Dark Reading | Risk | Commentary
1/20/2020 11:00 AM
Rich Armour

Are We Secure Yet? How to Build a 'Post-Breach' Culture

There are many ways to improve your organization's cybersecurity practices, but the most important principle is to start from the top.

Are we secure yet? I was asked this question in a board meeting many years ago. The way it was phrased implied that getting secure is a task to be completed. Managing cybersecurity is actually more like doing the laundry, in that it's never finished. So, are we secure yet? The answer is an emphatic "No!" And we collectively never will be secure. However, we can and must apply rigorous risk management processes, innovative control technologies, and talented teams to our cybersecurity challenges.

The subject of this discussion is your organization's cybersecurity culture. It is one of the most critical elements of a successful cybersecurity program and yet one of the most difficult to define, measure, and improve. Over the past decade, we have witnessed a constant cadence of major cyberattacks. The majority of these were cases in which the victims were required to disclose the event by statute or regulation. Others were disclosed as a result of highly visible business disruptions caused by the attack. Many of these were data breaches involving over 100 million records (for example, Target, eBay, Equifax, Capital One, Marriott, etc.), while others were ransomware attacks resulting in major disruption to their victims' businesses (such as Maersk and the city government of Atlanta).

These attacks were costly and traumatic for the victim organizations but also had at least one positive result: They transformed the organizations' cybersecurity culture. The change in attitudes about cybersecurity in these cases can be dramatic. One CIO shared that a security investment decision that once would have taken weeks or even months to make now, after the company's recent breach, required only a short call or quick meeting.

The value of a strong "post-breach" cybersecurity culture is material. According to the "2018 Cost of Data Breach Study: Impact of Business Continuity Management" from the Ponemon Institute, "The larger the data breach, the less likely the organization will have another breach in the next 24 months." In fact, organizations that experience a breach of 100,000 or more records reduce their probability of experiencing another data breach in that time frame from 0.279 to 0.015! With the cost of a major breach or attack being measured in the hundreds of millions of dollars, achieving a post-breach cybersecurity culture without experiencing the trauma and impacts of a breach can be a huge benefit for the enterprise.

Measuring Security Culture
How we measure and improve an enterprise's security culture starts with a discussion of the degree to which leaders, employees, users, vendors, and even customers are aware of and regularly follow effective cybersecurity best practices in seven key areas.

1. Board Expertise and Structure
Boards can play a key role in setting priorities for cybersecurity risk management and ensuring those priorities are being addressed. Having board members who are familiar with cybersecurity issues or have managed cyber-risk in their careers is certainly a plus. Committee structure can also play a key role. Boards generally have agendas packed with mandatory governance topics so establishing a risk committee or, better yet, a cybersecurity committee to focus on cyber issues can be a useful approach for getting the limited number of board members with cyber expertise to focus on the cybersecurity program. Board interest in cyber drives the priorities and intensity of activity throughout the organization and sends a clear message to business leaders that effective management of cybersecurity risks is a key priority.

2. CEO Engagement and Leadership
One criticism of CEOs at victim organizations is that they often lack the expertise and focus to effectively drive cybersecurity programs. Establishing a CEO-chaired cybersecurity management review on a regular basis (at least quarterly) is a powerful statement to senior leadership that cyber-risks are top of mind and high enough in the CEO's priorities to allocate significant time to understand and drive the topic. Regular communication from the CEO highlighting the critical role that effective security practices play in the performance and long-term growth of the business is extremely valuable in driving a strong cybersecurity culture.

3. Senior Executive Engagement and Leadership
In most enterprises, the technology organization, led by the CIO, oversees cybersecurity and plays a key role in the implementation of effective controls. From networks to client devices to data centers, the technology organization is often the arms and legs of the cybersecurity team, ensuring holistic coverage and efficacy of those controls. The CIO sets the tone for how important these controls are relative to other technology priorities such as enabling business innovation and ensuring application reliability. Holding regular reviews of the cybersecurity program with the full technology leadership team, designating cybersecurity as a strategic imperative, and devoting significant airtime to cybersecurity topics at employee meetings is a good start.

4. Ecosystem vs. the Enterprise
Few enterprises function independently of suppliers, customers, dealers or retailers, third-party service providers, and others who are not employees but nonetheless interact with the enterprise's technology resources. Policies, communication initiatives, contractual provisions, and cybersecurity assessments are a few of the mechanisms that can be used to extend cybersecurity best practices throughout the ecosystem.

5. Awareness & Training
Ensuring everyone in the ecosystem understands how to apply cybersecurity best practices when using technology is essential. Annual training for all users is the minimum, but that training needs to be continuously refreshed to stay current with the rapidly changing cybersecurity threat landscape, and it should use senior leadership messaging to underscore its importance to the organization. Tailored training for special groups such as software developers, network administrators, and infrastructure managers is also valuable to communicate best practices or technical details applicable to those roles. An additional awareness mechanism I've used in the past is pushing a daily cyber intelligence synopsis out to senior leadership. This type of messaging includes three or four major cybersecurity news items each day, in terms that the business can understand and with context about how the items relate to the organization.

6. Post-Mortems with Other Attack Victims
Engaging companies that have suffered a major attack is yet another great tactic to gain insights into new threats and organizational controls. Often, these discussions may be under a nondisclosure agreement, but the corrective actions, or confirmation that your controls coverage is already adequate, are well worth the effort.

7. Closing the Loop
Every user who fails to follow cyber best practices when using the organization's cyber assets poses a risk to the enterprise. Holding individuals and organizations accountable for their cyber behaviors puts the organization on notice that cybersecurity behavior gaps will be transparent to leadership. Periodic penetration testing is an essential tool to provide a reality check and validate cybersecurity controls coverage and efficacy. Presenting the results of these tests up through leadership to the board of directors ensures the entire management chain is informed and can help drive any required remediation activity.

Organizations that behave like a victim of a major cyberattack can help themselves avoid actually becoming a victim of one. Implement a post-breach culture now. Don't wait for the threat actors to do it for you.


Rich Armour is currently an advisor to Nozomi Networks. Rich was most recently the chief information security officer (CISO) at General Motors. As a senior CISO and technology executive, Rich has deep experience in cybersecurity and information technology leadership.