Despite the steady rise of security budgets, many security experts argue cybersecurity spending is either insufficient or misguided. The laundry list of catastrophic data breaches would seemingly give CISOs carte blanche for their companies’ information security, yet the politics and priorities of large businesses can influence and even limit the efficacy of IT programs. In this week’s CISO Beat, we explore what CISOs are saying on Twitter including the importance of understanding the big picture of how security impacts the business, the burden of security teams paying technical debt accumulated by the CTO/CIO, an insider threat at T-Mobile affecting 1.5 million subscribers, and a security breach at GoToMyPC.

Internal leadership may be the last place security executives expect to encounter resistance, but there’s a reason we call financial results the “bottom line.” Unless security executives translate their challenges into business terms, they will have difficulty influencing decision makers like the CEO, CFO, and even the CIO. Information security jargon and business risk metrics are almost different languages. To say a technology will reduce risk ignores the context of budget, financial impact of potential data loss, and ROI for the project. Every company and department has a certain risk appetite, so effective security leaders will learn to speak the language of business and translate risk into organizational impact.

Security is always more effective when baked into a project from the start. An open and ongoing dialogue with lines of business can help end users make more secure choices early, avoiding compliance violations, legal trouble, and even data breaches down the line. Industry experts argue the CISO should have independence from the IT organization, but in reality many CISOs still report to the CIO. The optimal structure will ultimately vary based on organization size and industry. Without a certain level of dependence, however, CISOs may struggle to influence department priorities and budget allocation. CISOs need to tailor the conversation to the metrics business leaders understand, but the board and CEO also need to give the CISO a platform and their attentive ears.


The active black market for stolen personal information fuels a shadow economy with a complex ecosystem of cyber criminals performing different roles in executing data breaches. A dump of 272 million email credentials set a new precedent for the scale of these mega breaches. In one of the largest insider threats in recent memory, a T-Mobile employee walked out the door with 1.5 million customer credentials intending to sell the data, counting on the payday for stolen information that has become all but guaranteed.

Rogue insiders keep security professionals up at night because the threat renders many existing defenses ineffective. Passwords and VPNs help keep external hackers out, but they do nothing against employees with valid access. It can be extremely difficult to distinguish rogue behavior from normal work activity, especially at the scale of hundreds of thousands of employees. Clearly one employee accessing 1.5 million customer records should have raised an alarm, but the perpetrator may have used coworkers’ accounts or broken up the exfiltration over hundreds of days. In these cases, UEBA, or user and entity behavior analytics, holds a huge advantage over manual monitoring with its ability to accurately detect threats.
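To make the detection problem concrete, here is an added example (not code from the original post or from any vendor) that runs three simple behavioral checks over a constructed customer-record access log: a per-user daily volume check against the population median, a trailing-window check that catches a slow exfiltration spread across many days, and a per-workstation check that catches one person working through coworkers’ accounts. The users, workstations, dates and thresholds are all assumptions made up for the example.

```python
"""Added example (not from the original post): behavioural baselining over a
constructed customer-record access log. Three checks a security team can run:
  1. per-user daily volume against the population median (a bulk pull),
  2. per-user distinct records over a trailing window (a slow, day-by-day
     exfiltration that never trips the daily check),
  3. accounts used per workstation (one person working through co-workers'
     credentials).
Users, workstations, dates and thresholds are all constructed assumptions."""
from collections import defaultdict
from datetime import date, timedelta
import statistics


def build_sample_log():
    """Construct the log: alice, bob and carol each touch three records a day
    for five days; mallory pulls forty a day from ws-107 on days 1-3 and on
    days 4-5 keeps pulling forty a day under bob's account from ws-107.
    Line format: YYYY-MM-DD user workstation customer_id."""
    lines, cid, start = [], 1000, date(2016, 6, 1)
    for d in range(5):
        day = start + timedelta(days=d)
        plan = [("alice", "ws-101", 3), ("bob", "ws-102", 3), ("carol", "ws-103", 3)]
        plan.append(("mallory", "ws-107", 40) if d < 3 else ("bob", "ws-107", 40))
        for user, host, n in plan:
            for _ in range(n):
                cid += 1
                lines.append(f"{day.isoformat()} {user} {host} C{cid}")
    return "\n".join(lines)


def parse_log(text):
    """Return a list of (day, user, workstation, customer_id) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            day, user, host, cust = line.split()
            events.append((date.fromisoformat(day), user, host, cust))
    return events


def daily_distinct(events):
    """Distinct customer records per (user, day)."""
    seen = defaultdict(set)
    for day, user, _host, cust in events:
        seen[(user, day)].add(cust)
    return {key: len(ids) for key, ids in seen.items()}


def flag_bulk_days(events, factor=5.0):
    """User-days whose record count exceeds `factor` x the median user-day."""
    counts = daily_distinct(events)
    baseline = statistics.median(counts.values())
    return sorted((user, day.isoformat(), n)
                  for (user, day), n in counts.items() if n > factor * baseline)


def flag_slow_exfil(events, window_days=30, limit=50):
    """Users whose distinct records over the trailing window exceed `limit`,
    even if no single day looked unusual."""
    cutoff = max(e[0] for e in events) - timedelta(days=window_days)
    seen = defaultdict(set)
    for day, user, _host, cust in events:
        if day > cutoff:
            seen[user].add(cust)
    return sorted((user, len(ids)) for user, ids in seen.items() if len(ids) > limit)


def flag_shared_workstations(events, max_accounts=1):
    """Workstations from which more than `max_accounts` accounts were used."""
    users = defaultdict(set)
    for _day, user, host, _cust in events:
        users[host].add(user)
    return sorted((host, sorted(u)) for host, u in users.items() if len(u) > max_accounts)


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    print("bulk user-days:", flag_bulk_days(evts))
    print("slow exfiltration:", flag_slow_exfil(evts))
    print("shared workstations:", flag_shared_workstations(evts))
```

Note that the daily check alone flags bob’s account on the days mallory uses it, which is exactly the kind of misattribution the post warns about; only the workstation check ties both accounts back to ws-107, and only the trailing-window check would surface a pull spread thinly across many days.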

The giant dump of compromised credentials online has had a far-reaching effect beyond the services directly breached. People inevitably reuse passwords, reportedly nearly a third of the time. Today, data breaches at consumer email and social media services are the likely cause of compromised accounts in other applications, including the remote access service GoToMyPC. A similar incident affected TeamViewer, another remote access service. Both services responded by recommending users change their passwords and enable multi-factor authentication. The episodes are a reminder that security involves interconnected services, and that hackers will target the weakest access point. Mark Zuckerberg even fell victim to a similar attack, as his Pinterest and Twitter accounts were hacked using a stolen LinkedIn password.
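As an added illustration of what a service on the receiving end of password reuse can do (this is example code written for this post, not anything GoToMyPC or TeamViewer published), the block below shows two defensive checks: rejecting a new password that appears in a known credential dump, and finding which local accounts a dump has already exposed so they can be forced to reset. The email addresses, passwords and the PBKDF2 round count are constructed assumptions.

```python
"""Added example (not from the original post): two defensive checks a
service can run against password reuse after a third-party credential
dump. Every address and password below is constructed, not leaked data.

1. is_breached_password(): at password-set time, refuse a candidate whose
   SHA-1 appears in a blocklist built from the dump (storing only hashes
   means the plaintext list need not be kept around).
2. accounts_at_risk(): test each (email, password) pair from the dump
   against the service's own salted PBKDF2 hashes; a match means that
   account is already exposed through reuse and should be forced to reset
   and enrol in multi-factor authentication, even though this service was
   never itself breached."""
import hashlib
import hmac
import os

# Constructed stand-in for a third-party credential dump.
CONSTRUCTED_DUMP = [
    ("alice@example.com", "Summer2016!"),
    ("bob@example.com", "hunter2"),
    ("eve@example.com", "correct horse battery staple"),
]

PBKDF2_ROUNDS = 50_000  # assumption; tune for the deployment


def pw_hash(password, salt, rounds=PBKDF2_ROUNDS):
    """Salted PBKDF2-HMAC-SHA256 of a password (what the service stores)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def make_user_store(accounts):
    """Constructed local account store: email -> (salt, hash)."""
    store = {}
    for email, password in accounts:
        salt = os.urandom(16)
        store[email] = (salt, pw_hash(password, salt))
    return store


def verify(store, email, password):
    """Constant-time check of a password against the stored hash."""
    salt, stored = store[email]
    return hmac.compare_digest(stored, pw_hash(password, salt))


def build_blocklist(dump):
    """Set of SHA-1 digests of every leaked password in the dump."""
    return {hashlib.sha1(pw.encode("utf-8")).hexdigest() for _email, pw in dump}


def is_breached_password(candidate, blocklist):
    """True if the candidate password appears in the breach blocklist."""
    return hashlib.sha1(candidate.encode("utf-8")).hexdigest() in blocklist


def accounts_at_risk(store, dump):
    """Emails present in both the dump and this service whose leaked
    password still opens their local account."""
    return sorted(email for email, leaked in dump
                  if email in store and verify(store, email, leaked))


if __name__ == "__main__":
    # alice reused her leaked password here; bob did not; eve has no account.
    store = make_user_store([("alice@example.com", "Summer2016!"),
                             ("bob@example.com", "a-different-passphrase")])
    blocklist = build_blocklist(CONSTRUCTED_DUMP)
    print("reject 'hunter2':", is_breached_password("hunter2", blocklist))
    print("force reset:", accounts_at_risk(store, CONSTRUCTED_DUMP))
```

The second check only works because the dump carries plaintexts that can be run through the service’s own slow, salted hash; it never requires the service to store anything weaker than it already does. Either check is a stopgap, which is why both vendors paired the password reset advice with multi-factor authentication.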