Rich Armour
Are We Secure Yet? How to Build a 'Post-Breach' Culture

There are many ways to improve your organization's cybersecurity practices, but the most important principle is to start from the top.

Are we secure yet? I was asked this question in a board meeting many years ago. The way it was phrased implied that getting secure is a task to be completed. Managing cybersecurity is actually more like doing the laundry, in that it's never finished. So, are we secure yet? The answer is an emphatic "No!" And we collectively never will be secure. However, we can and must apply rigorous risk management processes, innovative control technologies, and talented teams to our cybersecurity challenges.

The subject of this discussion is your organization's cybersecurity culture. It is one of the most critical elements of a successful cybersecurity program and yet one of the most difficult to define, measure, and improve. Over the past decade, we have witnessed a constant cadence of major cyberattacks. The majority of these were cases in which the victims were required to disclose the event by statute or regulation. Others were disclosed as a result of highly visible business disruptions caused by the attack. Many of these were data breaches involving over 100 million records (for example, Target, eBay, Equifax, Capital One, Marriott, etc.), while others were ransomware attacks resulting in major disruption to their victims' businesses (such as Maersk and the city government of Atlanta).

These attacks were costly and traumatic for the victim organizations but also had at least one positive result: They transformed the organization's cybersecurity culture. The change in attitudes about cybersecurity in these cases can be dramatic. One CIO shared that a security investment decision that once would have taken weeks or even months to make now, after the company's recent breach, required only a short call or quick meeting.

The value of a strong "post-breach" cybersecurity culture is material. According to the "2018 Cost of Data Breach Study: Impact of Business Continuity Management" from the Ponemon Institute, "The larger the data breach, the less likely the organization will have another breach in the next 24 months." In fact, organizations that experience a breach of 100,000 or more records reduce their probability of experiencing another data breach in that time frame from 0.279 to 0.015! With the cost of a major breach or attack being measured in the hundreds of millions of dollars, achieving a post-breach cybersecurity culture without experiencing the trauma and impacts of a breach can be a huge benefit for the enterprise.

Measuring Security Culture
How we measure and improve an enterprise's security culture starts with a discussion of the degree to which leaders, employees, users, vendors, and even customers are aware of and regularly follow effective cybersecurity best practices in seven key areas.

1. Board Expertise and Structure
Boards can play a key role in setting priorities for cybersecurity risk management and ensuring those priorities are being addressed. Having board members who are familiar with cybersecurity issues or have managed cyber-risk in their careers is certainly a plus. Committee structure can also play a key role. Boards generally have agendas packed with mandatory governance topics so establishing a risk committee or, better yet, a cybersecurity committee to focus on cyber issues can be a useful approach for getting the limited number of board members with cyber expertise to focus on the cybersecurity program. Board interest in cyber drives the priorities and intensity of activity throughout the organization and sends a clear message to business leaders that effective management of cybersecurity risks is a key priority.

2. CEO Engagement and Leadership
One criticism of CEOs at victim organizations is that they often lack the expertise and focus to effectively drive cybersecurity programs. Establishing a CEO-chaired cybersecurity management review on a regular basis (at least quarterly) is a powerful statement to senior leadership that cyber-risks are top of mind and high enough in the CEO's priorities to allocate significant time to understand and drive the topic. Regular communication from the CEO highlighting the critical role that effective security practices play in the performance and long-term growth of the business is extremely valuable in driving a strong cybersecurity culture.

3. Senior Executive Engagement and Leadership
In most enterprises, the technology organization, led by the CIO, oversees cybersecurity and plays a key role in implementation of effective controls. From networks to client devices to data centers, the technology organization is often the arms and legs of the cybersecurity team to ensure holistic coverage and efficacy of those controls. The CIO sets the tone for how important these controls are relative to other technology priorities such as enabling business innovation and ensuring application reliability. Having regular reviews of the cybersecurity program with the full technology leadership team, designating cybersecurity as a strategic imperative, and devoting significant airtime to cybersecurity topics at employee meetings is a good start.

4. Ecosystem vs. the Enterprise
Few enterprises function independently of suppliers, customers, dealers or retailers, third-party service providers, and others who are not employees but nonetheless interact with the enterprise's technology resources. Policies, communication initiatives, contractual provisions, and cybersecurity assessments are a few of the mechanisms that can be used to expand cybersecurity best practices throughout the ecosystem.

5. Awareness & Training
Ensuring everyone in the ecosystem understands how to apply cybersecurity best practices when using technology is essential. Annual training for all users is the minimum, but that training needs to be continuously refreshed to stay current with the rapidly changing cybersecurity threat landscape and use senior leadership messaging to underscore its importance to the organization. Tailored training for special groups such as software developers, network administrators, and infrastructure managers is also valuable to communicate best practices or technical details applicable to those roles. An additional awareness mechanism I've used in the past is pushing a daily cyber intelligence synopsis out to senior leadership. This type of messaging includes three or four major cybersecurity news items each day in terms that the business can understand and that offer context about how the items relate to the organization.

6. Post-Mortems with Other Attack Victims
Engaging companies that have suffered a major attack is yet another great tactic to gain insights into new threats and organizational controls. Often, these discussions may be under a nondisclosure agreement, but the corrective actions, or confirmation that your controls coverage is already adequate, are well worth the effort.

7. Closing the Loop
Every user who fails to follow cyber best practices when using the organization's cyber assets poses a risk to the enterprise. Holding individuals and organizations accountable for their cyber behaviors puts the organization on notice that cybersecurity behavior gaps will be transparent to leadership. Periodic penetration testing is an essential tool to provide a reality check and validate cybersecurity controls coverage and efficacy. Presenting the results of these tests up through leadership to the board of directors ensures the entire management chain is informed and can help drive any required remediation activity.

Organizations that behave like a victim of a major cyberattack can help themselves avoid actually becoming a victim of one. Implement a post-breach culture now. Don't wait for the threat actors to do it for you.


Rich Armour is currently an advisor to Nozomi Networks. Rich was most recently the chief information security officer (CISO) at General Motors. As a senior CISO and technology executive, Rich has deep experience in cybersecurity and information technology leadership and ...
