
Careers & People

2/19/2019
10:30 AM

Security Leaders Are Fallible, Too

Security leaders set the tone for their organizations, and there are many places where the process can go wrong. Second in a six-part series.

We're only human; we all make mistakes sometimes. Every aspect of securing, defending, and attacking has a human element, an element that profoundly affects all the other components and guarantees that there can be no silver bullet in cybersecurity. We need to factor in human error as part of the cybersecurity process.

This is the premise of the article series we kicked off recently, addressing cybersecurity and the human element from six perspectives of fallibility: end users, security leaders, security analysts, IT security administrators, programmers, and attackers. Last time, we addressed the truth about end users. This time, we cover security leaders.

Security Leaders
Security leaders set the tone and the strategy for cybersecurity within their organizations. Depending on the structure and nomenclature of the organization, a security leader's title may be chief information security officer, chief security officer, chief information officer, chief risk officer, vice president of cybersecurity, director of cybersecurity, or any one of a number of similar titles. These leaders own the responsibility of protecting the organization's digital assets and ensuring the confidentiality, integrity, and accessibility of their organization's data.

Common Mistakes
One of the biggest challenges for security leaders is how to communicate an accurate description of the organization's risk profile and security posture to senior officers and the board of directors. We have seen that some leaders have a tendency to paint a rosier picture than the reality of the situation, implying that there is little or no risk of a successful cyberattack. Others don't take the time, or are not given the opportunity, to provide vital information on threats and threat actors.

When the flow of cybersecurity knowledge does not move upward, security leaders run the risk of having those above them, who often have less understanding of cybersecurity, dictate the direction or minimize the role of the security team. Tasks are prioritized not based on their criticality within the organization but on the amount of attention the topic receives in the news. Purchases are not based on organizational needs but on how much publicity the vendor has received. Investment in proper training for security team members to enhance their knowledge, skills, and abilities is overlooked, and investments are focused primarily on procuring technology.

Incident response (IR) drills don't receive interdepartmental support. And the scope of the security leader's responsibilities doesn't include all of the areas that should be within his or her purview.

Repercussions
If the captain is not steering in the right direction, the ship is bound to go off course. In this case, that means the organization will likely end up suffering from a significant incident at some point. The incident may result from a lack of expertise or due to an insufficient budget (because if everything is under control there is little need to increase spending), an unpatched vulnerability (because the patch was put on the back burner while a vulnerability that was making headlines was addressed), a lack of pertinent technology (because funds were spent on "shiny objects"), an access control misconfiguration (because the security leader had no oversight of the activities), or a similar cause that is the consequence of misguided leadership.

In addition, if the risk was downplayed or proper IR plans weren't in place before the incident, then the rest of the organization will be unprepared when the situation arises. Organizational transparency suffers, proper response gets delayed, and the incident — be it a data breach, data destruction, or a business disruption — may have more effects and be costlier.

Minimize Mistakes
As many organizations have recognized over the past few years, cybersecurity must be a board-level issue. When cybersecurity is appropriately prioritized, it's given the resources it needs to operate effectively. We see reasonable budgets for personnel and technology, support from other departments, and a role in which the security leader has oversight of, or is heavily involved in, key areas that affect security posture, such as vulnerability management, access and identity management, and asset management.

The security leader must also provide a realistic depiction of how the organization's cybersecurity operations are running. That means being up-front about the state of the organization's security posture, identifying shortcomings, and devising concrete plans to address these deficiencies. In addition, the reporting of metrics/key performance indicators should not be viewed as an opportunity to sugar-coat or pat oneself on the back but, rather, a way to convey all the work that the security team is doing, how their work is reducing the security risk to the organization, and how weak points are being shored up.

Change the Paradigm
We must recognize that many of the security leader positions today are not set up for success. The security leaders face constraints from multiple angles — budget, network infrastructure, corporate policy, organizational structure — and often bear the full burden of the responsibility when there is an incident. This dynamic must change.

On the flip side, security leaders, who have an average tenure of about 24 to 48 months, need to be more committed to their roles. A strong cybersecurity posture isn't built in a day. When a security leader leaves after only a couple of years, he or she can set back the security program by months, quarters, or even years.

Obviously, if the position is better designed for success with board-level access, a culture that values cybersecurity, and sufficient budget, churn will decrease. But security leaders with true vision will recognize that they can create the environment they need for success by effectively communicating the critical role of cybersecurity in the organization's growth and prosperity. It is that type of security leader who can develop a security program that can effectively contend with today's threats.

Join us next time to discuss the third perspective in our series: security analysts. 

Roselle Safran is President of Rosint Labs, a cybersecurity consultancy to security teams, leaders, and startups. She is also the Entrepreneur in Residence at Lytical Ventures, a venture capital firm that invests in cybersecurity startups. Previously, Roselle was CEO and ...