Despite the steady rise of security budgets, many security experts argue cybersecurity spending is either insufficient or misguided. The long list of catastrophic data breaches would seemingly give CISOs carte blanche over their companies’ information security, yet the politics and priorities of large businesses can shape and even limit the efficacy of security programs. In this week’s CISO Beat, we explore what CISOs are saying on Twitter, including the importance of understanding the big picture of how security affects the business, the burden on security teams of paying down technical debt accumulated by the CTO/CIO, an insider threat at T-Mobile affecting 1.5 million subscribers, and a security breach at GoToMyPC.
Internal leadership may be the last place security executives expect to encounter resistance, but there’s a reason we call financial results the “bottom line.” Unless security executives translate their challenges into business terms, they will have difficulty influencing decision makers like the CEO, CFO, and even the CIO. Information security jargon and business risk metrics are almost different languages. To say a technology will reduce risk ignores the context of budget, financial impact of potential data loss, and ROI for the project. Every company and department has a certain risk appetite, so effective security leaders will learn to speak the language of business and translate risk into organizational impact.
Security amateurs consider how a control reduces risk. Security pros consider how a control helps the org. Big difference.
— Lance Spitzner (@lspitzner) June 15, 2016
Security is always more effective when baked into a project from the start. An open and ongoing dialogue with lines of business helps end users make more secure choices early, avoiding compliance violations, legal trouble, and even data breaches down the line. Industry experts argue the CISO should be independent of the IT organization, but in reality many CISOs still report to the CIO. The optimal structure will ultimately vary with organization size and industry. Without a certain level of independence, however, CISOs may struggle to influence department priorities and budget allocation. CISOs need to tailor the conversation to the metrics business leaders understand, but the board and CEO also need to give the CISO a platform and their attentive ears.
Also, security takes on a lot of responsibility for the CTO/CIO's unpaid technical debts.
— Justine Bone (@justinembone) June 16, 2016
Can't compare CFOs to CISOs until you give CISOs authority over info handling like CFOs own money. https://t.co/08h8WkRZCl
— Helen Patton (@OSUCISOHelen) June 14, 2016
The active black market for stolen personal information fuels a shadow economy with a complex ecosystem of cyber criminals performing different roles in executing data breaches. A dump of 272 million email credentials set a new precedent for the scale of these mega breaches. In one of the largest insider threats in recent memory, a T-Mobile employee walked out the door with 1.5 million customer records intending to sell the data, counting on the payday that stolen personal information now reliably commands.
— Gavin Millard (@gmillard) June 20, 2016
Rogue insiders keep security professionals up at night because the threat renders many existing defenses ineffective. Passwords and VPNs help keep external attackers out, but do nothing against an employee with valid access. It can be extremely difficult to distinguish rogue behavior from normal work activity, especially at the scale of hundreds of thousands of employees. Clearly one employee accessing 1.5 million customer records should have raised an alarm, but the perpetrator may have used coworkers’ accounts or spread the exfiltration over hundreds of days. In these cases, UEBA (user and entity behavior analytics) holds a real advantage over manual monitoring: it baselines what is normal for each account and each device and flags deviations, including activity that is split across several accounts or stretched over a long period, which a human reviewer looking at one user or one day would miss.
I am going to lose sleep tonight thinking about Insider Threats. #ismgsummits
— Lee Abner (@BigonDis) June 21, 2016
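To make the point above concrete, the following is an added example (not T-Mobile's systems, not any UEBA vendor's code) of three baseline-and-deviation checks run over a constructed access log. The log format, the user and workstation names, the 300-records-per-day baseline, and every threshold are assumptions made for the illustration. The sample contains one bulk pull that a per-user daily check catches, and one insider who drives four coworker accounts from a single workstation at a rate that stays inside each account's normal band, which only the per-host and cumulative checks catch.

```python
"""Toy UEBA-style detections over constructed CRM access-log lines.

Added illustration only; log format, names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, median, pstdev


def make_sample_log(days=30):
    """Constructed lines 'YYYY-MM-DD user=<u> host=<h> records=<n>'.

    Normal staff pull ~300 records/day with deterministic jitter (+/-60).
    'bob' does one 60,000-record bulk pull on day 20 (obvious spike).
    An insider on ws-09 uses four coworker accounts at ~340/day each:
    every account looks normal on its own, the workstation does not."""
    start = date(2016, 5, 1)
    normal = [("alice", "ws-01"), ("bob", "ws-02"), ("carol", "ws-03"), ("dave", "ws-04")]
    borrowed = ["erin", "frank", "gina", "hank"]  # accounts the insider borrows
    lines = []
    for d in range(days):
        day = start + timedelta(days=d)
        for i, (user, host) in enumerate(normal):
            n = 300 + ((d * 7 + i * 3) % 13 - 6) * 10  # jitter in [-60, 60]
            if user == "bob" and d == 20:
                n = 60000
            lines.append(f"{day} user={user} host={host} records={n}")
        for i, user in enumerate(borrowed):
            n = 340 + ((d * 5 + i * 3) % 13 - 6) * 10  # inside the normal band
            lines.append(f"{day} user={user} host=ws-09 records={n}")
    return "\n".join(lines)


def parse_log(text):
    """Return a list of (day, user, host, records) tuples."""
    events = []
    for line in text.splitlines():
        day, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        events.append((date.fromisoformat(day), f["user"], f["host"], int(f["records"])))
    return events


def daily_spikes(events, z=3.0, min_history=7):
    """Per-user check: flag (user, day, count) when count exceeds the user's
    own mean + z*std over the user's other days (leave-one-out, so the spike
    does not inflate its own baseline). Catches bulk pulls only."""
    per_user = defaultdict(list)
    for day, user, _host, n in events:
        per_user[user].append((day, n))
    flagged = []
    for user, rows in per_user.items():
        for day, n in rows:
            others = [m for d2, m in rows if d2 != day]
            if len(others) < min_history:
                continue
            if n > mean(others) + z * max(pstdev(others), 1.0):
                flagged.append((user, day, n))
    return flagged


def shared_host_anomalies(events, window_days=7, min_accounts=3, factor=3.0):
    """Per-entity check: aggregate by workstation rather than account. A host
    that drives several accounts and pulls more than `factor` x the median
    host in the same window is flagged even when each account looks normal."""
    totals = defaultdict(lambda: defaultdict(int))
    accounts = defaultdict(lambda: defaultdict(set))
    first = min(e[0] for e in events)
    for day, user, host, n in events:
        w = first + timedelta(days=((day - first).days // window_days) * window_days)
        totals[w][host] += n
        accounts[w][host].add(user)
    flagged = []
    for w, hosts in sorted(totals.items()):
        base = median(hosts.values())
        for host, total in hosts.items():
            if len(accounts[w][host]) >= min_accounts and total > factor * base:
                flagged.append((host, w, len(accounts[w][host]), total))
    return flagged


def cumulative_over_cap(events, cap, key="user"):
    """Low-and-slow check: total records pulled by each user (or host) over
    the whole history against a policy cap, e.g. a small fraction of the
    customer base. An exfiltration split over hundreds of days still crosses it."""
    idx = 1 if key == "user" else 2
    totals = defaultdict(int)
    for e in events:
        totals[e[idx]] += e[3]
    return sorted((k, t) for k, t in totals.items() if t > cap)


if __name__ == "__main__":
    ev = parse_log(make_sample_log())
    print("daily spikes:", daily_spikes(ev))
    print("shared-host anomalies:", shared_host_anomalies(ev))
    print("over cap by user:", cumulative_over_cap(ev, 20000))
    print("over cap by host:", cumulative_over_cap(ev, 20000, key="host"))
```

Run as-is, the per-user spike check reports only bob's bulk pull; the four borrowed accounts never trip it, which is exactly the "used coworkers' accounts" case. The per-host check flags ws-09 in every window, and the cumulative check by host flags both ws-02 and ws-09 while the same check by user sees only bob. Real UEBA products add peer-group baselines and many more entity types, but the principle is the same: baseline each user and each device, then alert on deviations the per-account view cannot see.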
The giant dump of compromised credentials online has had a far-reaching impact beyond the services directly affected. People inevitably reuse passwords, reportedly nearly a third of the time. Today, data breaches at consumer email and social media services are the likely cause of compromised accounts in unrelated applications, including the remote access service GoToMyPC. A similar incident hit TeamViewer, another remote access service. Both companies responded by recommending that users change their passwords and enable multi-factor authentication. The episodes are a reminder that security spans interconnected services, and that attackers will target the weakest access point. Mark Zuckerberg even fell victim to a similar attack, as his Pinterest and Twitter accounts were hijacked using a password taken from the LinkedIn breach.
Security breach lets bad guys GoToMyPC… https://t.co/D3FsgHewTI
— Al Berg (@alberg) June 19, 2016
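The attack pattern behind the GoToMyPC and TeamViewer incidents, replaying leaked username/password pairs against an unrelated service, has a recognizable shape in authentication logs. The following is an added example (not GoToMyPC's, TeamViewer's or any vendor's code) that separates that credential-stuffing signature, one source trying many distinct accounts with a low success rate, from ordinary brute force and from a legitimate user mistyping a password. The log format, the documentation-range IP addresses, the usernames and the thresholds are all assumptions constructed for the illustration; the accounts that succeeded inside a stuffing burst are the ones to force-reset and enroll in multi-factor authentication.

```python
"""Credential-stuffing detection over constructed authentication-log lines.

Added illustration only; log format, addresses, names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample_auth_log():
    """Constructed lines '<ISO time>Z ip=<ip> user=<u> result=ok|fail'."""
    t0 = datetime(2016, 6, 18, 10, 0, 0)
    lines = []

    def emit(offset, ip, user, ok):
        ts = (t0 + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} ip={ip} user={user} result={'ok' if ok else 'fail'}")

    # Credential stuffing: one source walks a leaked list, one try per account.
    reused = {"user03", "user17", "user29"}  # leaked password still works here
    for i in range(40):
        emit(i, "203.0.113.7", f"user{i:02d}", f"user{i:02d}" in reused)
    # Brute force: one source hammers a single account.
    for i in range(25):
        emit(i, "198.51.100.99", "admin", False)
    # Legitimate user: two typos, then success.
    for i, ok in enumerate([False, False, True]):
        emit(i * 20, "198.51.100.20", "alice", ok)
    return "\n".join(sorted(lines))


def parse_auth_log(text):
    """Return a list of (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       f["ip"], f["user"], f["result"] == "ok"))
    return events


def classify_sources(events, window=timedelta(minutes=10), min_attempts=20,
                     min_users=10, max_success_rate=0.2):
    """Bucket attempts per (source ip, fixed time window) and label each bucket:
      'stuffing'   many attempts across many distinct usernames, mostly failing
      'bruteforce' many attempts concentrated on few usernames
      'normal'     too few attempts to matter
    Returns (ip, window_start, label, distinct_users, attempts, users_that_succeeded)."""
    buckets = defaultdict(list)
    t0 = min(e[0] for e in events)
    for ts, ip, user, ok in events:
        w = t0 + timedelta(seconds=((ts - t0) // window) * window.total_seconds())
        buckets[(ip, w)].append((user, ok))
    results = []
    for (ip, w), rows in sorted(buckets.items()):
        attempts = len(rows)
        users = {u for u, _ in rows}
        successes = sorted({u for u, ok in rows if ok})
        if attempts >= min_attempts and len(users) >= min_users \
                and len(successes) / attempts <= max_success_rate:
            label = "stuffing"
        elif attempts >= min_attempts:
            label = "bruteforce"
        else:
            label = "normal"
        results.append((ip, w, label, len(users), attempts, successes))
    return results


def accounts_to_reset(results):
    """Accounts that authenticated successfully inside a stuffing burst: their
    password is known to the attacker, so force a reset and require MFA."""
    hit = set()
    for _ip, _w, label, _users, _attempts, successes in results:
        if label == "stuffing":
            hit.update(successes)
    return sorted(hit)


if __name__ == "__main__":
    res = classify_sources(parse_auth_log(make_sample_auth_log()))
    for r in res:
        print(r)
    print("force reset + MFA:", accounts_to_reset(res))
```

The distinguishing signal is the ratio of distinct usernames to attempts together with the low success rate: a stuffing source looks like forty different users each failing once, which per-account lockout rules never notice, while a brute-forcer trips the classic many-failures-on-one-account rule. Notice that the three successful logins inside the stuffing burst are the actual account takeovers; they are what the password-reset and MFA advice from GoToMyPC and TeamViewer is meant to address.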