
Commentary | Vulnerabilities / Threats

Tom Bowers, 4/12/2016, 12:30 PM

Managing The Message Before The Breach

No leader wants to see their company exploited by creative cyber villains. Here's how CISOs can stay ahead of the game with a strategic plan.

Data breaches are costly, high-profile incidents. CEOs are more concerned today than ever before, and the threat is only getting worse. In fact, the number of records compromised as a result of hacking or malware attacks in 2015 grew by more than 128% over the previous year, according to information compiled by Privacy Rights Clearinghouse. 

Given the loss potential and headline-making nature of a major data breach, it’s no surprise that cybersecurity has become a boardroom topic. No leader wants to see their company exploited by creative cyber villains. As a result, senior executives are looking to CISOs for forward-looking insight and proactive action. For their influence to grow, CISOs must be prepared to articulate and to defend their strategic plan. And the best way to do that is to manage the message before the breach happens.

Beyond Compliance

Regulations play an important role in protecting information. HIPAA, PCI-DSS, FISMA, and other industry standards help to ensure appropriate measures are in place to handle, transmit, and store company and consumer data properly. Complying with standards is non-negotiable, but it’s only the beginning.

Compliance-based security models rest on assumptions and can give senior management a false sense of security. Controls are defined on the basis of known issues and change slowly over time, but new malware variants are created almost daily: according to recent data from Symantec, 19.2 million new malware variants were discovered in the month of February 2016 alone.

While a control may protect against today’s threats, it may prove to be ineffective one month, six months, or a year from now. Meeting the requirements of standards is essential. But relying solely on compliance with a standard as the measure of your security program is risky, because compliance-based models are too rigid to address new threats as they emerge.

Risk and Reasonableness

Without question, cyberattacks pose a significant risk to every company. The consequences range from annoyance, lost productivity, and disrupted operations to stolen records, lost revenue, a tarnished brand image, and expensive lawsuits, with many points in between.

Last December, Reuters reported that Target had so far spent $290 million on its well-publicized 2013 data breach, with more shareholder lawsuits still pending.

But business risk is gray and malleable, not black and white. It is different for each business, which is one more reason companies should not rely on compliance alone. Every organization must assess the risk of a data breach based on the nature of its business and its industry requirements, and then implement "reasonable" security measures to protect its information assets.

While the concept of reasonableness is somewhat subjective, the questions for CISOs to ponder are these: Does my security program constitute reasonable protections for a company in my industry and would the legal system agree? If my company is breached, and I have to explain my actions a year from now in front of a court, will those actions show that I did what was reasonable to protect my company’s information assets?


To answer these questions, CISOs should establish an InfoSec program based on a proven framework, such as ISO 27001, COBIT, NIST, or COSO, and develop a clear implementation roadmap. Using a framework as a best practices guide, CISOs can implement effective internal controls and manage risk. And by developing a roadmap, CISOs are able to track activities over time, to adjust priorities and make course corrections as needed, and to report progress and status to senior management and the board with confidence. 

Communication

The cyber-threat map is always changing. New threats continue to emerge from both inside and outside organizations. And senior management must be apprised of the risks.

In order to manage the message before the breach, CISOs must communicate regularly with senior management and do so in business terms. By explaining threats in the context of business impact, CISOs are able to communicate more effectively with their senior counterparts.

But managing the message before the breach also means CISOs must take a hard look at their InfoSec program. Is it built on a proven framework? Does it address industry mandates for information security? Would it be considered reasonable if challenged? Is there a well-defined implementation plan and can it be articulated?

Answering these and other questions before a breach occurs could make all the difference.


With 30 years of experience in the field of computer technology and information systems, Tom Bowers has served as the chief architect for information security structures and protections in numerous industries. He brings a real-world, pragmatic approach to the business of ...