Careers & People

2/19/2019
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Security Leaders Are Fallible, Too

Security leaders set the tone for their organizations, and there are many places where the process can go wrong. Second in a six-part series.

We're only human; we all make mistakes sometimes. Every aspect of securing, defending, and attacking has a human element, an element that profoundly affects all the other components and guarantees that there can be no silver bullet in cybersecurity. We need to factor in human error as part of the cybersecurity process.

This is the premise of the article series we kicked off recently, addressing cybersecurity and the human element from six perspectives of fallibility: end users, security leaders, security analysts, IT security administrators, programmers, and attackers. Last time, we addressed the truth about end users. This time, we cover security leaders.

Security Leaders
Security leaders set the tone and the strategy for cybersecurity within their organizations. Depending on the structure and nomenclature of the organization, a security leader's title may be chief information security officer, chief security officers, chief information officers, chief risk officer, vice president of cybersecurity, director of cybersecurity, or any one of a number of similar titles. These leaders own the responsibilities of protecting the organization's digital assets and ensuring the confidentiality, integrity, and accessibility of their organization's data.

Common Mistakes
One of the biggest challenges for security leaders is how to communicate an accurate description of the organization's risk profile and security posture to senior officers and the board of directors. We have seen that some leaders have a tendency to paint a rosier picture than the reality of the situation, implying that there is little or no risk of a successful cyberattack. Others don't take the time, or are not given the opportunity, to provide vital information on threats and threat actors.

When the flow of cybersecurity knowledge does not move upward, security leaders run the risk of having those above them, who often have less understanding of cybersecurity, dictate the direction or minimize the role of the security team. Tasks are prioritized not based on their criticality within the organization but on the amount of attention the topic receives in the news. Purchases are not based on organizational needs but on how much publicity the vendor has received. Investment in proper training for security team members to enhance their knowledge, skills, and abilities is overlooked, and investments are focused primarily on procuring technology.

Incident response (IR) drills don't receive interdepartmental support. And the scope of the security leader's responsibilities doesn't include all of the areas that should be within his or her purview.

Repercussions
If the captain is not steering in the right direction, the ship is bound to go off course. In this case, that means the organization will likely end up suffering from a significant incident at some point. The incident may result from a lack of expertise or due to an insufficient budget (because if everything is under control there is little need to increase spending), an unpatched vulnerability (because the patch was put on the back burner while a vulnerability that was making headlines was addressed), a lack of pertinent technology (because funds were spent on "shiny objects"), an access control misconfiguration (because the security leader had no oversight of the activities), or a similar cause that is the consequence of misguided leadership.

In addition, if the risk was downplayed or proper IR plans weren't in place before the incident, then the rest of the organization will be unprepared when the situation arises. Organizational transparency suffers, proper response gets delayed, and the incident — be it a data breach, data destruction, or a business disruption — may have more effects and be costlier.

Minimize Mistakes
As many organizations have recognized over the past few years, cybersecurity must be a board-level issue. When cybersecurity is appropriately prioritized, it's given the resources it needs to operate effectively. We see reasonable budgets for personnel and technology, support from other departments, and a role where the security leader has oversight of, or is heavily involved in key areas that affect security posture, such as vulnerability management, access and identity management, and asset management.

The security leader must also provide a realistic depiction of how the organization's cybersecurity operations are running. That means being up-front about the state of the organization's security posture, identifying shortcomings, and devising concrete plans to address these deficiencies. In addition, the reporting of metrics/key performance indicators should not be viewed as an opportunity to sugar-coat or pat oneself on the back but, rather, a way to convey all the work that the security team is doing, how their work is reducing the security risk to the organization, and how weak points are being shored up.

Change the Paradigm
We must recognize that many of the security leader positions today are not set up for success. The security leaders face constraints from multiple angles — budget, network infrastructure, corporate policy, organizational structure — and often bear the full burden of the responsibility when there is an incident. This dynamic must change.

On the flip side, security leaders, who have an average tenure of about 24 to 48 months, need to be more committed to their roles. A strong cybersecurity posture isn't built in a day. When a security leader leaves after only a couple of years, he or she can set back the security program by months, quarters, or even years.

Obviously, if the position is better designed for success with board-level access, a culture that values cybersecurity, and sufficient budget, churn will decrease. But security leaders with true vision will recognize that they can create the environment they need for success by effectively communicating the critical role of cybersecurity in the organization's growth and prosperity. It is that type of security leader who can develop a security program that can effectively contend with today's threats.

Join us next time to discuss the third perspective in our series: security analysts. 

Related Content:

Roselle Safran is President of Rosint Labs, a cybersecurity consultancy to security teams, leaders, and startups. She is also the Entrepreneur in Residence at Lytical Ventures, a venture capital firm that invests in cybersecurity startups. Previously, Roselle was CEO and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18913
PUBLISHED: 2019-03-21
Opera before 57.0.3098.106 is vulnerable to a DLL Search Order hijacking attack where an attacker can send a ZIP archive composed of an HTML page along with a malicious DLL to the target. Once the document is opened, it may allow the attacker to take full control of the system from any location with...
CVE-2018-20031
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2018-20032
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon t...
CVE-2018-20034
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2019-3855
PUBLISHED: 2019-03-21
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.