
Careers & People

2/19/2019
10:30 AM

Security Leaders Are Fallible, Too

Security leaders set the tone for their organizations, and there are many places where the process can go wrong. Second in a six-part series.

We're only human; we all make mistakes sometimes. Every aspect of securing, defending, and attacking has a human element, an element that profoundly affects all the other components and guarantees that there can be no silver bullet in cybersecurity. We need to factor in human error as part of the cybersecurity process.

This is the premise of the article series we kicked off recently, addressing cybersecurity and the human element from six perspectives of fallibility: end users, security leaders, security analysts, IT security administrators, programmers, and attackers. Last time, we addressed the truth about end users. This time, we cover security leaders.

Security Leaders
Security leaders set the tone and the strategy for cybersecurity within their organizations. Depending on the structure and nomenclature of the organization, a security leader's title may be chief information security officer, chief security officer, chief information officer, chief risk officer, vice president of cybersecurity, director of cybersecurity, or any one of a number of similar titles. These leaders own the responsibility for protecting the organization's digital assets and ensuring the confidentiality, integrity, and accessibility of their organization's data.

Common Mistakes
One of the biggest challenges for security leaders is how to communicate an accurate description of the organization's risk profile and security posture to senior officers and the board of directors. We have seen that some leaders have a tendency to paint a rosier picture than the reality of the situation, implying that there is little or no risk of a successful cyberattack. Others don't take the time, or are not given the opportunity, to provide vital information on threats and threat actors.

When the flow of cybersecurity knowledge does not move upward, security leaders run the risk of having those above them, who often have less understanding of cybersecurity, dictate the direction or minimize the role of the security team. Tasks are prioritized not based on their criticality within the organization but on the amount of attention the topic receives in the news. Purchases are not based on organizational needs but on how much publicity the vendor has received. Investment in proper training for security team members to enhance their knowledge, skills, and abilities is overlooked, and investments are focused primarily on procuring technology.

Incident response (IR) drills don't receive interdepartmental support. And the scope of the security leader's responsibilities doesn't include all of the areas that should be within his or her purview.

Repercussions
If the captain is not steering in the right direction, the ship is bound to go off course. In this case, that means the organization will likely end up suffering from a significant incident at some point. The incident may result from a lack of expertise or due to an insufficient budget (because if everything is under control there is little need to increase spending), an unpatched vulnerability (because the patch was put on the back burner while a vulnerability that was making headlines was addressed), a lack of pertinent technology (because funds were spent on "shiny objects"), an access control misconfiguration (because the security leader had no oversight of the activities), or a similar cause that is the consequence of misguided leadership.

In addition, if the risk was downplayed or proper IR plans weren't in place before the incident, then the rest of the organization will be unprepared when the situation arises. Organizational transparency suffers, proper response gets delayed, and the incident — be it a data breach, data destruction, or a business disruption — may have more effects and be costlier.

Minimize Mistakes
As many organizations have recognized over the past few years, cybersecurity must be a board-level issue. When cybersecurity is appropriately prioritized, it's given the resources it needs to operate effectively. We see reasonable budgets for personnel and technology, support from other departments, and a role in which the security leader has oversight of, or is heavily involved in, key areas that affect security posture, such as vulnerability management, access and identity management, and asset management.

The security leader must also provide a realistic depiction of how the organization's cybersecurity operations are running. That means being up-front about the state of the organization's security posture, identifying shortcomings, and devising concrete plans to address these deficiencies. In addition, the reporting of metrics/key performance indicators should not be viewed as an opportunity to sugar-coat or pat oneself on the back but, rather, a way to convey all the work that the security team is doing, how their work is reducing the security risk to the organization, and how weak points are being shored up.

Change the Paradigm
We must recognize that many of the security leader positions today are not set up for success. The security leaders face constraints from multiple angles — budget, network infrastructure, corporate policy, organizational structure — and often bear the full burden of the responsibility when there is an incident. This dynamic must change.

On the flip side, security leaders, who have an average tenure of about 24 to 48 months, need to be more committed to their roles. A strong cybersecurity posture isn't built in a day. When a security leader leaves after only a couple of years, he or she can set back the security program by months, quarters, or even years.

Obviously, if the position is better designed for success with board-level access, a culture that values cybersecurity, and sufficient budget, churn will decrease. But security leaders with true vision will recognize that they can create the environment they need for success by effectively communicating the critical role of cybersecurity in the organization's growth and prosperity. It is that type of security leader who can develop a security program that can effectively contend with today's threats.

Join us next time to discuss the third perspective in our series: security analysts.

Roselle Safran is President of Rosint Labs, a cybersecurity consultancy to security teams, leaders, and startups. She is also the Entrepreneur in Residence at Lytical Ventures, a venture capital firm that invests in cybersecurity startups. Previously, Roselle was CEO and ...