We’ve seen high-profile breaches and the accompanying fallout at Target, Home Depot, and JPMorgan, among several others.
We’ve also seen an increase in the number (and in the complexity) of malicious actors who are making the lives of CEOs very difficult.
And we’ve seen CEOs respond to breaches in a number of ways. Some have created investigative task forces, some have increased their security budgets and some have simply asked questions like:
“Who could have anticipated an attack like this?”
One of the most important things for CEOs to understand is that information security is very much their responsibility. The CEO is not only in charge of managing risk but also making sure that everyone in the company is on board with a comprehensive security strategy.
1 – Know who is attacking you and why: Today, diverse, sophisticated attacks are coming from locations like Russia, China, the former Soviet Union, Iran and even North Korea. In these countries, arrests for hacking are extraordinarily rare and the cost to conduct an attack is very low.
Why are they hitting you? Chinese hackers are typically looking for information to gain a competitive advantage over Western companies while entities like Russia are looking to capture hard dollars. Cyber attacking is now an entirely separate industry. Treat it as such.
2 – Embrace the inevitability of breach and prepare to prevent, detect and respond to these breaches: Two-thirds of breached organizations find out they’ve been hacked from the FBI or the Secret Service (via the NSA) or from credit card companies. On average, breached companies don’t find out they’ve been hit for 279 days.
The failure in being breached is not when the perimeter has been penetrated, but when information is taken out. That is to say, you can let them in and still stop the information from getting out with the right plan.
It’s critical to move forward with the following understanding: someone has already penetrated your network. The perimeter is gone. It’s yesterday. It’s a part of the security equation (prevention) but detection and response are increasingly the critical components to protecting an organization.
3 – You are on your own to find a solution or solutions: The United States government currently does not have the resources to combat cyber threats against private institutions from malicious nation states. As a result, organizations, and their CEOs, must stitch together solutions from a number of security providers. And there is no one solution. There is no silver bullet. There is no longer one company to rely on, the way you used to call IBM in the 1960s or Symantec in the 1990s. Your organization must stitch together the best in breed technologies to create a layered security approach.
4 – Understand risks and constantly evolving threats: Unless we evolve the defense as rapidly as threats, our defense systems are not going to work. CISOs need to be able to articulate to the CEO and the board of directors what the risks are and keep that list up to date.
What I like to tell companies, at the CEO and board level, is to take identified risks and put them into three baskets. In basket one you put the risks that you’re willing to run. In basket two are the risks that you want to spend a little money on to reduce the problem – the mitigation risks. And then the third basket holds the risks you are not willing to tolerate. These are the risks that you would be betting the company on – the risks that are existential to the company. Look at these baskets and budget accordingly.
5 – The buck stops with the CEO: Ultimately, the CISO isn’t the person to determine what risks the company is willing to tolerate. While the CISO has recommendation power and is often critical in the decision process about existing risks, it’s most often the CEO’s job to tell the board what risks exist and what thresholds the company has for those risks.
Fonte: blog.bit9.com
