Why Executives need to be much ‘muchier’

“Off with their heads!”

If the Queen of Hearts became the arbiter of all cyber security failings, would we be in a poorer state than we are now? At least there would be decisive action, albeit potentially fatal, and one people are likely to heed! But in all seriousness, are we at the stage where some form of appointed legislative body should investigate the perilous business of cyber security? Maybe it is time for individuals to be held accountable, rather than permitting farcical public resignations of senior executives to mitigate the bad news, focusing the blame elsewhere. After the initial shock of the exposed systemic failures and an organisation’s attempts to ‘come clean’ regarding the actual quantum of the breach or data loss, who should be held accountable? The CSO? The CEO? The entire board? Opinions differ, but all have been cited as probable candidates, either through negligence or ignorance, conscious or otherwise.

With executives such as the US Director of OPM falling somewhat messily on the mighty sword of public opinion, what is it that creates the huge disconnect between business leaders and their senior security officers, particularly where a CIO or CISO has played a major part? Why are the executives of numerous organisations getting it so terribly wrong? Is it really down to them, or are we, the security community at large, playing a major role in the creation of this information gap? I suspect the answer will be a sizeable chunk of each. If we, as an industry, can’t articulate the risks in terms that the business leaders understand, then we aren’t in a position to moan when our advice is poorly received, or not heeded. Conversely, if we’ve clearly articulated the risk, remediation and mitigation steps, and the board chooses to balance cost/risk in favour of profits, then you have two choices: 1. Continue to bang your head, or 2. Seek alternative employment with a company not ‘paying lip service’ to security. As a wiser man than me once said, “It’s their train set, you can either join in and play, or find your own.”

“I wish I hadn't cried so much!” said Alice, as she swam about, trying to find her way out. “I shall be punished for it now, I suppose, by being drowned in my own tears!”

Don’t get me wrong, I appreciate that balancing cost and budget is no mean feat and often constraints prevent all but critical vulnerabilities being fixed in a timely fashion. In my opinion, the head of OPM deserved to go, for the arrogance of knowing the security failings of her enterprise and not bothering to raise the flag, combined with the pure ignorance of consciously not understanding the level of risk attributed to her organisation’s computer systems. At best, it could be said that conscious ignorance ultimately led to her demise.

This and other high profile breaches should stand as a warning. Business leaders don’t need to delve into the nitty gritty of cyber security, but the risk attributed to business activities by their ICT, and the impact, must be understood, not ignored, especially where it is being raised as a concern time after time. Equally, mad scrambling, usually pushed down from the very top after a competitor is breached, makes no sense economically. It’s an inefficient, kneejerk reaction that costs many times more in terms of resource, time and disruption than a planned programme of risk-based assessment, upgrade and enhancement.

“But I don’t want to go among mad people,” Alice remarked.

“Oh, you can’t help that,” said the Cat: “we’re all mad here. I’m mad. You’re mad.”

“How do you know I’m mad?” said Alice.

“You must be,” said the Cat, “or you wouldn’t have come here.”

Picking back up the stick of culpability, who within the security community believes that an individual who possesses, at best, a macro view of their organisation could solely be held to account for such a detrimental loss of sensitive information? I’m relatively convinced that in many of the breaches, there are senior IT and security managers making odorous squeaks whilst mopping their brows and thinking, “Sheesh! Close call...” Of course, not all seniors got away with it, ask the CIO of Target! In the future, I doubt it’ll remain the same, so it’ll definitely be in all our interests to know that we’ve got our houses in order and offered appropriate and timely advice to our respective leaders, perhaps to the point that the board signs off that they have read and understood the risks, as they are presented.

“Speak English!” said the Eaglet. “I don't know the meaning of half those long words, and I don't believe you do either!”

Whether we like it or not, in the security profession we need to understand why the message is misunderstood or ignored, and shoulder some of the responsibility. Critical analysis is required, distilling the information available from the many major breaches. That way, lessons will be learnt, or at least common mistakes, trends or misconceptions highlighted. Is it only the risk managers who truly understand the information they compile for the executives? Or perhaps they don’t understand the relevance of the relatively new ICT-based ones? Tongue in cheek, perhaps this assessment should be equated to a simpler “layman’s” version:

“Dear CEO, The level of risk we are ‘enjoying’ as an organisation is way past what you and the board understand. If you don’t sort out this big basket of ICT vulnerabilities, which will cost $xxk, we will be right, royally f@#$%d to the tune of $xxM. On the plus side, at that point, you’ll not have to worry about it because you’ll be looking for a new job! - the CISO.”

“Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!”

I’ve been around a few blocks, hit by a few blocks and indeed built things with a few blocks, but I understand that in this ever moving, ever evolving world of ours, it takes an awful lot of time, resource and money to manage an enterprise’s risk profile, with ICT risks being only one of many juggled at board level. But, I’ll bet, that as far as risks go, there aren’t many that are quite as ‘juicy’ and eventually open to both the public and media’s scrutiny. There’s nothing like the loss of credit card information or personal sensitive data to get a mob stirred up! I’m still amazed, nay dumbfounded, that large organisations spend a fortune on traditional controls (fences, guards, CCTV etc.) and yet computer security is still seen as an expensive, complicated process. For many traditional organisations I don’t think the computer has evolved; it’s still seen to be a replacement for the calculator, physical mail and the typewriter (for the younger generation, that’s a mechanical device that helped write letters!). If you want to work out how critical computers are, work out whether business as usual can be conducted without the use of one – I’m struggling to think of many examples! Whilst I’m on a soapbox, let’s not forget the Human Factor! People are and will remain the weakest link in all security processes and without investment in training to create awareness, many organisations will remain at risk of unconscious ignorance.

One day Alice came to a fork in the road and saw a Cheshire cat in a tree.

“Which road do I take?” she asked.

“Where do you want to go?” was his response.

“I don’t know,” Alice answered.

“Then,” said the cat, “it doesn’t matter.”

I believe that many organisations are at a fork. One way leads to the recognition of your threats and vulnerabilities, allowing time for an informed decision, based upon realistic strategies and an understanding of the risks that your organisation faces. The other direction, however, caters to those willing to travel the path of blissful ignorance, leading to the mire of public condemnation. Whether the latter was chosen consciously or not, I offer these words:

“Turn back, it’s not too late!”

About the author

With over 18 years frontline cyber security experience, James Wootton, is a leader in his field of expertise. As the Technical Director at Protega, James continues to expertly display both his cyber and interpersonal/presentation skills. He embraces the reality of an ever-evolving threat and vulnerability landscape, making use of existing tools and techniques or developing new and innovative ones to mitigate them. With an endless list of cyber skills and experience, he finds himself equally at home in the boardroom, data centre, pen test lab or classroom.
