Podcast: Episode #10 - Tony Sager: Practicality Over Perfection and Simplifying Security Standards

February 24, 2023

We are excited to share insights from a conversation between Tony Sager of the Center for Internet Security (CIS) and Aaron Crow, Industrial Defender’s CTO and host of The PrOTect OT Podcast. Tony is a renowned security expert with extensive experience in both the government and private sectors. He started his career as a cryptographer and vulnerability analyst at the NSA. Following his retirement from the NSA, he joined CIS as Chief Evangelist, where he is responsible for developing the CIS Critical Security Controls and for a range of community service activities.

Here are some highlights of this important conversation about CIS, protecting national security, and helping organizations across the country practically improve their security postures. Be sure to listen to the full episode here.

The world of cybersecurity has always been an "arms race," and with the current technological landscape it is becoming increasingly challenging to keep up. Over his long career in national security, Tony has observed a significant shift in the threat landscape. What was once a matter of nation versus nation has expanded: cybercrime now targets individuals, groups, and countries all at once. The sheer number of actors, each with different motives and goals, creates a very complex cyber threat landscape.

Tony noted that the majority of the economy is not properly equipped to defend itself against cyberattacks today. Many small businesses do not have the resources to hire cybersecurity professionals, and even if they could, a single hire is not enough to keep up with the growing volume of threats. The traditional approach of building your own security program simply does not work for most businesses. The challenge, therefore, is how to deal with this problem at a much more aggregate level: how to help people make good security decisions when they do not have the expertise to make them on their own. This is a real-life problem, because the economy is not just large enterprises and corporations but also privately held businesses such as doctors’, lawyers’, and dentists’ practices.

The Center for Internet Security is a nonprofit organization that develops and promotes best-practice solutions for cyber defense. Its goal is to scale cybersecurity best practices by drawing on the expertise of cybersecurity and IT professionals from government, business, and academia worldwide. CIS is taking on the challenge of aligning all the different pieces of cybersecurity, from technical security controls to public policy, regulations, insurance, and many other factors, so that people can manage risk without having to become cybersecurity experts. Its efforts are aimed at creating a national credentialing system and an accepted body of knowledge that lets people make informed decisions about cybersecurity without specialized expertise in the field.

There are many security frameworks, each with its own language, level of abstraction, and requirements. This can be overwhelming for companies, especially those that operate in multiple regions or industries and may need to comply with several frameworks at the same time. The result is that many organizations spend too much time and energy proving to auditors and assessors that they have done the right thing, rather than actually improving their cybersecurity posture. Tony believes the creators of frameworks have a responsibility to make them simpler and more accessible. The CIS Controls are a framework that aims to be more prescriptive, and CIS publishes mappings (for example across the CIS Controls, NIST, and PCI DSS) to help organizations understand how the different frameworks relate to each other, so that evidence gathered for one can be reused for another.

Formerly the SANS Critical Security Controls (the "SANS Top 20"), the CIS Controls were developed starting in 2008 by an international, grass-roots consortium bringing together companies, government agencies, institutions, and individuals from every part of the ecosystem (cyber analysts, vulnerability finders, solution providers, users, consultants, policy makers, executives, academics, auditors, and others) who banded together to create, adopt, and support the Controls. The CIS Controls are a relatively short list of high-priority, highly effective defensive actions (18 Controls in the current version 8) that provide a "must-do, do-first" starting point for every enterprise seeking to improve its cyber defense.

CIS works closely with state and local governments and the smaller jurisdictions below them. Tony noted that many states are currently focused on incentivized voluntary adoption: companies that can demonstrate a security program based on accepted industry guidelines and frameworks may receive incentives such as protection from liability in the event of a data breach or a cap on punitive damages. This is a market-driven trend that puts decision-making about cybersecurity in the hands of the economy rather than the regulator.

Tony graciously referenced our blog post "Don’t Give Compliance a Bad Name," and noted that compliance is in fact an important component of managing risk. While a pure checklist mentality is not enough, checklists are an effective starting point for making sure the basics are covered. A checklist captures the mistakes of the past in a digestible form, so that the obvious, repeatable mistakes are not missed without having to train everyone deeply in every mistake that has ever been made.

In one of my favorite parts of the discussion, Tony talked about how cybersecurity is more like the movie Groundhog Day than Independence Day. We would like it to be like Independence Day, where we capture the alien scout craft, reverse engineer it, write a virus, and heroically save the world. The reality is more like Groundhog Day: the machine is already running, and it runs again every day. We have some memory of previous days and the ability to assess whether a change to the system would be beneficial or not. That matters, because we are designing something we will have to rely on indefinitely.

The goal of cybersecurity is to balance the prevention of attacks with the ongoing maintenance of the system. A 100% success rate is not feasible, and investing enough to chase it could bankrupt an organization. Instead, the focus should be on keeping the system running and quickly identifying changes that could affect its security or its operation.

Tony also made some great points about decision intuition. He noted that military generals are often saved by their decision intuition: they recognize that a decision does not need to be perfect in order to be good enough for its intended purpose. Many senior decision makers, however, still struggle to develop this intuition, especially in cybersecurity, and are overwhelmed by complex information, often deferring to so-called "wizards."

As risk managers, our job is not to scare or inspire, but to help people manage risk. That requires taking complex information and translating it into language and concepts that our clients understand and can use to make informed decisions, presenting it in a way that aligns with how they already think about risk and make decisions.

Tony believes that great companies, work, and standards already exist, and that the fight against cyber threats can be waged more efficiently by rethinking how we conduct online transactions, the role of privacy and anonymity, and how we build more secure infrastructure. With this vision in mind, Tony has been working tirelessly with many great people at CIS and across the community to bring about these changes.

Listen to the full episode here!