Enterprises Are Failing on the Fundamentals of Cybersecurity

Each year, ISACA tracks the state of cybersecurity by surveying practitioners and leaders across the globe about emerging trends, issues and solutions. The results of this annual information-collection effort are then released in a report called State of Cybersecurity 2019.

The most recent release is part two of the 2019 study, and it focuses on the threat landscape (part one considered workforce development). Among the part two findings:

  • Security teams that report to a chief information security officer have the highest level of confidence in their work
  • Phishing, malware and social engineering remain the top three attack vectors yielding results for the threat actors
  • Cybercrime is underreported, even when that means ignoring a regulatory obligation to report it

As information security professionals, most of us likely know how to improve security. The core problem appears to be getting that message through to the C-suite and shareholders. What is going wrong, and more importantly, how do we fix it?

Install a CISO (Not Reporting to the CIO)
I have spoken on this topic for years. Having the security function reporting into a CIO is a clear conflict of interest. It would be similar to having financial auditors reporting into the very finance function they are auditing.

Having a CISO reporting to the technology department reveals a major organizational misunderstanding: a failure to recognize that cybersecurity goes beyond technology into people, processes and information, and is most successful when it sits at the heart of the organization’s strategy.

However, the worst sin of all is not having a CISO. When I comment in the press on data breaches, the first thing I research is whether the compromised organization has a CISO and to whom he or she reports.

Fix the Fundamentals
Although we all love to talk about zero-day vulnerabilities – those items that nobody has seen before, that there may be no defense against – the truth is these have yet to score any major hits for cyber-criminals.

Some of you might argue that NotPetya used a zero-day vulnerability, but of course the tactics it used had been known for some time and therefore were no longer considered zero-day.

I have examined and researched quite a few data mega-breaches, and they all end up in the same predictable place – there were three or more critical or major security controls that were not implemented or were not operating effectively.

We may only be able to minimize the impact of things like phishing, but precisely because we know that, there is no excuse these days for allowing systems to grant sole authority to complete actions with enterprise-devastating consequences. Yet, from my auditing experience, this continues to be the case.

It may not be considered sophisticated to focus on and fix security fundamentals, but it does take considerable budget, resources and a change of philosophy to choose security by design. It is the right thing to do. You don’t want to treat security as an afterthought – like a sprinkle you might add to a donut!

Move on from Organizations that Hide Breaches
Have you ever seen organizational denial? I have. In fact, when it comes to cybersecurity, I have seen it in a majority of companies.

Ask any organization that has just suffered a devastating cyber-breach if they were doing a good enough job with their security, and if the problem was due to some excusable anomaly, and the answer is a universal “yes.”

However, as we know, that never is the case.

The more often the security failings of an organization receive attention, the less plausible it is that the problems are caused by really clever cyber-criminals. All organizations want to state that they are treating security seriously. They want to look as though they are doing the right thing, but their actions can tell a different story.

What can you do if you are stuck in a company that is burying risks and failing to report breaches? Alas, I cannot tell you anything other than the fact that, in the past, I have always treated that as an indication I should move on.

If enough of us agreed to work only in places with the right approach to security – with a CISO sitting in the C-suite, where security is adequately resourced and embedded by design and where all cybercrime is reported – I would hope that security would improve considerably.

However, if you read any cyber-job ad, or talk with your peers at infosec conferences, you will already know that, at present, these places rarely exist.
