
Comments
Can We Talk? Finding A Common Security Language
JasonPolancich
User Rank: Author
10/4/2014 | 9:03:38 AM
Re: Intriguing but I'm not yet convinced
Same here! Thanks.
SDiver
User Rank: Strategist
10/3/2014 | 2:21:48 PM
Re: Intriguing but I'm not yet convinced
In any case, I appreciate the discussion, Jason. Take care.
JasonPolancich
User Rank: Author
10/3/2014 | 1:19:57 PM
Re: Intriguing but I'm not yet convinced
Well, on this point, I can't argue with you at all.

With the JP Morgans, Targets and Home Depots becoming poster children on a weekly basis now, it's hard for me to believe cyber concerns have not become major, daily leadership opportunities for CEOs. That said, you're likely right that the "it won't happen to me" attitude will persist for some time to come. The unfortunate reality, though, is that, for pretty much every business, it will happen to them. It's only a matter of time.
SDiver
User Rank: Strategist
10/3/2014 | 12:25:14 PM
Re: Intriguing but I'm not yet convinced
Hello Jason,

Like you, I also have to convey a 'cyber-security' message to CEOs and, also like you, I attempt to present information that addresses business risk. However, I am convinced that many CEOs simply refuse to take an interest in cyber risk management because: 1) they're too focused on compliance-based risk such as PCI, 2) they think they're hidden from any type of attack for a variety of reasons, or 3) they think that security will negatively impact their customers.

Your recommendations are excellent but nothing new; I've seen these types of indicators in risk assessments before. Please don't misunderstand; I encourage you to continue to help spread the message.

Perhaps the crux of my argument is that even the best business intelligence reports, risk assessments, etc. are useless if the CEO is not interested in cyber risk management in the first place. While I agree that security experts need to improve their business communication, it is painfully clear that CEOs need to change their attitude about cyber risks. I personally believe that the Home Depot CEO is criminally negligent as a result of the breach because he was warned by many experts, some of whom I know professionally and whose security and business experience I will vouch for.

One example. I know somebody who is absolutely convinced that Microsoft's two-factor authentication is safe from attack and feels that no additional reasonable security measure is needed, despite the information I provided to him regarding the vulnerabilities in RSA tokens and Microsoft Active Directory. I assure you, your business intelligence reports won't change his mind because he doesn't want to spend any more money.

I'm sorry to be pessimistic, but I am convinced that CEOs need to be a little more flexible and accept the fact that they may be at risk. As the old saying goes, it's impossible to argue with a closed mind.
JasonPolancich
User Rank: Author
10/1/2014 | 3:12:05 PM
Re: Intriguing but I'm not yet convinced
SDiver,

Correct. Implicit in the piece above is that this sort of approach is just a starting point. That said, it's a starting point where there is little already established along these lines in most enterprises today.

Further to your points, when we consult with organizations, we often talk of this kind of approach developing into a kind of business intelligence practice for cyber at the same level as is typical and traditional in domain areas like the financial performance of a business, its products, people, etc.

Can that sort of biz intel and analysis "crystal ball" everything that may happen with the accuracy required to, as you mention, not be dismissed? Absolutely not. But can you imagine a successful business that is turning a blind eye to a financial performance business intelligence approach? I can't. Again, the approach outlined is designed to address one (I think, missing) part of a comprehensive, multi-layered and multi-dimensional cyber strategy with many, many pieces and parts. It's a puzzle and each individual piece is a little bit of the overall picture.

Lastly, I'm not sure the logic you use below around the whole Target-HVAC supplier vector doesn't sorta throw the baby out with the bathwater, so to speak. Meaning, convincing the "CEO of the risk the effect would be hard to define" becomes more and more easy a proposition over time as a dedicated data and intel analysis approach proves its merit as part of solving the overall puzzle (as, for example, financial performance, market intel, logistics and business intelligence do).


Good comments and thanks for the dialog!

Jason
SDiver
User Rank: Strategist
10/1/2014 | 2:40:16 PM
Intriguing but I'm not yet convinced
Jason, I appreciate your article. I think it's a start, but I don't think you go far enough.

Take the Target breach, for example. The idea of combining company operations with a third-party HVAC system in the same network segment was obviously considered a great idea at the time for saving money, but I'm sure we all agree that Target now seriously regrets this decision.

If I was the CISO at Target, I'm sure my concerns, even expressed through the "Threat Categories" model you linked to, would have been dismissed because the idea of data compromise seems so abstract. CEOs obviously understand and can picture the risks of shoplifting, robbery, etc., but stealing money and personal information through electronic means is far more abstract. Many people simply have a hard time understanding this concept. Even if you could convince the CEO of the risk, the effect would be hard to define. An attacker could compromise the system through the HVAC network, but what would be gained? Customer data? Proprietary information? Security experts can theorize what can happen, but evidence would be difficult without a thorough (and expensive) penetration test. I'm sure you'll agree that CEOs would not be open to shelling out money for a pen test every time a network infrastructure modification is proposed.

I look forward to your response. Thank you.
Marilyn Cohodas
User Rank: Strategist
9/30/2014 | 9:09:44 AM
Re: Other Side Of The Coin
I wrote a column about the "geek gap" in 1997. Back then it wasn't focused on security, but general IT. I guess it shouldn't be surprising, given the advances in technology in the past 17 years, that the chasm has not decreased (and it probably has increased). Your point is well taken about the attention paid in the cybersec market to "tooling and tech solutions as opposed to productivity and analysis that has formed the basis for other key business domains." Never too late to start, though.
JasonPolancich
User Rank: Author
9/30/2014 | 9:01:49 AM
Re: Other Side Of The Coin
Marilyn, this is purely based on my own experiences. For the better part of the last two decades I've spent a big portion of time in close quarters meeting with, working for, building things for, consulting to and finally sitting on the same side of the table as leadership executives. I can tell you that, in every role, the understanding gap is palpable on the exec side. They may well sense the danger and urgency around topics, but the level of understanding and grasp required to steer strategy and budget effectively is still shallow water at best. Part of the problem is there is so much attention paid in the cybersec market to tooling and tech solutions as opposed to productivity and analysis that has formed the basis for other key business domains.
Marilyn Cohodas
User Rank: Strategist
9/30/2014 | 7:19:42 AM
Re: Other Side Of The Coin
Thanks, Jason. I find it interesting that you think that the C-suite has "the longest road to travel" in understanding the security domain. Why is that? Surely, today infosec issues are front and center. Is it merely because of the language barrier? Or is there something more fundamental?
JasonPolancich
User Rank: Author
9/29/2014 | 5:07:45 PM
Re: Other Side Of The Coin
Marilyn,

Yes, I've used this approach a lot over the years, many times to convince organizations that expensive, complex, sophisticated approaches are not only often not necessary, they are often not even as effective as simple spreadsheets and a diligent data collection approach. It's actually what led me to start my latest company. Where's the cyber business intelligence that typically brings org domains, at all levels top-to-bottom, together around planning and managing success?

This all works especially well for connecting the C-suite, as they traditionally have the longest road to travel in not only understanding the domain, but in making informed decisions based on accurate, intuitive data. In other words, the charts and graphs and simple analytics that come out of this type of data collection, when presented in clear, visual ways, often lead to immediate breakthroughs and encourage an ongoing "closing of the gap" in communications. Vocabulary + data. The number one net result? Much, much faster decision-making, whether it's incident response, budgeting, acquisition or any number of places where accuracy matters.

Jason