Cybersecurity: Failing the fundamentals
My fellow information security professionals, you recently spoke, and ISACA listened. Now it is time to get all those commercial enterprises and other organizations to listen, too. What did you say?
According to the second part of ISACA’s State of Cybersecurity 2019 report:
- Security teams that report to a chief information security officer have the highest level of confidence in their work.
- Phishing, malware and social engineering remain the top three attack vectors yielding results for the threat actors.
- … and cybercrime is underreported, even if that means ignoring a regulatory obligation to do so.
As information security professionals, it seems most of us already know how to improve security. The core problem appears to be getting that message through to the C-suite and shareholders. What is going wrong? And more importantly, how do we fix it?
1) We need a CISO (not reporting to the CIO)
I have spoken on this topic for years. Having the security function reporting into a CIO is a clear conflict of interest. It is the same as having the financial auditors reporting into the finance function they are checking on.
Having a CISO reporting to the technology department means the organization is failing to grasp that cybersecurity goes beyond technology into people, processes and information, and is most successful when it is at the heart of each organization’s strategy.
… But the worst sin of all is just not having a CISO at all. When I comment in the press on data breaches, the first thing I research is whether the compromised organization has a CISO and to whom he or she reports.
2) Fix the fundamentals
Although we all love to talk about zero-day vulnerabilities, those items that nobody has seen before, that there may be no defense against – the truth is these have yet to score any major hits for cybercriminals.
Some of you might argue that “NotPetya” used a zero-day vulnerability – but of course the tactics it used had been known for some time and therefore were no longer considered zero-day.
I examine and research quite a few data mega-breaches and they all end up in the same predictable place – that there were three or more critical or major security controls that were not implemented or were not operating effectively.
We may only be able to minimize the impact from things like phishing, but given that we know that to be true, nobody these days should have sole authority to complete actions with enterprise-devastating consequences. Yet, from my auditing experience, this continues to be the case.
It may not be sophisticated to fix security fundamentals – but it does take considerable budget, resources and a change of philosophy to choose security by design – and not security as a sort of sprinkle you might add to a donut!
3) Move on from organizations that hide breaches
Have you ever seen organizational denial? I have. In fact, when it comes to checking on cybersecurity, I see it in the majority of companies.
Ask any organization that has just suffered a devastating cyberbreach if they were doing a good enough job with its security, and if the problem was due to some excusable anomaly, and the answer is a universal “yes.”
But as we know, that never is the case.
And the more often the security failings of an organization receive attention, the less plausible it is that the problems are down to really clever cybercriminals.
All organizations want to state that they are treating security seriously. They want to look as though they are doing the right thing – but their actions can tell a different story.
What can you do if you are stuck in a company that is burying risks and failing to report breaches? Alas, I cannot tell you anything other than the fact that in the past, I have always treated that as an indication I should move on.
If enough of us only agreed to work in places with the right approach to security – where they had a CISO sitting on the C-suite; where security was adequately resourced and embedded by design; and where they reported all the cybercrime – I would hope that security would improve considerably.
However, if you read any cyber job ad, or talk with your peers at infosec conferences, you will already know that, at present, these places rarely exist.
(This post originally appeared on the ISACA blog, which can be viewed here).