Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

End of Bibblio RCM includes -->
8/21/2017
05:50 PM
Philip Lieberman
Philip Lieberman
News Analysis-Security Now

'Good Enough' Probably Isn't

Enterprise cyber defense needs to get better unless we want to see the executive revolving door spin even faster.

For several years now, I have advocated that CEOs must begin acting as the Commander-in-Chief of cyber warfare for their companies. This role would involve the chief executive building resiliency into not only the business itself but also into IT, which is now key to the survival of the business.

But one after another, CEOs still follow the same IT security road of shame that the leadership of Target and other corporations have taken. The lesson is unmistakable: If you provide poor IT security to your customers, you will soon be looking for a new job.

More than a few companies have flawed and unethical business models wrapped into a highly polished patina of legitimacy and compelling imagery that takes them far... until that moment when the covers are pulled off of a company. The misdeeds and deceptions are not all that different from what's now publicly known about what was going on inside the largest financial institutions in the world leading up the financial meltdown in 2007/2008. ("Uh, we really didn't mean what we said about how those mortgages would perform over the next 30 years!")

The problem of poor internal security controls did not end with the financial meltdown. I will not forget speaking with a potential client from a company that had received numerous large fines for repeated IT security violations. As we discussed the pros and cons of one privileged identity management solution versus another, he became more and more agitated as I explained how one solution would help reduce the fines and breaches they've suffered (all public information).

In the end, he told me that I had no idea about how his company handles IT security, and that he was not interested in my suggestions. He then stormed out. Life is ironic: His company showed up in the national news about a month later for another major data breach that affected millions of consumers. This company did not buy my suggested security solution. They went with another "solution" because of that product's pretty interface.

I don't blame the employee. His senior management clearly did not provide the right criteria or incentives to purchase solutions that help with real IT security problems. And pretty user interfaces don't solve critical cybersecurity issues.

We work with a lot of great companies that have embraced acceptable loss as a reasonable and prudent strategy. Yet even with this approach, there is still sometimes bad news from IT about cyberattacks. But there are few surprises -- nor are there long periods of time where hackers nest in the environment and extract data at will.

The leadership of an organization must be up-to-date on cyber warfare threats and how the organization must prepare and operate to minimize losses. This does not mean leadership must know the deep dive details of specific threats, but they must understand how infiltration and exfiltration of data as well as destruction occurs in the cyber field.

Leadership must take action when presented with audit findings to terminate ongoing risks via both organizational changes and the implementation of technology as quickly as possible. Leadership should test the mitigations regularly to confirm the problems found have been resolved and more importantly, recheck the controls to assure that there is no backsliding to old destructive behavior.

There is a clear lack of visibility to the CEO and Board of Directors to the weaknesses and the inability of IT to manage risk and mitigate consequences to known outcomes. From a leadership point of view, many companies are running companies and government agencies with a ticking time bomb and no ability to stop it or reduce the consequences of a breach. Not all of the blame lies with IT, but senior leadership of companies are not building resiliency into their business operations when it comes to IT.

With more corporate board members now taking a hard look at information security, I predict we'll start seeing a revolving door of senior corporate leadership. Many executives will be forced to move on, simply because they don't "get it" when it comes to IT security.

Board level members know that security breaches are inevitable and they may be held liable for their failure to guide the company toward an operational posture that responds appropriately to cyberattacks. In this oversight role, the Board will push the CEO for answers on how the company can achieve acceptable losses via a cyber defense strategy. And while the concept of acceptable loss is not new for the CFO and CEO, when it comes to the spooky and complex world of IT, it appears there is a blind spot they're ignoring at the peril of their careers.

Related posts:

Philip Lieberman, noted cybersecurity expert and founder of Lieberman Software, has more than 30 years of experience in the software industry. He is frequently quoted by international business and mainstream media as well as industry news organizations, and has published numerous books and articles. Lieberman taught at UCLA, and has authored many computer science courses.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-1678
PUBLISHED: 2022-05-25
An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP pacing can lead to memory/netns leak, which can be used by remote clients.
CVE-2021-32966
PUBLISHED: 2022-05-25
Philips Interoperability Solution XDS versions 2.5 through 3.11 and 2018-1 through 2021-1 are vulnerable to clear text transmission of sensitive information when configured to use LDAP via TLS and where the domain controller returns LDAP referrals, which may allow an attacker to remotely read LDAP s...
CVE-2021-32989
PUBLISHED: 2022-05-25
When a non-existent resource is requested, the LCDS LAquis SCADA application (version 4.3.1.1011 and prior) returns error messages which may allow reflected cross-site scripting.
CVE-2021-32997
PUBLISHED: 2022-05-25
The affected Baker Hughes Bentley Nevada products (3500 System 1 6.x, Part No. 3060/00 versions 6.98 and prior, 3500 System 1, Part No. 3071/xx & 3072/xx versions 21.1 HF1 and prior, 3500 Rack Configuration, Part No. 129133-01 versions 6.4 and prior, and 3500/22M Firmware, Part No. 288055-01 ver...
CVE-2021-35487
PUBLISHED: 2022-05-25
Nokia Broadcast Message Center through 11.1.0 allows an authenticated user to perform a Boolean Blind SQL Injection attack on the endpoint /owui/block/send-receive-updates (for the Manage Alerts page) via the extIdentifier HTTP POST parameter. This allows an attacker to obtain the database user, dat...