Why Executives need to be much ‘muchier’
- 30 November, 2015 08:52
“Off with their heads!”
If the Queen of Hearts became the arbiter of all cyber security failings, would we be in a poorer state than we are now? At least there would be decisive action, albeit potentially fatal, and one people are likely to heed! But in all seriousness, are we at the stage where some form of appointed legislative body should investigate the perilous business of cyber security? Maybe it is time for individuals to be held accountable, rather than permitting farcical public resignations of senior executives to mitigate the bad news, focusing the blame elsewhere. After the initial shock of the exposed systemic failures and an organisation’s attempts to ‘come clean’ regarding the actual quantum of the breach or data loss, who should be held accountable? The CSO? The CEO? The entire board? Opinions differ, but all have been cited as probable candidates, either through negligence or ignorance, conscious or otherwise.
With executives such as the US Director of OPM falling somewhat messily on the mighty sword of public opinion, what is it that creates the huge disconnect between business leaders and their senior security officers, particularly where a CIO or CISO has played a major part? Why are the executives of numerous organisations getting it so terribly wrong? Is it really down to them, or are we, the security community at large, playing a major role in the creation of this information gap? I suspect the answer will be a sizeable chunk of each. If we, as an industry, can’t articulate the risks in terms that the business leaders understand, then we aren’t in a position to moan when our advice is poorly received, or not heeded. Conversely, if we’ve clearly articulated the risk, remediation and mitigation steps, and the board chooses to balance cost/risk in favour of profits, then you have two choices: 1. continue to bang your head, or 2. seek alternative employment with a company that isn’t ‘paying lip service’ to security. As a wiser man than me once said, “It’s their train set, you can either join in and play, or find your own.”
“I wish I hadn't cried so much!” said Alice, as she swam about, trying to find her way out. “I shall be punished for it now, I suppose, by being drowned in my own tears!”
Don’t get me wrong, I appreciate that balancing cost and budget is no mean feat and often constraints prevent all but critical vulnerabilities being fixed in a timely fashion. In my opinion, the head of OPM deserved to go, for the arrogance of knowing the security failings of her enterprise and not bothering to raise the flag, combined with the pure ignorance of consciously not understanding the level of risk attributed to her organisation’s computer systems. At best, it could be said that conscious ignorance ultimately led to her demise.
This and other high profile breaches should stand as a warning. Business leaders don’t need to delve into the nitty gritty of cyber security, but the risk attributed to business activities by their ICT, and the impact, must be understood, not ignored, especially where it’s being raised as a concern time after time. Equally, mad scrambling, usually pushed down from the very top after a competitor is breached, makes no sense economically. It’s an inefficient, kneejerk reaction that costs many times more in terms of resource, time and disruption than a planned programme of risk-based assessment, upgrade and enhancement.
“But I don’t want to go among mad people,” Alice remarked.
“Oh, you can’t help that,” said the Cat: “we’re all mad here. I’m mad. You’re mad.”
“How do you know I’m mad?” said Alice.
“You must be,” said the Cat, “or you wouldn’t have come here.”
Picking back up the stick of culpability, who within the security community believes that an individual who possesses, at best, a macro view of their organisation could solely be held to account for such a detrimental loss of sensitive information? I’m relatively convinced that in many of the breaches, there are senior IT and security managers making odorous squeaks whilst mopping their brows, thinking, “Sheesh! Close call...” Of course, not all seniors got away with it: ask the CIO of Target! In the future, I doubt it’ll remain the same, so it’ll definitely be in all our interests to know that we’ve got our houses in order and offered appropriate and timely advice to our respective leaders, perhaps to the point that the board signs off that they have read and understood the risks as they are presented.
“Speak English!” said the Eaglet. “I don't know the meaning of half those long words, and I don't believe you do either!”
Whether we like it or not, in the security profession we need to understand why the message is misunderstood or ignored, and shoulder some of the responsibility. Critical analysis is required, distilling the information available from the many major breaches. That way, lessons will be learnt, or at least common mistakes, trends or misconceptions highlighted. Is it only the risk managers who truly understand the information they compile for the executives? Or perhaps they don’t understand the relevance of the relatively new ICT-based ones? Tongue in cheek, perhaps this assessment should be equated to a simpler “layman’s” version:
“Dear CEO, The level of risk we are ‘enjoying’ as an organisation is way past what you and the board understand. If you don’t sort out this big basket of ICT vulnerabilities, which will cost $xxk, we will be right, royally f@#$%d to the tune of $xxM. On the plus side, at that point, you’ll not have to worry about it because you’ll be looking for a new job! - the CISO.”
“Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!”
I’ve been around a few blocks, been hit by a few blocks and indeed built things with a few blocks, but I understand that in this ever moving, ever evolving world of ours, it takes an awful lot of time, resource and money to manage an enterprise’s risk profile, with ICT risks being only one of many juggled at board level. But I’ll bet that, as far as risks go, there aren’t many that are quite as ‘juicy’ and eventually open to both public and media scrutiny. There’s nothing like the loss of credit card information or personal sensitive data to get a mob stirred up! I’m still amazed, nay dumbfounded, that large organisations spend a fortune on traditional controls (fences, guards, CCTV etc.) and yet computer security is still seen as an expensive, complicated process. For many traditional organisations I don’t think the computer has evolved; it’s still seen as a replacement for the calculator, physical mail and the typewriter (for the younger generation, that’s a mechanical device that helped write letters!). If you want to work out how critical computers are, work out whether business as usual can be conducted without the use of one. I’m struggling to think of many examples! Whilst I’m on a soapbox, let’s not forget the Human Factor! People are and will remain the weakest link in all security processes, and without investment in training to create awareness, many organisations will remain at risk of unconscious ignorance.
One day Alice came to a fork in the road and saw a Cheshire cat in a tree.
“Which road do I take?” she asked.
“Where do you want to go?” was his response.
“I don’t know,” Alice answered.
“Then,” said the cat, “it doesn’t matter.”
I believe that many organisations are at a fork. One way leads to the recognition of your threats and vulnerabilities, allowing time for an informed decision based upon realistic strategies and an understanding of the risks that your organisation faces. The other direction, however, caters to those willing to travel the path of blissful ignorance, leading to the mire of public condemnation. Whether the latter was chosen consciously or not, I offer these words:
“Turn back, it’s not too late!”
About the author
With over 18 years of frontline cyber security experience, James Wootton is a leader in his field of expertise. As the Technical Director at Protega, James continues to expertly display both his cyber and interpersonal/presentation skills. He embraces the reality of an ever-evolving threat and vulnerability landscape, making use of existing tools and techniques, or developing new and innovative ones, to mitigate them. With an endless list of cyber skills and experience, he finds himself equally at home in the boardroom, data centre, pen test lab or classroom.