19, Cisco said it believed the cyberattacks against its IOS XE devices were all being carried out by the same threat actor.

Now, in an Oct. 20 update to its threat advisory, Cisco reported there's another previously unknown flaw involved, tracked under CVE-2023-20273 — it carries a slightly less scary CVSS score of 7.2.

Both are being used in the same exploit chain. Threat actors used the first bug for initial access, and the second to escalate privileges once authenticated, according to an emailed statement from Cisco announcing the coming patch release.

Cisco also added another clarification from its earlier reporting on the first bug: it was thought in the early response that the threat actor had combined the new zero-day with a known and patched vulnerability from 2021, raising the specter of a patch bypass issue. But Cisco has now dismissed that theory, according to a statement from the company.

"The CVE-2021-1435 that had previously been mentioned is no longer assessed to be associated with this activity," it said.

**Exploitation Could Continue for Years**

As Cisco continues to wrap its arms around the breadth of the threat, cybersecurity expert and consultant Immanuel Chavoya expects to see a spike in malicious activity against vulnerable devices in the lead up to the release of the updated version.

"Active exploitation will continue and lead to ransomware probably over this weekend, as threat actors rush to capitalize before any patch or remediation," he predicts.

But beyond the short-term, Chavoya is dubious many Cisco customers will take the necessary steps to remediate.

"I can tell you from experience many customers do not or will never patch — and are absolutely unaware of the exploitation status currently (SMBs, etc.) — and so thus, exploitation will continue for months or years."

Cisco Finds New Zero Day Bug, Pledges Patches in Days

Though there is speculation regarding potential candidates, the Department of Defense will likely not nominate someone in the near term.

The RAND Corporation, which the Pentagon assigned to study the measures it would take to create a position for an assistant secretary of defense for cyber policy, has submitted its research on the matter, and the US Defense Department is reviewing the results. However, it will be months until anyone is formally nominated.

RAND submitted its research at the end of September. A Department of Defense (DoD) spokesperson stated that it "will inform forthcoming decisions on the organizational structure, resourcing, and workforce of the new office."

Mieke Eoyang, current deputy assistant secretary of defense for cyber policy, is considered a likely candidate; however, her background as a senior Democratic staffer and as an MSNBC commentator has raised concerns that the country's divided Senate would not confirm her.

Another rumored potential candidate is Michael Sulmeyer, principal cyber adviser for the Army. His past experience includes working on cyber policy for the National Security Council.

The DoD, which was opposed to forming the post, has not commented on these potential candidates.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DoD Gets Closer to Nominating Cyber Policy Chief

Vietnamese cybercrime groups are using multiple different MaaS infostealers and RATs to target the digital marketing sector.

Cybersecurity researchers have uncovered a connection between the notorious DarkGate remote access trojan (RAT) and the Vietnam-based financial cybercrime operation behind the Ducktail infostealer.

WithSecure's researchers, who spotted Ducktail's activity in 2022, started their investigation into DarkGate after detecting multiple infection attempts against organizations in the UK, US, and India.

"It rapidly became apparent that the lure documents and targeting were very similar to recent Ducktail infostealer campaigns, and it was possible to pivot through open source data from the DarkGate campaign to multiple other infostealers which are very likely being used by the same actor/group," the report noted.

**DarkGate's Ties to Ducktail**

DarkGate is backdoor malware capable of a wide range of malicious activities, including information stealing, cryptojacking, and using Skype, Teams, and Messages to distribute malware.

The malware can steal a variety of data from infected devices, including usernames, passwords, credit card numbers, and other sensitive information and be used to mine cryptocurrency on infected devices without the user's knowledge or consent.

It can be used to deliver ransomware to infected devices, encrypting the user's files and demanding a ransom payment to decrypt them.

WithSecure senior threat intelligence analyst Stephen Robinson explains that at a high level, DarkGate malware functionality hasn’t changed since the initial reporting in 2018.

"It has always been a Swiss-army knife, multifunctional malware," he says. "That said, it has been repeatedly updated and modified by the author since then, which we can assume has been to improve the implementation of those malicious functions, and to keep up with the AV/Malware detection arms race."

He notes DarkGate campaigns (and the actors behind them) can be differentiated by who they are targeting, the lures and infection vectors they are using, and their actions on the target.

"The specific Vietnamese cluster that the report focuses on used the same targeting, file names, and even lure files for multiple campaigns using multiple strains of malware," Robinson says.

They created PDF lure files using an online service that adds its own metadata to each file created; that metadata gave further strong links between the different campaigns.

They also created multiple malicious LNK files on the same device and did not wipe the metadata, enabling further activity to be clustered.

The correlation between DarkGate and Ducktail was determined from nontechnical markers such as lure files, targeting patterns, and delivery methods, collated in a 15-page report.

"Nontechnical indicators like lure files and metadata are highly impactful forensic cues. Lure files, which act as bait to entice victims into executing the malware, offer invaluable insights into an attacker's modus operandi, their potential targets, and their evolving techniques," explains Callie Guenther, senior manager of cyber threat research at Critical Start.

Similarly, metadata — information like "LNK Drive ID" or details from services like Canva — can leave discernible traces or patterns that might persist across different attacks or specific actors.

"These consistent patterns, when analyzed, can bridge the gap between varied campaigns, enabling researchers to attribute them to a common perpetrator, even if the malware's technical footprint differs," she says.

Ngoc Bui, cybersecurity expert at Menlo Security, says understanding the relationships between different malware families linked to the same threat actors is essential.

"It helps in building a more comprehensive threat profile and identifying the tactics and motivations of these threat actors," Bui says.

For example, if researchers find connections between DarkGate, Ducktail, Lobshot, and Redline Stealer, they may be able to conclude that a single actor or group is involved in multiple campaigns, which suggests a high level of sophistication.

"It may also help analysts determine if more than one threat group is working together as we see with ransomware campaigns and efforts," Bui adds.

**MaaS Impacts Cyber-Threat Landscape**

Bui points out the availability of DarkGate as a service has significant implications for the cybersecurity landscape.

"It lowers the entry barrier for aspiring cybercriminals who may lack technical expertise," Bui explains. "As a result, more individuals or groups can access and deploy sophisticated malware like DarkGate, increasing the overall threat level."

Bui adds that malware-as-a-service (MaaS) offerings provide cybercriminals with a convenient and cost-effective means to conduct attacks.

For a cybersecurity analyst, this poses a challenge because they must continually adapt to new threats and consider the possibility of multiple threat actors using the same malware service.

It also can make tracking the threat actor using the malware a little more difficult as the malware itself may cluster back to the developer and not the threat actor using the malware.

**Paradigm Shift in Defense**

Guenther says that to better comprehend the modern, ever-evolving cyber-threat landscape, a paradigm shift in defense strategies is overdue.

"Embracing behavior-based detection sequences, as well as leveraging AI and ML, allows for the identification of anomalous network behaviors, surpassing the previous limitations of signature-based methods," she says.

Furthermore, pooling threat intelligence and fostering communication about emergent threats and tactics across industry verticals can catalyze early detection and mitigation.

"Regular audits, encompassing network configurations and penetration tests, can preemptively unearth vulnerabilities," Guenther adds. "Moreover, a well-informed workforce, trained in recognizing contemporary threats and phishing vectors, becomes an organization's first line of defense, reducing the risk quotient substantially."

Ducktail Infostealer, DarkGate RAT Linked to Same Threat Actors

Users could hold up to five SIM cards previously, but now they can only have two; it's a move that the government says is intended to cut down mobile spam levels.

Burkina Faso aims to increase mobile security in the African country with a new bill that says users can only hold two SIM cards (i.e., lines of service) from a mobile provider.

And the sale of SIM cards will only be made in approved agencies and points of sale.

The use of multiple SIM cards can allow for SIM farms to be built, which are typically connected to organizations where the SIM cards are connected to computer servers to send large amounts of SMS spam.

Aminata Zerbo-Sabané, Burkina Faso's Minister of Digital Transition, Posts, and Electronic Communications, said this measure is aimed at reducing the improper use of electronic communication services.

The bill will better regulate the identification of customers of electronic communications service providers, and reduce the illicit use of mobile services, she said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

SIM Card Ownership Slashed in Burkina Faso

To make cybersecurity an organizationwide priority, CISOs must avoid these common input, empathy, and alignment obstacles.

Whether they're earned or not, there are certain stigmas associated with chief information security officers (CISOs): They work in isolation, with only a vague sense of how various departments contribute to the organization's greater good. They impose controls without considering business impact. They focus on highly technical metrics with unclear net positive value. They aren't good at listening. Or empathy.

Be honest. Does this describe you and your team — even just a bit? Or more so? If you concede that it does, that's a good thing. The first step toward a solution is acknowledging that a problem exists. Improvement requires change, which is sometimes uncomfortable, because change starts with you.

Accountability, then action. For CISOs and their teams, that means transforming into ubiquitous advocates for cybersecurity — and then leading the transformation for everyone in the enterprise into advocates for the same.

CISOs will thrive within this change by focusing on input, empathy, and alignment. This will enable lasting success for the shift by allowing CISOs to fully identify and understand information asymmetries throughout the organization and then remove them to clear the path to optimal communications and awareness.

However, there are several obstacles that hinder these efforts. Here are three and how to overcome their traps.

**Assigning Tasks to the Wrong Subject Matter Expert (SME)**

CISOs are responsible for an extremely wide scope and frequently deal with high stress — but are consistently biased toward taking action themselves. They lead the organization well, but at times miss opportunities to leverage SMEs' soft skills to optimize resolution. As leaders, it is necessary that CISOs remain cognizant of the balance between SMEs' skill sets, shared values between them and the target organization, and the true goal of this collaboration.

The solution requires raising engagement between security and the enterprise across the board, building relationships that ensure the right expert is assigned to the right issue to give the right support.

CISOs must rely on the people around them to truly know what is going on. They must create pathways so that the right information flows freely everywhere and that this knowledge is committed to organizational and institutional memory. By interfacing with external teams, CISOs create contacts that result in the effective ingestion of information and the proper application of personnel and responses to the information.

**Failing to Tie Actions to Organizational and Business Goals**

If CISOs don't connect their work to broader goals, it's pretty much impossible for non-IT managers and employees to appreciate the value of their actions. CISOs know why certain controls and responses to threats are needed. But they can never assume those outside their team do.

To overcome these potential credibility gaps, I've proactively communicated with my heads of finance, marketing, sales, and other key departments to learn about their roles. Because I've invested that time — to find out what they do every day, along with their strategic goals and challenges — I gain their trust in myself and my team. They are confident we will approach threats, risks, and remediation with an appreciation of business objectives.

**Executing Without Making Broad Impact**

I push my team members to constantly ask themselves: "Am I implementing a fix that benefits people outside our team? Or am I just trying to make my own life easier?" Obviously, we seek to achieve the former and avoid the latter. Simply stated, we need to think big. Our return on investment (ROI) growth is directly tied to our ability to sow seeds once and reap the fruits of our labor in multiple seasons to come. 

"Everyone has a plan," boxer Mike Tyson is credited with saying, "until they get punched in the mouth." If we work within security silos — isolated in our knowledge, dogmas, and execution — every security issue is like the first time in the ring, and we consistently take punches that we have little understanding of how to handle. 

But if we proactively pursue empathy and alignment as part of our core values, we gain a level of trust that builds pathways throughout the enterprise. Subsequently, we can remove those informational asymmetries, elevate the conversation across the organization, and lead strategically. And we will walk out of the ring with our arms raised — stronger and together.

Source

DARKReading