Wednesday, November 11, 2020

Cyber security value


When you damage your car you do not immediately think of a total loss. It is much more common that there is a dent in it that can easily be repaired, and the chance of a dent is far greater than the chance of a total loss. Logical? Not when it comes to IT risks! There we traditionally work with the maximum damage. But that can be done differently.

I wrote an article about it for Schade Magazine. (Dutch, Google translate)

Wednesday, October 21, 2020

Monday, October 5, 2020

We need Top Management awareness


Awareness training in cybersecurity is often the equivalent of telling road users to be careful. It is a good idea, but it will have limited impact. On the road, we have rules such as keep driving on the right, give way to traffic coming from the right and do not go faster than 50 km/h. Next to that, we have infrastructure to support safe usage, like traffic lights, pedestrian crossings and guardrails. And finally, we have legislation and enforcement by the police. Our society is aware of the fact that these measures are all necessities to support safe road usage. In cybersecurity we need this as well. I call it Top Management Awareness.

The standard way of addressing cybersecurity in your company is to organize it in accordance with ISO 27001. This standard makes it very clear that top management is accountable for a properly functioning Information Security Management System. Top management should be aware of this accountability and of its implications. Just as on the road, top management needs to provide rules, infrastructure, enforcement and so on. This is not always the case.

In my experience this lack of awareness is due to two reasons:

  1. Optimism bias
    The risk is perceived to be lower than it is. Many security problems arise from technical problems, which are hard to explain to people without an IT education. Misusing these technical imperfections is perceived to be so hard that the chance that someone will misuse them is considered very low. In addition, the idea that the company is an unlikely target persists. This leads to the belief that cybersecurity is exaggerated by the specialists and does not need much management attention.

  2. Fatalistic thinking
    Cybersecurity is too hard to implement. ISO 27001 includes 114 controls. NIST SP 800-53, which is more detailed, contains 965 controls. Fatalistic thinking refers to the belief that it is impossible to achieve a sufficient level of security.

The quickest way of creating awareness at the top of an organisation is a cybersecurity disaster. It immediately removes the optimism bias. The meme that circulated on Twitter a few weeks ago sums it up very well. Before the fact it is just a risk, which is perceived as very low. After the event there is tangible damage. Not only is the company damaged; personal reputations are damaged as well. When the press is knocking on your door it is the CFO who needs to explain the situation, not the security manager.

The smarter way is to perform a realistic quantitative risk analysis. This method makes the risk more tangible. It also makes the risk more actionable, because the effect of adding extra controls can be made visible. Quantitative risk analysis gives management control over the level of risk they are willing to take and removes the ground for fatalistic thinking. Once top management understands the need to act and has the means to act, we have gained true top management awareness.
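The following Monte Carlo model is an added example and is not part of the original posts. It illustrates two points made on this page: the "dent versus total loss" argument from the November post (the loss distribution, not the maximum damage, is what matters) and the claim above that a quantitative risk analysis makes the effect of an extra control visible. Every number in it (event probability, the triangular loss parameters, the yearly cost of the control) is a constructed assumption, not a figure from the article.

```python
import random
import statistics

# Constructed scenario (assumption, not from the article): the yearly risk of
# one incident, e.g. an outage or breach of a legacy application. Frequency is
# a yearly probability; the loss, when it happens, follows a triangular
# distribution with a likely "dent" outcome and a rare "total loss" tail.
BASELINE = {"p_event": 0.30, "low": 20_000, "mode": 150_000, "high": 2_000_000}

# Hypothetical extra control (e.g. tested backups plus network segmentation)
# that lowers the frequency and shortens the tail, at an assumed yearly cost.
WITH_CONTROL = {"p_event": 0.15, "low": 10_000, "mode": 50_000, "high": 500_000}
CONTROL_COST = 40_000


def simulate_annual_losses(scenario, years=20_000, seed=1):
    """Monte Carlo: one simulated year per iteration; returns the loss per year."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = []
    for _ in range(years):
        if rng.random() < scenario["p_event"]:
            # random.triangular takes (low, high, mode)
            losses.append(rng.triangular(scenario["low"], scenario["high"], scenario["mode"]))
        else:
            losses.append(0.0)
    return losses


def summarize(losses):
    """Expected annual loss plus percentiles and the simulated worst case."""
    s = sorted(losses)
    n = len(s)
    return {
        "expected_annual_loss": statistics.fmean(s),
        "p50": s[n // 2],
        "p90": s[int(0.9 * n)],
        "p99": s[int(0.99 * n)],
        "worst_case": s[-1],  # the "maximum damage" figure the page argues against
    }


def compare_controls(baseline, with_control, control_cost, years=20_000, seed=1):
    """Return-on-security-investment view: does the control pay for itself?"""
    base = summarize(simulate_annual_losses(baseline, years, seed))
    ctrl = summarize(simulate_annual_losses(with_control, years, seed))
    reduction = base["expected_annual_loss"] - ctrl["expected_annual_loss"]
    return {
        "baseline": base,
        "with_control": ctrl,
        "loss_reduction": reduction,
        "net_benefit": reduction - control_cost,
        "rosi": (reduction - control_cost) / control_cost,
    }


if __name__ == "__main__":
    result = compare_controls(BASELINE, WITH_CONTROL, CONTROL_COST)
    for name in ("baseline", "with_control"):
        stats = result[name]
        print(f"{name:13s} EAL={stats['expected_annual_loss']:>10,.0f} "
              f"p90={stats['p90']:>10,.0f} worst={stats['worst_case']:>10,.0f}")
    print(f"net benefit of control: {result['net_benefit']:,.0f}  ROSI: {result['rosi']:.1f}")
```

Running it shows why "maximum damage" is a poor planning figure: the simulated worst case sits far above both the median year (which is zero, since most years see no incident) and the expected annual loss. The comparison between the two scenarios is the actionable part: a control is worth buying when the reduction in expected annual loss exceeds its cost, and the same model lets management pick the percentile of loss they are willing to tolerate.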

Tuesday, January 14, 2020

(re)Move the budget!


Do you expect your IT department to work on a budget and keep things secure? Think again! But you could probably lift some weight off their shoulders, so they can do more with less.

A few weeks ago, I saw parallels between Expedition Robinson (a reality television program in which contestants are put into survival situations) and the cybersecurity industry. There was a challenge where contestants had to carry sand-filled bags around their neck and run a course. The last one to finish had to leave the game and had to choose another contestant to hand his sandbags over to. In the last race an unfortunate guy had to carry almost all of the bags and he lost to a girl who had to carry only a few. The weight was so heavy he could barely walk, let alone run.

In IT it’s often the CIO who has to carry all the bags. Departments demand more and more new services, but won’t allow old ones to be removed. The IT department is expected to keep up with the latest technology AND to keep the old systems (often called ‘legacy’) running. The weight becomes heavier and heavier. 

This is due to the fact that legacy is harder to maintain. Older applications may need older operating systems, older databases and sometimes even older hardware to run on. Some of these components may run out of supplier support. At that point security patches are no longer available and extra mitigating measures must be put in place. You need expertise for every one of these components, but since people want to move on to modern technology (they have careers too), that expertise becomes harder to find.

To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, the set of vulnerabilities is also known as the attack surface or exposure. The more different systems in use, the bigger the exposure, and the bigger the risk.

At the same time the departments usually only pay for the initial project implementing new systems, but do not have to pay the maintenance costs. Maintenance is part of the IT budget. Leaving ‘old stuff’ running comes at no cost for them. It’s free shopping, while replacing the legacy will cost them. It is a kind of prisoner’s dilemma between the supplying IT department and the various consuming departments. They could have an overall better, more secure IT system if they cooperated and stopped acting on individual interests.

Running legacy is not only insecure, it’s also expensive. Decreasing the cost will improve security, but the opposite is also true: improving security will decrease the costs. Security can have a positive ROI.

As a CISO you could leverage the cost of IT to improve overall security by making the actual costs of your high-risk legacy applications clear. Analyse the dependencies and take into account that every component needs to be maintained. Then visualize which department is responsible for these hidden costs. In my experience this will trigger an important discussion: Why is the IT budget so unevenly spread? Why does IT carry all the load, while the other departments don’t?