What is the prioritized list of business risks that CIOs have explicitly identified as the focus of a company's cybersecurity program?

Security -

I know you were probably hoping for a simple or maybe a very technical list of risks, but the truth is that most of the risks that undermine a cybersecurity program are not technical.

We've been doing this for 10 years and hundreds of audits and assessments later, the findings on the technical side are still saying the same things. Companies need to do the basics of IT hygiene:

1. Stop accumulating technology debt. In other words, update your stuff before it reaches end of life. Yes, it's expensive, but that's the new cost of doing business. Quit treating servers like production machinery that can be repaired over time and just replace them when they can't be supported.

2. Patch your systems aggressively.

However, it's also important to note that IT executives aren't the problem. Business executives are the problem. For ten years, they've said IT Security needs to speak the language of the business. Well, we now do, but they still don't teach IT Security Risk in MBA programs: it has to work both ways, and leaders need to be technically oriented as well as business-focused. Unfortunately, most IT executives are still underqualified for their role given that the pendulum has swung too far in favor of business.

Compromised cybersecurity is one of the biggest reasons for a loss of shareholder value. It’s been reported that it has amounted to $600B in global loss, if not more. That’s 1% of global GDP and no one outside of IT Security knows what it takes to fix. Not even the IT execs.

When Target hit the news, the CEO, CIO and CISO lost their jobs, but the CFO didn't. Why? They control the purse strings. They are the ones going after IT to cut budgets. If you treat IT poorly, there are security ramifications, but the impacts are hidden and impossible to predict. Cut staff and fail to refresh hardware, and security concerns will accumulate. But it's a dynamic system, and it's impossible to know what the unintended consequences to the security posture will be, except that it's obvious it will be more vulnerable.

You can get lists anywhere, but I think it's important to talk about the macro reasons that IT departments should think about with regard to cybersecurity programs.



Pulse User

To be direct, that list is completely dependent upon your business and its associated exposure. Having said that, a common mistake is that CIOs/CISOs view risk as a static entity, but in fact it's really an "elastic state". To add to that, cybersecurity is about continually increasing resilience, not trying to reach a state of "secure or not". One method of establishing the base/starting level of risk is gaining visibility into all areas of exposure and what methods are being used to inject security into aspects of the business. Moving to a culture of 'DevSecOps', where security testing takes place during the software development lifecycle (SAST, SCA, DAST), is one approach that I recommend.

Pulse User

This question is a bit like DNA in that it's unique for every organization. With security, security threats and compliance always changing, priorities are also subject to frequent change. That said, an organization needs to determine what its assets are (data, applications, networks, cloud, ...) and score how all of those assets are managed and protected. Some things will pop to the top (data is not encrypted in transit, no formal change management processes...). Once you get past the obvious, you then prioritize based on reducing the risks of assets down to "Low", customer requirements, etc. If you have a solid risk scoring system (I just made mine in-house) and deal with facts, not assumptions, you should be able to get a decent list of priorities. Depending on how those priorities stack up, you may find yourself doing things that seem less important but are easier to implement because they feed off of a higher priority. These layers are what give you the extra cushion you need to lessen the likelihood of a successful attack or loss of services. Lastly, it may be best to fix 25 different little issues instead of spending all resources on addressing 1 larger issue, but it all depends on your organization's DNA.
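One way to put the scoring and prioritization described in this answer into practice. This is an added example, not code from the Pulse thread or from the poster's in-house system: the 1..4 likelihood/impact scales, the level thresholds, the "feeds off" dependency handling and the sample register are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Finding:
    asset: str                        # data, application, network, cloud, ...
    issue: str
    likelihood: int                   # 1 (rare) .. 4 (expected); assumed scale
    impact: int                       # 1 (minor) .. 4 (severe); assumed scale
    effort_days: int                  # constructed remediation estimate
    depends_on: Optional[str] = None  # issue this fix "feeds off", if any

LEVELS = ["Low", "Medium", "High", "Critical"]

def risk_score(f: Finding) -> int:
    return f.likelihood * f.impact    # 1..16

def risk_level(score: int) -> str:
    # Assumed thresholds for mapping a score onto the answer's "Low" .. "Critical" bands.
    return "Critical" if score >= 12 else "High" if score >= 8 else "Medium" if score >= 4 else "Low"

def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first, cheaper fix first on ties. A fix that feeds off a
    higher-priority one is scheduled right after it even if its own score is low."""
    ordered = sorted(findings, key=lambda f: (-risk_score(f), f.effort_days))
    queue: List[Finding] = []
    for f in ordered:
        if f not in queue:
            queue.append(f)
            queue += [g for g in ordered if g.depends_on == f.issue and g not in queue]
    return queue

def above_acceptable(findings: List[Finding], accept: str = "Low") -> List[Finding]:
    """Findings still above the accepted residual level (the answer's 'down to Low')."""
    return [f for f in findings if LEVELS.index(risk_level(risk_score(f))) > LEVELS.index(accept)]

def plan_within_budget(findings: List[Finding], budget_days: int) -> List[Finding]:
    """Greedy: most risk removed per day of effort until the budget is spent.
    Shows when several small fixes beat one large one for the same spend."""
    plan, spent = [], 0
    for f in sorted(findings, key=lambda f: -risk_score(f) / f.effort_days):
        if spent + f.effort_days <= budget_days:
            plan.append(f)
            spent += f.effort_days
    return plan

REGISTER = [  # constructed sample register, not real findings
    Finding("customer DB", "data not encrypted in transit", 4, 4, 5),
    Finding("all servers", "no formal change management process", 3, 3, 20),
    Finding("web app", "expired-cert alerting missing", 2, 3, 1, depends_on="data not encrypted in transit"),
    Finding("backup share", "world-readable permissions", 2, 2, 2),
    Finding("printer VLAN", "SNMPv2 enabled", 1, 2, 1),
]
```

With an 8-day budget the greedy plan clears 26 points of risk across three small fixes, while the single 20-day change-management project would remove 9; that is the "25 little issues versus 1 larger issue" trade-off made explicit.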

Pulse User

The biggest threat within an organization is the insider, and it can be intentional or unintentional. Based on my lived experience of this phenomenon, it's mostly unintentional. Give someone no more and no less privilege than they need to perform their job. For example, a clerk should not have permission to download software onto a workstation. Having all the security layers is not enough to keep your organization safe. Cyber crime syndication is a big threat. These days most malicious hacking attacks are the result of organized groups, many of which are professional and in many cases sponsored by the governments which are the enemies of this state. There are also malicious mom-and-pop operations that may steal identities and passwords, or they may cause nefarious redirection to get them. In the end, they want money. They initiate fraudulent credit card or banking transactions and convert their illegal gains into local currency using money mules, electronic cash distributions, electronic banking, or some other sort of money laundering such as cryptocurrencies, etc. Hackers, intellectual property theft and corporate espionage are also great risks to any organization. Botnets (used for IoT) and malware continue to be big threats. Web operations have always been my concern. Common website vulnerabilities include poor passwords, cross-site scripting vulnerabilities, SQL injection, vulnerable software and insecure permissions. The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications.