Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

// // //
05:50 PM
Philip Lieberman
Philip Lieberman
News Analysis-Security Now

'Good Enough' Probably Isn't

Enterprise cyber defense needs to get better unless we want to see the executive revolving door spin even faster.

For several years now, I have advocated that CEOs must begin acting as the Commander-in-Chief of cyber warfare for their companies. This role would involve the chief executive building resiliency into not only the business itself but also into IT, which is now key to the survival of the business.

But one after another, CEOs still follow the same IT security road of shame that the leadership of Target and other corporations have taken. The lesson is unmistakable: If you provide poor IT security to your customers, you will soon be looking for a new job.

More than a few companies have flawed and unethical business models wrapped into a highly polished patina of legitimacy and compelling imagery that takes them far... until that moment when the covers are pulled off of a company. The misdeeds and deceptions are not all that different from what's now publicly known about what was going on inside the largest financial institutions in the world leading up the financial meltdown in 2007/2008. ("Uh, we really didn't mean what we said about how those mortgages would perform over the next 30 years!")

The problem of poor internal security controls did not end with the financial meltdown. I will not forget speaking with a potential client from a company that had received numerous large fines for repeated IT security violations. As we discussed the pros and cons of one privileged identity management solution versus another, he became more and more agitated as I explained how one solution would help reduce the fines and breaches they've suffered (all public information).

In the end, he told me that I had no idea about how his company handles IT security, and that he was not interested in my suggestions. He then stormed out. Life is ironic: His company showed up in the national news about a month later for another major data breach that affected millions of consumers. This company did not buy my suggested security solution. They went with another "solution" because of that product's pretty interface.

I don't blame the employee. His senior management clearly did not provide the right criteria or incentives to purchase solutions that help with real IT security problems. And pretty user interfaces don't solve critical cybersecurity issues.

We work with a lot of great companies that have embraced acceptable loss as a reasonable and prudent strategy. Yet even with this approach, there is still sometimes bad news from IT about cyberattacks. But there are few surprises -- nor are there long periods of time where hackers nest in the environment and extract data at will.

The leadership of an organization must be up-to-date on cyber warfare threats and how the organization must prepare and operate to minimize losses. This does not mean leadership must know the deep dive details of specific threats, but they must understand how infiltration and exfiltration of data as well as destruction occurs in the cyber field.

Leadership must take action when presented with audit findings to terminate ongoing risks via both organizational changes and the implementation of technology as quickly as possible. Leadership should test the mitigations regularly to confirm the problems found have been resolved and more importantly, recheck the controls to assure that there is no backsliding to old destructive behavior.

There is a clear lack of visibility to the CEO and Board of Directors to the weaknesses and the inability of IT to manage risk and mitigate consequences to known outcomes. From a leadership point of view, many companies are running companies and government agencies with a ticking time bomb and no ability to stop it or reduce the consequences of a breach. Not all of the blame lies with IT, but senior leadership of companies are not building resiliency into their business operations when it comes to IT.

With more corporate board members now taking a hard look at information security, I predict we'll start seeing a revolving door of senior corporate leadership. Many executives will be forced to move on, simply because they don't "get it" when it comes to IT security.

Board level members know that security breaches are inevitable and they may be held liable for their failure to guide the company toward an operational posture that responds appropriately to cyberattacks. In this oversight role, the Board will push the CEO for answers on how the company can achieve acceptable losses via a cyber defense strategy. And while the concept of acceptable loss is not new for the CFO and CEO, when it comes to the spooky and complex world of IT, it appears there is a blind spot they're ignoring at the peril of their careers.

Related posts:

Philip Lieberman, noted cybersecurity expert and founder of Lieberman Software, has more than 30 years of experience in the software industry. He is frequently quoted by international business and mainstream media as well as industry news organizations, and has published numerous books and articles. Lieberman taught at UCLA, and has authored many computer science courses.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file