Attacks/Breaches

12/1/2015
10:30 AM
Tom Kellermann
Tom Kellermann
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

How CISOs Can Change The Game of Cybersecurity

In the modern enterprise, chief information security officers need a broad mandate over security and risk management across all operational silos, not just the datacenter.

As data breaches continue to escalate, organizations, regardless of size or industry, need a new mindset to rise to the pervasive challenge of cybercrime and cyber espionage. Despite the fact that the FBI claims that their number one criminal priority is cybercrime, less than five percent of computer intrusions are successfully prosecuted, according to the Department of Justice and FBI. With jail time and other penalties few and far between, corporate decision makers are on their own when it comes to protecting corporate reputations, intellectual property, finances, and customers.

Facing this challenge boils down to risk management and financial investment. But with only 8 cents of every corporate IT dollar allocated towards security, the current picture isn’t reassuring, especially given the hostility and unregulated nature of cyberspace. Worse, today’s security investment deficit is jeopardizing corporate brands and exacerbating their risk of serious reputational damage.

Board-level mandate beyond the datacenter
Typically, organizations serious about cybersecurity appoint chief information security officers (CISOs) to lead the charge. Historically, a CISO answers to the chief information officer (CIO). The problem with this model is that the CIO role is similar to that of a football offensive coordinator, a position that is concerned primarily with increasing efficiencies, access, and resiliency within the IT realm.

While important, none of these elements aid the CISO, (continuing our football analogy, the defensive coordinator), whose principal job is to improve security and risk management across all operational silos within the enterprise. From a governance perspective, the CISO needs a broader mandate than that of a defensive coordinator, a mandate befitting an executive with more far-reaching responsibilities and reporting to the COO or CEO.

In the modern enterprise, all corporate leaders should be held accountable for their cybersecurity posture, even though their position might be far from managing the datacenter. For instance, chief marketing officers are typically focused on the actual use of the Web, such as email campaigns, mobile app development, website updates, blogs and search engine optimization. Even though these responsibilities may seem like strictly promotional endeavors, they can leave the door open for malware or other cyberattacks against unsuspecting customers’ systems. It’s not a good outcome for the company or the constituency.

Preventing the systemic spread of malware
Malware infections often times migrate from one part of the enterprise to the other, even from a third-party partner. Once a network is compromised, an attack can become widespread throughout the entire IT infrastructure supply chain in a practice known as “island hopping.” A classic example of island hopping was the infamous Target breach, which ultimately resulted in the resignation of both the CEO and CIO. A holistic mentality toward cybersecurity will mitigate the systemic risk of the spread of threats across an IT infrastructure.

The subsequent investigation at Target also revealed that thieves had infiltrated a third-party vendor to steal the retail giant’s credentials. The result? Cybercriminals successfully gained access to approximately 40 million customer credit cards, potentially affecting more than 100 million individuals. The repercussions are still being felt throughout the retail sector today.

As Target shows us, third-party partnerships are another overlooked aspect of many security strategies – strategies that demand attention and support from the corporate leadership team to be effective. Organizations looking to strengthen security should examine the policies of their partners -- including law and accounting firms -- particularly if a company is publicly traded. These partners have access to sensitive information that make very attractive targets.

A new level of safety in the digital world
For two decades, corporate focus has predominantly been on cutting cost, improving access and increasing efficiencies to goods and services. The same commitment should now transition to policies that make customers, partners and investors feel safe in the digital world created for their convenience. Just as a customer at a shopping center should expect a level of safety from the landlord and retailers, an online environment should have the same trust factor.

To accomplish this, a concerted effort should be made to elevate cybersecurity to an operational and reputational risk management priority. It is the obligation of boards of directors to improve oversight and governance for cybersecurity. This translates to analyzing investment strategies regarding information technology, cybersecurity and drastically improving training in order to stay ahead of sophisticated cybercriminals.

The Internet is not a comforting environment. Proper due diligence of cybersecurity is not only a risk management function but also a reality of modern-day brand protection.

 

Tom Kellermann is the chief cybersecurity officer for Carbon Black Inc. Prior to joining Carbon Black, Tom was the CEO and founder of Strategic Cyber Ventures. On January 19, 2017 Tom was appointed the Wilson Center's Global Fellow for Cyber Policy in 2017. Tom previously ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
UlfM645
50%
50%
UlfM645,
User Rank: Apprentice
12/2/2015 | 2:59:26 PM
Data-centric
Antivirus software is falling behind the bad guys. I think the situation with the Target breach is very concerning that even if malware is detected it could be hard to notice in all the noise from different detection systems. This picture is not improving according to the two most recent Verizon reports that concluded that less than 14% of breaches are detected by internal security tools. Detection by external third party entities unfortunately increased from approximately 10% to 25% during the last three years.

We are wasting lot of money on firewalls and network perimeter security, things that make us feel safe but don't address real problems. Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber-attacks. According to the survey database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security.

Ponemon concluded that "This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification."

I found good guidance in a recent report from Gartner. The report analyzed solutions for Data Protection and Data Access Governance and the title of the report is "Market Guide for Data-Centric Audit and Protection." The report concluded that "Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act."

The attackers are increasingly focused on stealing our sensitive data and will always look for the next path to attack the data. So we urgently need to secure the sensitive data itself with modern data security approaches.

I read an interesting report from the Aberdeen Group that revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure than tokenization non-users". The name of the study is "Tokenization Gets Traction".

Ulf Mattsson, CTO Protegrity

Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9978
PUBLISHED: 2019-03-24
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
CVE-2019-9977
PUBLISHED: 2019-03-24
The renderer process in the entertainment system on Tesla Model 3 vehicles mishandles JIT compilation, which allows attackers to trigger firmware code execution, and display a crafted message to vehicle occupants.
CVE-2019-9962
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to VCRUNTIME140!memcpy.
CVE-2019-9963
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlFreeHeap.
CVE-2019-9964
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlpNtMakeTemporaryKey.