On Cybersecurity, Execs Are Burying Their Heads In the Sand (bizjournals.com)
An anonymous reader shares a report on BizJournals: Despite increased spending on cybersecurity, most executives are unprepared, even willfully ignorant, of the threats that could damage their businesses. A survey of 1,530 C-level executives across a range of industries found a widespread feeling that cybersecurity is an "IT problem," even as CEOs personally shoulder the consequences for breaches. "The Target breach was one of the more significant ones: Executives can be held accountable," says David Damato, chief security officer at Tanium. "But there's still that disconnect. Executives still struggle with: 'What should I be looking for?'"
You want the simple answer? (Score:3)
Re:You want the simple answer? (Score:4, Insightful)
Wouldn't help until there's a breach of security anyway.
Way too many don't see the need for improvements in security until it's too late.
Re: (Score:2)
Re:You want the simple answer? (Score:4, Interesting)
No, but the other persons on the board will just say STFU, we got this and kick him out.
That's because they don't think that they will suffer the "pants down" situation when the shit hits the fan.
And that's why the IT department is held off from the board of directors, and why IT departments are outsourced.
Re:You want the simple answer? (Score:4, Insightful)
As long as he still doesn't get any power, he's still just the scapegoat. It's like sitting on an ejector seat, and some asshole on another continent you don't even know has the button to shoot you out.
You don't have to put the CISO on the board. He only needs two powers: First, the power to put his foot down and stop a project if it becomes dangerous. And second to fully put the weight of the responsibility onto the shoulders of whoever overrules him.
Cybersecurity IS a C-level problem (Score:3)
Yes, the technical analysis and implementation of security fixes/updates for hardware and software within a company is a set of IT tasks, but the task of budgeting for that is/should be a finance task, with oversight from C-level legal representation.
If the CEO doesn't know how to handle it, that is fine - as long as he/she understands that they are the ones who will ultimately be left holding the can for a data breach, they will have the incentive to get somebody in place who does know how to handle it - the role of the CEO is to be the figurehead and "big picture" source, not subject-matter expert in all areas.
So the CEO needs to think "this is an IT problem, but I will be carrying the can for a problem, so I need to talk to the head of IT and see what they need to help me save my job", and work from there.
CEOs Aren't Paid to Care About Cybersecurity (Score:1)
From the standpoint of the CEO, cybersecurity is costly, unlikely to improve earnings or boost the stock price and possibly disruptive to existing business operations. It's much cheaper and easier to purchase insurance against the costs of an attack or breach, should one occur, than it is to be proactive and throw lots of money into techs, consultants and the ongoing costs to deploy, train people and maintain it all. American CEOs are mostly concerned with the stock price in the short term because that is w
Re: (Score:2)
...right, which'll result in an Insurance Institute for Cyber Security (ugh) which'll mandate certain precautions in order to reduce losses. Insurance will be the driving factor in determining which controls work, and any CISO would be an idiot to buy insurance and not implement the controls the insurers want.
Re: (Score:2)
The "IT problem" (Score:5, Insightful)
The summary says that many view security as an "IT problem", but it probably fits into the category of IT problems where the real problem is the company's management.
As someone who has worked in IT for decades, I don't think that I've ever seen a security initiative where the biggest challenge wasn't persuading management. The first task is persuading management that security is important enough to even consider. The second is persuading them that it's worth spending any amount of money on, rather than asking IT to do what they can without additional resources of any kind. The next challenge is getting management to listen to security experts rather than going off the CEO's half-baked misunderstandings of how security works. The fourth is convincing them to enforce security policies even in cases when the employees don't like them. Finally, you need to get management to follow the security policies themselves, rather than requiring IT to carve massive holes in the security policy for the CEO's convenience.
In my experience, it's pretty rare that IT departments can make it past the second hurdle-- being able to allocate money/resources to security. Even when they do, the security that gets implemented is often porous and full of security theater.
Re: (Score:2)
IMHO, this story (I'll assume it's true, and not just boasting or wishful thinking) deserves to be told in a much wider forum (like the Wall Street Journal), with the X, Y and Z replaced by real names, and especially with your company's name.
Re:The "IT problem" (Score:5, Insightful)
I agree, but I'd say those are rare. We have so many "Mordac" problems more due to perception and lack of accountability.
At my last job, we didn't have dev servers, never mind someone in security. Several services were lacking in failover because there only was one machine, which would typically be 1-4 years behind in patches and updates. We had 1/3 of the IT staff that other comparable organizations would have. I left last year, and they still haven't replaced me. Most of us on the team were capable of doing a lot better - if only we had had the resources and were allowed to do what we do best.
The IT manager was treated like Mordac of IT services because forcing their computers to have passwords and not being able to install any crapware they felt like was "preventing them from doing their work". The token argument when people weren't getting their way was "But I NEED this". I NEED to install some sketchy tool I found on the internet. I NEED to install this cute bubbly font I found for free on the internet (well, the web page said it was free and it didn't cost me anything, so that means it's legit, right?). What do you mean you won't help me with this personal project that has nothing to do with the business? I NEED Dropbox because how can I back up my stuff if I don't... no, no, I'm not interested in listening to how stuff is backed up already, I would much prefer to store sensitive data wherever and copy it to my non-password-protected malware-infected devices at home. YOU'RE PREVENTING ME FROM DOING MY JOB! WAAAAAAA!
If crying to the other IT members separately doesn't work, then they cry to upper management.
Every IT person who is just trying to do their job is a Mordac to a large group of people. Ignorance or unwillingness to learn the tools of a job is no excuse for sabotaging it or blaming others, and we need to call bullshit on it.
There's been a big focus on security recently that if users are doing the wrong thing, then it's actually the security team's responsibility to make sure that you find a way to make it easy for people to do the right thing. It's a step in the right direction. But there are still some basic standards where we need to say "It's a basic requirement of the job. It's 2016. Get over it, or go get a job that's not in an office environment."
Re: (Score:3)
The kind that enforces mandatory password changes every 30 business days...
That's the sort of thing I mean by "security theater" actually. Overly strict password policies can actually worsen security. I've seen a company where some management guy insisted that everyone reset their password every 30 days (but it would start warning you 2 weeks early, so it would actually prompt you to reset your password every 16 days or so), then password had to be 14 characters long, can't be any of your last 14 passwords, and needs to have a capital letter, lower-case, number, and symbol. Hal
Re: (Score:3)
I'm always blown away by how much work it is to do this with IT. Do they tell accountants to not use basic accounting principles and resources?
(Well. Maybe sometimes they do.)
Re: (Score:3)
As someone who has worked in IT for decades, I don't think that I've ever seen a security initiative where the biggest challenge wasn't persuading management.
I work for a government IT security initiative that has national and regional support to get the job done. Local support is almost nonexistent since fixing security issues means a local tech will have to track down a computer, persuade the user to surrender it, and then re-image the system to bring it back into compliance. They don't want to touch a system unless a user reports a problem. Security is proactive and not reactive. Since I'm the regional rep assigned to the facility, the local management wants m
What is the appropriate course of action (Score:2)
The question that I always have when reading essays of this type is, what is the appropriate course of action? Setting up business information systems to be thoroughly and deeply secure would take 100% of the financial resources of a good-sized organization and would render the business tools virtually unusable by ordinary human beings. OTOH it is becoming increasingly clear that all of our interconnected systems are penetrated to some degree, including those of the organizations banks, trading partners,
Re: (Score:2)
The key word is risk management. You needn't be 100% secure. The cutoff is no later than where the cost of security trumps the possible damage of a breach (obviously), but it is usually far, far lower.
What you have to aim for is sensible security. And we're far from even picking the low-hanging fruit; there are a lot of quick wins in ITsec most companies simply still haven't gone for.
Endless audits, very little actual work. (Score:5, Interesting)
Once the executive team figures out that IT security is really important, they tend to fuck it all up with an endless parade of audits and consultants.
Like any parade, it's all for show. These people swoop in, make IT teams fill out questionnaires, conduct interviews, write reports, make recommendations, but nothing real actually gets done. What IT needs are people willing to get their hands dirty and actually help out with these projects. IT winds up having more thrown on their plate without increases in staffing or budget.
Ditch your PricewaterhouseCoopers schmucks and hire someone to actually do the work.
What should I be looking for? (Score:2)
How about a competent IT staff that are happy with what they do and don't feel like they're working for bottom dollar.
Market Solution (Score:2)
Re: (Score:2)
Penalizing the victims leads to a bad outcome. It will discourage companies from being open about security problems that they've experienced so that they can be fixed everywhere.
Sounds cliche but... (Score:1, Interesting)
Windows is the problem. Always has been, always will be. They've done nothing to address their broken auth system. Every APT and pentest since the widespread adoption of NT 4.0 has been: Own any one workstation or server on a network, dump the cached credentials or crack the local admin account, dump the domain controller, crack everyone's password, lulz, repeat lulz until satisfied.
Now, why do businesses run Windows? Office. Seriously the only reason. All other software could just as easily have b
Seriously? (Score:2)
Do you think that the companies who are outsourcing their IT jobs and network management to companies in India care about security? Anybody have numbers on what percent of breaches are either inside jobs or recently laid-off workers?
CISO role (Score:2)
If not on the board, answering to the CFO is a good alternative. The CFO ultimately cares about all things that cost money, and should consider things besides uptime. That was a conflict I'd seen before, where security reports to an operations director, who tends to care about little besides 100% uptime.
It IS an IT problem (Score:3)
IT people need to take their heads OUT of the sand, and realize that what they do, while important, isn't any more important than any other pieces of large organizations.
Re: (Score:2)
Re: (Score:2)
That makes no sense, whatsoever.
Re: (Score:2)
Easy (Score:3)
Drone The Bohemian Grove 2016! (Score:1)