Security expert Lesley Carhart tweeted last month, “If you’re a CEO, CFO, or CIO, you’re directly responsible for the caliber of cybersecurity at your company.” During the RSA conference in Singapore a few weeks ago, RSA’s CTO Zulfikar Ramzan described several different C-level executives who could have direct responsibility for some portion of your security infrastructure: CEO, CIO, CSO (or CISO), CTO, and the Chief Data Officer. If three is a crowd, then this is a herd. Or maybe a pod, I never really learned those plural descriptors. And that is just the top management layer: for a large corporation, there could be dozens of middle managers that handle the various security components.
From the IT folks that I have interviewed over the years, this seems sadly all too typical. And that is a major problem, because it is easy to just pass the buck (or the token or packet) from one department to the next. Even something as simple as your firewalls could be an issue. You might think that they clearly are run by your network administrator. But this person could report to the CIO or the CTO or maybe there is that dreaded “dotted line” responsibility so the network admin needs to report to both of them. That can get messy.
What I am saying here is that security should be everyone's responsibility, not just the executives' but the worker bees' too. This is not a new idea. One earlier post on the subject lists four reasons why:
- Humans are always going to be the weak link
- Tech is continually evolving, and everyone needs to stay on top of these changes
- Our hyper-connected world magnifies mistakes
- Our data privacy is under siege
But if the various execs can’t sort this out on their own, how do you expect your rank and file to get a clue?
Here is a short test to see how you have distributed your security responsibilities across your enterprise. Try to answer these questions truthfully.
- Who owns the breach response? When a breach happens, who is in charge, meaning who directs the deployment of resources and who runs the investigation and mitigation?
- Taking the answer to the first question, is this the same person who owns the response to an accidental data leak? Or to a deliberate leak by a rogue employee? If these are two (or more) different execs, why?
- Who owns the day-to-day security operations, whether that be a SOC, NOC, SOC-as-a-Service, or some combination of those entities?
- If one of your C-level execs doesn't follow security best practices, can you do something about it? What if it is the CEO who never changes a default password?
- If you move a server out of your data center and spin it up in some cloud service, how many executives have to approve that move? And who takes ownership of the server afterwards?
- You probably have a few desktops that are running Windows 7 (or even older versions). Do you know how many outdated desktops you have? This isn't an entirely rhetorical question, given the research showing that more than 800,000 XP endpoints are still unpatched and could be exploited by BlueKeep (CVE-2019-0708), a flaw that also affects Windows 7. Whose budget pays for these updates? Whose budget pays for the endpoint protection software and for keeping track of the PCs that haven't been properly protected? If these are three different people, how do they communicate in a crisis, such as the aftermath of a successful phishing attack?
- Speaking of phishing, let’s say you want to establish a regular phishing awareness training effort. Who picks up that tab, and who handles the problems that are uncovered?
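Before anyone can own the outdated-desktop problem, someone has to be able to count it. The following PowerShell is an added example, not code from the original post: it pulls every enabled computer object from Active Directory, breaks the fleet down by operating system, and writes out the machines on a legacy OS that have actually logged on recently (so stale AD objects don't inflate the number). It assumes a domain-joined workstation with the ActiveDirectory RSAT module installed and read access to the domain; the 30-day cutoff and the CSV filename are arbitrary choices.

```powershell
# Added example (not from the original post): answer "how many outdated
# desktops do we have?" with a number rather than a guess.
# Assumes: the ActiveDirectory RSAT module, read access to the domain.
Import-Module ActiveDirectory

# OS name patterns we consider legacy for this report (assumption; adjust to
# whatever your patch policy says is out of support).
$legacyPatterns = 'Windows 7*', 'Windows Vista*', 'Windows XP*'

# Only machines that have logged on in the last 30 days count as "live";
# anything older is probably a dead object that should be cleaned up instead.
$cutoff = (Get-Date).AddDays(-30)

# Enabled computer objects with the attributes we need for the breakdown.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

# Whole-fleet breakdown by OS string, most common first.
$computers |
    Group-Object OperatingSystem |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Live machines running a legacy OS. $c holds the outer object so the inner
# Where-Object's $_ (the pattern) does not shadow it.
$outdated = $computers | Where-Object {
    $c = $_
    $isLegacy = $legacyPatterns | Where-Object { $c.OperatingSystem -like $_ }
    $isLegacy -and ($c.LastLogonDate -gt $cutoff)
}

# Hand the list to whoever owns the endpoint budget; the CSV is the artifact
# that ends the "I thought your team handled that" conversation.
$outdated |
    Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Export-Csv -NoTypeInformation -Path .\legacy-endpoints.csv

"{0} live legacy endpoints out of {1} enabled computer objects" -f `
    $outdated.Count, $computers.Count
```

LastLogonDate is replicated only every 9 to 14 days by default, so a machine can look a little staler than it is; for a first inventory that is good enough, and the point is to get one number that every department head is looking at.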
I hope you can see a pattern emerging: chances are, the person who owns the problem is not the person who owns its resolution. That is what the bad actors count on: they can drive a wedge between these departments. This is how exploits succeed, and how your company can end up in trouble.
By now, you know that I don't just raise issues, but try to provide some solid action items and offer a few practical suggestions on how to fix things. Your mission, should you decide to accept it, is to align responsibilities so that your IT security is managed more effectively.
First, establish a clear line of authority across departments for handling breaches, leaks and exploits. Next, have a game plan for breach response, rehearse it regularly, and update it as people or equipment change so it stays current. Third, make security budgeting a joint exercise among the desktop, network, applications, data owner, legal and server department heads. It makes no sense to favor one over another: we all have to learn to share. Finally, in the same spirit, identify where your information silos have been built and start thinking about ways to tear them down; encouraging cooperation and collaboration reduces your overall risk profile. That is a lot of work, to be sure, but it is needed, and there is no time like the present to start.