Dark Reading is part of the Informa Tech Division of Informa PLC



12:30 PM
Tom Bowers

Managing The Message Before The Breach

No leader wants to see their company exploited by creative cyber villains. Here's how CISOs can stay ahead of the game with a strategic plan.

Data breaches are costly, high-profile incidents. CEOs are more concerned today than ever before, and the threat is only getting worse. In fact, the number of records compromised as a result of hacking or malware attacks in 2015 grew by more than 128% over the previous year, according to information compiled by Privacy Rights Clearinghouse. 

Given the loss potential and headline-making nature of a major data breach, it’s no surprise that cybersecurity has become a boardroom topic. No leader wants to see their company exploited by creative cyber villains. As a result, senior executives are looking to CISOs for forward-looking insight and proactive action. For their influence to grow, CISOs must be prepared to articulate and to defend their strategic plan. And the best way to do that is to manage the message before the breach happens.

Beyond Compliance

Regulations play an important role in protecting information. HIPAA, PCI-DSS, FISMA, and other industry standards help to ensure appropriate measures are in place to handle, transmit, and store company and consumer data properly. Complying with standards is non-negotiable, but it’s only the beginning.

Compliance-based security models presume that the threats already catalogued are the ones that matter, and so they can give senior management an artificial sense of security. Controls are defined based on known issues and change slowly over time. But new malware variants are created almost daily. According to recent data from Symantec, there were 19.2 million new malware variants discovered just in the month of February 2016.

While a control may protect against today’s threats, it may prove to be ineffective one month, six months, or a year from now. Meeting the requirements of standards is essential. But relying solely on compliance with a standard as the measure of your security program is risky, because compliance-based models are too rigid to address new threats as they emerge.

Risk and Reasonableness

Without question, cyberattacks pose a significant risk to every company, causing problems ranging anywhere from annoyance, lost productivity, and disrupted operations to stolen records, lost revenue, a tarnished brand image, and expensive lawsuits—as well as many points in between.

Last December, Reuters reported that Target had so far spent $290 million related to its well-publicized 2013 data breach, and that more shareholder lawsuits were still pending.

But business risk is gray and malleable, not black and white. It’s different for each business, which is one reason companies should not rely on compliance alone. Every organization must assess the risk of a data breach based on the nature of its business and industry requirements and implement “reasonable” security measures to protect its information assets.

While the concept of reasonableness is somewhat subjective, the questions for CISOs to ponder are these: Does my security program constitute reasonable protections for a company in my industry and would the legal system agree? If my company is breached, and I have to explain my actions a year from now in front of a court, will those actions show that I did what was reasonable to protect my company’s information assets?



To answer these questions, CISOs should establish an InfoSec program based on a proven framework, such as ISO 27001, COBIT, NIST, or COSO, and develop a clear implementation roadmap. Using a framework as a best practices guide, CISOs can implement effective internal controls and manage risk. And by developing a roadmap, CISOs are able to track activities over time, to adjust priorities and make course corrections as needed, and to report progress and status to senior management and the board with confidence. 


The cyber-threat map is always changing. New threats continue to emerge from both inside and outside organizations. And senior management must be apprised of the risks.

In order to manage the message before the breach, CISOs must communicate regularly with senior management and do so in business terms. By explaining threats in the context of business impact, CISOs are able to communicate more effectively with their senior counterparts.

But managing the message before the breach also means CISOs must take a hard look at their InfoSec program. Is it built on a proven framework? Does it address industry mandates for information security? Would it be considered reasonable if challenged? Is there a well-defined implementation plan and can it be articulated?

Answering these and other questions before a breach occurs could make all the difference.

With 30 years of experience in the field of computer technology and information systems, Tom Bowers has served as the chief architect for information security structures and protections in numerous industries. He brings a real-world, pragmatic approach to the business of ...
