Five things I learned at IBM Security
IBM Security C-TOC in the Streets of Cambridge, MA

Earlier this week I resigned from IBM … more on that and my future plans in the coming days.

It has been the highlight of my career to lead and grow the IBM X-Force into what is today one of the largest incident response and intelligence teams in the industry. As I start the next chapter, I wanted to take a few moments and reflect on 5 things I learned from this experience:

1. US companies are not prepared for a destructive attack. As an industry, we primarily focus on data loss and privacy as the key metric for concern. The 52 different breach disclosure laws across the US almost all highlight the loss of private data as something that must be disclosed, but in the process we are often ignoring the reconnaissance prior to a destructive attack: the actor that gets access to the network, elevates credentials and then just waits and does nothing, knowing that they have a beachhead for future use. Most destructive attacks have occurred outside of the United States, and responding to these attacks is not as simple as apologizing and providing credit monitoring. A destructive attack demands an all-of-business response that will test the resiliency of your business, and we need to shift our focus to better understand this threat. In short, if your business does not have a resiliency plan and you are not leveraging HUNT teams, then it is time to invest.

2. Get to know the Cyber Jedi. If you need cardiac surgery, you want a specialist and not a general practitioner. You want someone that does this every day, has seen it all, and knows how to handle the toughest situations with calm precision. The same is true when it is your business having a “cardiac episode” from a breach. There are Cyber Jedi out there, and I had the rare privilege (and challenge) of managing a few of them. They are the people that can recover your Active Directory rather than rebuild it, the folks that know who might have the decryption keys for that particular ransomware, and the people that know the threat actor like their own children. There is no tool, product or machine learning that can replace a Cyber Jedi during a major incident.

3. Crisis decision making is a skill you did not learn in business school and you cannot learn it from a book. It is a skill that has to be practiced. If you tried to learn to swim from a book, it probably would not end well. You need to jump in a pool and learn some new skills. The same is true for crisis decision making. Learn about OODA loops and Commander's Intent, and build your runbooks.

4. Nothing is more deadly in a large security incident than your own organizational structure. You are up against a human adversary, and the only way to beat them is to make decisions faster than the adversary. You cannot wait for the executive that is on a plane for the next 12 hours. You need to make decisions with the people you have in the room, and not making a decision is a decision. Can you assemble the team you need in minutes (not hours) and at any time, day or night? Learn about the Incident Command System and how it can be adapted for your team and your response.

5. Crisis communication is an art form and a new skill we all need to master. You can easily lose access to your IT systems and phones during a breach. Do you know how to communicate with your team, your investors and your key customers when primary systems are down? Do you know what you would say in advance? Words matter, and they can make all the difference between what is seen as a minor incident and a major reputation loss.

Lastly, I want to say thank you to the 8000 security professionals at IBM and in particular the X-Force team that I have had the honor of working with since we formed the security business unit at IBM. Stay on mission - you are the sentinels that stand guard on the walls of the Internet.

All spot on. In particular the individual State disclosure laws are focusing attention on "yesterday's" issues, and are hopelessly behind the current threat landscape.


Congratulations, Caleb. Great article. Brilliant leadership you brought to IBM Security and X-Force specifically. Continued success to you!

Stacey Gregerson

Sr. Info Security Engineer & Army Veteran

5 years ago

Thank you Caleb for taking the time to talk to me about how I was approaching security. I was very very new to information security and yet you took the time to talk to me and listen then gave advice. Most these days forget to listen then advise. You are a great example of how to lead.

Bilal Jaffery

Senior Vice-President, Data & AI services | AI Consulting, Data Engineering & Applied AI solutions | Board Director

5 years ago

“Crisis decision making is a skill you did not learn in business school and you cannot learn it from a book. It is a skill that has to be practiced. If you tried to learn to swim from a book, it probably would not end well. You need to jump in a pool and learn some new skills. The same is true for crisis decision making. Learn about OODA loops, Commanders Intent and build your runbooks.” Bravo Caleb Barlow

Stephanie Bourdage-Braun

EVP, Customer Success and Delivery at Intralinks

5 years ago

Congrats Caleb, they are very lucky to have you! All the best!
