Tanium CISO Chris Hallenbeck on How to Handle the Inevitable Breach

As CISO for the Americas at the security and IT management company Tanium, a big part of Chris Hallenbeck’s job is helping customers ensure that technology powering their business can adapt to disruption through improved business resilience.

“We should prevent where we can, but the reality is that breaches and disruptions are still going to happen no matter what,” says Hallenbeck. “That’s just the inevitable thing. As long as we have computers, as long as we have users of those computer systems inside of organizations, breaches are going to happen.”

Unsurprisingly, that’s not usually what customers are hoping to hear from the guy in charge of their organization’s security and IT management. “It’s definitely a difficult conversation to have,” says Hallenbeck. “I think that’s where it’s incumbent upon CISOs to proactively engage with their peers in the C-suite, as well as with the board, to help educate them and help them understand that this is really an exercise in managing risks rather than outright prevention. Then it becomes a manageable conversation.”

Founded in 2007 by father and son David and Orion Hindawi, Tanium operates as a unified platform for monitoring, protecting, and controlling enterprise and government technology systems.The company’s strategy is built around endpoints—the many, many devices and servers connected to a network at any given time, each of which is potentially vulnerable to hacking that can compromise an organization’s data and infrastructure. Tanium provides its customers with what it calls a “central nervous system”: a comprehensive, real-time picture of their network’s endpoints, along with with the capability to assess them and respond to suspicious behavior in near-real time. “Our goal is to limit the impact of breaches and disruption to ultimately help organizations achieve business resilience,” Hallenbeck says.

While some might assume that successfully mitigating the effects of a break-in is simply a matter of detecting the breach, rooting out the intruder, and taking stock of the damage, safeguarding an organization for the long term requires thinking about an attack well after it has occurred. Once the immediate threat has passed, it’s crucial to “piece together what happened to allow [attackers] in in the first place, and build that into our protection plan going forward. That’s the final piece of this that helps us to build in some of that resilience,” Hallenbeck says. Business Resilience—the practice of ensuring that the technology running the business can adapt to disruption—is a particularly useful concept in the realm of cybersecurity, where, as previously noted, setbacks will eventually occur. The wake of an intrusion should be used as an opportunity to “gather the lessons learned” in order to “[improve] things overall.”

Hallenbeck—who, before joining Tanium, worked on the U.S. Department of Homeland Security’s Computer Emergency Readiness Team—has seen a lot breaches. He notes, “The [organizations] that recover the best and the fastest are the ones that effectively manage their crisis with open and honest communication.” Of course, in an ideal world, every crisis would be handled with open and honest communication—but, as most people know from personal experience, open and honest communication flows more readily in situations that aren’t wholly unexpected and overwhelming. When unexpected disruptions do occur, most organizations go into crisis mode and tend to make decisions too quickly. Instead, they should be focusing on preparation before the crisis ever hits, so they are not caught off guard. “The nightmare scenario is that you start making decisions on the fly. That’s when you’re going to find yourself in trouble,” Hallenbeck says. “It comes down to preparation.”

“The majority of incidents and events start from the most basic and mundane of things. Missed patches, bad configuration, things that you’ll look at it and you just do a facepalm, wondering, ‘How did we miss that?’ Taking care of those fundamentals and constantly checking on those things pays a lot of dividends,” Hallenbeck explains. For those who understand the value of some less-than-scintillating conversation, he recommends not just developing an emergency plan, but regularly assembling the people responsible for implementing it “to all sit around and walk through and game out a use of that plan, so that you can test it and challenge the assumptions that that plan has.”

“If I have a crisis management plan—maybe even have a couple of candidate companies lined up to help from externally—if I’ve done that preparation, I should be able to sleep at night knowing that my team can enact that plan and call me in the middle of the night if it’s needed,” he says.

Hallenbeck adds that as technology has grown more accessible and complex, CISOs have been forced to get comfortable with a host of new contingencies. “It used to be that security organizations could be the organization of no. They could say no every time, and that’d be okay,” he says. “The cloud has become rather democratizing for IT. If security says no and prevents something from running within the enterprise IT architecture, a business unit can simply go out and acquire that technology through the cloud.”

Now, “It’s really incumbent on CISOs to say ‘yes’ or ‘yes but’ or say ‘yes and tell me more,’” Hallenbeck says. “If you’re doing it right in your security organization, you become this trusted partner and this advisor that can help them navigate things and get their project done. People just start naturally baking in the right decisions up front and stop trying to work against you.”

To learn more about Tanium and hear from Egon Rinderer, Global VP / Enterprise & Federal CTO of Tanium, check out his interview below: