Dear CEO, Are You Enabling Your CISO?

Managing risk is at the forefront of responsibilities that C-level executives deal with on a daily basis. Yet, many executive committees are still ignorant of security risk due to a lack of understanding or an unwillingness to take the time to learn the risks. What are the key questions executives, board members and audit committee members should ask themselves regarding how security risk is managed within their organization?

What do we see?

Over the past 10 years there has been a dramatic increase in the number of security incidents. To give just one example: in just 10 years (2006-2015), the US government saw a 1300% increase in cyber security incidents. 2016 and 2017 have only confirmed this trend with a staggering number of data breaches, ransomware attacks, phishing incidents, etc. Not surprisingly, security risk has claimed a top spot among the top business risks in many, if not all, industries. Company boards and executive committees can no longer ignore the fact that just one serious security incident could significantly impact the bottom line and future growth of their company, and potentially even cost them their jobs.

The good news is that managing risk is at the forefront of responsibilities that C-level executives deal with on a daily basis. Managing business risk, and even firefighting, is part of the job description, and planning to prevent the fires is what successful companies do. Hence, CEOs and other members of the C-suite should be well versed in dealing with risks, including security risks.

Yet both the security incidents themselves and the research seem to indicate that many executives are neither ready nor set up to manage security risks:

  • A recent report by F5 Networks found that although 65% of CISOs say they report to senior executives, most often that reporting is limited to incident and crisis reporting. It also indicates that 35% are not even reporting on that.
  • A 2016 report from Nasdaq and Tanium states that more than 90% of corporate executives say they can’t read a cyber security report and aren’t prepared to handle a major attack.
  • Severe data breaches have already cost CEOs their jobs (e.g. Equifax and Target). However, it is more likely (though less reported) that the CISO takes the fall. After all, isn’t the CISO responsible and accountable for security? While this may seem logical, it ignores the fact that security is a shared responsibility across the company and that security requirements, and the CISO, are frequently overruled or ignored. Additionally, I would like to quote a question of Wim Remes, Chairman of the Board of the International Information System Security Certification Consortium, or (ISC)²: “You don’t fire your general counsel when you get sued, so why would you fire your CISO when you get breached?” So, without looking into the individual cases, but just at the trend, blaming and even firing the CISO seems to be one more indication that there is still a major disconnect between the CISO and the CEO.

Basically, it comes down to this: when the CEO (and by extension the executive committee and the board) is ignorant of security risk due to a lack of understanding or an unwillingness to take the time to learn the risks, then:

  • Important decisions about security do not get made
  • The CISO is not enabled, nor empowered to successfully help protect the company
  • The company is not prepared for the many and ever increasing security risks it is facing

6 key questions executives should ask themselves

As a C-level executive, board member or audit committee member there are a number of key questions you should ask yourself about the manner in which security risk is managed in your company.

1. Does your CISO have both the organizational and positional power to escalate issues that they feel strongly about to the appropriate C-level or even board position?

Your CISO will not be successful unless he or she has the buy-in and engagement of the executives. Without this, your CISO will simply be perceived as a business blocker and his or her efforts circumvented. Your CISO needs to have the organizational power and position to effectively challenge business risk decisions that are not good for the company.

2. Are you a passive listener to what your CISO has to say or do you actively engage in the conversation? Are you demanding the latter also from the other execs?

An involved CEO meets regularly with the CISO, reviews reports, asks questions, and provides encouragement and support in front of the other executives and board.

3. Do you know what your security policies are about, what their objectives are, and do you understand that they help to define the level of risk you are willing to take as a company?

As an executive you must actively endorse and support the security policies, and not just passively agree to them as a mere formality. If you don’t bother with, or don’t believe in, enforcing the security policies that were put in place to protect your company’s information (systems), you let down your company, your employees, your suppliers, your customers, … and you should not be surprised by the security incidents that will inevitably follow.

4. Are you considering security as a responsibility and accountability that is shared across the company or are you attributing it completely to your CISO and his or her security team?

Controlling security can’t be relegated to one person or one team. It’s an enterprise risk and business problem, not just a CISO problem to resolve. It should not be the CISO making all the decisions as to how much to invest and what the right thing to do is. That actually needs to be in the hands of the Executive Committee. The CISO obviously plays a facilitating role and you can make a CISO responsible for particular security tasks, but a CISO can never be held accountable for security tasks and responsibilities that belong to others. You should therefore, with the help of your CISO, institute a security program that engages all the different stakeholders in the company. Clear assignment of responsibilities is vital. Groups who are responsible for protecting crucial data, like IT, HR, procurement, and marketing, must become cyber-conscious and accountable too.

5. Are your discussions on executive and board level driven by front page news and incidents?

As information security breaches continue to make the front pages, organizations need to ensure that headlines don’t drive the information security program. Ensure your CISO has regular interactions with executive leadership that create clear visibility into all areas of security risk, i.e. a structured form of risk reporting that allows you to manage security risks in a forward-looking manner aligned with the business strategy.

6. Do you believe security problems can be solved by simply investing in the right security tools and solutions?

Incident-driven security risk discussions tend to result in throwing money at the issue and investing in new security solutions. However, to quote Tim Holman, past president of the Information Systems Security Association in the UK (ISSA-UK): “The cyber threat cannot be solved by buying products. A common-sense approach of reducing the amount of sensitive data stored, booting out insecure suppliers, restricting access to information and getting cyber liability cover will often be ten times as effective and ten times cheaper than the next generation security appliance with flashing lights sold to you by expert salesmen. All these require support from the lines of business and the executives.”

Not sure where your company currently stands?

Did the previous questions make you realize it is time to talk to your CISO? Good, then here are some questions that you should ask him or her to trigger a critical discussion about the state of security risk within your company:

  1. Do you understand our wider business strategy?
  2. (How) have you aligned our security approach to our organizational strategy?
  3. What are the biggest risks?
  4. What are the gaps?
  5. How are you evolving our security approach to match the changing risk landscape?
  6. Are sufficient resources available, and are they being used wisely?
  7. Are you being heard? If not, where and why are people ignoring you?

Based on the answers you are getting, you will be able to see where the lines of communication between CISO and executives are obscured, where the CISO may not have been given the tools and resources in line with his or her responsibilities, and – most importantly – if and where you need to improve your understanding of security risk to the same degree as any other business risk.

Tim Wulgaert is a consultant, advisor, presenter and author in the field of information security and privacy. He has over 15 years of experience in developing, reviewing and improving information security strategies, policies, awareness campaigns, organizational design and other related security management topics. Currently, Tim is working on securitythisway.com, an initiative to build a security management content platform that aims to provide security and privacy professionals with hands-on security policy, process, awareness and other related security management content.

Source: https://www.csoonline.com/article/3241466/governance/dear-ceo-are-you-enabling-your-ciso.html

First US Federal CISO Shares Security Lessons Learned

Greg Touhill’s advice for security leaders includes knowing the value of information, hardening their workforce, and prioritizing security by design.

INSECURITY CONFERENCE – Washington, DC – Greg Touhill encouraged his audience of security leaders, whom he dubbed “the cyber neighborhood watch,” to swap war stories and lessons learned during his keynote at Dark Reading’s inaugural INSecurity conference, held this week in Washington, DC.

As the first CISO of the US federal government, and with an extensive background in government cybersecurity and the military, Touhill has several stories of his own. Drawing from years of experience, the Cyxtera president shared his own lessons learned to kick off an event created to bring cyber defenders together so they can discuss problems and challenges.

One of the biggest problems is explaining to the business how cybersecurity is a risk management issue. Most security pros struggle to communicate with business leaders, who “speak a different language than we do,” he explained.

“I keep on hearing executives talk about cybersecurity being a technology problem, and they keep pouring money into buying new stuff,” said Touhill as an example. The enterprise instinct to buy new protective tools often distracts them from the core problem of managing risk.

One of Touhill’s lessons was to avoid chasing fads. Sometimes new doesn’t mean improved, he noted. Security leaders need to keep tech current, not buy every new tool. They should do their homework and base their product decisions on both risk potential and business value.

Knowing the value of corporate information is a key part of evaluating and managing risk. Business leaders know their data exists but can’t explain what it means or how much it’s worth. It’s tough to know where to prioritize security if you don’t know which data is most valuable.

“Information is one of the most valuable assets any business, any operation has,” Touhill emphasized. “Look at your infrastructure, look at how you architect. Know the value of your information and don’t try to defend everything. Defend what you need to defend.”

Security leaders must also prioritize security by design, he continued, using the transition to the cloud as an example. “A lot of folks jumped into the cloud without knowing about the tall, craggy mountains on the other side of that cloud,” he pointed out.

Touhill’s lessons extended to security employees. “Humans fail all the time,” he said, but you can bring down the risk of catastrophic events by training people and making sure they’re appropriately resourced. Hardening the workforce is “critically important.”

“People are your weakest link but also your greatest assets,” Touhill continued. It’s up to security leaders to make the business case for additional training, which is necessary but expensive. The need for education will never go away. Team members, and colleagues across the enterprise, should be taught to “think like a hacker” and “be very suspicious.”

The sentiment extended to another lesson: have a zero-trust model. Most security pros haven’t taken a full inventory of all the trust relationships they have, he argued, encouraging the audience to look at where their trust lies and “be skeptical.” Knowing and remembering the value of information will be critical as a new wave of professionals enters the workforce.

“We’re raising a generation of folks who are freely surrendering their privacy – your privacy – by giving up information and not recognizing the value of it,” Touhill said.

Other lessons touched on security fundamentals. He urged the audience to identify where they aren’t mastering basics or being consistent. “How many times has someone gotten breached and left the backdoor open?” he asked, relating his advice back to thinking like a hacker.

Attackers will go for the underbelly, Touhill continued. They will check every door and window to make sure they are locked. And if they’re not, they will take advantage of it.

Ultimately, along with protective measures and strategies, leaders must also “be prepared for a really bad day,” he concluded. Security teams identify risk and threats, protect against them, and often build response plans but rarely exercise them to practice for a real incident. Those who need to practice the most often don’t.

In the best organizations, everyone participates in cyber exercises and drills – even the boards and the CISOs. “A bad day is going to come for each and every one of us,” Touhill emphasized.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Source: https://www.darkreading.com/attacks-breaches/first-us-federal-ciso-shares-security-lessons-learned/d/d-id/1330519

Cybersecurity Leadership Role A Sweet Spot for the CISO

Cybersecurity has traditionally been a subject only a few executives were expected to understand. However, as additional security concerns are spreading across businesses, cybersecurity now concerns all members of the C-Suite. For example:

  • The chief financial officer needs to ensure secure transactions between financial institutions or business partners.
  • The chief marketing officer needs to master how to securely leverage digital and social media without putting the organization at risk.
  • The chief human resources officer needs to know that digital recruiting processes are secure and personal data won’t be compromised.

Cybersecurity concerns and capabilities for each management function should be harmonized under companywide priorities and principles. This presents new opportunities for the Chief Information Security Officer (CISO). To get to this point, the organization needs to establish these key processes:

  1. The CISO needs to interact directly with all C-Suite members.
  2. The C-Suite needs to agree on what the company wants to do from a holistic perspective.
  3. The CISO needs to facilitate these discussions.

To facilitate these critical conversations in the C-Suite, the CISO should be prepared to ask the following questions:

  • What are the crown jewels we want to protect with the highest priority?
  • What are the business consequences if those crown jewels are stolen?
  • How much are we willing to invest to mitigate those risks?

Integrating cyber-resilience solutions

Across each organization, there can be many solutions to address cyber resilience. A technology solution could be managed security services; a financial solution could be cyber insurance; an operational solution could be a Computer Security Incident Response Team (CSIRT); a legal solution could be fiduciary actions based on the advice of attorneys.

The key is to integrate these solutions into a cybersecurity strategy that supports the business priorities of the company. Many companies have not defined and assigned a person to lead that effort. This is a new space in corporate business management—and a new opportunity for the CISO.

Conclusion

By taking on the cybersecurity leadership role in the C-Suite, a CISO can develop and drive a cybersecurity strategy that becomes a comprehensive and integrated package, rather than an aggregation of independent tactics. It can be owned by the entire C-Suite and woven into the companywide business strategy. This will help to reduce risk and improve cyber resilience.

Source: https://www.securityroundtable.org/cybersecurity-leadership-role-sweet-spot-ciso/

The Yahoo Lesson for CEOs: Bring your CISO into the Boardroom

If you view your CISO as a techno-nerd, capably managed by the CIO and therefore someone the board doesn’t need to make time for, think again.

Poor cybersecurity poses an existential threat to your business. That makes it a board-level matter which demands close attention and priority resourcing. You undervalue your gatekeeper at your peril.

Cybersecurity is an operational issue, not an IT one, so your security mastermind must be established, accountable, and independently funded. Delegation can be dangerous when it comes to responsibility for security breaches: just ask former Yahoo CEO Marissa Mayer.

It is now just a year since Yahoo reported two major hacks, one in 2013 and one in 2014, which compromised a total of 1.5 billion customer accounts. The delay in disclosing them, which is still under investigation by the Securities and Exchange Commission (SEC), exacted a heavy price. The company’s share price dropped immediately and the Verizon takeover deal was plunged into uncertainty, while Mayer forfeited her annual bonus and stock award.

Where did Yahoo go wrong?

Yahoo made a series of fundamental errors which exposed the company to attack in the first place and then compounded the damage. In short, cybersecurity was not on the C-Suite’s agenda because the people at the top fatally underestimated the destructive potential of a hack.

Firstly, Yahoo took too long to hire a CISO, and then the company failed to bring its security specialist into the inner circle, meaning some top-level decisions are likely to have been ill informed. For example, the CISO may not have been told about a secret program Yahoo installed on behalf of the government to scan users’ emails.

If a company sees cybersecurity as a business barrier instead of the business enabler it should be, then the CISO will inevitably be well down the pecking order for resources. Switch the thinking and you transform the CISO from a hindrance into a potent business asset.

The mind-set was simply wrong at Yahoo. Despite multiple vulnerabilities being noted by internal security teams, there was no appetite or financial backing for controls to be put in place. Some data was encrypted using secure algorithms while other data was plaintext or insecure, and the company also lagged behind other Silicon Valley heavyweights in implementing technologies such as end-to-end encryption and bug bounty programs.

Then, when the first attack was discovered, users were not immediately forced to change passwords. This is a prime example of the company’s poor attitude to cybersecurity. The SEC and the public were kept in the dark for two years. There was no action plan to contain the damage, no investigation to learn the lessons, and no communications strategy to protect consumer confidence.

Four lessons for industry

  • IT security needs proper investment and commitment from the board. Just because you have appointed a CISO, it does not mean you can ignore the issue. Empower your CISO to protect the organization.
  • Conduct detailed IT security due diligence during any takeover. You are buying data assets along with a company and you need to know whether any lax security might come back to bite you.
  • Tell users and the authorities about any security breach at the earliest opportunity. Not only is that the ethical thing to do, but the rules demand it.
  • Own the problem. Taking responsibility and communicating effectively can save a great deal of pain and ensure that reputational damage is minimized.

How safe is your organization?

The easiest way to determine whether your company has a healthy cybersecurity culture is to look at where the CISO sits in the organization.

When a CISO reports directly to the CEO, the C-Suite has a better understanding of the issues, is better invested in minimizing the risks and planning damage limitation, and therefore less likely to fall foul of a Yahoo-style scenario.

You also avoid any conflict of interest between the team responsible for implementing IT projects and the specialists charged with protecting the organization.

  • Choose a CISO who can articulate business risk
  • Make room for the CISO at the top table
  • Resource the role properly
  • Have a clearly defined action plan in case of a breach

Cybersecurity is a business risk, so treat it like one.

Senior Consultant at Mason Advisory

Source: https://www.infosecurity-magazine.com/opinions/yahoo-lesson-ceo-ciso-boardroom/

The CISO’s Guide to Managing Insider Threats

Critical digital and physical assets are becoming increasingly vulnerable due to accelerated connectivity, differing global regulatory requirements, joint ventures and business partnerships and security weaknesses within complex multinational supply chains. These factors have led to a rise in insider threats for enterprises across all industries.

An insider threat comes from an employee, contractor or third-party vendor with legitimate access to a company’s network and data. While some insiders compromise sensitive corporate data deliberately, for monetary gain or out of spite, others do so accidentally through negligence or lack of awareness.

According to the “2016 Insider Threat Report” by Crowd Research Partners, 75 percent of survey respondents estimated that insider threats could cost their companies up to $500,000 in 2016, while 25 percent put the figure above that amount. The study also found that 74 percent of organizations consider themselves vulnerable to insider threats; of those, 7 percent reported that they were “extremely vulnerable.”

Common Behavioral Indicators

The most common root cause of insider incidents is lack of awareness. For instance, employees with strong IT skills often create workarounds to technology challenges. When employees use their own personal devices to access work email, they frequently open new gaps in the organization’s physical security processes and IT systems without realizing it.

The chief information security officer (CISO) must be aware of these patterns in order to detect suspicious activity, which requires a holistic and layered approach to user behavior analytics (UBA). The following are examples of behavioral indicators:

  1. Downloading substantial amounts of data to external drives;
  2. Accessing confidential data that is not relevant to a user’s role;
  3. Emailing sensitive information to a personal account;
  4. Attempts to bypass security controls;
  5. Requests for clearance or higher-level access without need;
  6. Frequently accessing the workspace outside of normal working hours;
  7. Irresponsible social media behaviors;
  8. Maintaining access to sensitive data after termination;
  9. Using unauthorized external storage devices;
  10. Visible disgruntlement toward employers or co-workers;
  11. Chronic violation of organization policies;
  12. Decline in work performance;
  13. Use of mobile devices to photograph or otherwise record computer screens, common work areas or data centers;
  14. Excessive use of printers and scanners;
  15. Electronic communications containing excessive use of negative language;
  16. Installing unapproved software;
  17. Communication with high-risk current or former employees;
  18. Traveling to countries known for intellectual property (IP) theft or hosting competitors;
  19. Violation of corporate policies;
  20. Network crawling, data hoarding or copying from internal repositories;
  21. Anomalies in work hours;
  22. Attempts to access restricted areas;
  23. Indications of living beyond one’s means;
  24. Discussions of resigning or new business ventures; and
  25. Complaints of hostile, abnormal, unethical or illegal behaviors.

Remediation Pain Points

Insider threats are costly to remediate because they are very difficult to detect. A thorough investigation often requires companies to hire forensic specialists to determine the extent of a breach. It is also challenging to distinguish malicious activity from regular day-to-day work. For example, users who have elevated access privileges interact with sensitive data as part of their normal jobs, so it can be virtually impossible to determine whether their actions are malicious or benign.

Users who have elevated access privileges often cover their tracks by deleting or editing logs, impersonating another user or using a system, group or application account; this is one reason audit logs should be forwarded promptly to a store that the monitored administrators themselves cannot alter. Proving intent is yet another pain point, since offending users may claim ignorance or human error.

Steps to Combat Insider Threats

Most organizations lack procedures to deal with internal threats. Moreover, traditional security architectures make little allowance for insider threats. Security infrastructures primarily aim to keep outside attackers from gaining entrance to the network undetected, operating under the false assumption that those who are granted internal access in the first place are trustworthy.

To properly account for and remediate insider threats, organizations must establish a comprehensive, risk-based security strategy that includes the following four elements:

1. Information Governance

It is of paramount importance to protect critical data assets from insider threats. Information governance provides business intelligence that drives security policies and controls. This improves risk management and coordination of information management activities. A solid information governance foundation enables organizations to adopt a risk-based approach to protecting their most valuable assets and installing sound data management procedures.

2. Advanced Forensic Data Analytics

User-based analytics are indispensable tools that provide detection and predictive measures to thwart insider threats. These solutions incorporate artificial intelligence and machine learning technologies that objectively analyze insider behaviors and generate risk rankings within the user population.
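To make the indicator list above and this UBA paragraph concrete, here is a small added example, not code from the original article or from any vendor product, that scores a constructed set of audit events against four of the listed indicators (off-hours activity, bulk copies to removable media, mail to personal domains, access to data areas outside the user’s role) and ranks users by aggregate risk. The event format, the role-to-data-area mapping, the thresholds and the weights are all assumptions chosen for illustration; a real program would derive them from the organization’s own logging, IAM and HR data, and a production UBA tool would replace the fixed weights with per-user baselines.

```python
"""Toy user-behaviour analytics over constructed audit events.

Added illustration only: scores each user against a handful of the
insider-threat indicators listed above and ranks the user population.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (not real data).
# Each record: (ISO timestamp, user, action, detail, bytes)
EVENTS = [
    ("2017-11-06T09:12:00", "alice", "file_read", "finance/ledger.xlsx", 20_000),
    ("2017-11-06T10:03:00", "alice", "email", "to=partner@example-vendor.com", 5_000),
    ("2017-11-06T14:40:00", "bob", "file_read", "hr/salaries.csv", 80_000),
    ("2017-11-06T23:15:00", "bob", "usb_copy", "hr/salaries.csv", 80_000),
    ("2017-11-07T00:02:00", "bob", "usb_copy", "finance/ledger.xlsx", 20_000),
    ("2017-11-07T00:10:00", "bob", "email", "to=bob.home@gmail.com", 120_000),
    ("2017-11-07T09:30:00", "carol", "file_read", "eng/design.pdf", 3_000),
]

# Hypothetical role-to-data-area mapping; a real deployment would pull this
# from the IAM system or HR records.
ROLE_AREAS = {"alice": {"finance"}, "bob": {"hr"}, "carol": {"eng"}}

PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
WORK_HOURS = range(7, 20)   # 07:00-19:59 counts as normal working hours (assumption)
BULK_BYTES = 50_000         # threshold for a "substantial" removable-media copy (assumption)

# Indicator weights: analyst-tuned assumptions, not figures from the article.
WEIGHTS = {
    "off_hours": 1,
    "usb_bulk": 3,
    "personal_mail": 3,
    "outside_role": 2,
}


def indicators(event):
    """Return the set of indicator names that a single event triggers."""
    ts, user, action, detail, nbytes = event
    hits = set()
    if datetime.fromisoformat(ts).hour not in WORK_HOURS:
        hits.add("off_hours")
    if action == "usb_copy" and nbytes >= BULK_BYTES:
        hits.add("usb_bulk")
    if action == "email":
        domain = detail.split("@", 1)[-1].lower()
        if domain in PERSONAL_MAIL_DOMAINS:
            hits.add("personal_mail")
    if action in ("file_read", "usb_copy"):
        area = detail.split("/", 1)[0]
        if area not in ROLE_AREAS.get(user, set()):
            hits.add("outside_role")
    return hits


def score_users(events):
    """Aggregate weighted indicator hits per user.

    Returns (scores, reasons): score per user, and the sorted list of
    distinct indicators that contributed to it.
    """
    scores = {}
    reasons = defaultdict(set)
    for ev in events:
        user = ev[1]
        scores.setdefault(user, 0)  # every observed user appears in the ranking
        for hit in indicators(ev):
            scores[user] += WEIGHTS[hit]
            reasons[user].add(hit)
    return scores, {u: sorted(r) for u, r in reasons.items()}


def rank_users(events):
    """Return (user, score, reasons) tuples, highest risk first."""
    scores, reasons = score_users(events)
    return sorted(
        ((u, s, reasons.get(u, [])) for u, s in scores.items()),
        key=lambda t: t[1],
        reverse=True,
    )


if __name__ == "__main__":
    for user, score, why in rank_users(EVENTS):
        print(f"{user:6} score={score:2} {', '.join(why)}")
```

On the constructed events, bob surfaces at the top of the ranking because a single bulk USB copy at night, a copy from a data area outside his role, and a large mail to a personal address stack up, while alice and carol score zero. The point of the weighting is the one made in the “Remediation Pain Points” section: any one of these actions can be legitimate, so the analyst looks at the combination per user rather than alerting on each event in isolation.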

3. Incident Response and Recovery

External and insider breaches each have their own nuances, but their impacts are similar, so both should be handled by the same response program built in anticipation of a major breach. Organizations must strive to build as strong an insider threat program as possible, and their incident response program must explicitly cover both internal and external breaches.

4. Legal Considerations

An insider threat program cannot be successful without careful legal and regulatory considerations. For example, privacy laws pertaining to employee monitoring vary across national boundaries. In the U.S., the Electronic Communications Privacy Act (ECPA) allows employers, under certain provisions, to monitor their employees’ emails and other electronic communications. Meanwhile, the member states of the European Union (EU), in compliance with the European Convention on Human Rights, adhere to privacy laws under the Data Protection Directive, which regulates how organizations within the EU process personal information.

A Cross-Organizational Challenge

Combating insider threats is an organizational issue that crosses people, processes and technology and requires a detailed understanding of the organization’s assets and security posture. It also demands a clear separation of duties, continuous monitoring of employee behaviors and a formal insider threat program that includes IT, human resources, legal and all other business groups. With the proper resources in place, a CISO can gather the actionable intelligence needed to thwart internal attacks and gain visibility into the highest-risk users.

George Moraetes

Source: https://securityintelligence.com/the-cisos-guide-to-managing-insider-threats/
