
Vulnerabilities / Threats

4/12/2016 12:30 PM
Tom Bowers
Commentary

Managing The Message Before The Breach

No leader wants to see their company exploited by creative cyber villains. Here's how CISOs can stay ahead of the game with a strategic plan.

Data breaches are costly, high-profile incidents. CEOs are more concerned today than ever before, and the threat is only getting worse. In fact, the number of records compromised as a result of hacking or malware attacks in 2015 grew by more than 128% over the previous year, according to information compiled by Privacy Rights Clearinghouse. 

Given the loss potential and headline-making nature of a major data breach, it’s no surprise that cybersecurity has become a boardroom topic. No leader wants to see their company exploited by creative cyber villains. As a result, senior executives are looking to CISOs for forward-looking insight and proactive action. For their influence to grow, CISOs must be prepared to articulate and to defend their strategic plan. And the best way to do that is to manage the message before the breach happens.

Beyond Compliance

Regulations play an important role in protecting information. HIPAA, PCI-DSS, FISMA, and other industry standards help to ensure appropriate measures are in place to handle, transmit, and store company and consumer data properly. Complying with standards is non-negotiable, but it’s only the beginning.

Compliance-based security models are presumptive and can give senior management an artificial sense of security. Controls are defined based on known issues and change slowly over time. But new malware variants are created almost daily. According to recent data from Symantec, there were 19.2 million new malware variants discovered just in the month of February 2016. 

While a control may protect against today’s threats, it may prove to be ineffective one month, six months, or a year from now. Meeting the requirements of standards is essential. But relying solely on compliance with a standard as the measure of your security program is risky, because compliance-based models are too rigid to address new threats as they emerge.

Risk and Reasonableness

Without question, cyberattacks pose a significant risk to every company, causing problems ranging anywhere from annoyance, lost productivity, and disrupted operations to stolen records, lost revenue, a tarnished brand image, and expensive lawsuits—as well as many points in between.

Last December, Reuters reported that Target had so far spent $290 million related to its well-publicized 2013 data breach, and more shareholder lawsuits were still pending.

But business risk is gray and malleable, not black and white. It’s different for each business, which is one reason companies should not rely on compliance alone. Every organization must assess the risk of a data breach based on the nature of its business and industry requirements and implement “reasonable” security measures to protect its information assets.

While the concept of reasonableness is somewhat subjective, the questions for CISOs to ponder are these: Does my security program constitute reasonable protections for a company in my industry and would the legal system agree? If my company is breached, and I have to explain my actions a year from now in front of a court, will those actions show that I did what was reasonable to protect my company’s information assets?


To answer these questions, CISOs should establish an InfoSec program based on a proven framework, such as ISO 27001, COBIT, NIST, or COSO, and develop a clear implementation roadmap. Using a framework as a best practices guide, CISOs can implement effective internal controls and manage risk. And by developing a roadmap, CISOs are able to track activities over time, to adjust priorities and make course corrections as needed, and to report progress and status to senior management and the board with confidence. 

Communication

The cyber-threat map is always changing. New threats continue to emerge from both inside and outside organizations. And senior management must be apprised of the risks.

In order to manage the message before the breach, CISOs must communicate regularly with senior management and do so in business terms. By explaining threats in the context of business impact, CISOs are able to communicate more effectively with their senior counterparts.

But managing the message before the breach also means CISOs must take a hard look at their InfoSec program. Is it built on a proven framework? Does it address industry mandates for information security? Would it be considered reasonable if challenged? Is there a well-defined implementation plan and can it be articulated?

Answering these and other questions before a breach occurs could make all the difference.


With 30 years of experience in the field of computer technology and information systems, Tom Bowers has served as the chief architect for information security structures and protections in numerous industries. He brings a real-world, pragmatic approach to the business of ...