These statements are the opinions/facts or otherwise of Michael T. Dent and NOT those of the County of Fairfax, Fairfax, Virginia; they describe his view of general cyber issues across the Information Technology industry.
Cyber breaches have reached a record 5+ billion records thus far in 2019, and the year isn’t over yet. Financial, entertainment, healthcare, education and government industries or businesses have had data breaches in 2019. I am not sure there is an industry that hasn’t suffered a breach or exposure and I’m left to wonder how many more have suffered incidents and have not reported them.
When I peel back the onion, there is one commonality among all of them – LEADERSHIP FAILURE. This is where we turn on the light and the roaches disperse, hide, build excuses, start pointing fingers and ultimately punish those who warned leadership in the first place.
Let’s try to break it down simply:
Problem: Elitist VIP/Culture (sometimes referred to as Elitist VIP/Culture POLICY) = CEOs, Board of Directors, Senior Executives/Leadership, Managers, Supervisors, Elected/Appointed Officials, CFOs, CIOs, CDOs and CTOs, or any other position/person who affects budgets and policy. In the name of convenience, political survivability, professional perception, and the good-ole-boy network, these individuals demand privileged treatment with regard to cyber security policies such as: passwords/passcodes, using personal devices to conduct organizational business, kowtowing to non-IT business leaders for insecure IT solutions, exempting themselves from security awareness training, logins and multi-factor authentication, and allowing legacy systems to exist in enterprise networks while letting them become or remain critical systems, etc.
The brief narrative is that these leaders see themselves as above policy, rules and laws. They operate with a purpose to protect their organizational survivability and to ensure they are never inconvenienced by extra steps, such as typing in a code as a second authentication factor. The perception or image of their leadership is so distracting to them that they refuse to admit legacy systems need to be replaced, which requires funding. Business leaders are suckered into buying untested point solutions simply because the salesperson did a great pitch or because the leader thinks it would gain them favor of some sort. If any IT or security staff object to the solution because of risk or vulnerability, they are characterized as crying “wolf”, as the NO person, or as being prohibitive to business.
If IT and security personnel mention replacing end-of-life or end-of-support legacy systems, they are immediately accused of waste and abuse of budgets. If patches or security updates still exist for these systems, testing the impact of those patches is typically lengthy, which leaves the system vulnerable in the meantime, and based on the test results many of the patches never end up being installed.
As soon as IT and security ask the cloud or third-party providers questions on status, details of an incident, cyber insurance, and risk assessments, they inevitably are accused by the business of being prohibitive, rather than the third-party or cloud provider being held accountable for supplying that information to IT and security. In government at all levels, this is particularly true when elected officials make campaign promises to citizens or to their back-room vendors/lobbyists, or when the CIO feels they may look bad if the business were to be delayed.
We can analyze simple incidents that have turned into major data breaches, such as identity theft and/or loss of, say, government data of employees or citizens. For example, a user copies a protected document (which was created as shadow IT rather than something developed by professionals or a solution vetted through the SDLC or a cyber review) and, even though DLP tools exist, the Elitist/VIP Culture POLICY itself created the risk. Risks are often cited within IT groups that allow administrative privileges to proliferate because it’s easier and more convenient than setting up least-privilege user roles in an organization. These users with admin rights notoriously get their accounts compromised, and by that time it’s too late.
Not wanting to pontificate, I am going to call out a few risks and ask: how is your organization handling them? Ask yourself the question, and then question your organization and leadership on when they will allow you to prioritize the mitigation of these risks. What is the cyber security strategy? How many of these risks can be mitigated at little to no cost other than IT and cyber teams performing simple configuration changes? How much of a culture change or shock would it be to your organization if these changes were implemented? To me, in this day and age of the breach, it shouldn’t be a shock but a common goal of leadership to reach Zero Trust and to always verify.
Password Policy – Multi-Factor Authentication – Patch Management – Change Management – Least Privilege – Data Loss Prevention – Security Policy with Real Compliance Enforcement – Security Awareness Training – Email Security to include DMARC and Business Email Compromise protection – REAL Endpoint protection with AI and ML capabilities – Architecture Review – System Development Life Cycle – Data Classification – Data Retention Policy – SIEM – Vulnerability Management Program – Risk Assessments – Cloud Security Requirements and Standards – Exception to Policy Process.
It ultimately falls on the CISO to customize what fits their organization’s cyber strategy. This cannot be half in, half out with leadership. Leadership must be a part of the accountability for any breaches that occur. This means they need to be informed in writing as to what the risks are, they must acknowledge those risks, and they must accept them or allow them to be mitigated, in writing.
Business leaders in organizations not directly connected to IT departments need to be accountable for cyber security when it comes to their data and solutions, even if they don’t directly support them. Performance reviews should start reflecting the accountability of everyone. “Users” and ignorance cannot and should not be accepted as excuses anymore.
If you are a CISO and you are a part of the old school “NO” team, you had better mature and figure out how to be a solution to secure your IT business solutions and to become a partner with your leadership and businesses.
Solution providers, technology manufacturers or anyone selling IT software or services should be accountable for the insecure solutions and system services they sell. As I have said numerous times: “You can’t legally install light fixtures as a contractor without the fixture having the Underwriters Laboratories sticker certifying it to safety standards attached to it.” Why isn’t there a similar standard or regulation around IoT, IoE and technology?!?! If you comment back to this article that there is such a thing, then call it out.
Accountability is everyone’s responsibility, and leadership should be in front of it all.