ISACA Now Blog


Cybersecurity: Failing the Fundamentals

Raef Meeuwisse, CISM, CISA, ISACA expert speaker, and author of “Cybersecurity for Beginners”
Posted at 6:28 PM by ISACA News | Category: Security

My fellow information security professionals, you recently spoke, and ISACA listened. Now it is time to get all those commercial enterprises and other organizations to listen, too. What did you say?

According to the second part of ISACA’s State of Cybersecurity 2019 report:

  • Security teams that report to a chief information security officer have the highest level of confidence in their work.
  • Phishing, malware and social engineering remain the top three attack vectors yielding results for the threat actors.
  • Cybercrime is underreported, even where reporting it is a regulatory obligation.

As information security professionals, it seems most of us already know how to improve security. The core problem appears to be getting that message through to the C-suite and shareholders. What is going wrong? And more importantly, how do we fix it?

1) We need a CISO (not reporting to the CIO).
I have spoken on this topic for years. Having the security function reporting into a CIO is a clear conflict of interest. It is the same as having the financial auditors reporting into the finance function they are checking on.

Having a CISO reporting to the technology department means the organization is failing to grasp that cybersecurity goes beyond technology into people, processes and information, and is most successful when it is at the heart of each organization’s strategy.

… But the worst sin of all is just not having a CISO at all. When I comment in the press on data breaches, the first thing I research is whether the compromised organization has a CISO and to whom he or she reports.

2) Fix the fundamentals.
Although we all love to talk about zero-day vulnerabilities – flaws that nobody has seen before and that there may be no defense against – the truth is that these have yet to score any major hits for cybercriminals.

Some of you might argue that “NotPetya” used a zero-day vulnerability – but of course the tactics it used had been known for some time and therefore were no longer considered zero-day.

I examine and research quite a few data mega-breaches and they all end up in the same predictable place – that there were three or more critical or major security controls that were not implemented or were not operating effectively.

We may only be able to minimize the impact from things like phishing, but given that we know that to be true, nobody these days should have sole authority to complete actions with enterprise-devastating consequences. Yet, from my auditing experience, this continues to be the case.

It may not be sophisticated to fix security fundamentals – but it does take considerable budget, resources and a change of philosophy to choose security by design – and not security as a sort of sprinkle you might add to a donut!

3) Move on from organizations that hide breaches.
Have you ever seen organizational denial? I have. In fact, when it comes to checking on cybersecurity, I see it in the majority of companies.

Ask any organization that has just suffered a devastating cyberbreach whether it was doing a good enough job with its security, and whether the problem was due to some excusable anomaly, and the answer is a universal “yes.”

But as we know, that never is the case.

And the more often the security failings of an organization receive attention, the less plausible it is that the problems are down to really clever cybercriminals.

All organizations want to state that they are treating security seriously. They want to look as though they are doing the right thing – but their actions can tell a different story.

What can you do if you are stuck in a company that is burying risks and failing to report breaches? Alas, I cannot tell you anything other than the fact that in the past, I have always treated that as an indication I should move on.

If enough of us only agreed to work in places with the right approach to security – where they had a CISO sitting on the C-suite; where security was adequately resourced and embedded by design; and where they reported all the cybercrime – I would hope that security would improve considerably.

However, if you read any cyber job ad, or talk with your peers at infosec conferences, you will already know that, at present, these places rarely exist.

Comments

Re: Cybersecurity: Failing the Fundamentals

With regard to having a CISO, I would say that will be determined by the size of the company. It will also come down to cost/benefit.

In my experience, I would categorize companies by sales volume.

Those below 50 million will always have all their security functions outsourced to a company that also handles their website.
Security will fall 80% on the due diligence of the daily employees, reminded by their managers how not to act, when it's too late.

Above 100 mil, they have an IT department beside the outsourced providers, where incidents are analyzed in more detail.
While computer-based system controls like password change forcing policies are in place, the only prompt response from C's was when a dubious e-mail payment request was made.

For the next category, let's say above 200 mill, I would say that as a department, IT will have more resources, but at the same time its access points are also increased. Probably the worker base is greater than 500 employees.
It will rest with IT to educate regarding security issues.

Not sure precisely what percentage of our economy is made up by each of the ones above; knowing it would paint a clearer picture of who applies the security prevention principles.
Frank321 at 6/9/2019 7:45 PM