
1/20/2020, 11:00 AM
Rich Armour
Commentary
Are We Secure Yet? How to Build a 'Post-Breach' Culture

There are many ways to improve your organization's cybersecurity practices, but the most important principle is to start from the top.

Are we secure yet? I was asked this question in a board meeting many years ago. The way it was phrased implied that getting secure is a task to be completed. Managing cybersecurity is actually more like doing the laundry, in that it is never finished. So, are we secure yet? The answer is an emphatic "No!" And collectively we never will be. However, we can and must apply rigorous risk management processes, innovative control technologies, and talented teams to our cybersecurity challenges.

The subject of this discussion is your organization's cybersecurity culture. It is one of the most critical elements of a successful cybersecurity program and yet one of the most difficult to define, measure, and improve. Over the past decade, we have witnessed a constant cadence of major cyberattacks. The majority of these were cases in which the victims were required to disclose the event by statute or regulation. Others were disclosed as a result of highly visible business disruptions caused by the attack. Many of these were data breaches involving over 100 million records (for example, Target, eBay, Equifax, Capital One, Marriott, etc.) while others were ransomware attacks resulting in major disruption to their victim's businesses (such as Maersk and the city government of Atlanta).

These attacks were costly and traumatic for the victim organizations but also had at least one positive result: They transformed the organization's cybersecurity culture. The change in attitudes about cybersecurity in these cases can be dramatic. One CIO shared that a security investment decision that once would have taken weeks or even months to make now, after the company's recent breach, required only a short call or quick meeting.

The value of a strong "post-breach" cybersecurity culture is material. According to the "2018 Cost of Data Breach Study: Impact of Business Continuity Management" from the Ponemon Institute, "The larger the data breach, the less likely the organization will have another breach in the next 24 months." In fact, organizations that experience a breach of 100,000 or more records reduce their probability of experiencing another data breach in that time frame from 0.279 to 0.015! With the cost of a major breach or attack being measured in the hundreds of millions of dollars, achieving a post-breach cybersecurity culture without experiencing the trauma and impacts of a breach can be a huge benefit for the enterprise.

Measuring Security Culture
How we measure and improve an enterprise's security culture starts with a discussion of the degree to which leaders, employees, users, vendors, and even customers are aware of and regularly follow effective cybersecurity best practices in seven key areas.

1. Board Expertise and Structure
Boards can play a key role in setting priorities for cybersecurity risk management and ensuring those priorities are being addressed. Having board members who are familiar with cybersecurity issues or have managed cyber-risk in their careers is certainly a plus. Committee structure can also play a key role. Boards generally have agendas packed with mandatory governance topics, so establishing a risk committee or, better yet, a cybersecurity committee to focus on cyber issues can be a useful way to get the limited number of board members with cyber expertise focused on the cybersecurity program. Board interest in cyber drives the priorities and intensity of activity throughout the organization and sends a clear message to business leaders that effective management of cybersecurity risk is a key priority.

2. CEO Engagement and Leadership
One criticism of CEOs at victim organizations is that they often lack the expertise and focus to effectively drive cybersecurity programs. Establishing a CEO-chaired cybersecurity management review on a regular basis (at least quarterly) is a powerful statement to senior leadership that cyber-risks are top of mind and high enough among the CEO's priorities to warrant significant time to understand and drive the topic. Regular communication from the CEO highlighting the critical role that effective security practices play in the performance and long-term growth of the business is extremely valuable in building a strong cybersecurity culture.

3. Senior Executive Engagement and Leadership
In most enterprises, the technology organization, led by the CIO, oversees cybersecurity and plays a key role in implementing effective controls. From networks to client devices to data centers, the technology organization is often the arms and legs of the cybersecurity team, ensuring holistic coverage and efficacy of those controls. The CIO sets the tone for how important these controls are relative to other technology priorities such as enabling business innovation and ensuring application reliability. Regular reviews of the cybersecurity program with the full technology leadership team, designating cybersecurity as a strategic imperative, and devoting significant airtime to cybersecurity topics at employee meetings are a good start.

4. Ecosystem vs. the Enterprise
Few enterprises function independently of suppliers, customers, dealers or retailers, third-party service providers, and others who are not employees but nonetheless interact with the enterprise's technology resources. Policies, communication initiatives, contractual provisions, and cybersecurity assessments are a few of the mechanisms that can be used to extend cybersecurity best practices throughout the ecosystem.

5. Awareness & Training
Ensuring everyone in the ecosystem understands how to apply cybersecurity best practices when using technology is essential. Annual training for all users is the minimum, but that training needs to be continuously refreshed to stay current with the rapidly changing threat landscape, and it should be reinforced by senior leadership messaging that underscores its importance to the organization. Tailored training for special groups such as software developers, network administrators, and infrastructure managers is also valuable for communicating best practices or technical details applicable to those roles. An additional awareness mechanism I've used in the past is pushing a daily cyber intelligence synopsis out to senior leadership. This type of messaging includes three or four major cybersecurity news items each day, written in terms the business can understand and with context on how each item relates to the organization.

6. Post-Mortems with Other Attack Victims
Engaging companies that have suffered a major attack is yet another great tactic for gaining insight into new threats and the organizational controls that counter them. These discussions may often be held under a nondisclosure agreement, but the corrective actions they yield, or confirmation that your control coverage is already adequate, are well worth the effort.

7. Closing the Loop
Every user who fails to follow cyber best practices when using the organization's cyber assets poses a risk to the enterprise. Holding individuals and organizations accountable for their cyber behavior puts the organization on notice that cybersecurity behavior gaps will be visible to leadership. Periodic penetration testing is an essential tool for providing a reality check and validating the coverage and efficacy of cybersecurity controls. Presenting the results of these tests up through leadership to the board of directors ensures the entire management chain is informed and can help drive any required remediation.

Organizations that behave like a victim of a major cyberattack can help themselves avoid actually becoming a victim of one. Implement a post-breach culture now. Don't wait for the threat actors to do it for you.


Rich Armour is currently an advisor to Nozomi Networks. Rich was most recently the chief information security officer (CISO) at General Motors. As a senior CISO and technology executive, Rich has deep experience in cybersecurity and information technology leadership.