Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

// // //
05:50 PM
Philip Lieberman
Philip Lieberman
News Analysis-Security Now

'Good Enough' Probably Isn't

Enterprise cyber defense needs to get better unless we want to see the executive revolving door spin even faster.

For several years now, I have advocated that CEOs must begin acting as the Commander-in-Chief of cyber warfare for their companies. This role would involve the chief executive building resiliency into not only the business itself but also into IT, which is now key to the survival of the business.

But one after another, CEOs still follow the same IT security road of shame that the leadership of Target and other corporations have taken. The lesson is unmistakable: If you provide poor IT security to your customers, you will soon be looking for a new job.

More than a few companies have flawed and unethical business models wrapped into a highly polished patina of legitimacy and compelling imagery that takes them far... until that moment when the covers are pulled off of a company. The misdeeds and deceptions are not all that different from what's now publicly known about what was going on inside the largest financial institutions in the world leading up the financial meltdown in 2007/2008. ("Uh, we really didn't mean what we said about how those mortgages would perform over the next 30 years!")

The problem of poor internal security controls did not end with the financial meltdown. I will not forget speaking with a potential client from a company that had received numerous large fines for repeated IT security violations. As we discussed the pros and cons of one privileged identity management solution versus another, he became more and more agitated as I explained how one solution would help reduce the fines and breaches they've suffered (all public information).

In the end, he told me that I had no idea about how his company handles IT security, and that he was not interested in my suggestions. He then stormed out. Life is ironic: His company showed up in the national news about a month later for another major data breach that affected millions of consumers. This company did not buy my suggested security solution. They went with another "solution" because of that product's pretty interface.

I don't blame the employee. His senior management clearly did not provide the right criteria or incentives to purchase solutions that help with real IT security problems. And pretty user interfaces don't solve critical cybersecurity issues.

We work with a lot of great companies that have embraced acceptable loss as a reasonable and prudent strategy. Yet even with this approach, there is still sometimes bad news from IT about cyberattacks. But there are few surprises -- nor are there long periods of time where hackers nest in the environment and extract data at will.

The leadership of an organization must be up-to-date on cyber warfare threats and how the organization must prepare and operate to minimize losses. This does not mean leadership must know the deep dive details of specific threats, but they must understand how infiltration and exfiltration of data as well as destruction occurs in the cyber field.

Leadership must take action when presented with audit findings to terminate ongoing risks via both organizational changes and the implementation of technology as quickly as possible. Leadership should test the mitigations regularly to confirm the problems found have been resolved and more importantly, recheck the controls to assure that there is no backsliding to old destructive behavior.

There is a clear lack of visibility to the CEO and Board of Directors to the weaknesses and the inability of IT to manage risk and mitigate consequences to known outcomes. From a leadership point of view, many companies are running companies and government agencies with a ticking time bomb and no ability to stop it or reduce the consequences of a breach. Not all of the blame lies with IT, but senior leadership of companies are not building resiliency into their business operations when it comes to IT.

With more corporate board members now taking a hard look at information security, I predict we'll start seeing a revolving door of senior corporate leadership. Many executives will be forced to move on, simply because they don't "get it" when it comes to IT security.

Board level members know that security breaches are inevitable and they may be held liable for their failure to guide the company toward an operational posture that responds appropriately to cyberattacks. In this oversight role, the Board will push the CEO for answers on how the company can achieve acceptable losses via a cyber defense strategy. And while the concept of acceptable loss is not new for the CFO and CEO, when it comes to the spooky and complex world of IT, it appears there is a blind spot they're ignoring at the peril of their careers.

Related posts:

Philip Lieberman, noted cybersecurity expert and founder of Lieberman Software, has more than 30 years of experience in the software industry. He is frequently quoted by international business and mainstream media as well as industry news organizations, and has published numerous books and articles. Lieberman taught at UCLA, and has authored many computer science courses.

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-06-28
Wasmtime is a standalone runtime for WebAssembly. In affected versions wasmtime's implementation of the SIMD proposal for WebAssembly on x86_64 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The aarch64 implementation of the simd proposal is not affected. The bugs...
PUBLISHED: 2022-06-28
Benjamin BALET Jorani v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at application/controllers/Leaves.php.
PUBLISHED: 2022-06-28
Benjamin BALET Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Comment parameter at application/controllers/Leaves.php.
PUBLISHED: 2022-06-28
Benjamin BALET Jorani v1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /application/controllers/Users.php.
PUBLISHED: 2022-06-27
rulex is a new, portable, regular expression language. When parsing untrusted rulex expressions, the stack may overflow, possibly enabling a Denial of Service attack. This happens when parsing an expression with several hundred levels of nesting, causing the process to abort immediately. This is a s...