Attacks/Breaches
12/1/2015 10:30 AM
Tom Kellermann
Commentary

How CISOs Can Change The Game of Cybersecurity

In the modern enterprise, chief information security officers need a broad mandate over security and risk management across all operational silos, not just the datacenter.

As data breaches continue to escalate, organizations, regardless of size or industry, need a new mindset to rise to the pervasive challenge of cybercrime and cyber espionage. Although the FBI says cybercrime is its number one criminal priority, less than five percent of computer intrusions are successfully prosecuted, according to the Department of Justice and the FBI. With jail time and other penalties few and far between, corporate decision makers are on their own when it comes to protecting corporate reputations, intellectual property, finances, and customers.

Facing this challenge boils down to risk management and financial investment. But with only 8 cents of every corporate IT dollar allocated towards security, the current picture isn’t reassuring, especially given the hostile and unregulated nature of cyberspace. Worse, today’s security investment deficit is jeopardizing corporate brands and exacerbating their risk of serious reputational damage.

Board-level mandate beyond the datacenter
Typically, organizations serious about cybersecurity appoint chief information security officers (CISOs) to lead the charge. Historically, a CISO answers to the chief information officer (CIO). The problem with this model is that the CIO role is similar to that of a football offensive coordinator, a position that is concerned primarily with increasing efficiencies, access, and resiliency within the IT realm.

While important, none of these elements aid the CISO (continuing our football analogy, the defensive coordinator), whose principal job is to improve security and risk management across all operational silos within the enterprise. From a governance perspective, the CISO needs a broader mandate than that of a defensive coordinator, a mandate befitting an executive with more far-reaching responsibilities and reporting to the COO or CEO.

In the modern enterprise, all corporate leaders should be held accountable for their cybersecurity posture, even though their position might be far from managing the datacenter. For instance, chief marketing officers are typically focused on the actual use of the Web, such as email campaigns, mobile app development, website updates, blogs and search engine optimization. Even though these responsibilities may seem like strictly promotional endeavors, they can leave the door open for malware or other cyberattacks against unsuspecting customers’ systems. It’s not a good outcome for the company or the constituency.

Preventing the systemic spread of malware
Malware infections often migrate from one part of the enterprise to another, or even in from a third-party partner. Once a network is compromised, an attack can spread throughout the entire IT infrastructure supply chain in a practice known as “island hopping.” A classic example of island hopping was the infamous Target breach, which ultimately resulted in the resignation of both the CEO and CIO. A holistic mentality toward cybersecurity will mitigate the systemic risk of threats spreading across an IT infrastructure.

The subsequent investigation at Target also revealed that thieves had infiltrated a third-party vendor to steal the retail giant’s credentials. The result? Cybercriminals successfully gained access to approximately 40 million customer credit cards, potentially affecting more than 100 million individuals. The repercussions are still being felt throughout the retail sector today.

As Target shows us, third-party partnerships are another overlooked aspect of many security strategies, and they demand attention and support from the corporate leadership team to be secured effectively. Organizations looking to strengthen security should examine the policies of their partners, including law and accounting firms, particularly if a company is publicly traded. These partners have access to sensitive information, which makes them very attractive targets.

A new level of safety in the digital world
For two decades, corporate focus has been predominantly on cutting costs, improving access to goods and services, and increasing efficiencies. The same commitment should now transition to policies that make customers, partners and investors feel safe in the digital world created for their convenience. Just as a customer at a shopping center should expect a level of safety from the landlord and retailers, an online environment should have the same trust factor.

To accomplish this, a concerted effort should be made to elevate cybersecurity to an operational and reputational risk management priority. It is the obligation of boards of directors to improve oversight and governance for cybersecurity. This translates to analyzing investment strategies for information technology and cybersecurity, and to drastically improving training, in order to stay ahead of sophisticated cybercriminals.

The Internet is not a comforting environment. Proper due diligence of cybersecurity is not only a risk management function but also a reality of modern-day brand protection.


Tom is a cyber intelligence expert, author, professor, and leader in the field of cybersecurity. Having held a seat on the Commission on Cyber Security for the 44th President of the United States and serving as an advisor to the International Cyber Security Protection ...

Comments
UlfM645
User Rank: Apprentice
12/2/2015 | 2:59:26 PM
Data-centric
Antivirus software is falling behind the bad guys. I think the situation with the Target breach is very concerning: even if malware is detected, it could be hard to notice in all the noise from different detection systems. This picture is not improving according to the two most recent Verizon reports, which concluded that less than 14% of breaches are detected by internal security tools. Detection by external third-party entities unfortunately increased from approximately 10% to 25% during the last three years.

We are wasting a lot of money on firewalls and network perimeter security, things that make us feel safe but don't address real problems. Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber-attacks. According to the survey, database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security.

Ponemon concluded that "This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification."

I found good guidance in a recent report from Gartner. The report analyzed solutions for Data Protection and Data Access Governance and the title of the report is "Market Guide for Data-Centric Audit and Protection." The report concluded that "Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act."

The attackers are increasingly focused on stealing our sensitive data and will always look for the next path to attack the data. So we urgently need to secure the sensitive data itself with modern data security approaches.

I read an interesting report from the Aberdeen Group that revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users." The name of the study is "Tokenization Gets Traction".

Ulf Mattsson, CTO Protegrity
