Monday, June 23, 2014

Maybe it really does matter who the CISO reports to

The debate over CISO reporting structure reared its head again in the wake of Target's hiring of former GM CISO Brad Maiorino.

Target’s recent appointment of Brad Maiorino was received with great fanfare this past week, an indication that Target was willing to bring in the “big guns” to address security in the wake of last Fall’s massive data breach at the big box retailer. But the disclosure that the position will report to Target’s CIO has rekindled the debate about what the most effective reporting structure should be for the CISO to deliver better overall security.
In last week’s ‘SANS Newsbites’ newsletter, Stephen Northcutt, Shawn Henry and John Pescatore debated the wisdom of this reporting structure with Northcutt and Henry arguing that it diminishes the effectiveness of the CISO. Pescatore, on the other hand, claimed, “there is zero real-world correlation that security goes up - or down (when the CISO reports to the CIO)”. While I agree with John that the relationship between the CISO and his/her boss is critically important to the CISO’s success, I am compelled to point out that there actually is empirical data supporting the argument that having the CISO reporting outside of the CIO’s office does improve the organization’s security when measured against downtime and financial losses.
This finding comes from the 2014 Global State of Information Security Survey, conducted each year, for more than a decade, by PwC, CSO and CIO magazine. I've not previously called out this data because I thought this argument had been put to bed... apparently I was wrong. So here it is:
  • with more than 9,000 respondents from around the globe, the survey found that those organizations in which the CISO reported to the CIO experienced 14% more downtime due to cyber security incidents than those organizations in which the CISO reported to the CEO
  • and, when the CISO reported to the CIO, financial losses were 46% higher than when the CISO reported to the CEO. In fact, having the CISO report to almost any position in senior management other than the CIO (Board of Directors, CFO, etc.), reduced financial losses from cyber incidents
I also examined the findings from the 2013 survey and found the same basic conclusion: reporting to the CEO or the Board of Directors, instead of the CIO, significantly reduces downtime and financial losses resulting from cyber security incidents.
I've always believed that not every organization is the same and that no one model will work everywhere. However, there's a lot to be said for having IT security leadership report to the top of the house, but not to the CIO: the reduction in conflict of interest between the CIO's objectives and the CISO's objectives, the ability to escalate issues to the top of the house, as well as the opportunity it provides for security to influence corporate leadership. It's critical that the CISO and the CIO work together towards the common goal of aligning security with the business objectives and risk appetite of the organization, but it's clearly best done when they are peers with an equal voice in the discussion.
Bob Bragdon, Publisher
DEALING WITH UNKNOWNS

Why senior leaders are the front line against cyberattacks

All companies are aware of the growing risk of cyberattacks, yet few are taking the steps necessary to protect critical information. The key? Senior managers need to lead.

June 2014 | by Tucker Bailey, James Kaplan, and Chris Rezek
Why isn't more being done to protect critical information assets? Senior executives understand that the global economy is still not sufficiently protected against cyberattacks, despite years of effort and annual spending of tens of billions of dollars. They understand that risk alone undermines trust and confidence in the digital economy, reducing its potential value by as much as $3 trillion by 2020.[1] They understand most institutions have technology- and compliance-centric cybersecurity models that don't scale, limit innovation, and provide insufficient protection. And they understand that institutions need to develop much more insight into the risks they face, implement differential protection for their most important assets, build security into broader IT environments, leverage analytics to assess emerging threats, improve incident response, and enlist frontline users as stewards of important information.

Video: Getting cybersecurity right: An interview with James Kaplan
McKinsey’s James Kaplan explains what executives can do to protect their companies against cyberattacks.
The importance of cybersecurity is no secret to anyone who’s opened a newspaper or attended a board meeting. So, senior executives may ask, what’s the holdup? The answer is simple: understanding the issue is quite different from effectively addressing it. A number of structural and organizational issues complicate the process of implementing business-driven, risk-management-oriented cybersecurity operating models, and only sustained support from senior management can ensure progress and ultimately mitigate the risk of cyberattacks.

Structural hurdles to addressing cybersecurity

There are a number of factors that make getting the right cybersecurity capabilities in place difficult for large institutions. First, competitive imperatives mean executives must accept a certain level of cyberattack risk. As a chief information-security officer (CISO) at an investment bank said, “If I did as thorough a security assessment as I would like before we nailed up a direct connection to a hedge fund, our prime-brokerage business would cease to exist.” What this means is that in order to protect themselves without limiting their ability to innovate, companies have to make sophisticated trade-offs between risks and customer expectations.
Second, the implications of cybersecurity are pervasive—and that alone impedes the adoption of risk-mitigation strategies. Cybersecurity touches every business process and function, not only in operations but also in customer care, marketing, product development, procurement, human resources, and public affairs. Just two examples: product-development decisions often increase the volume of sensitive customer data that is collected, while procurement decisions can create the risk that vendors will treat sensitive intellectual property with less care than required.
Third, cybersecurity risk is difficult to quantify. There’s no single quantitative metric such as value at risk for cybersecurity, making it much harder to communicate the urgency to senior managers and engage them in required decisions. As one chief financial officer told us, “It feels like we’re constantly spending more on security, but I have no idea whether that’s enough or even what it does.”
Finally, it’s hard to change user behavior. For many institutions, the biggest vulnerability lies not with the company but with its customers. How do you prevent users from clicking on the wrong link, allowing their machines to be infected with malware? How do you stop them from transferring incredibly sensitive information to consumer services that may not be secure? Breaking through the noise at most institutions to communicate with frontline managers about cybersecurity risks is tough enough, let alone mitigating risks that are ostensibly beyond your control.

Senior managers must lead

Cybersecurity is a CEO-level issue. The risks of cyberattacks span functions and business units, companies and customers. And given the stakes and the challenging decisions posed by becoming cyberresilient, making the decisions necessary can only be achieved with active engagement from the CEO and other members of the senior-management team.
As part of research we undertook with the World Economic Forum on cybersecurity,[2] we had the opportunity to interview executives from more than 200 institutions and perform deep dives on cybersecurity risk-management practices with more than 60 of the world's 500 largest companies. Senior-management time and attention was identified as the single biggest driver of maturity in managing cybersecurity risks, more important than company size, sector, and resources provided. Our research also found that senior-management engagement varies dramatically. In some companies, the CISO meets the CEO every few weeks. Yet in others, the CISO has never met the CEO. In fact, the CISO may report to the chief technology officer, who reports to the chief information officer, who then reports to the CFO.
So what does senior management need to do? Among those companies that are making the most progress toward developing cyberresiliency, we identified four actions common among senior managers:
  • Actively engaging in strategic decision making. Just as with other types of enterprise risk, CEOs and the rest of the senior-management team must provide input on the organization’s overall level of risk appetite for loss of intellectual property, disclosure of customer information, and disruption of business operations. Subsequent to that, business-unit heads—and their management teams—must engage with cybersecurity managers to help prioritize information assets and make specific trade-offs between risk reduction and operational impact.
  • Driving consideration of cybersecurity implications across business functions. Senior managers at leading companies ensure business managers incorporate cybersecurity considerations into product, customer, and location decisions, while functional leaders are responsible for addressing cybersecurity considerations in human-resources and procurement decisions. In addition, they make sure that the disclosure of cybersecurity priorities is incorporated into the company’s public-affairs agenda.
  • Pushing changes in user behavior. Given how much sensitive data senior managers interact with, they have the chance to change and model their own behavior for the next level of managers. This can begin with simple steps, such as becoming more judicious about forwarding documents from corporate to personal e-mail accounts. In addition, senior management can and should provide the communications “airtime” and reinforcement required to help frontline employees understand what they need to do to protect critical information assets.
  • Ensuring effective governance and reporting is in place. No matter how thoughtful a set of cybersecurity policies and controls may be, some managers will seek to circumvent them. Senior management obviously needs to make sure that policies and controls make sense from a business standpoint. If they do, senior managers then need to backstop the cybersecurity team to help with enforcement. In addition, senior management should put in place effective, granular reporting on how the company is progressing against specific milestones in its cybersecurity program.
Pervasive digitization, open and interconnected technology environments, and sophisticated attackers make cybersecurity a critical social and business issue. If inadequately addressed, it could materially slow the pace of technology and business innovation in the years to come. That’s why companies must make rapid progress toward cyberresiliency, and only sustained focus and support from top management can overcome myriad structural and organizational hurdles. We know it’s possible—at some companies, this process is already under way. But it must take place on a broader scale if companies are to protect their critical information assets while retaining the ability to innovate and grow.
About the authors
Tucker Bailey is a principal in McKinsey's Washington, DC, office; James Kaplan is a principal in the New York office; and Chris Rezek is a consultant in the Boston office.

InfoSec shake-up in full swing

Big changes are happening. When the dust settles, the information security industry will be a completely different shape. Last week, Brian Dye, VP of Information Security at Symantec, announced that anti-virus software is dead – it only stops 45% of malware. This is not news for most of us in the industry – many say that AV detection rates are closer to 5%.

After the Symantec "bombshell", the rest of the AV industry spent the past week scurrying around trying to stop a total erosion of confidence in their products. The reaction of Kaspersky was typical of the industry: they said that although signature scanning is now pretty hopeless, AV products comprise several more layers which provide protection. The reality, however, is that it does not matter how many layers AV has; it simply does not stop nearly enough malware. Symantec have pulled their fingers out of the dyke, and pressures to change are fast becoming a flood. AV is based on an outdated premise of attempting to prevent malware infections.
The recent AV debate is indicative of fundamental structural changes which are taking place throughout InfoSec. Any visitor to an InfoSec trade show over the past decade would clearly have seen the dominance of the AV companies. The shake-up happening now is a fundamental paradigm shift.
Elements now coming to the fore in information security include:
1. Endpoint protection must include technology that protects data even when the device is infected with malware. Examples are more proactive anti-keylogging and anti-phishing endpoint solutions.
2. Security derived from data analytics of big data. Our ability to analyse big data to make our systems more secure is evolving fast.
3. Increased use of cloud-based, real-time analysis of electronic transactions. This creates more sophisticated risk-based authentication. More and more security analysis will be performed in the cloud.
4. Realisation that mobile security is totally different to PC security. Threats on mobile stem primarily from the installation of “legitimate” apps approved and downloaded from the official app stores, many with improper permissions. Techniques successful on mobile, such as sandboxing and whitelisting, are being used more in non-mobile environments. Encryption is utilised more and more.
5. Solutions addressing the need for privacy alongside government’s national security needs. This includes inter alia, off-shore cloud hosting and homomorphic encryption.
The move away from the dominating dependence on AV will drive a flurry of M&A activity over the next year or two. Traditionally, leading InfoSec firms enlarge their technology and drive growth through acquisitions; this will become even more prevalent. A dance of musical chairs is playing out, while leading firms jostle, acquire, and re-align. The moves made now will determine who will dominate a more lucrative information security industry over the next decade.
Clearly companies such as Symantec realise the urgency to morph and have been aggressively buying new technology for a while. Others who cling to outdated technology will wither and die. With such high stakes up for grabs, many organisations, not traditionally in core AV, are also part of the infosec musical chairs, such as FireEye, IBM, Akamai, Cisco, Intel, etc. There will be spectacular returns for the winners of this restructuring – global spending on information security is going to escalate way above current (already high) levels.
Patents and intellectual property in the new security paradigm are incredibly valuable. Security M&A prices are based less on revenues but on the strategic positioning of the technology and IP – and what it can leverage for the acquirer. We look forward to seeing how this shake-up plays out. When the new landscape settles, the cross pollination of different technologies and expertise will produce the next wave of innovative solutions. And some of the new breed will rise – while others, once mighty, will fall.

Symantec Mitigation for Oil Company DoS/DDoS (6/23/2014)
Symantec said it has detection measures in place regarding the recent threat and also issued the following recommendations:
· Use a layered approach to securing your environment, including enterprise-wide security monitoring.
· Deploy network intrusion detection/prevention systems to monitor network traffic for malicious activity.
· Ensure all operating systems and public facing machines have the latest versions and security patches, and antivirus software and definitions up to date.
· Ensure all web servers are patched, configured to minimise the impact of DoS/DDoS attacks, and hardened against external threats.
· Utilise web application firewalls as a front-line defense against attacks.
· Ensure your IT and IT security staff are prepared and know what they need to do in the event of attack.
· Discuss DoS/DDoS mitigation strategies with your upstream provider and ensure they are aware of this threat.
· Ensure relevant third party vendors are also aware and accessible.
· Utilise DDoS protection services.
· For technologies not monitored/managed by MSS (Managed Security Services), ensure all signatures are up to date, including endpoint technologies.
· Ensure systems have a running firewall, unnecessary ports are closed/blocked, and unused services are disabled.
· To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
· Do not follow links or open email attachments provided by unknown or untrusted sources.
· Ensure staff are educated on social engineering and phishing techniques.
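The firewall, closed-ports and disabled-services items in the list above are easy to assert and rarely verified. As an added example, not part of Symantec's advisory, the following Python script parses the output of `ss -Hlntup` (iproute2; columns Netid, State, Recv-Q, Send-Q, Local:Port, Peer:Port, Process), ignores listeners bound only to loopback, and flags every socket exposed on a non-loopback address whose protocol/port pair is not on an allowlist. The sample output embedded in the script is constructed, the allowlist (tcp/22, 80, 443) is an assumed policy for a hypothetical web host, and the live `ss` invocation is only attempted when the script is run directly.

```python
"""Audit listening sockets against an expected-services allowlist.

Added example (not Symantec's code). Parses `ss -Hlntup` output; the sample
below is constructed for illustration and is not a real capture.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -Hlntup` output (no header because of -H).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      511    [::]:443          [::]:*       users:(("nginx",pid=1203,fd=7))
tcp   LISTEN 0      50     0.0.0.0:3306      0.0.0.0:*    users:(("mysqld",pid=1410,fd=21))
tcp   LISTEN 0      128    127.0.0.1:6379    0.0.0.0:*    users:(("redis-server",pid=1502,fd=6))
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*    users:(("snmpd",pid=990,fd=8))
tcp   LISTEN 0      5      0.0.0.0:23        0.0.0.0:*    users:(("telnetd",pid=2201,fd=3))
"""

# Assumed policy: only these protocol/port pairs may be reachable beyond loopback.
EXPOSED_ALLOWLIST = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

# Addresses that are not reachable from the network and therefore tolerated.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Netid State Recv-Q Send-Q Local:Port Peer:Port [users:(("name",pid=N,fd=M))]
_SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


@dataclass(frozen=True)
class ListeningSocket:
    proto: str
    addr: str
    port: int
    process: str  # "?" when ss could not show it (needs root for other users' processes)
    pid: int      # 0 when unknown


def parse_ss(text: str) -> list[ListeningSocket]:
    """Turn `ss -Hlntup` lines into ListeningSocket records; skips lines it cannot parse."""
    sockets = []
    for line in text.splitlines():
        m = _SS_LINE.match(line)
        if not m:
            continue
        # rpartition keeps IPv6 literals such as "[::]" intact.
        addr, _, port = m.group("local").rpartition(":")
        sockets.append(ListeningSocket(
            proto=m.group("proto"),
            addr=addr,
            port=int(port),
            process=m.group("proc") or "?",
            pid=int(m.group("pid") or 0),
        ))
    return sockets


def audit(sockets: list[ListeningSocket], allowlist=EXPOSED_ALLOWLIST) -> list[ListeningSocket]:
    """Return the sockets that are exposed beyond loopback and not on the allowlist."""
    return [
        s for s in sockets
        if s.addr not in LOOPBACK and (s.proto, s.port) not in allowlist
    ]


def main() -> None:
    try:
        output = subprocess.run(
            ["ss", "-Hlntup"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT  # fall back to the constructed sample
    for s in audit(parse_ss(output)):
        print(f"unexpected listener: {s.proto}/{s.port} on {s.addr} ({s.process}, pid {s.pid})")


if __name__ == "__main__":
    main()
```

Against the sample the script flags mysqld on tcp/3306, snmpd on udp/161 and telnetd on tcp/23, and passes redis because it is bound to 127.0.0.1 only. Run it as root on a real host so `ss -p` can attribute sockets to processes owned by other users, and treat the allowlist as something to be reviewed per host role rather than copied.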
After several years of planning, the Pentagon’s Cyber Command is finally beginning to conduct operations such as tracking adversaries overseas to detect attacks against critical computer networks in the United States, according to a senior defense official.
The Pentagon’s “national mission” cyber teams over the past year have begun monitoring servers used by “high value” adversaries, said the official, alluding to countries such as Iran and China.
When authorized, the national mission teams — the most prominent element of the military’s growing Cyber Command — can block or counter a foreign cyber attack, the official, who was not authorized to speak on the record, said in a recent interview.
But the teams’ focus is “strategic defense of the nation,” not offense, the official said. The command is slightly less than one-third of the way toward its full capacity, with almost 2,000 personnel in place out of a goal of 6,000 by the end of 2016.
Sequestration slowed the effort, but “solid progress” is being made, the official said. The command is led by Adm. Michael S. Rogers, who took up the job in April when he became director of the National Security Agency. It was launched in 2009 under then-NSA Director Keith Alexander.
All told, there will be 13 national mission teams out of a total of 133 teams. Twenty-seven combat mission teams will assist combatant commands around the world. They might, for instance, disrupt an enemy’s computerized air defense systems before an airstrike.
There will be 68 cyber protection teams to help with defense of the department networks, the official said. The remaining 25 teams will provide support to the national and combat mission teams.
The national mission teams will not operate on private sector networks or inside the United States. “The national mission teams are not designed to sit on Wall Street and protect Wall Street’s networks or the power grid’s networks,” he said. “They want to catch an incoming round before it [hits].”
Part of their job is to do reconnaissance work on foreign networks to watch traffic in servers used by adversaries that the military has gained lawful access to, he said.
“We need to be inside the bad guy’s head and network,” he said. “That’s the mission of the national mission teams: to be inside the bad guy’s head and his network.”
Getting inside the bad guy’s network means monitoring the “hop points” or servers commandeered around the world by adversaries to route and disguise their computer traffic, not necessarily hacking into their command and control computers, he said. “Whatever these bad guys are using in order to do their work, that’s what we’re interested in.”
The teams can do that reconnaissance work under a variety of authorities, including intelligence and military, he said. If asked, they could also help the FBI in a criminal investigation, he said.
The national teams will deploy only when there is a strategic attack, or one, he said, that "is going to cause death, public health and safety issues on a serious magnitude... [something] with significant implications to our national security or to our national economic security."
Part of the decision-making process is a consideration of the consequences of any action, to include diplomatic blowback and counterstrikes, he said. “We don’t want to make the situation worse by the use of military cyber capabilities,” he said.


Center for Policy on Emerging Technologies (C-PET)
Internet of Things – Smart Systems and Dumb Policy Could Be a Dangerous Combination in a Dynamic Global Arena
August 3, 2013. Posted in: Internet of Things
Steve Bell, President, KeySo Global LLC
Introduction
Following a recent C-PET Internet of Things (IoT) round-table teleconference and the recent 3rd Annual Internet of Things Europe 2011 conference in Brussels, it seemed appropriate to share the following paper. This report is a summary extract of the key points discussed at a C-PET IoT conference held in December 2009. It is based on a comprehensive KeySo Global report on that meeting (available on request), which examined these points in light of a number of IoT trends and developments during 2010. To keep this document fresh and relevant, the opportunity was taken to carry out a hindsight/foresight review of the material and to test the temperature of the conclusions against IoT developments in Europe and the progress being made.

Hindsight & Foresight
Two years ago, the consensus appeared to be that the EU had first-mover advantage on IoT, but now it appears that China is clearly at the forefront of the countries developing the Internet of Things. Some of the issues this observation surfaces are the cultural and philosophical differences between eastern and western societies and governments.
The goal for IoT & Internet in the EU by 2020 is “smart, sustainable, inclusive” with values like privacy built in from the start on the assumption that it will fail otherwise. Peter Hustinx, European Data Protection Supervisor makes the point that “fundamental to the successful deployment is trust”. Privacy of data and trust of the consumer will be critical components to success of the Internet of Things. While the rhetoric on “right to silence” may be “hyperbole” it starts the global conversation on privacy by design.
Does an equivalent statement exist for the US and should it? Does Washington even understand the profound implications that the IoT will have on the U.S and global economy? These were some of the areas touched upon in the recent roundtable where Michael Nelson identified 3 Tech Cultures: W. Coast, Prototype Principle; E. Coast, Profit Principle; Europe, Precautionary Principle. As Dan Caprio & Mike concluded, the issue is not which is the right principle but how to embrace all 3 in a horizontal approach across the EU and the US, and at the same time recognize that China and Asia are moving at a rapid pace of development as well. There are a lot of moving parts and players involved in assessing multiple international policy issues but it is essential to start addressing them.
The paradox is about protecting a fragile and evolving Internet and those who want control over this and the emerging IoT technology. Today’s Internet policy framework is “elegant in its restraint” and has enabled extraordinary innovation, according to the OECD, but they see trends that threaten to balkanize the Internet, creating mini national Internets that will destroy economic and social potential.
M2M communications only become the true IoT when interfaces & data open up & everything talks globally. The sensors are the means not the end; they are ambient and do not need “modal” interfaces that require human attention. The Internet of Things is really about data management and the privacy implications that arise from this built environment. The IoT will indirectly enable the observation and understanding of human behavior in buildings and places. Where this information can be mashed together to create swarm behavior analysis, it raises the interesting issue of who owns the data and knowledge.
Open data will drive the Internet of Things. As Meglena Kuneva, European Consumer Commissioner, said in March 2009 “personal data is the new oil of the Internet & the new currency of the digital world.” It seems reasonable to anticipate that this complex global environment will spawn many different privacy solutions rather than a single “privacy by design” solution and that the focus should be on the transparency of the systems that hold the data, not necessarily on the transparency of the data itself.
This is why the Internet of Things might better be renamed the "Cloud of Everything": billions of people controlling the use of open data generated by billions of devices for millions of apps and services, which in turn use the data the Cloud makes available for sharing and analysis.
The “Cloud of Everything” is the classic double power conundrum; it is the biggest opportunity and the biggest challenge to everything that individual societies and cultures hold absolute.

Impact of the Internet of Things
In December 2009 the Center for Policy on Emerging Technologies (C-PET), a non-partisan think tank for the 21st century, held a roundtable discussion in Washington DC hosted at the offices of McKenna Long & Aldridge. The small but broad cross section of participants and experts brought a wealth of knowledge and perspectives. They facilitated a better understanding of the potential, the impact and the implications of the Internet of Things (IoT), both in the U.S.A. and globally. One general conclusion arising from the C-PET panel was that competing visions exist for the IoT and that the general public does not yet have a clear and compelling sense of what it is or of the benefits that it could potentially provide. The definition the C-PET panel recommended was much simpler and attempted to address the need for a clear, compelling, benefit-driven definition that could be understood by consumers. The C-PET panel's vision emphasizes "connecting the things that matter to make life better".
The Internet of Things (IoT) is the ultimate paradox; by definition its lineage is clear (Moore’s Law, Internet, cellular, RFID and the web) but the implications of what it yields or unleashes are truly unknown at this time.
Elements grounded in science are predictable but as you move up the software and services stack, second and third order derivatives are more difficult to predict, and their implications on society even less so.
A recent article in the Economist magazine on the Internet of Things highlights four main areas of concern for society:
  • Privacy: an increasing number of sensors will mean that offline data can be mixed with online data, creating enhanced digital footprints
  • Control: the risk of abuse by a malevolent government using Orwellian ways to keep people under control
  • Security: the fear that smart systems might be vulnerable to malfunctioning or attacks by hackers (the Stuxnet scenario)
  • Elitism: the concern that those with access to smart systems could be vastly better informed than those without, which could lead to control by a few
One challenge identified by the C-PET panel was how to unlock the latent value of the Internet of Things in order to unleash human creativity; specifically to ensure that it truly remains an Internet of Things and that, through policy, its potential is not limited to an “internet of fewer things”.

Enabling the Internet of Things
During the C-PET session consideration was given to what was needed to enable the Internet of Things to flourish.
The following enabling elements were explored and discussed during the meeting:
  • IT and broadband networks for backhaul, coupled with robust layers of wireless data networks, are essential for the provision of ubiquitous access anywhere, any time
  • These networks need to be scalable globally, able to address billions upon billions of devices (IPv6 adoption: its 128-bit addresses give roughly 3.4 × 10^38 possible addresses), and backed by a domain name standard that allows devices to be traced
  • Spectrum management needs to address the future requirements of networks of smart systems, with billions of devices continuously refreshing their status and needing control guidance
  • The networks need to be robust, resilient, flexible and probably redundant if they are to interface, link and service utility and health systems. Denial of service and threat of cyber attack cannot be acceptable on critical infrastructure
  • Architectural and policy recognition that, unlike the Internet, the IoT is not a singular or totally open system but is in fact comprised of overlapping networks of open, closed and partially open systems. Standards and interfaces will be needed to ensure companies can protect proprietary supply chain information, but on the other hand have the ability to track and recall goods (food & drugs) across multiple systems when necessary
  • With the ability to gather data 24/7 from potentially billions and billions of devices, there is a need for heuristic software capability and deterministic rules
  • New data storage concepts need to be considered: despite the continually lowering cost of this, there is a distinct possibility of running out of storage
  • New capabilities in smart pattern recognition will be required to handle current and historic data, and to then determine how best to use this data effectively
  • Business processes need to adapt, and companies need to be able to see the economic benefit of investing in IoT. The lesson from RFID is that, even if the cost of sensors and chips continues to fall to extremely low levels, the issue becomes the total cost of the system as a whole
  • Equally, if the overall proposition is not attractive, easy to use and can be seamlessly adopted into consumers’ lives, they too will reject it
  • Provision needs to be made for security, privacy policy and mechanisms that address a new set of paradigms; where access, storage, usage and ownership of data related to someone or something are not necessarily under the control of an individual or corporate entity, and where national boundaries have little meaning
  • Consideration for regulation of smart grids where there is more than one owner, the owner is outside the national border or the grid is part of an international network
  • Global collaboration between governments and industry on consumer security and privacy service level agreements, and opt in rules regarding silent chips and surveillance
  • Policing and enforcement to address the federated crime syndicates that are already emerging and that recognize no borders, generating a shadow economy that is already more than a trillion dollars
  • The consideration of industry partnerships and stimulus funding to accelerate development of technical, economic and social capabilities; to ensure that IoT based structural change positions the U.S. to take a leadership role in what could be the next industrial revolution

Concluding comment

During this last 12 months C-PET has consistently raised the concern that Washington has not cultivated an innovation mindset. In this environment where will the cradle of innovation be for the IoT in the U.S. and how will it be encouraged? In fact, with the increasing emphasis on short term results, can it really be nurtured in the U.S. and can these enabling elements be addressed?