Preventing the Next Digital Black Swan: The Auditor, The CISO and The C-Suite

Their brand names are notorious in cybersecurity circles: Equifax, Uber, Maersk and Saudi Aramco. Each of these businesses suffered a big breach – cyber incidents that, together, affected many millions of customers. But it wasn’t only consumer data that was compromised; these companies took huge reputational hits as well. Today, all organizations live in fear of experiencing a similar “digital black swan” event and being made an example of by the media.

Understanding Digital Black Swans
Digital black swans presuppose two key characteristics. First, their impacts are catastrophic. For example, during the 2017 Equifax breach, hackers stole personal data from over 145 million Americans – nearly 44% of the US population. Equifax’s CEO, CIO, and CSO were all forced to resign. And the company is facing dozens of government investigations and hundreds of class-action lawsuits.

Digital black swans are not always limited to individual companies and their customers; sometimes, there can also be national or global impacts. During the 2012 Saudi Aramco cyberattack, three-quarters of the company’s hard drives were destroyed. Saudi Aramco sent representatives directly to computer factory floors in Southeast Asia to purchase 50,000 new hard drives – every single hard drive on the factory line. This constrained the global supply of hard drives, causing computer prices to spike.

The second characteristic of digital black swans is that they are unpredictable. The cyber event appears to come out of nowhere, catching companies by surprise. Consequently, organizations often don’t hold themselves accountable because they are under the false belief that there is nothing they could have done to prevent an attack of this nature.

Controlling Your Swans
On the surface, digital black swans may seem unforeseeable, but if you dig a little deeper, you’ll generally discover that many of these incidents could have been prevented. For instance, in the Equifax breach, hackers exploited a vulnerability that was publicly disclosed two months prior to the attack. If Equifax had installed the patch in a timely manner, this breach would likely have been prevented.

The key to preventing digital black swans is carefully putting critical controls in place. There are a number of controls that companies can use to reduce the odds of experiencing a major cyberattack. For example, Equifax suffered from faulty vulnerability management. The credit reporting company had ample time to install a routine security update that would have prevented the cyber incident.

Poor security practices at Equifax were systemic. Shortly after the breach, it was revealed that one of the company’s online employee portals could be accessed using the default credentials of “admin” as both the username and password. This simple negligence put millions of Americans’ data at great risk.

Likewise, Saudi Aramco, Uber, Maersk and even the Ukrainian power grid could have prevented their major cyber incidents – or at least drastically reduced the impacts of those attacks – with proper security controls in place.

Flying (In)Formation
Contrary to popular belief, cyber risk is not a nebulous concept. Cyber risk can be measured, and because it can be measured, it can be managed. Cyber incidents can be anticipated by using risk scenarios that quantify potential loss magnitude (such as business impacts). When organizations evaluate the variety of threats and potential success rates against the various assets they own, they can quantify the possible losses in these observed or contrived scenarios. As such, senior business leaders can prioritize the appropriate controls and countermeasures to ensure that their most valuable assets – their crown jewels – are properly protected.
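The paragraph above describes the method in words: enumerate threats against each asset, weight the loss magnitude by how often attempts occur and succeed, and let the resulting numbers decide which controls protect the crown jewels first. The following is an added example of that calculation, not code from the original article or from CyberVista. Every asset name, threat, dollar value, frequency, success rate, control cost and effectiveness figure in it is a constructed sample; a real organization would replace them with figures from its own asset inventory, incident history and threat data.

```python
"""Risk-scenario quantification for control prioritization.

Added example, not code from the original article. All figures below are
constructed, hypothetical samples.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    """One (asset, threat) risk scenario."""
    asset: str
    threat: str
    asset_value: float        # business impact if the asset is fully lost, in dollars
    annual_frequency: float   # expected attack attempts per year
    success_rate: float       # probability a single attempt succeeds, 0..1
    exposure: float = 1.0     # fraction of asset_value lost per successful attempt

    def loss_magnitude(self) -> float:
        """Single-event loss: what one successful attack costs."""
        return self.asset_value * self.exposure

    def expected_annual_loss(self) -> float:
        """Loss magnitude weighted by how often attempts occur and succeed."""
        return self.loss_magnitude() * self.annual_frequency * self.success_rate


@dataclass(frozen=True)
class Control:
    """A countermeasure with its annual cost and the scenarios it affects."""
    name: str
    annual_cost: float
    mitigates: Tuple[Tuple[str, str], ...]  # (asset, threat) pairs it addresses
    residual_factor: float                  # multiplier left on success_rate, 0..1


def apply_control(scenario: Scenario, control: Control) -> Scenario:
    """Return the scenario with the control's effect on success rate applied."""
    if (scenario.asset, scenario.threat) not in control.mitigates:
        return scenario
    return replace(scenario, success_rate=scenario.success_rate * control.residual_factor)


def total_expected_loss(scenarios: List[Scenario]) -> float:
    return sum(s.expected_annual_loss() for s in scenarios)


def crown_jewels(scenarios: List[Scenario]) -> List[Tuple[str, float]]:
    """Assets ordered by the expected annual loss they carry, highest first."""
    by_asset: Dict[str, float] = {}
    for s in scenarios:
        by_asset[s.asset] = by_asset.get(s.asset, 0.0) + s.expected_annual_loss()
    return sorted(by_asset.items(), key=lambda kv: kv[1], reverse=True)


def rank_controls(scenarios: List[Scenario], controls: List[Control]) -> List[Tuple[str, float, float]]:
    """Rank controls by expected loss avoided per dollar of annual cost.

    Returns (control name, loss reduction, reduction per dollar), best first.
    """
    baseline = total_expected_loss(scenarios)
    ranked = []
    for c in controls:
        mitigated = [apply_control(s, c) for s in scenarios]
        reduction = baseline - total_expected_loss(mitigated)
        ranked.append((c.name, reduction, reduction / c.annual_cost))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked


def select_within_budget(ranked, controls: List[Control], budget: float) -> List[str]:
    """Greedy pick of best-value controls until the annual budget is spent."""
    cost = {c.name: c.annual_cost for c in controls}
    chosen, spent = [], 0.0
    for name, _reduction, _per_dollar in ranked:
        if spent + cost[name] <= budget:
            chosen.append(name)
            spent += cost[name]
    return chosen


# Constructed sample data (hypothetical values, not from any real organization).
SAMPLE_SCENARIOS = [
    Scenario("customer-pii-db", "unpatched-web-app-exploit", 50_000_000, 12, 0.05),
    Scenario("customer-pii-db", "default-credentials-portal", 50_000_000, 4, 0.25, exposure=0.2),
    Scenario("build-servers", "ransomware", 2_000_000, 6, 0.25),
    Scenario("marketing-site", "defacement", 100_000, 24, 0.30),
]

SAMPLE_CONTROLS = [
    Control("patch-within-sla", 400_000, (("customer-pii-db", "unpatched-web-app-exploit"),), 0.10),
    Control("credential-hardening", 50_000, (("customer-pii-db", "default-credentials-portal"),), 0.05),
    Control("offline-backups", 150_000, (("build-servers", "ransomware"),), 0.50),
    Control("marketing-waf", 120_000, (("marketing-site", "defacement"),), 0.20),
]

if __name__ == "__main__":
    print(f"Baseline expected annual loss: ${total_expected_loss(SAMPLE_SCENARIOS):,.0f}")
    for asset, loss in crown_jewels(SAMPLE_SCENARIOS):
        print(f"  {asset:<20} ${loss:,.0f}")
    ranked = rank_controls(SAMPLE_SCENARIOS, SAMPLE_CONTROLS)
    for name, reduction, per_dollar in ranked:
        print(f"  {name:<22} avoids ${reduction:,.0f}/yr  ({per_dollar:.1f}x cost)")
    print("Within $500k:", select_within_budget(ranked, SAMPLE_CONTROLS, 500_000))
```

The point the numbers make is the one the article makes in words: on the constructed data the customer database carries almost all of the expected loss, and the cheapest control (removing default credentials) returns far more avoided loss per dollar than the expensive one, so it is funded first even though patching avoids more loss in absolute terms. Ranking by loss avoided per dollar rather than by loss avoided alone is a design choice; an organization with a hard ceiling on acceptable loss for a single asset would rank differently.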

Cybersecurity matters affect many areas of an organization, and thus involve people in an array of positions: auditors, CISOs, senior officers, etc. Though each of these roles has different responsibilities, they share a common mission: keeping the company safe from cyber threats. Cybersecurity is a true team sport. And like all team sports, one of the keys to success is effective communication. IT auditors need to look across the organization to ensure it is in compliance with any regulations, as well as to identify potential areas of weakness and to convey new requirements and recommendations to the CISO or other information security managers. CISOs need to work within their budgets to protect their enterprise from cybersecurity risks, while balancing the need to keep the organization fluid and functioning. There are several resources available that can help senior executives and other business leaders manage and oversee cyber risk, such as CyberVista’s Resolve Program. Furthermore, CISOs need to communicate this risk to executives and the board by explaining cybersecurity issues in business terms; they need to translate bits and bytes into dollars and cents. And conversely, business executives need to overcome their technophobia, become more informed on cyber risk issues, and prioritize and manage that risk as an enterprise risk.

Editor’s Note: Jeff Welgan will present on this topic at the 2018 Governance, Risk and Control Conference, to take place on 13-15 August in Nashville, Tennessee, USA.

Jeff Welgan, Head of Executive Training Programs, CyberVista

[ISACA Now Blog]

IS THE CISO WELL POSITIONED TO MITIGATE OPERATIONAL RISK?

by Tamer Gamali, CISSP, CISO Mashreq Bank, and member of the (ISC)² EMEA Advisory Council

Is the CISO well positioned to mitigate operational risk? (ISC)² will be asking this probing question of security leaders at the kick-off session for Infosecurity Europe’s Leaders Programme in London next month. A round table discussion conducted under the Chatham House Rule, the session creates an opportunity to offer up frank comment and illuminate the challenges currently hampering companies from appreciating and truly gaining control of cyber risks. Infosecurity Europe’s Leaders Programme is open to CISOs and Heads of Information Security, who are the final decision-makers and budget holders for information security in end-user organisations, making this a bespoke session for those charged with managing the risks. It’s also a continuation of a discussion we started in Abu Dhabi at Infosecurity Middle East in March, which proved to be very enlightening.

We had 10 participants sitting around the table in Abu Dhabi, all with CISO-level responsibilities representing government, at city and national levels, small companies and larger corporations. Overall, the group confirmed a persistent governance challenge when it comes to mitigating cyber security risk, despite the acknowledgement of a National Framework and/or documented company policy and procedures. Understanding what should be done, it seems, is proving not enough: organisations must also build in the motivation and influence across their management structure to get it done.

The group confirmed, for example, that the status of a project or its business owner is more likely to determine whether it goes forward without sign-off from the security experts than the understood risks. In all cases, participants felt they couldn’t always put their hand up and highlight concerns, even when there was a security governance committee in place: if a project was considered critical or high-profile, the chief motivation is to deliver, making it likely to move ahead into production with the risks logged in a risk register. The group also revealed that increasing levels of risks logged in this way were being realized within months.

Clear lines of accountability proved to be another concern. Participants noted the existence of many consultants and recommenders, but very few approvers in the security and risk governance process. In the best-case scenario, particularly within government, a governance committee will have authority to veto acceptance of risk by a business owner, yet the veto occurring will still be determined by the criticality of the project, not necessarily the level of risk. Further, all described an unhealthy relationship with auditing grounded in the belief that auditors are biased to find something wrong rather than contribute to development, while traditional auditors lack the skill needed for cyber.

Overall, the group concluded that there is no single model for security governance, including the auditing stages, but there are some intangible yet clear shortcomings that must be recognised and accepted. Ensuring the right level of influence and a healthier balance of considerations is needed. Regulators are recognising this and some, including within the UAE, are requiring the appointment of a CISO accountable for regularly updated plans within particular sectors. Clearly, greater visibility and co-ordination of the overall risk will be required if CISOs, and the organisations that appoint them, are going to live up to the expectation. Frameworks, best practice and policies must be backed up by a process to document that they have been followed and best efforts made.

As a Chief Information Security Officer (CISO) based in Dubai with over 12 years working in this capacity within financial services, and a volunteer member of (ISC)²’s EMEA Advisory Council, I am keen to help companies develop a deeper understanding of how operational risks are evolving with cyberthreats. As every company marches toward its own digital agenda, I believe that the CISO will increasingly play a strategic, not just supporting, role. A well-positioned, business-aligned CISO can help align corporate priorities so that security issues can be properly addressed as companies increase their dependency on technology and, therefore, the capacity to address the risks properly.

I look forward to continuing and sharing more insights from the discussion in London, June 5 at 10:30am. To join us, qualifying Infosecurity Europe delegates must register for a Leaders Pass, which also gives them access to a Leaders Lounge and networking opportunities, in addition to the round tables. Learn more, and register to join us.

[(ISC)² Blog]

Should CISOs Expand Their Portfolios?

CISOs have traditionally focused on the triad of “Confidentiality, Integrity and Availability.” Recently, emphasis has been placed on confidentiality, hackers and zero-day attacks. However, industry trends now require that focus to broaden to all business information risks within organizations.

Since information is a key part of almost all business transactions, information risks are becoming pervasive. The trends I want to highlight include increased need for Security departments to partner with business colleagues to understand risks from their point of view, and increased importance of integrity and availability.

Integrity
In my mind, integrity issues go back to the ChoicePoint data breach in 2005. This breach did not result from a zero-day attack. It was carried out by fraudulent customers using fake accounts. This falls under the “data integrity” mandate. At the time, many would have thought that this breach was outside of the scope of information security. But this needs to change today.

Such incidents have taken off in recent years. Fake news incidents have regularly made headlines. The potential effects of fake information on SEO results also have been highlighted. Consider the reports of identity “theft” using synthetic identities. Or the recent scandal at Kobe Steel over the internal falsification of quality data.

After the Yahoo breaches cost that company US $300M, cybersecurity assessments have become a more important part of M&A transactions. This type of assessment has to mitigate business risk. Is the firm’s risk posture what it says it is? Class action lawsuits in the state of Michigan for faulty software algorithms bring up another information business risk. Software development errors may have real human life consequences as well as business consequences.

Availability
In the recent volatile financial market, several investment firms suffered outages, even in our era of scalable, virtualized application architectures. Ransomware attacks last year led to real money being lost from victims, not from ransoms, but from outages. The largest ever DDoS attack recently was reported. These attacks are likely to continue to be common.

Confidentiality
This is still an important issue, but the diversity of incidents is increasing. An ex-Expedia employee pleaded guilty to stealing company information to facilitate his insider trading of company stock. Better keyless entry systems now facilitate faster theft by car thieves, not just theft of information. In 2016, steelmaker ThyssenKrupp lost trade secrets to cyber criminals. A large retailer recently was hit with a $27 million fine for stealing a small contractor’s intellectual property. Instead of just stealing IDs, criminals are now stealing whole systems and the intellectual property that goes along with those systems.

These incidents highlight newer ways to misuse information resources and adversely affect a business. More longstanding hacker attacks using technology are not going away; traditional technology controls are still needed to mitigate these risks and significant progress has been made in doing so. But these newer incidents highlight threats in which the misuse case and consequences are highly entwined with the business. To find these risks, CISOs will need, more than ever, to understand the business they are protecting and the risks that are seen by senior management. Security controls will need to be more integrated in business operations to be effective.

A recent presentation by Facebook CISO Alex Stamos also highlighted these issues. In his talk, Stamos distinguishes between two components of technology risk: traditional InfoSec and “abuse.” He defines abuse as “technically correct use of a technology to cause harm.” In his view, the abuse category of risk is much broader than the traditional InfoSec concerns. Some of his solutions to better manage the abuse category of risk include broadening the focus of security practitioners and increasing empathy toward business users and leaders.

My own conclusion is: if the issue involves company information, and misuse can affect the company’s risk posture, then CISOs need to play an active role in mitigating that risk.

Frederick Scholl, Ph.D., CISM

[ISACA Now Blog]

The Cybersecurity Canon – CISO: Desk Reference Guide; A Practical Guide for CISOs Volume 2

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

 

Executive Summary

I recommend “CISO: Desk Reference Guide; A Practical Guide for CISOs volume 2” be included in the Cybersecurity Canon Hall of Fame candidate list alongside its first volume companion. These two books will provide any CISO – newbie or ragged veteran – the reference material to build and improve their security programs. The authors present the essentials and represent the perfect example of what a desk reference guide should be: a collection and starting point for topics that all current and aspiring CISOs should know about. The content may not be the final word on many of these subjects, but it is a fantastic place readers can start to think about their own ideas regarding what the role of a CISO is and will be in the next decade. Where they take that knowledge from there is on them.

 

Introduction

Full disclosure: I have known Gary Hayslip, one of the three authors of this guide, for a number of years. He is a no-nonsense network defender, and his wisdom expressed at the various security conferences we all attend has been, in many cases, the sole reason to go. He brings that same sensibility to volume two of the CISO’s Desk Reference Guide. Gary and his fellow authors, Bill Bonney and Matt Stamper, published volume one back in 2016; and Canon Committee member, Ben Rothke, recommended it as a Cybersecurity Canon Candidate at the end of last year. Rothke said that the book is “an excellent example” of what a desk reference guide should be: a collection and starting point for topics that all current and aspiring CISOs should know about. It may not be the final word on many of these subjects, but it is a fantastic place to start so that readers can begin thinking about and developing their own ideas regarding what the role of a CISO is.

 

Topics Covered

In volume one, they specifically covered these topics:

  • Office of the CISO organization
  • Policy and audit
  • Information classification
  • Third-party risk
  • Metrics
  • Board management
  • Risk management
  • Tools

For this volume, the authors complete the picture by including:

  • Finding talent
  • Cyber awareness training
  • Basic cyber hygiene
  • Monitoring
  • Threat intelligence
  • Continuity planning
  • Incident response
  • Recovery
  • Forensics
  • Strategic planning

 

This is not a book you read cover-to-cover; rather, you have it on your desk to refer to when you need a pointer or two. When I was in the U.S. Army, we called these things our “smart books,” and they contained bits and pieces of knowledge that we learned through the school of hard knocks. The best thing about these volumes is that you have three seasoned professionals giving us their notes so that we don’t have to go through the pain of discovery ourselves.

 

Picking Some Nits

As with any reference book on a topic as complex as this one, there are a few things here that might have used more detail or I felt didn’t explore certain sides of an issue.

In the talent section, the authors rightfully point out that there is a giant shortfall of qualified personnel for the over 2 million open positions in the industry today. Their general suggestions about how to fill your open positions are spot on. I was disappointed that they did not mention the diversity issues also prevalent in our industry. Minorities and women are severely underrepresented, and whatever your strategy is to hire for your team, it had better include a healthy dose of diversity and inclusion.

In the hygiene section, the authors make the case that the basic, common-sense actions organizations take to protect themselves will go a long way toward preventing cyber adversaries from being successful. I was disappointed that they did not discuss the recent DevOps or DevSecOps movement, whereby the entire community is moving toward automating these kinds of hygiene items.

In the threat intelligence section, the authors do a good job of defining what threat intelligence is; how it is not one-size-fits-all; and that you have to build the kind of intelligence your organization needs based on your culture, your senior leadership’s desires, and what you think are the basic intelligence needs for your organization. They lay out the benefits of information sharing and describe a number of potential sharing organizations that any CISO might consider joining. I was pleased to discover a mention of the Palo Alto Networks open source intelligence sharing tool, MineMeld, that organizations can use to connect to one API, collect and reformat information, and redirect it to another API. But I was disappointed that they did not describe the intelligence life cycle. For any intelligence program to be effective, intelligence professionals continuously work their way through a four-stage cycle.

First, they define the CEO/CSO Information Requirements (CIRs). These are the high-level questions the leadership wants the intelligence team to work on. Second, they evaluate their sources of information through the lens of “can the intelligence team answer the CIRs.” If they can, fine. If they can’t, they need to seek additional intelligence sources. Third, they need to transform the raw information into intelligence reports. This is the actionable intelligence that you have heard everybody in our industry talk about. Lastly, they have to deliver those reports to the right customers to take action.

 

Conclusion

Like I said, I’m just picking some nits. I recommend that this book be included in the Cybersecurity Canon Hall of Fame candidate list, along with its first volume companion. These two books, alongside a Hall of Fame winner, “Winning as a CISO,” by Rich Baich, will provide any CISO, newbie or ragged veteran, the reference material to build and improve their security programs. All three books represent a block of material that is a great place to start. The block is not complete by any means. If it were, it would be over a thousand pages long and instantly out-of-date the day the authors published it. To misquote Ferris Bueller, “[Things] moves pretty fast. If you don’t stop and look around once in a while, you could miss it.” But these books present the essentials. Where you go from there is on you.

 

References

“The Cybersecurity Canon – CISO Desk Reference Guide: A Practical Guide for CISOs Volume 1,” book review by Ben Rothke, 28 December 2017, last visited 14 March 2018,

https://researchcenter.paloaltonetworks.com/2017/12/cybersecurity-canon-review-ciso-desk-reference-guide-practical-guide-cisos/

 

“Winning as a CISO,” book review by Rick Howard, 12 January 2015, last visited 14 March 2018,

https://researchcenter.paloaltonetworks.com/2015/01/cybersecurity-canon-winning-ciso/

[Palo Alto Networks Research Center]

CISO VS. CIO: TURF WAR CASTS SHADOW CYBERSECURITY

By David Shearer, CISSP, CEO (ISC)² 

I was recently reading an article by my colleague, ISACA CEO Matt Loeb, that got me thinking. In his piece, Creating cyberculture, Matt creatively reworks the “cybersecurity is everyone’s responsibility” mantra with his seatbelt analogy. While I certainly applaud any effort to create an inclusive cybersecurity culture – and Matt has some great suggestions on how to do so – I believe most organizations simply are not ready. To build on Matt’s seatbelt analogy, we’re buckling ourselves into a car seat that’s not yet bolted to the frame.

Let me explain. We still have a great deal of work to do at the operational levels of most organizations that stems from a fair amount of US vs. THEM within IT/ICT and cybersecurity teams, often fueled by top-level conflict between CIOs, CTOs and CISOs.

There, I said it. I don’t draw attention to it easily or carelessly. I say this based on my own experience and the experience of those I have mentored over the years. In far too many organizations, cybersecurity remains a poorly defined discipline with unclear boundaries and areas of responsibility. Despite these organizational headwinds, IT/ICT and cybersecurity professionals are doing their best every day to keep businesses moving, minimize risk and secure their data. I like to call this unofficial collaboration at the operational levels Shadow Cybersecurity.

While the concept of Shadow IT is by and large interpreted negatively, I view Shadow Cybersecurity in a positive light. Throughout my career in IT leadership positions, I was no stranger to hunting down rogue IT efforts in the shadows of the organization that ran counter to our enterprise architecture, policies, standards and procedures. These Shadow IT challenges remain today, and frequently occur when IT is viewed as unresponsive or not fast enough in delivering on business and mission requirements. This is not unlike the perception that cybersecurity slows progress and too frequently says ‘no.’ IT/ICT and cybersecurity face the same challenge in that they are often viewed by others in the organization as inhibitors vs. enablers.

Admittedly, I’m a bit old school. I came up during a time when cybersecurity was under the umbrella of Information Assurance, along with information security versus the all-encompassing definition of cybersecurity that’s evolving today. However, contrary to what my wife might say, I’ve learned to adapt to the perpetual naming convention changes. So at the risk of demonstrating unbounded hypocrisy, I’d like you to consider the concept of Shadow Cybersecurity.

Those of us who came up through the Information Resources Management (IRM), CIO and CTO ranks had some level of cyber, information, software and infrastructure security responsibilities that were inherent to our area of responsibility. Today, the IT/ICT workforce still retains what I’ll refer to as collateral cybersecurity responsibilities. IT/ICT staff are still responsible in many organizations for hardening mobile devices, laptops, storage devices and servers that are on premise and in the cloud under Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) cloud deployments. IT/ICT workers may never be interested in or consider themselves cybersecurity professionals, but it’s likely for the foreseeable future that IT/ICT workers will continue to be the unofficial force multiplier for the CISO function. They often turn the nuts and bolts of the organization’s cybersecurity policy, standards and procedures, whether they get credit for it or not.

For the purposes of this discussion, I’m referring to this type of workforce multiplier effect that IT/ICT can have on enterprise cybersecurity as Shadow Cybersecurity. In this case, these IT/ICT workers have not gone rogue, working in the shadows without oversight. They represent a hardworking community that cannot be overlooked by CISOs. They may never work for the CISO; they may never consider a pure-play cybersecurity position; but they can contribute, and often are contributing, in positive ways to the overall enterprise security posture.

Providing serious education and certification opportunities for these individuals can help establish a lexicon of understanding and best practices that build bridges and can lead the operational areas of an organization toward the cybersecurity culture Matt describes. In my view, IT/ICT has and will continue to cast a long shadow. With the right leadership and unified perspective, these resources can have a very positive effect and compounding impact on securing the enterprise.

Whether you’re an IT/ICT professional or a pure cybersecurity professional, I believe we all hope for the cybersecurity culture that Matt describes. However, I think we tend to focus too much on getting upper management, the C-suite and the board of directors on board. We still need to continue to actively improve the relationship between CIO and CISO functions. Granted, sometimes the CISO works for the CIO, and I have heard of arrangements that are working. More often than not, I hear there are still relationship management and turf challenges. Do we really find that surprising? Was it surprising when the CIO positions started to emerge in organizations in the 1990s and the challenges of getting the right line authority surfaced? Are we surprised that the CISO role is still often too far down the organizational chart to have the authority needed? Will the CISO ever have the type of carte blanche authority they feel they need? Arguably not; so, like the evolution of the CIO, the CISO needs to build rapport and find ways to advance the organization’s cybersecurity program. It may happen in some organizations, but it’s unlikely in my view that the CISO will ever have line authority over all IT/ICT resources. Consequently, the concept of Shadow Cybersecurity is one a CISO should consider embracing and leveraging. Doing so can provide for the force multiplier effect that I’ve described. Granted, some organizations are already on their way, but others are just scratching the surface.

That’s my attempt to shine some light on the concept of Shadow Cybersecurity as an organizational dynamic that, if treated properly, can have a positive impact on an organization’s cybersecurity operational readiness and culture. Establishing a common lexicon and best practices between CISO and CIO resources is paramount. For practitioners, working in the shadows isn’t always a bad thing. Sometimes it means you’re providing complementary, but sometimes unrecognized, contributions to something inherently bigger than self, like cybersecurity. To all the IT/ICT professionals providing Shadow Cybersecurity in accordance with best practices, thanks for your contributions to a safe and secure cyber world.

Please stay the course, but until we address these issues, you may need more than a seatbelt for this thrill ride. Sometimes it takes someone to call out the “elephant in the room” issue to evoke positive change. That’s my hope.

[(ISC)² Blog]
