5 sins cybersecurity executives should avoid

With the advent of 2016, I was tempted to touch upon my thoughts on what the future of the cyber landscape will hold, prognosticating trends and shifts and what the next big threat would be. However, upon deeper reflection and further review of 2015, I’ve decided to focus on what we as cybersecurity executives have control of and can influence, as those have a direct and more profound impact on the organizations we steward.

The “Five Sins” may seem hyperbolic, but given the fact that organizations are continuing to make the same mistakes without trying to rectify them, I think it’s fitting, particularly at the end of the year when we aspire to be better than we were yesterday, but not as good as we hope to be tomorrow.

Trying to be perfect. The one constant in cybersecurity is that the bad guys have a marked advantage over the good guys. Network defenders try to remain vigilant against an onslaught of automated and targeted attacks that seek to exploit vulnerabilities to gain unauthorized access into their networks.

The adage, “attackers have to be successful only once; defenders have to be successful all the time,” holds true in cyberspace. This is our reality and our current condition. However, trying to make our networks 100 percent impenetrable is an unrealistic path forward, as myriad anecdotes have shown that even the most robust and layered security networks get penetrated sooner or later.

Shifting focus from trying to deter every attack toward a risk-management-focused approach allows organizations to understand their cyberthreat profiles and build a strategic security posture around them. Identifying, analyzing, and prioritizing threats will better position organizations to allocate material, fiscal, and personnel resources accordingly, the results of which should bolster resiliency and recovery capabilities when breaches occur.

Betting on cyberinsurance equaling security. By definition, insurance is protection, often in the form of guaranteed compensation, provided to an organization against a possible eventuality. In 2015, cyberinsurance gained significant traction as a must-have for many organizations, particularly as more breaches were reported on and class action lawsuits were filed against organizations such as Target by those impacted by data losses.

Like most insurance, cyberinsurance will help organizations absorb some of the costs that may occur after a breach. Granted, the exact particulars and amounts of coverage will largely depend on the type of policy purchased, but in a time when surreptitious theft of sensitive and personal information is increasing, organizations will need to balance that risk-transfer investment with other investments such as those supporting continuity of operations. But just because many of the expenses associated with a breach may be covered by an insurance policy doesn’t mean that’s the only security an organization needs; a policy reimburses losses, it does not prevent them.

With a proper policy in place that best meets the need of your organization, cyberinsurance can support an organization’s resiliency, integrate with a risk management focused cybersecurity strategy, and protect an organization’s brand by demonstrating its commitment to protecting its assets thereby promoting public confidence.

Thinking that cybersecurity is a one-and-done solution. Layering cyberdefenses and purchasing advanced technical solutions is a necessity for any organization. As technology continues to advance, cybersecurity tools and products develop with it enhancing organizations’ abilities to quickly identify threats, reduce their response time to them, and ensure that business operations do not suffer long periods of inoperability as a result. But buying the most sophisticated monitoring device or data loss protection solution is not a panacea to breaches, theft of sensitive information, or other forms of cybermalfeasance.

A capable cyberdefense strategy will include defense monitoring that occurs on a 24x7x365 basis. Considering that in 2014 there were approximately 143 million malware samples, roughly 12 million new variants a month, in addition to at least 24 previously unknown (zero-day) vulnerabilities for which signature-based detection would not have been possible, it’s easy to see why organizations cannot rely on technology alone as their defense mechanism. Integration of technical solutions, proactive threat intelligence reporting, and an analyst team composed of both technical and strategic threat analysts to communicate important information up the chain is a critical security reality for organizations in 2016.

Forgetting about getting employee buy-in. It’s long been maintained that the weakest link in most cybersecurity apparatuses is not an unpatched or misconfigured device, but the human factor. This should come as little surprise given the fact that phishing and spearphishing attacks remain a favored tactic used by hacktivists, criminals, and cyberespionage actors alike. Most e-mail-based attacks do not involve advanced malware, although they certainly can. What they seek to exploit most of all is the recipient, whether it’s his trust, his lackadaisical approach to security, his interest in specific topics, or any other human factor that can be manipulated.

Developing a cybersecurity culture starts with ensuring that an organization’s employees, including senior-level officers, understand their part in preserving the confidentiality, integrity, and availability of their information systems and the information resident on them. Training should not be a yearly event but an ongoing process educating all employees on the threat landscape, particularly as it applies to their organization or the business that it’s in, as well as any significant developments that need to be socialized among the group.

In this paradigm, cybersecurity is a common denominator, bridging the gap between the C-Suite and the most junior employees. Getting organizational buy-in to commit to improving cybersecurity is best led from the top down with accountability shared equally among everyone.

Not having enough focus on an incident response plan. As the year of some of the most prolific breaches comes to a close, how the organizations that were victimized handled their breaches is a direct reflection of the plans they had in place. Breach response is more than just a reaction to an infiltration; it needs to be a legitimate course of action that an organization has developed and tested ahead of a crisis, not improvised in the middle of one. Perhaps more importantly, organizations need to have confidence in the plans they have developed.

In a 2015 study conducted by the Ponemon Institute, 81 percent of respondents said their company had a breach response plan, but only 34 percent believed those plans were effective. While there is no conclusive template for developing a breach response plan, a good one will include risk assessments, business impact assessments, disaster recovery and continuity of operations models, contact lists of appropriate law enforcement entities and forensics companies, and a post-breach communications strategy to provide transparent and updated information as necessary. The Target breach introduced the greater public to the realities of large-scale data theft, but it also provided a lesson in crisis communication. Sticking your head in the sand is not a viable option in 2016, and organizations need to be prepared.

With the New Year here, I was tempted to alter the title of this piece to reflect the cybersecurity resolutions that executives need to undertake. But to say that the above five areas should be “resolutions” would be a misnomer, as resolutions are often superfluous gestures that are soon forgotten. These are sins for executives as they cover areas that are well known and about which there is substantive literature. There is no excuse for not implementing them. We need to be better and we need to start now.

Stories by Brian Contos