Risk
7/18/2014
02:50 PM
Marilyn Cohodas
Marilyn Cohodas
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

CEO Report Card: Low Grades for Risk Management

Dark Reading's latest community poll shows a stunning lack of confidence in chief execs' commitment to cyber security.

Former Target chief executive Greg Steinhafel would be in good company today if the Dark Reading community had a say in his job performance on cyber security risk management.

Steinhafel, as I'm sure you recall, famously resigned from the retailers' top job this past May, following a data breach of 40 million hacked credit and debit card accounts compromising the names, phone numbers, email and mailing addresses from as many as 70 million customers.

In the Dark Reading community, according to the results of our latest poll, members likewise show a stunning lack of confidence in their chief executives' ability to marshal the talent, financial resources, skills and training to defend their companies from a similar attack. Only 16% of roughly 750 respondents gave CEOs an "A" for making cyber risk management a top priority. On the bottom end of the grade scale, 19% blasted execs for an "epic fail" that left company data an open target for hackers and criminals.

(Source: Dark Reading)
(Source: Dark Reading)

If there is any good news in the community report card, it's that for more than a quarter of respondents, their executive leadership is moving in the right direction, albeit with one significant qualification: "We lack critical tools."

More damning is the indictment from the 40% who say companies are either "barely meeting minimum compliance standards" or "flying blind" with security teams who lack the latest technology and training.

In Target's case, what happened to Steinhafel -- a 35-year company veteran -- should serve as a cautionary tale to other corner office execs that in today's complex and rapidly evolving threat landscape, security needs to be viewed as an investment not a cost.

Or, as PaloJoel observed in a comment on Why Security & Profitability Go Hand-In-Hand, "The real question business leaders should be asking security practioners is [how can I] make my security a competitve advantage versus how do I get you to stop draining my pockets. Bottomline: if I am robbed less, protect myself better, do it more easily, and spend less doing it than the other guy I am going to grow faster and be more profitable."

What advice would you give to your CEO about how to beef up the company's risk management GPA and turn infosec into a business benefit? Let ‘s chat about that in the comments.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Robert McDougal
100%
0%
Robert McDougal,
User Rank: Ninja
7/22/2014 | 5:09:44 PM
Re: Compliance != Security
While I agree having everyone accountable is an ideal situation I would still argue the importance of having clear leadership.  We must have clear direction and motivation from leadership to be successful.  That is why it is important the CSO and other various people in management are in the correct spots on the org chart.  

For example, historically the CSO has reported to the CIO in many organizations.  Over the years it has become clear that this causes a conflict of interest many times.  The CIO is responsible for IT operations as a whole and as such will often put more value into the needs of operation over the needs of security.  This operation vs security conflict often times muddies the water and prohibits the CSO from providing a clear roadmap either for himself or his employees.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/22/2014 | 4:20:11 PM
Re: Security as an Investment
@Dr.T. At the end of the day, the shift has to come at the upper levels: That is the CEO and Board of Directors have to understand that strong security a critical cost of doing business without which the business will become extremely vulnerable to every increasing risks and data breaches. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/22/2014 | 12:53:38 PM
Re: if there's a silver lining...
It is because a more integrated world simply means more threats. Also we have been experiencing major breaches that touch consumers directly such as Target case.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/22/2014 | 12:50:27 PM
Re: Compliance != Security
That is one aspect of security we tend to get lost in my view. It does not really matter who needs to report where, it is actually everybody should be reporting to everyone by keeping everybody accountable on everything is the right approach to handle security in the enterprise. If we assume it is security departments' responsibility the problems start form there down. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/22/2014 | 12:46:09 PM
Security as an Investment
 

I agree with the article, we need to consider security as an investment. IT as a whole is always associated with the cost but without IT nothing can get done in today's world. The same for security, it may be way expensive to recover form incident than to prevent it.
Robert McDougal
100%
0%
Robert McDougal,
User Rank: Ninja
7/22/2014 | 11:07:12 AM
Re: Compliance != Security
In my opinion the ideal organization setup for a companies information security department would be setup this way.  The CSO would report directly to the CEO and keep him well informed of the high level threats to the organization.  Below the CSO would be four seperate director level reports.  The Director of risk would manage the duties of risk management, business continuity and disaster recovery.  The Director of Compliance would obviously handle all components of regulation compliance.  The Director of Physical Security would ensure the physical security of the organization and it's employees.  The Director of Information Security would be responsible for all technical aspects of security.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/22/2014 | 10:46:26 AM
Re: Compliance != Security
Good point, @Robert McDougal. So in our survey responses, I'm guessing the Org Chart 'checkbox' in this case might lead to Chief of risk / compliance. 
Robert McDougal
100%
0%
Robert McDougal,
User Rank: Ninja
7/22/2014 | 10:38:42 AM
Re: Compliance != Security
Not trying to put words in @chriscinfosec's mouth but in my experience sometimes regulations put executives into a check box mentallity.  This means that they believe that if they do what the regulation says then they are protected.  The regulations are a good framework but not the entirety of the solution and executives need to be educated on that fact.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/22/2014 | 10:28:40 AM
Re: Compliance != Security
Not sure I get your point @chriscinfosec about the relevance (or irrelevance) of PCI-DSS and the reporting structure of the CSO. Can you elaborate?
chriscinfosec
50%
50%
chriscinfosec,
User Rank: Apprentice
7/22/2014 | 9:42:44 AM
Compliance != Security
How has outdated compliance regimes like PCI DSS negatively impacted the security posture and readiness of organizations?  The industry is starting to say "A LOT" -- witness the work that SANS has done for their 20 Critical Security Controls to improve security through best practices and common sense.

For example, PCI mandates anti-virus for endpoints when repeated independent testing has shown that traditional anti-virus does not defend against advanced malware threats.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.