Comments
Can We Talk? Finding A Common Security Language
JasonPolancich
User Rank: Author
10/4/2014 | 9:03:38 AM
Re: Intriguing but I'm not yet convinced
Same here! Thanks.
SDiver
User Rank: Strategist
10/3/2014 | 2:21:48 PM
Re: Intriguing but I'm not yet convinced
In any case, I appreciate the discussion Jason.  Take care.
JasonPolancich
User Rank: Author
10/3/2014 | 1:19:57 PM
Re: Intriguing but I'm not yet convinced
Well, on this point, I can't argue with you at all.

With the JP Morgans, Targets and Home Depots becoming poster children on a weekly basis now, it's hard for me to believe cyber concerns have not become major, daily leadership opportunities for CEOs. That said, you're likely right that the "it won't happen to me" attitude will persist for some time to come. The unfortunate reality, though, is that, for pretty much every business, it will happen to them. It's only a matter of time.
SDiver
User Rank: Strategist
10/3/2014 | 12:25:14 PM
Re: Intriguing but I'm not yet convinced
Hello Jason,

Like you, I also have to convey the 'cyber-security' message to CEOs and also, like you, I attempt to present information that addresses business risk. However, I am convinced that many CEOs simply refuse to take an interest in cyber risk management because: 1) They're too focused on compliance-based risk such as PCI, 2) They think they're hidden from any type of attack for a variety of reasons, or 3) they think that security will negatively impact their customers.

Your recommendations are excellent but nothing new; I've seen these types of indicators in risk assessments before. Please don't misunderstand; I encourage you to continue to help spread the message.

Perhaps the crux of my argument is that even the best business intelligence reports, risk assessments, etc. are useless if the CEO is not interested in cyber risk management in the first place. While I agree that security experts need to improve their business communication, it is painfully clear that CEOs need to change their attitude about cyber risks. I personally believe that the Home Depot CEO is criminally negligent as a result of the breach because he was warned by many experts, some of whom I know professionally and will vouch for their security and business experience.

One example. I know somebody who is absolutely convinced that Microsoft's two-factor authentication is safe from attack and feels that no additional reasonable security measure is needed, despite the information I provided to him regarding the vulnerabilities in RSA tokens and Microsoft Active Directory. I assure you, your business intelligence reports won't change his mind because he doesn't want to spend any more money.

I'm sorry to be pessimistic, but I am convinced that CEOs need to be a little more flexible and accept the fact that they may be at risk. As the old saying goes, it's impossible to argue with a closed mind.
JasonPolancich
User Rank: Author
10/1/2014 | 3:12:05 PM
Re: Intriguing but I'm not yet convinced
SDiver,

Correct. Implicit in the piece above is that this sort of approach is just a starting point. That said, it's a starting point where there is little already established along these lines in most enterprises today.

Further to your points, when we consult with organizations, we often talk of this kind of approach developing into a kind of business intelligence practice for cyber at the same level as is typical and traditional in domain areas like the financial performance of a business, its products, people, etc.

Can that sort of biz intel and analysis "crystal ball" everything that may happen with the accuracy required to, as you mention, not be dismissed? Absolutely not. But can you imagine a successful business that is turning a blind eye to a financial performance business intelligence approach? I can't. Again, the approach outlined is designed to address one (I think, missing) part of a comprehensive, multi-layered and multi-dimensional cyber strategy with many, many pieces and parts. It's a puzzle and each individual piece is a little bit of the overall picture.

Lastly, I'm not sure the logic you use below around the whole Target-HVAC supplier vector doesn't sorta throw the baby out with the bathwater, so to speak. Meaning, convincing the "CEO of the risk the effect would be hard to define" becomes more and more easy a proposition over time as a dedicated data and intel analysis approach proves its merit as part of solving the overall puzzle (as, for example, financial performance, market intel, logistics, business intelligence does).


Good comments and thanks for the dialog!

Jason
SDiver
User Rank: Strategist
10/1/2014 | 2:40:16 PM
Intriguing but I'm not yet convinced
Jason, I appreciate your article. I think it's a start, but I don't think you go far enough.

Take the Target breach, for example. The idea of combining company operations with a third-party HVAC system in the same network segment was obviously considered a great idea at the time for saving money, but I'm sure we all agree that Target now seriously regrets this decision.

If I was the CISO at Target, I'm sure my concerns, even expressed through the "Threat Categories" model you linked to, would have been dismissed because the idea of data compromise seems so abstract. CEOs obviously understand and can picture the risks of shoplifting, robbery, etc., but stealing money and personal information through electronic means is far more abstract. Many people simply have a hard time understanding this concept. Even if you could convince the CEO of the risk, the effect would be hard to define. An attacker could compromise the system through the HVAC network, but what would be gained? Customer data? Proprietary information? Security experts can theorize what can happen, but evidence would be difficult without a thorough (and expensive) penetration test. I'm sure you'll agree that CEOs would not be open to shelling out money for a pen test every time a network infrastructure modification is proposed.

I look forward to your response. Thank you.
Marilyn Cohodas
User Rank: Strategist
9/30/2014 | 9:09:44 AM
Re: Other Side Of The Coin
I wrote a column about the "geek gap" in 1997. Back then it wasn't focused on security, but general IT. I guess it shouldn't be surprising, given the advances in technology in the past 17 years, that the chasm has not decreased (and it probably has increased). Your point is well taken about the attention paid in the cybersec market to "tooling and tech solutions as opposed to productivity and analysis that has formed the basis for other key business domains." Never too late to start, though.
JasonPolancich
User Rank: Author
9/30/2014 | 9:01:49 AM
Re: Other Side Of The Coin
Marilyn, this is purely based on my own experiences. For the better part of the last two decades I've spent a big portion of time in close quarters meeting with, working for, building things for, consulting to and finally sitting on the same side of the table as leadership executives. I can tell you that, in every role, the understanding gap is palpable on the exec side. They may well sense the danger and urgency around topics, but the level of understanding and grasp required to steer strategy and budget effectively is still shallow water at best. Part of the problem is there is so much attention paid in the cybersec market to tooling and tech solutions as opposed to productivity and analysis that has formed the basis for other key business domains.
Marilyn Cohodas
User Rank: Strategist
9/30/2014 | 7:19:42 AM
Re: Other Side Of The Coin
Thanks, Jason. I find it interesting that you think that the C-suite has "the longest road to travel" in understanding the security domain. Why is that? Surely, today infosec issues are front and center. Is it merely because of the language barrier? Or is there something more fundamental?
JasonPolancich
User Rank: Author
9/29/2014 | 5:07:45 PM
Re: Other Side Of The Coin
Marilyn,

Yes, I've used this approach a lot over the years, many times to convince organizations that expensive, complex, sophisticated approaches are not only often not necessary, they are often not even as effective as simple spreadsheets and a diligent data collection approach. It's actually what led me to start my latest company. Where's the cyber business intelligence that typically brings org domains, at all levels top-to-bottom, together around planning and managing success?

This all works especially well for connecting the C-suite, as they traditionally have the longest road to travel in not only understanding the domain, but in making informed decisions based on accurate, intuitive data. In other words, charts and graphs and simple analytics that come out of this type of data collection, when presented in clear, visual ways, often lead to immediate breakthroughs and encourage an ongoing "closing of the gap" in communications. Vocabulary + data. The number one net result? Much, much faster decision-making, whether it's incident response, budgeting, acquisition or any number of places where accuracy matters.

Jason