Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Its Time to Treat Your Cyber Strategy Like a Business
Newest First  |  Oldest First  |  Threaded View
JasonPolancich
50%
50%
JasonPolancich,
User Rank: Author
1/9/2015 | 10:08:12 AM
Re: Sample mission statement
So, a friend of mine has a business providing mobile medical portal applications for helathcare chains...Here's a paraphrase:

We strive to deliver the most convenient, private and secure ways to manage your personal health information on the most widely-used mobile devices available. We are committed to building and budgeting security into every thing we do, whether it be software development, data handling, our internal people processes and our customer relationships so that you, our customers, can be assured that every employee at _______ considers your security part of his or her job.

 

It continues to discuss forthrightness in cases of incidents, etc.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/9/2015 | 9:50:03 AM
Re: Sample mission statement
By including in a company's mission statement specifies on how, given what they offer, they will put their customers cyber safety in the foremost of their mission right alongside their core product delivery not only reflects the commitment of an organization to protect data, secure web apps, make safe transactions, be good stewards of your PII and more, it also tells the employees just how much it matters (assuming they back it up with real organizational commitment to cyber defense.)


Couldn't agree more. but I'd still like to see a cybersecurity mission statement boiled down to the essential 25 (50, 100?) words..
PZav
50%
50%
PZav,
User Rank: Author
1/8/2015 | 5:56:34 PM
Technical Challenge
Based on this post it seems like in your experience, most businesses look at information security in the same way they look at maintance or even infrastructure. If I do/fix A then I will solve problem B. However, cyber security really isn't that simple is it? I think most leaders will be better off treating security as a desired but impossible state. The focus should shift towards damage control.

Limiting damage is a partnership between security, executive leadership and marketing. There are of course technical requirenments, but there is also a need for proper spin control. For instance, Sony having the FBI and FireEye claim that the attack was unique and could've breached 9 out of 10 companies (when we all know it was a standard attack) was good spin. Of course its true, but nothing about this attack was so unique that such a statement was used for any other reason than to let Sony off the hook. The key is to limit the damages and demonstrate pro-active responsibility. In that area there is still a gap to be filled.
JasonPolancich
50%
50%
JasonPolancich,
User Rank: Author
1/8/2015 | 3:42:04 PM
Re: Sample mission statement
Marilyn,
Well, cyber mission statements (or mission statements that weave in cybersecurity objectives) are, as I point out, largely nonexistent for most companies I have encountered. I am beginning to see folks assert their commitment to security and safety in some nascent companies who get it (and for whom security is part of the identity), but for the most part we're still dealing with the much larger cyber-related disease in corporate America we all know as "Ostrich Security."

That said, as we're seeing in retail and banking and even healthcare, daily cyber security concerns are actually becoming intertwined with a company's core offerings and products. These concerns are linked in real ways to the things that make the business fail or succeed. The point to make from this Part 1 (there's more in my second part of this post that expands on what's here around mission statement) is that cyber is become so pervasive a concern to organizations that is deserves to be elevated into the very core mission of the company itself alongside what makes them "them" as far as their products, services, delivery, discriminators and - most importantly - their employees go. There's a bank out there with the mission statement of becoming, and Im paraphrasing to protect the innocent, the most respected provider of financial transaction services. It would seem to me to make sense that "secure" and other words setting serious security objectives be rolled into that too to drive home for their customer and employees that "secure" is who they are.

For example, let's take the mission statement of a very well known national retail chain:

Guided by relentless focus on our five imperatives, we will constantly strive to implement the critical initiatives required to achieve our vision. In doing this, we will deliver operational excellence in every corner of the Company and meet or exceed our commitments to the many constituencies we serve. All of our long-term strategies and short-term actions will be molded by a set of core values that are shared by each and every associate.



I wont say who that is, but let's just say cybercrime is not their friend of late.

For the most part, it's high-level, vague and could apply to almost any organization, selling or offering almost anything. Do the leaders and employees take this kind of mission statement to heart? Does it make them more diligent or more responsible as far as the performance of their daily routines? Does it make them care about product or service delivery by imbuing their daily routine with any extra reflection on what make them better, different or, in the case if cyber security, more safe? Does it even drive to their employees any ideal in particular? Our sense of quality? I say no.

What I'm getting at here is that all companies in this day and age must begin to really appreciate the risks they face each day in this hyper-connoted world of constant cyber attack and cybercrime. By including in a company's mission statement specifies on how, given what they offer, they will put their customers cyber safety in the foremost of their mission right alongside their core product delivery not only reflects the commitment of an organization to protect data, secure web apps, make safe transactions, be good stewards of your PII and more, it also tells the employees just how much it matters (assuming they back it up with real organizational commitment to cyber defense). That it is a part of everything they do and, hopefully, it even seeps, in small ways, into their subconscious routine each and every day when carrying out their work.

One thing is clear today. Business leadership may not get it yet, but customers are starting to.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/8/2015 | 9:26:56 AM
Sample mission statement
Interesting idea, Jason. But I'd like to hear some real word examples of cybersecurity mission statements. Do you have any you can share?
SgS125
50%
50%
SgS125,
User Rank: Ninja
1/8/2015 | 9:23:00 AM
Risk Management
So basically we just continue to work on risk management as we have always done.

Jack was great at leading people, lets just leave it at that.


How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10940
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
CVE-2020-10939
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
CVE-2020-6095
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
CVE-2020-10817
PUBLISHED: 2020-03-27
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
CVE-2020-10952
PUBLISHED: 2020-03-27
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.