Cyberattacks on corporations are now a common and increasingly frequent occurrence, which should lead their boards of directors to take notice and recognize the need to increase funding and enable other security measures. But a recent Gartner report finds that 88% of boards of directors view cybersecurity as a business risk, not a technology risk, yet only a fraction have a dedicated, board-level cybersecurity committee, which means cybersecurity isn't viewed as a critical executive function.
With Log4j taking up a lot of security attention in the last month, it is imperative to revisit not only the cybersecurity funding conversation but also how to get the board to pay more nuanced attention to cybersecurity.
Log4j is a library of open source code that lets hackers run any code on vulnerable systems or hack into applications that use the Apache Log4j framework. The vulnerability, also called Log4Shell, is indeed a serious issue, so serious that the federal Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance on remediating Log4j. The Federal Trade Commission (FTC) also said it would take action against companies that don’t take steps to protect consumer data from exposure due to this vulnerability.
The FTC’s announcement appears to send a warning to boards more than security practitioners about the need for them to do their due diligence and take corporate ownership of risk impact. "When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others," the FTC stated.
So it behooves CISOs to get in front of their boards of directors and explain the potential implications of complacency and inaction. Most people (security practitioners included) are likely experiencing cyber-breach fatigue and may be inclined to downplay Log4j as just the flaw of the month. To do so would be dangerous and irresponsible.
Boards never want to hear "I don't know" or “It's not my responsibility” from their CISO. And CISOs certainly don’t want to appear before the board and give the impression that an issue isn't under control. But the Log4j vulnerability requires a new approach that relies on comprehensive runtime analysis to detect, prioritize, and remediate all instances of the Log4Shell instances. CISOs should reframe this as an opportunity to elevate security posture as a whole.
How to Get Board Buy-In On Log4j’s Importance
An increasing number of CISOs now present to their boards on a variety of strategic topics because security is no longer seen as just a technology function. The key is to speak in layperson’s terms and get some salient points across. The first is to emphasize that Log4j slowly but surely nests in the corporate networks and is one of the most critical zero-day vulnerabilities in recent history.
Board members aren't interested in the operational or tactical aspects of cybersecurity; rather, they are focused on the holistic impact of the risk that the vulnerability poses.
What will also get the board’s attention is that this vulnerability affects some of the world’s largest IT companies and tech vendors, including Amazon Web Services, Oracle, Cisco, IBM, Fortinet, VMware, and others.
There is widespread deployment of Log4j, from simple, everyday devices to high-end space vehicles. The proliferation of Log4j is akin to Russian nesting dolls; boards need to be aware that instances of the vulnerability can be hidden with multiple transitive dependencies, making remediation equally complex. And what they don’t know can hurt them.
Boards should also understand that Log4j is a growing and complex security problem that promises to be around for years to come. CISOs need to explain that not taking this flaw seriously could result in a data breach, data loss, productivity loss, and ultimately, loss of reputation.
Some key questions that the CISO should ensure can be addressed with the board include:
- Who is the person(s)/organization(s) responsible?
- Do we understand the true impact of this vulnerability on our organization?
- Do we have visibility into all Java-based applications so that true risk and financial impact can be gauged?
- Do we have enough resources from tools and talent perspectives to detect, address, and remediate vulnerabilities?
- Is the supply chain affected and are there contingency plans?
- Is there a remediation plan in place? Is there a business continuity plan in the event of a disruption?
Ultimately, the board will want to know what the short-term plan is to address the immediate threat of Log4j, as well as what is being done over the long term to prevent future attacks.
Also, make sure the board understands the big picture. As Log4jshell evolves as a vulnerability and as organizations put countermeasures and mitigations in place to prevent attacks, threat actors are also working to find workarounds and new threat vectors. The impact of threat actors gaining access to your network cannot be clearly defined at this moment.
Log4j is not a simple vulnerability. It is proving to be mutational and organizations need to be ready to address this if they want to stay ahead and be safe. Depending on the industry, the impact can range from data loss to ransomware, loss of profits, and production woes, so security leaders must have the funding and resources they need to deal with this vulnerability.