Comments
It’s Time to Treat Your Cyber Strategy Like a Business
kevinbear
User Rank: Apprentice
7/22/2020 | 3:17:15 AM
Re: Risk Management
What a wonderful article post; you have done a great job. Such brilliant information. I am really impressed by this stuff; I love it, dear.

JasonPolancich
User Rank: Author
1/9/2015 | 10:08:12 AM
Re: Sample mission statement
So, a friend of mine has a business providing mobile medical portal applications for healthcare chains... Here's a paraphrase:

We strive to deliver the most convenient, private and secure ways to manage your personal health information on the most widely-used mobile devices available. We are committed to building and budgeting security into every thing we do, whether it be software development, data handling, our internal people processes and our customer relationships so that you, our customers, can be assured that every employee at _______ considers your security part of his or her job.

 

It continues to discuss forthrightness in cases of incidents, etc.
Marilyn Cohodas
User Rank: Strategist
1/9/2015 | 9:50:03 AM
Re: Sample mission statement
By including in a company's mission statement specifics on how, given what they offer, they will put their customers' cyber safety in the foremost of their mission right alongside their core product delivery not only reflects the commitment of an organization to protect data, secure web apps, make safe transactions, be good stewards of your PII and more, it also tells the employees just how much it matters (assuming they back it up with real organizational commitment to cyber defense).


Couldn't agree more, but I'd still like to see a cybersecurity mission statement boiled down to the essential 25 (50, 100?) words.
PZav
User Rank: Author
1/8/2015 | 5:56:34 PM
Technical Challenge
Based on this post it seems like, in your experience, most businesses look at information security the same way they look at maintenance or even infrastructure: if I do/fix A, then I will solve problem B. However, cyber security really isn't that simple, is it? I think most leaders will be better off treating security as a desired but impossible state. The focus should shift towards damage control.

Limiting damage is a partnership between security, executive leadership and marketing. There are of course technical requirements, but there is also a need for proper spin control. For instance, Sony having the FBI and FireEye claim that the attack was unique and could've breached 9 out of 10 companies (when we all know it was a standard attack) was good spin. Of course it's true, but nothing about this attack was so unique that such a statement was used for any other reason than to let Sony off the hook. The key is to limit the damages and demonstrate pro-active responsibility. In that area there is still a gap to be filled.
JasonPolancich
User Rank: Author
1/8/2015 | 3:42:04 PM
Re: Sample mission statement
Marilyn,
Well, cyber mission statements (or mission statements that weave in cybersecurity objectives) are, as I point out, largely nonexistent for most companies I have encountered. I am beginning to see folks assert their commitment to security and safety in some nascent companies who get it (and for whom security is part of the identity), but for the most part we're still dealing with the much larger cyber-related disease in corporate America we all know as "Ostrich Security."

That said, as we're seeing in retail and banking and even healthcare, daily cyber security concerns are actually becoming intertwined with a company's core offerings and products. These concerns are linked in real ways to the things that make the business fail or succeed. The point to make from this Part 1 (there's more in my second part of this post that expands on what's here around mission statements) is that cyber has become so pervasive a concern to organizations that it deserves to be elevated into the very core mission of the company itself, alongside what makes them "them" as far as their products, services, delivery, discriminators and, most importantly, their employees go. There's a bank out there with the mission statement of becoming, and I'm paraphrasing to protect the innocent, the most respected provider of financial transaction services. It would seem to me to make sense that "secure" and other words setting serious security objectives be rolled into that too, to drive home for their customers and employees that "secure" is who they are.

For example, let's take the mission statement of a very well known national retail chain:

Guided by relentless focus on our five imperatives, we will constantly strive to implement the critical initiatives required to achieve our vision. In doing this, we will deliver operational excellence in every corner of the Company and meet or exceed our commitments to the many constituencies we serve. All of our long-term strategies and short-term actions will be molded by a set of core values that are shared by each and every associate.



I won't say who that is, but let's just say cybercrime has not been their friend of late.

For the most part, it's high-level, vague and could apply to almost any organization, selling or offering almost anything. Do the leaders and employees take this kind of mission statement to heart? Does it make them more diligent or more responsible as far as the performance of their daily routines? Does it make them care about product or service delivery by imbuing their daily routine with any extra reflection on what makes them better, different or, in the case of cyber security, safer? Does it even drive home to their employees any ideal in particular? Our sense of quality? I say no.

What I'm getting at here is that all companies in this day and age must begin to really appreciate the risks they face each day in this hyper-connected world of constant cyber attack and cybercrime. By including in a company's mission statement specifics on how, given what they offer, they will put their customers' cyber safety in the foremost of their mission right alongside their core product delivery not only reflects the commitment of an organization to protect data, secure web apps, make safe transactions, be good stewards of your PII and more, it also tells the employees just how much it matters (assuming they back it up with real organizational commitment to cyber defense). It tells them that it is a part of everything they do and, hopefully, it even seeps, in small ways, into their subconscious routine each and every day when carrying out their work.

One thing is clear today. Business leadership may not get it yet, but customers are starting to.
Marilyn Cohodas
User Rank: Strategist
1/8/2015 | 9:26:56 AM
Sample mission statement
Interesting idea, Jason. But I'd like to hear some real-world examples of cybersecurity mission statements. Do you have any you can share?
SgS125
User Rank: Ninja
1/8/2015 | 9:23:00 AM
Risk Management
So basically we just continue to work on risk management as we have always done.

Jack was great at leading people; let's just leave it at that.

