Risk
7/18/2014
02:50 PM
Marilyn Cohodas
Marilyn Cohodas
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

CEO Report Card: Low Grades for Risk Management

Dark Reading's latest community poll shows a stunning lack of confidence in chief execs' commitment to cyber security.

Former Target chief executive Greg Steinhafel would be in good company today if the Dark Reading community had a say in his job performance on cyber security risk management.

Steinhafel, as I'm sure you recall, famously resigned from the retailers' top job this past May, following a data breach of 40 million hacked credit and debit card accounts compromising the names, phone numbers, email and mailing addresses from as many as 70 million customers.

In the Dark Reading community, according to the results of our latest poll, members likewise show a stunning lack of confidence in their chief executives' ability to marshal the talent, financial resources, skills and training to defend their companies from a similar attack. Only 16% of roughly 750 respondents gave CEOs an "A" for making cyber risk management a top priority. On the bottom end of the grade scale, 19% blasted execs for an "epic fail" that left company data an open target for hackers and criminals.

(Source: Dark Reading)
(Source: Dark Reading)

If there is any good news in the community report card, it's that for more than a quarter of respondents, their executive leadership is moving in the right direction, albeit with one significant qualification: "We lack critical tools."

More damning is the indictment from the 40% who say companies are either "barely meeting minimum compliance standards" or "flying blind" with security teams who lack the latest technology and training.

In Target's case, what happened to Steinhafel -- a 35-year company veteran -- should serve as a cautionary tale to other corner office execs that in today's complex and rapidly evolving threat landscape, security needs to be viewed as an investment not a cost.

Or, as PaloJoel observed in a comment on Why Security & Profitability Go Hand-In-Hand, "The real question business leaders should be asking security practioners is [how can I] make my security a competitve advantage versus how do I get you to stop draining my pockets. Bottomline: if I am robbed less, protect myself better, do it more easily, and spend less doing it than the other guy I am going to grow faster and be more profitable."

What advice would you give to your CEO about how to beef up the company's risk management GPA and turn infosec into a business benefit? Let ‘s chat about that in the comments.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Robert McDougal
100%
0%
Robert McDougal,
User Rank: Ninja
7/22/2014 | 5:09:44 PM
Re: Compliance != Security
While I agree having everyone accountable is an ideal situation I would still argue the importance of having clear leadership.  We must have clear direction and motivation from leadership to be successful.  That is why it is important the CSO and other various people in management are in the correct spots on the org chart.  

For example, historically the CSO has reported to the CIO in many organizations.  Over the years it has become clear that this causes a conflict of interest many times.  The CIO is responsible for IT operations as a whole and as such will often put more value into the needs of operation over the needs of security.  This operation vs security conflict often times muddies the water and prohibits the CSO from providing a clear roadmap either for himself or his employees.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/22/2014 | 4:20:11 PM
Re: Security as an Investment
@Dr.T. At the end of the day, the shift has to come at the upper levels: That is the CEO and Board of Directors have to understand that strong security a critical cost of doing business without which the business will become extremely vulnerable to every increasing risks and data breaches. 
Dr.T
50%
50%
Dr.T,
User Rank: Apprentice
7/22/2014 | 12:53:38 PM
Re: if there's a silver lining...
It is because a more integrated world simply means more threats. Also we have been experiencing major breaches that touch consumers directly such as Target case.
Dr.T
50%
50%
Dr.T,
User Rank: Apprentice
7/22/2014 | 12:50:27 PM
Re: Compliance != Security
That is one aspect of security we tend to get lost in my view. It does not really matter who needs to report where, it is actually everybody should be reporting to everyone by keeping everybody accountable on everything is the right approach to handle security in the enterprise. If we assume it is security departments' responsibility the problems start form there down. 
Dr.T
50%
50%
Dr.T,
User Rank: Apprentice
7/22/2014 | 12:46:09 PM
Security as an Investment
 

I agree with the article, we need to consider security as an investment. IT as a whole is always associated with the cost but without IT nothing can get done in today's world. The same for security, it may be way expensive to recover form incident than to prevent it.
Robert McDougal
100%
0%
Robert McDougal,
User Rank: Ninja
7/22/2014 | 11:07:12 AM
Re: Compliance != Security
In my opinion the ideal organization setup for a companies information security department would be setup this way.  The CSO would report directly to the CEO and keep him well informed of the high level threats to the organization.  Below the CSO would be four seperate director level reports.  The Director of risk would manage the duties of risk management, business continuity and disaster recovery.  The Director of Compliance would obviously handle all components of regulation compliance.  The Director of Physical Security would ensure the physical security of the organization and it's employees.  The Director of Information Security would be responsible for all technical aspects of security.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/22/2014 | 10:46:26 AM
Re: Compliance != Security
Good point, @Robert McDougal. So in our survey responses, I'm guessing the Org Chart 'checkbox' in this case might lead to Chief of risk / compliance. 
Robert McDougal
100%
0%
Robert McDougal,
User Rank: Ninja
7/22/2014 | 10:38:42 AM
Re: Compliance != Security
Not trying to put words in @chriscinfosec's mouth but in my experience sometimes regulations put executives into a check box mentallity.  This means that they believe that if they do what the regulation says then they are protected.  The regulations are a good framework but not the entirety of the solution and executives need to be educated on that fact.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/22/2014 | 10:28:40 AM
Re: Compliance != Security
Not sure I get your point @chriscinfosec about the relevance (or irrelevance) of PCI-DSS and the reporting structure of the CSO. Can you elaborate?
chriscinfosec
50%
50%
chriscinfosec,
User Rank: Apprentice
7/22/2014 | 9:42:44 AM
Compliance != Security
How has outdated compliance regimes like PCI DSS negatively impacted the security posture and readiness of organizations?  The industry is starting to say "A LOT" -- witness the work that SANS has done for their 20 Critical Security Controls to improve security through best practices and common sense.

For example, PCI mandates anti-virus for endpoints when repeated independent testing has shown that traditional anti-virus does not defend against advanced malware threats.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0993
Published: 2014-09-15
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

CVE-2014-2375
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVE-2014-2376
Published: 2014-09-15
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2377
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVE-2014-3077
Published: 2014-09-15
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant