When it Comes to Cyber Risk, Execute or Be Executed!

Nestled in William Craig’s book Enemy at the Gates, which recounts World War II’s epic Battle of Stalingrad, is the story about a Soviet division that was plagued by failure in the face of the enemy. Desertions were rising, officers’ orders were not being followed, and the invading enemy was making gains. Faced with this calamitous condition, the regimental commander called the troops into formation and let them know that collectively, they were failing and would be held responsible. Then, in an outrageously cold manner, he walked through the ranks and summarily executed every 10th soldier until six soldiers lay dead on the field. He got their attention, and the unit was instrumental in the subsequent Soviet counterattack that led to victory against the Nazi invaders.

Obviously, I do not support such extreme and violent methods of accountability, yet the example does make you pay attention. As we grapple with today’s digital “enemy at the gates” or even the “enemy inside the gates,” the importance of accountability for failure to properly protect the information our national prosperity and security depends on has never been more important. Firing CEOs and CIOs is typically a public gesture enacted to diffuse blame rather than address the root causes. Sadly, accountability and ownership often are missing components in cyber strategies and risk management planning at a time when risks are ever-increasing. Therefore, it is critically important that all organizations better manage cyber risk by embracing a culture of accountability and ownership that guides the implementation of due care and due diligence measures.

I define due care as “doing the right things” and due diligence as “doing the right things right.” Unfortunately, I’ve found too many organizations where due care and due diligence are not occurring. For example, ask most cyber incident responders about the root cause of cyber incidents and they likely will sigh and point to the “usual suspects” – failure to patch, misconfigured systems, failure to follow established policies, misuse of systems, lack of training, etc. As someone who led incident responders in both military and civilian government organizations, I found one of the great frustrations of cyber professionals is when they see leadership ignoring or tolerating the so-called “usual suspects” and not holding people accountable for a glaring lack of due care and due diligence.

While many media reports these days focus on the very real and present threat of well-funded nation-state actors, I contend that the greatest cyber threat we all face is what I refer to as the “Careless, Negligent and Indifferent” in our own ranks. Failing to properly configure a system so that it exposes information to unauthorized personnel is an example of carelessness. Failing to patch critical vulnerabilities quickly or implement additional compensating controls until the patch is ready for promotion could be considered negligence. Failure by personnel indifferent about following established policies such as prohibiting password-sharing exposes organizations to increased cyber risk. While nation-state actors get all the hype, I contend that more than 95% of all cyber incidents are preventable and are the result of the Careless, Negligent and Indifferent in our own ranks. We should not accept this!

Do we need more legislation, regulation or policies to thwart the threat posed by the Careless, Negligent and Indifferent? Do we need to continue our habit of buying the next neat technology in hopes that its “silver bullet” defense will save the day? I don’t think so. I believe what is needed is to execute our existing policies better and hold those who do not follow those policies accountable. While we can’t eliminate our cyber risks, we certainly can reduce our risk exposure by executing our plans, policies and procedures with greater velocity and precision. When we do so, we are exercising due care and due diligence that protects our brands, reputations, customer data, intellectual property, corporate value, etc.

Accountability must be clearly defined, especially in strategies, plans and procedures. Leaders at all levels need to maintain vigilance and hold themselves and their charges accountable to execute established best practices and other due care and due diligence mechanisms. Organizations should include independent third-party auditing and pen-testing to better understand their risk exposure and compliance posture. Top organizations don’t use auditing and pen-testing for punitive measures, but rather, to find weaknesses that should be addressed. Often, they find that personnel need more training, and regular cyber drills and exercises to get to a level of proficiency commensurate with their goals. Those organizations that fail are those that do not actively seek to find weaknesses or fail to address known weaknesses properly.

Sound execution of cyber best practices buys down your overall risk. With today’s national prosperity and national security reliant on information technology, the stakes have never been higher.

Brigadier General, USAF (ret) Gregory Touhill, CISSP, CISM, Former US CISO, President, Cyxtera Federal Group

[ISACA Now Blog]

CYBERSECURITY HIRING – AN ISSUE FOR ALL

As cyber threats proliferate, organizations looking to fill cybersecurity vacancies need to take concrete steps to reboot recruiting and hiring efforts. Qualified candidates for cybersecurity jobs are scarce and getting scarcer, creating a challenge for companies to properly defend themselves against threats. By 2022, an estimated 1.8 million cybersecurity jobs will go unfilled, according to research by (ISC)2.

It’s a classic supply-and-demand challenge, with too many vacancies for too few candidates. Currently it takes 55% of organizations at least three to six months to fill a cybersecurity vacancy, and 32% spend even more time to find qualified candidates, ISACA has found. In the United States, 27% of companies say they cannot fill cybersecurity vacancies.

To reverse this trend, employers should work on offering attractive compensation packages and creating a career advancement path for qualified candidates. Cybersecurity workers are more likely to accept jobs with companies willing to invest in training and education to update their cybersecurity skills. And as revealed in a recent (ISC)2report, a greater investment in technology to protect against cyber threats also is needed, since 51% IT workers in charge of security fear their organizations aren’t prepared enough to respond to cyberattacks.

Employers also should work on expanding the talent pipeline, identifying candidates from other fields who can quickly adapt to the cybersecurity profession and stepping up recruitment efforts in demographics that traditionally have been underserved for cybersecurity work – millennials and women. Tapping these sizable talent pools could help reduce the skills shortage.

The State of Cybersecurity Employment

Skills gaps have persisted in the IT industry for decades; something industry trade organization CompTIA has sought to address along the way. At least eight in 10 of U.S. businesses feel adverse effects of this shortage, according to CompTIA. The problem is especially acute – and worrisome because of what’s at stake – in cybersecurity.

The U.S. Bureau of Labor Statistics estimates the number of IT security jobs is expected to have increased 18% by 2024, but as (ISC)2 has discovered, there will be nowhere near enough skilled candidates to fill those jobs. ISACA has found one in five organizations draw fewer than five candidates for each cybersecurity position.

Meanwhile, cyber threats get progressively worse, becoming more frequent and damaging. Studies suggest many organizations need to better prepare to address the cybersecurity challenge. For instance, a Crowd Research Partners study released in early 2017 shows 62% of respondents had moderate to no confidence in their security measures.

The Recruitment Challenge

What makes cybersecurity recruiting such a vexing challenge? It’s a confluence of factors:

  • Cybersecurity careers remain relatively novel. Most cybersecurity professionals (87%) start out in different work. A student envisioning a technology career is more apt to think about web or mobile app development, not protecting an organization from cyber attacks. However, this dynamic is changing rapidly as colleges expand their cybersecurity curricula, and the cybersecurity field matures.
  • Hiring practices are problematic. Admittedly, when demand far exceeds supply, even the best recruiters will struggle. That isn’t to say improvements are impossible. Protracted hiring processes can discourage jobseekers, who will find employment elsewhere. In a highly competitive market, hiring must be quick and efficient. Another issue is too often the people recruiting and hiring lack cybersecurity expertise, which can make it difficult to identify the right candidate.
  • Employers have unrealistic expectations. Employers need to make sure descriptions for cybersecurity positions accurately match the knowledge, skills and abilities the role requires. (ISC)2 research indicates this is an area for improvement, and the same is true of employers’ investment in training and certifications. Only about one-third of respondents (34%) said their company pays for all of their cybersecurity training.
  • Women are underrepresented. Female cybersecurity workers remain relatively rare. In North America, only 14% of the region’s cybersecurity professionals are women. That compares with 10% in Asia-Pacific, 9% in Africa, 8% in Latin America and 7% in Europe.
  • Millennials also are scarce. Millennials make up a small fraction of the cybersecurity job market. Millennials are a diverse group with a strong interest in training, mentorship and apprenticeships, areas in which too many of today’s budget-conscious employers could do a better job.

 

High Stakes

Solving the cybersecurity hiring challenge will take time and effort. In the short term, employers can make progress by adjusting their hiring expectations, streamlining the recruitment process and tapping underserved talent pools.

There’s a lot at stake because organizations need to protect their critical IT assets. As threats proliferate, new tools to combat those threats become available. Companies need to invest in those technologies and the people who run them. This is an ongoing endeavor, which will benefit from upfront investments in hiring and recruiting and in skills development for members of the cybersecurity team. Keeping the skills of cybersecurity workers up to date is essential to the execution of an effective cybersecurity strategy.

 

How to Attract Qualified Candidates

Successfully filling cybersecurity jobs in such a wildly competitive field takes a refined approach. Here are some recommendations for employers to follow during the recruitment process:

  1. Invest in training and certifications.

Investment in cybersecurity skills through training and certification benefits both the individual and the employer. The cybersecurity field is evolving rapidly to keep up with an ever-changing threat landscape, so security workers need ongoing training to update their skills. Training also has a positive effect on retention. Workers will be less tempted to seek employment elsewhere if they believe their current employers understand the importance of skills development.

  1. Offer career advancement.

Employees view career advancement opportunities as a reason to grow professionally with their employers.. That’s true of any field, including cybersecurity. Too often, employers resist advancing workers when they are doing a good job because they want to protect the organization. But this may have the effect of demoralizing employees who deserve to move up as well as those behind them who are ready take over their positions. Employers should offer advancement paths based on clearly defined achievements and goals, and make that known during the recruitment and hiring process.

  1. Engage cybersecurity workers in decision-making.

Employers are more likely to attract cybersecurity talent by correctly setting expectations and defining responsibilities. This means clearly articulating you recognize the role of cybersecurity professionals is primarily to advise senior management on how to minimize risk. (ISC)2 has found employers often ignore advice from workers in charge of IT security, with only about one-third (35%) of those workers saying management follows their advice. Employers should be realistic with cybersecurity jobseekers about the organization’s culture and willingness to accept advice, all of which directly contribute to the success of the cybersecurity program. Position the cybersecurity role as a valued contributor and advisor to leadership, but don’t oversell it.

  1. Fine-tune recruitment processes.

As already noted, protracted hiring processes discourage job applicants. Managers can improve the likelihood of hiring the best candidates by making a decision as quickly as possible, and not forcing candidates to wait for an answer for weeks or months. To streamline processes, HR and cybersecurity managers should work together to maintain a pool of resumes they can use when needing to fill a vacancy. In addition, keeping staffers with cybersecurity expertise involved in the hiring process is crucial to hiring the best-qualified candidates.

  1. Target untapped talent.

Millennials and women are a largely untapped talent pool for cybersecurity. Employers can get a jump on the talent market by reaching out to female and millennial candidates, both internally and externally. Another area worthy of exploring is to identify professionals in other fields, such as communications, accounting and law enforcement, who could easily adapt to cybersecurity work. The more diverse your cybersecurity team, the more likely it is to develop effective, innovative practices and approaches to the defense of your IT environment. Homogeneous teams tend to get stuck in repeating tired practices, sometimes even after those practices become ineffective.

  1. Partner with school districts and universities.

The IT industry – and by extension the cybersecurity field – can partly address skills gaps by forging partnerships with schools. Getting students interested in cybersecurity in their formative years is an investment in the future, and there are multiple ways to accomplish this:

  • Sponsor and participate in career days.
  • Offer internships and apprenticeships.
  • Actively participate in the educational process with guest lectures at local schools.
  • Sponsor field trips to data centers and other locations where students can meet cybersecurity workers.
  • Offer scholarships to deserving students, and target girls and other groups that are underrepresented in the industry. 
  1. Offer attractive compensation packages.

Competitive pay isn’t the only way to attract good talent – especially among millennials, who also put a premium on corporate values and career development. Still, compensation is a major factor. When talent is so scarce, employers may have no choice but to offer compensation above the average, coupled with an attractive benefits package and bonus schedule. Employers should also make it a practice to adjust compensation for existing cybersecurity staff to prevent poaching.

 

Competition for cybersecurity talent is fierce and will get more intense in years to come, as employers try to fill positions from a limited talent pool. In the meantime, cyber threats are likely to continue getting worse, adding pressure to fill vacancies. Organizations need to adopt hiring and recruitment best practices, promote from within when possible, and partner with educational institutions to find and develop cybersecurity talent. Hiring cybersecurity workers is a major challenge that shouldn’t be ignored because there’s so much at stake.

(ISC)² will soon have a report, based on survey research, on how job seekers – and those hiring – can come together to help mitigate the challenge of hiring in cybersecurity. Stay tuned!

[(ISC)² Blog]

IoT Security in Healthcare is Imperative in Life and Death

We go into the hospital with a great deal of trust. We trust that doctors will help us and potentially even save our lives. Beyond hospitals, there are not many places in the world where we are willing to do anything we are asked: take off our clothes, talk about our sex lives, etc.

Recent cyberattacks, such as WannaCry and NotPetya, put this trust into question. An increasing number of cybersecurity incidents have impacted many hospitals and made them unsafe. Not only was patient information stolen and privacy impaired, but, in some cases, the cyberattacks interrupted normal operations and services. In hospitals, that could mean life or death.

Over the last decade, the healthcare industry made significant progress on digital transformation. Patients’ healthcare records are online, test results and images are digitized, an increasing number of medical devices are connected, and medical equipment can be remotely monitored and maintained. This technology has brought tremendous improvements in efficiency and convenience to medical staff and patients alike, while helping reduce human errors and lower operational costs. At the same time, however, this high level of connectivity has created a much larger surface area for security risks. Because there are so many connected devices and a large variety of different types of connected devices, it is becoming increasingly difficult to completely secure all of them at all times.

Hackers can not only use these devices as stepping stones to access critical assets, such as patients’ healthcare records, they also can compromise these devices to cause physical harm and put people’s lives at risk. For example, we demonstrated in our research lab that we can hack into an infusion pump from a leading vendor to change the dosage of the medication that is going directly into a patient’s body. This dosage change alone could be fatal to a patient.

Mid- to large-size hospitals use hundreds, if not thousands of third-party products and services. Even if the hospital itself is secured, these third-party vendors can bring in lots of vulnerabilities. Each of these third parties also uses many more other external vendors. If any of those external vendors is affected, there could be a domino effect on the hospital’s security – yet another reason it is extremely challenging to secure a hospital and all its IoT devices.

Is there a solution? In many ways, an IoT system is very similar to the human body – a large and complex system that is always on. Let’s use a heart attack as an analogy. We all know that a heart attack can be catastrophic. Although a heart attack usually happens suddenly, the conditions that make it likely actually take days, months or even years to build up. If we could continuously, automatically and intelligently monitor the heart and body, we could detect early signs of problems and take preventive actions to avoid the heart attack.

Doctors detect and cure diseases through their detailed knowledge of different parts of our body and their functionalities. Surprisingly, we don’t have similar information on IoT networks. Most hospitals we have talked to don’t have up-to-date information about what types of IoT devices they have, much less how many of these devices are connected onto their networks. So, IoT device visibility is the first task for each organization. At any given time, we need to know which devices are connected onto the network – plus, what they are supposed to do and not supposed to do – and conduct real-time monitoring of their behavior for early detection of potential cyberattacks.

Yet another challenge beyond the number and varied types of devices: these devices get on and off the network dynamically. How do we handle a highly dynamic system of such large scale? Obviously, manual monitoring is not feasible. The key is to leverage artificial intelligence (AI) to identify and monitor devices automatically, so that we can further protect them – and the hospital and its patients – in the event of a cyberattack.

In summary, visibility and AI are the keys for IoT security in healthcare.

Dr. May Wang, Co-Founder and CTO, ZingBox

[ISACA Now Blog]

World Economic Forum Report Reinforces Rising Prominence of Cybersecurity

The recent Global Risks Report by the World Economic Forum offers the latest evidence that cybersecurity is rising among the top global risks. Cyberattacks are now the global risk of highest concern to business leaders in advanced economies. This reflects the inability of enterprises to keep pace with today’s challenging threat landscape, and points to an urgent need for increased prioritization of and investment in cybersecurity by executive leadership.

While a cyberattack does not qualify as a natural disaster – one of the other top risks identified in the Global Risks Report – large-scale cyberattacks are capable of devastating critical infrastructure in similar fashion. A cyberattack has the potential to disrupt many of the most essential aspects of our lives, from electric, gas and water utilities to banking and cellphone coverage.

It is evident that the status quo will not be sufficient if we are to expect a reasonable level of security in both our personal and professional lives. Society and enterprises will need to focus on resilience, both technological and human. While contending with threats may be inevitable, our ability to recover cannot be undermined. We will need to build real and virtual firebreaks to ensure critical infrastructure elements do not fall due to the domino effect of a potential collapse.

Systemic challenges and threats require systemic solutions. Enterprises must focus not just on providing the next big app or solution to customers, but also on educating customers about potential threats and actions that can be taken to prevent or address them. In this context, it was encouraging to see the World Economic Forum announce plans for a new Global Centre for Cybersecurity. Deeper collaboration between the public and private sectors – while also tapping into the knowledge base of global industry associations such as ISACA – must be part of any substantive solutions going forward.

The increasing cybersecurity challenges that accompany the expanding threat landscape also call for the constant skilling and re-skilling of the technology workforce. Enterprises must be more committed to investing in real-world training for their security teams that takes into account the most up-to-date threats and vulnerabilities. Why is it so necessary to develop a more robust, highly skilled cybersecurity and tech governance workforce? Consider several realistic possibilities that I suspect we could encounter as 2018 progresses:

  • At least half the global population could become victims of privacy breaches;
  • The Internet of Things will become the Internet of Threats. Smart appliances will be used to take privacy attacks to the next level. Your television, your refrigerator and your connected toothbrush will know more about you than any other human can;
  • The rise of superintelligent threats, driven by AI and machine learning;
  • The potential for swarm attacks by drones;
  • The first bioengineered hack of the human body.

These, and other technology-driven stress points, are unprecedented challenges that demand proactive defense strategies. Disruptive technologies have the potential to power our global economy in many promising and innovative ways, but we must nurture new and more collaborative solutions to ensure these technologies are implemented effectively and securely.

While cybersecurity rising on the list of top global threats can not be construed as good news, at least the global community has begun to recognize the scope of the challenge. Now, it is time to pull together as a global community and meet this challenge together.

R.V. Raghu, CISA, CRISC, ISACA board director and director of Versatilist Consulting India Pvt. Ltd.

[ISACA Now Blog]

Introducing ISACA’s GDPR Implementation Guide

The purpose of the General Data Privacy Regulation (GDPR) is to harmonize the data privacy regulations that each European Union member state implemented to comply with GDPR’s predecessor. GDPR provides a single, comprehensive regulation that is compulsory for all organizations processing the personal data of individuals living within the European Union.

The regulation becomes enforceable on 25 May 2018, after a two-year grace period to allow organizations to implement GDPR. GDPR substantially increases data subjects’ rights – and with penalties of up to 4% of gross turnover, the regulation has the potential to fundamentally change the way organizations view and process personal data. That said, the purpose of this blog post is not to tell you what GDPR is, who it will impact, nor to pour more oil on the fear-mongering flames. Over the past two years, most of us have seen more than enough of these types of articles from privacy experts. I am writing today to introduce ISACA’s new GDPR guide.

Six months ago, ISACA brought together a team of information technology, information security, audit and data privacy professionals from around the world to help develop a guide that provides a pragmatic approach to implementing GDPR in organizations large and small. This guide provides a comprehensive introduction to GDPR, along with a plan to help organizations implement a data privacy program that complies with GDPR requirements.

The guide also includes the available information from the Article 29 Data Protection Working Party (WP 29), which provides clarification on various topics covered in the regulation. WP 29 guidance, where available, has been included within ISACA’s GDPR guide. At 100 pages, the guide can be easily read in a weekend. It will serve as a handy guide both during the implementation of your data privacy program, as well as a solid reference during your day-to day-activities.

The guide provides advice on topics such as identifying and classifying personal data, data governance, information security, managing compliance in your supply chain, data breaches, employee awareness and more. The guide also includes several annexes that provide specific recommendations to help practitioners implement an effective and efficient data privacy program. Annex 1 is divided into nine domains that cover 46 processes organizations should implement as part of their GDPR programs. Annex 2 provides guidance on how to set up and manage the Data Privacy Impact Assessment (DPIA) process. Annex 3 provides a sample personal data register that must be created, maintained and readily available in the event of an audit. Throughout the document, we have defined common data privacy terminology and included a glossary of terms that we suggest you ensure are correctly used within your organization to avoid confusion.

The ultimate purpose of the guide is not simply to help organizations become GDPR compliant, but also to ensure the privacy of real people. To this end, we stress that the comprehensiveness of your data privacy program should be based on the risk to the subjects’ data that you hold and not solely on the risk to your organization.

ISACA’s GDPR Working Group believes that implementing GDPR will not only reduce the risks to your organization, partners and customers, but also has the potential to improve the effectiveness of your organization through the implementation of sound policies and processes. Many of us on the working group are privacy practitioners who will use the guide to help implement GDPR in our organizations. This will allow us to see first-hand what worked well and what could be improved. Stay tuned to this space, as we will provide regular updates as we count down to 25 May. Once we’ve received sufficient feedback, we will review and update the guide. In the meantime, we hope this guide is beneficial to you and your organization.

Scott Rosenmeier, CISA, CISM, CRISC, CGEIT, CISSP-ISSMP/ISSAP, TUEV SUED certified DPO (Germany), Senior Manager, Information Security

[ISACA Now Blog]

English
Exit mobile version