Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

10/16/2018
09:35 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

Security Needs to Start Speaking the Language of Business

At the Gartner Symposium/ITXPO, upcoming security trends for the next year include learning to speak the language of business.

ORLANDO, Fla. -- Gartner Symposium/ITXPO -- The good news for enterprise security teams is that executives and board members are starting to pay attention to a range of issues, from cyberattacks to data leaks to privacy.

The bad news is that executives and company board members are starting to pay attention to security and want answers.

What can security pros, InfoSec teams and CISOs do? For starters, they can learn the language of business to communicate better with C-Suite executives. Through a better understanding of the enterprise, security can learn how tolerant executives are to risk and how security can help the organization achieve its financial goals.

At the start of the show here on October 15, Gartner analyst Peter Firstbrook looked at several security trends that enterprises of all sizes will face in the next several years. Better communication between security and company executives topped the list.

Gartner analyst Peter Firstbrook\r\n(Source: Scott Ferguson for Security Now)\r\n
Gartner analyst Peter Firstbrook
\r\n(Source: Scott Ferguson for Security Now)\r\n

"Security teams have to change in order to respond to this trend," Firstbrook said.

What's driving this new-found interest in security are the daily headlines about the latest breach or attack. Firstbrook used examples ranging from the Equifax breach last year, to Verizon getting a $350 million discount on its acquisition of Yahoo thanks to data leaks at the company. (See Second Equifax Employee Facing Insider Trading Charges.)

Then there's ransomware, especially WannaCry, which cost businesses between $1.5 billion and $4 billion to recover from in 2017. (See WannaCry: How the Notorious Worm Changed Ransomware.)

Taken together, all these incidents have enterprises thinking more about security, but all parts of the business need to communicate to better respond to cyberthreats.

"Part of the problem is that security doesn't really speak the language of business, and the business doesn't speak the language of security, and so the security organization needs to change the way they talk to the business," Firstbrook said. "They need to understand the business risk appetite and that it's OK for the business to take risks -- that's what they do all the time. They just need to understand from security what risk they are taking, and accept that risk. Our job as security practitioners is to explain to them what can possibly go wrong, what can we do to fix it, how much it might cost to fix it and then let them decide what to do."

There are several different ways to improve communication between security and the executive team. These can include hiring consults to help bridge the communication gap, and explaining why investing in better and more secure technology can help the bottom line.

An example Firstbrook used is one company wanting to upgrade to Windows 10, which offers better security, but would require a major investment. The security team explained to the CEO how the newer version of Windows could protect against ransomware that could affect the sales cycle. In the end, the company upgraded.

Firstbrook also encouraged security teams to expand by using a combination of internal recruitment and training, investment in cloud-based security tools and automation, and outsourcing some security tasks when needed.

In addition to improved communication, Firstbrook noted in his presentation that security faces a host of other challenges in the coming years. These include:

  • Legal and other compliance and regulatory rules that are affecting digital transformation plans, as well as increasing liability as enterprises are under more pressure to protect their data.
  • Security services and tools increasingly moving to the cloud, and how enterprises can take advantage of these new services.
  • Advancements in machine learning that are helping with some tasks but still require humans to make final decisions about security.
  • Security decisions that are being made against a backdrop of geopolitical uncertainty.
  • The centralization and concentration of businesses into a handful of companies. This requires a decentralized approach for security that includes technology such as blockchain and peer-to-peer networks.

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5669
PUBLISHED: 2021-10-26
Cross-site scripting vulnerability in Movable Type Movable Type Premium 1.37 and earlier and Movable Type Premium Advanced 1.37 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
CVE-2021-40343
PUBLISHED: 2021-10-26
An issue was discovered in Nagios XI 5.8.5. Insecure file permissions on the nagios_unbundler.py file allow the nagios user to elevate their privileges to the root user.
CVE-2021-40344
PUBLISHED: 2021-10-26
An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote command execution.
CVE-2021-40345
PUBLISHED: 2021-10-26
An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands.
CVE-2021-42343
PUBLISHED: 2021-10-26
An issue was discovered in Dask (aka python-dask) through 2021.09.1. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (ty...