Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
Recruit, Reward & Retain Cybersecurity Experts
CarricDooley
User Rank: Apprentice
1/22/2015 | 7:30:51 PM
Re: I have a fourth idea!

I would argue that the CISO often DOES pay - with his job. (A friend of mine once told me CISO actually stands for "career is so over"). 

As to the "cost benefit analysis of security", business is all about cost/benefit analysis. Should we get into building personal submarines? What will that require in terms of capex/opex? What are the risks? How do we keep them off Minnesota highways?

So, Infosec is hard to get right and largely misunderstood. It's also viewed as a "necessary evil", so yeah, most companies want to get away with spending as little as possible on it, and to most non-security geeks, it's "just another cost". The world is a fabric of compromise - nothing is ever ideal. A penny saved...

I had a fascinating chat with one of our clients recently: his efforts to improve his Secure SDLC process have netted savings in reduced bugs and better quality code due to how they addressed it. They educated their devs, and it has resulted in better apps as a by-product of an effort to secure the environment. Huzzah!

I have seen cases where we presented a cleaning procedure for 23 infected servers, that rapidly became 17 servers when 6 were suddenly deemed non-critical and could just be turned off. While thoughtfully stroking my beard, I asked the secops lead the following: "You have like 30k servers, right? What if you could turn off 7k of them tomorrow?"  It's an unrealistic extrapolation, but illustrated my point.  Sometimes, doing things more securely could have long term savings ramifications (reduced power, cooling, rack space... Oh yeah! And attack surface).

That is what most people do not realize because they have never seen it (nor will they if they don't measure what they do). And who measures the positive impact of the security program on the business? We buy stuff - we deploy it. We MUST be more secure, right?

I get the outrage of having someone make bad decisions that affect innocent customers and investors (the company also suffers for poor business decisions, btw, and I have seen the suffering of the IT team first-hand during a post-breach panicked recovery). But I would also say: "it depends on the circumstances", and I think the law does step in when it's egregious negligence. But I'm not sure doing a blanket "go to jail for doing a bad job" is wise either. That has a high potential to get out of control.

ODA155
User Rank: Ninja
1/22/2015 | 1:27:35 PM
Re: I have a fourth idea!
@CarricDooley... It would sure suck to be Biff, and maybe someone should have to explain to his family how he got hit by a submarine while on the highway, heck, living here in Minnesota I can tell that I have seen some weird stuff on the highway, no subs, at least not yet.

But my problem with how the decisions are made is the actual "HOW" part, Risk Analysis and Cost Benefit Analysis, and while they both have their valid uses I believe they are being misused in the attempt to save money and/or time. Too often these large corporations are worried about the bottom line and who might or who can sue them, but while they can and often do win most of their cases or settle out of court, what happens to their reputation?

When you look at some of the data breaches that happened last year, true enough, we really do not know the true cause and we probably never will unless insiders tell the story, but when you hear about HOW Target was hacked or J.P. Morgan Chase, NOAA, public school systems, NVIDIA, SONY, hospitals and other health related organizations, carwashes and other companies that use PCAnywhere for remote access with the default passwords hard coded, Jimmy John's because they were using POS equipment that should not have been used and their QSA was on a blacklist... some of them happened because of bad administrative/technical management, warnings that were ignored. Somebody made those decisions that cost real people money, but those real people and their money are not figured into those Risk Analysis and Cost Benefit Analysis.

So yeah, I'd like to see the responsibility placed at the feet of whoever that person is, whether it's the CISO because he's not trying hard enough or the higher level folks who took that decision away from the CISO, or, like Target did (even though what they did was a cop out), they fired the top IT person, who, when you look at her qualifications, it can be argued probably shouldn't have had that job in the first place.

But in the end when that Risk Analysis or Cost Benefit Analysis is done, and the numbers work a certain way... is it worth the reputation of your company to save the money versus doing what's right? If it's a publicly traded company I already know the answer to that.
CarricDooley
User Rank: Apprentice
1/22/2015 | 11:32:55 AM
Re: I have a fourth idea!

I'll use a Risk Mgt analogy I like to share with clients:

At 42, 350 lbs, and 15+ years of a sedentary lifestyle, Biff has a big fat heart attack. Realizing that his life choices have created this situation, and he doesn't want to leave his wife and kids behind, he gets on a program to get back down to 210. His lipids and blood pressure are AWESOME, and Biff looks like $1m! On his way from the CrossFit gym one day, Biff is tragically hit and killed by a speeding submarine.

Who's at fault, and who do we send to jail?  The submariner may have even had malicious intent, but he's Syrian, and was driving remote control (hence how the submarine got on the highway in the first place).

Biff, in this case, was doing everything he could to improve his odds, but his luck ran out.  Should we pin this on him?

And honestly – yes, most of us aren't like Biff.  We are still ordering the "4x4 animal style" at the local In & Out, and rushing back home with chocolate shake in-tow, ignoring the potential consequences, but I don't think "poor dietary choice/security" should necessarily be illegal.  How often does the CISO even get to call the shots?  He's a little like Spiderman, except he gets the responsibility with very little power...

GonzSTL
User Rank: Ninja
1/21/2015 | 3:53:55 PM
Re: I have a fourth idea!
Idea 5. If the breach is a direct result of a bad decision, make that decision maker pay $$$. Although this is highly unlikely, just like ODA155, I would love to see that happen once.
ODA155
User Rank: Ninja
1/20/2015 | 1:01:30 PM
I have a fourth idea!
Idea 4. Send somebody to jail. SOMEBODY is responsible for the decisions that ultimately led to what we saw in 2014... and before. Speaking as a 13 year security professional, I would love to see that happen if only once.

