Some of the biggest breaches have come down to small mistakes.
Hackers used a compromised password to access the company network via a virtual private network in the May 2021 Colonial Pipeline attack. A widely known vulnerability that hadn’t yet been patched was the entry point for the 2017 Equifax attack. And a bitcoin scam on Twitter started with spear phishing attacks on Twitter employees.
Of course, there’s no such thing as a perfect security program, but such events show that cybersecurity teams can’t afford to overlook anything.
Here, security leaders warn of eight easy-to-overlook pitfalls that can undermine an otherwise successful security strategy:
Talking about security risk, rather than business risk
Cybersecurity has become a board-level topic of concern, yet too often CISOs, as well as their C-suite colleagues, continue to position security as a technology issue rather than a business risk, says Niel Harper, CISO for the United Nations Office for Project Services (UNOPS) and a board member with the IT governance association ISACA.
That may seem like pure semantics, but Harper says there are indeed negative consequences when enterprise leaders view cybersecurity so narrowly.
“When they don’t see information security as a business risk, when they see it only as a technology risk, then they don’t see how it’s fully embedded into all aspects of the business,” he explains. “As a result, CISOs don’t have a full seat at the table; they don’t report to an executive and instead they’re reporting two or three layers down. And they don’t have the input into strategy at the executive level.”
Harper says he has seen CISOs turn that around by building relationships with stakeholders; they engage with them to understand their risks as well as their objectives and then show them how security plans address both those points.
The typical organisation must meet multiple industry, regulatory, and legal standards in order to do business. The most well-known of those include the Payment Card Industry Data Security Standard, or PCI DSS, for organisations that process credit cards; the U.S. Health Insurance Portability and Accountability Act, or HIPAA, for anyone handling medical records; and the European Union’s General Data Protection Regulation (GDPR). There are standards and frameworks specific to security, such as ISO/IEC 27001, too.
CISOs can’t ignore the compliance standards that they must meet, but neither they nor their executive colleagues should assume that meeting required standards confirms that they’re safe and secure, Harper says.
“Compliance presents a false sense of security,” he adds. “In fact, breaches are rising despite the adherence to compliance at many organisations.”
Harper doesn’t discount the importance of compliance standards, but he says CISOs must always remember—and get others in the C-suite to understand—that such requirements aren’t dynamic and thus may not address emerging threats or accurately gauge an organisation’s readiness as its circumstances (i.e., staffing, technology stack, risks) change over time.
“They’re a tick-the-box-type exercise and they don’t really give businesses a true picture of where their risks and exposures exist,” he says.
Failing to move fast (enough)
Companies are speeding up their digital transformations with moves to the cloud, more agile software development, and rapid responses to customer requirements. Not all CISOs are keeping pace and that has led to gaps in the overall enterprise security posture, according to multiple security advisors.
Enterprise teams express similar concerns. Take, for instance, the findings in GitLab’s most recent Global DevSecOps Survey, released May 2021. Some 84 per cent of the 4,300 responding developers said they’re releasing code faster than ever before, but almost half (42 per cent) said security testing happens too late in the process with nearly the same percentage saying it was difficult to identify and address vulnerabilities. Moreover, 37 per cent said tracking the status of the bug fixes was challenging and 33 per cent found remediation prioritisation difficult.
“Security needs to be more agile and CISOs need to fundamentally think differently about how they approach cybersecurity,” says Tony Velleca, CISO of UST and CEO of CyberProof, a UST company.
A number of CISOs seem to be getting that message. The GitLab report found that 70 per cent of teams have moved security considerations earlier in development, following the push to “shift left.” That’s up slightly from the prior year, when 65 per cent said they had embedded security earlier in the process.
Always focusing on the urgent
One of the greatest threats to a successful security program is being ensnared by “the tyranny of the urgent,” says Andrew Morrison, a principal at Deloitte and the firm’s Cyber Risk Services Strategy, Defense & Response leader.
He says CISOs and their teams can become so consumed dealing with the most immediate needs they face—even if they’re low-level issues—that they have no capacity to address strategic priorities; they spend their days chasing those minor issues that pop up instead of strengthening security for the more critical elements of the organisation.
“It’s then that security stops being a program, and it’s just a tactical reaction to what’s happening. The urgent replaces what’s important,” Morrison adds.
Although it is challenging to extricate a security team from such a scenario, Morrison says CISOs can do so by identifying the greatest risks and focusing on counteracting those, thereby aligning security work with enterprise priorities. That in turn will allow them and their teams to become less reactive and more strategic in how they handle issues that come up. “They’re then managing events, not just reacting to them,” Morrison says.
Focusing too much on tools and technologies instead of stakeholders and their needs
On a similar note, Jinan Budge, a principal analyst at Forrester, says failing to prioritise stakeholder engagement can hinder the implementation of a strong security program.