There is a popular saying that goes, “A prophet is without honor in his own country.” As a Security Evangelist, I can attest to the veracity of this statement. Rodney Dangerfield put it another way: “I don’t get no respect!” This sentiment is shared by many professionals within the cybersecurity field who seek senior management buy-in and support for establishing robust information security programs within their enterprises. All too often, leadership dismisses the recommendations made by their CISOs for hardening their networks, citing financial considerations.
By Zachery S. Mitcham, MSA, CCISO, CSIH, VP and Chief Information Security Officer, SURGE Professional Services-Group
The CISO serves as a trusted steward of the enterprise, charged with the responsibility to safeguard the confidentiality, integrity, and availability of all data that is processed, stored, or transmitted over the company’s network, whether in transit or at rest. Therefore, management must view the CISO’s role as that of a guardian of the network rather than merely a consultant. Senior leaders have not kept pace with the need to equip the CISO with the tools necessary to properly secure their networks, namely by allocating appropriate budgets to security programs. Those who do try to keep up sometimes fall short of fully understanding the threat landscape and the security issues they are facing.
Senior corporate management tends to use security industry terms interchangeably without knowing that they have subtle differences. It is important to use precise terms, especially when identifying the various breaches that occur within our organizations. I submit to you that no matter how secure an organization considers itself to be, a security breach occurs within its environment almost every day. If a virus or other malware is found on one of the endpoints operating on the network, then a security breach has taken place. The rationale: if the user did not place the variant on the system, then how did it get there? Data breaches, on the other hand, do not happen nearly as often. A data breach or compromise is specifically that: definitive proof or evidence that data has been exfiltrated, modified, damaged, pilfered, or the like. This article focuses on the latter.
Leadership, no matter the industry, tends to be tone-deaf when it comes to allowing the CISO to implement the information security controls necessary to keep their data secure, until, that is, they find themselves engulfed in a catastrophic circumstance like a data breach. Afterward, they tend to be all ears and willing to provide the money and resources necessary to remedy the problem. Even then, this comes only after the initial panic and the media attention that sends heads rolling.
All too often, information security officers are viewed as “Chicken Little” screaming that the sky is falling, or as Peter, as in “Peter and the Wolf,” who always cried wolf when, in actuality, there was none. For this reason, as information security officers, we should never abuse our ability to influence organizational leadership and decision-makers by requesting unnecessary security controls for the systems that we oversee. Conversely, the aforementioned stereotypes should not absolve senior leadership from acting on valid recommendations rendered to them by their CISO with respect to the information security requirements necessary to secure their data.
NIST Special Publication (SP) 800-61, Computer Security Incident Handling Guide, outlines a detailed, pragmatic approach to the actions organizations should take before, during, and after security incidents. It is incumbent upon every organization to develop its own Computer Security Incident Response Plan, tailored to its needs after the data breach. Additionally, beyond the data breach itself, the organization must focus its attention on developing a culture of security that is pervasive throughout the enterprise, concentrating its efforts on the following areas:
1. Institutional Reputation Repair and Restoration – Consumer confidence in an enterprise’s ability to safeguard its data is of paramount importance. Retention of the customer base is imperative for the continued existence of any company. The repair and restoration of a company’s reputation can be a very costly endeavor, depending on the size and type of organization. It may be necessary for an organization to retain the services of a public relations firm to assist with this effort.
2. IT Enterprise Risk Management Program – This element of the institution’s strategic plan allows the enterprise to effectively manage IT risks using a standard framework such as ISO 27005 or NIST SP 800-30. The risk analysis process must be integrated into every facet of the organization’s operations in order to reduce the possibility of unexpected losses resulting from administrative oversight.
3. Information Security Awareness and Training – There are six basic components that make up an information system: people, data, hardware, software, policies, and network communications. The majority of security threats that exist on the network are a direct result of insider threats caused by humans, whether unintentional or deliberate. The most effective way an organization can mitigate the damage caused by insider threats is to develop an effective security awareness and training program that is ongoing and mandatory.
4. Governance and Information Security Strategic Planning – A serious information security program is instituted from a top-down perspective. It must have the support and buy-in of every subordinate unit within the organization. The governance of the program must include representation of senior leadership from all the mission-essential areas of the company in order to embed the mission of data security throughout the strategic planning process.
It is always a good idea to have a fresh set of eyes on security consulting engagements and assessments; however, not at the expense of disregarding the input provided to you by the individual you hired to safeguard that network. Listen to and support your own internal enterprise information security subject matter expert. They are your information security evangelist, before the breach.
This story first appeared in the June 2020 issue of CISO MAG.
About the Author
Zachery S. Mitcham, MSA, CCISO, CSIH, is the VP and Chief Information Security Officer at SURGE Professional Services-Group. He is a 20-year veteran of the United States Army, from which he retired as a Major. He earned his BBA in Business Administration from Mercer University’s Eugene W. Stetson School of Business and Economics. He also earned an MSA in Administration from Central Michigan University. Zachery graduated from the United States Army School of Information Technology, where he earned a diploma with a concentration in systems automation. He completed a graduate studies professional development program, earning a Strategic Management Graduate Certificate at Harvard University Extension School. Mr. Mitcham holds several computer security certificates from various institutions of higher education, including Stanford, Villanova, Carnegie Mellon, and the University of Central Florida. He is certified as a Chief Information Security Officer by the EC-Council and as a Certified Computer Security Incident Handler by the Software Engineering Institute at Carnegie Mellon University. Zachery received his Information Systems Security Management credentials as an Information Systems Security Officer from the Department of Defense Intelligence Information Systems Accreditation Course in Kaiserslautern, Germany.
CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. Views expressed in this article are personal.