by Richard Berkley
Contributing Editor

Let’s speculate wildly on the year(s) ahead in cyber…

Do you want to hear something freaky? The US Navy has a weapons system with destructive powers so great that Dr. Doom and Lex Luthor would both find themselves blushing. OK, that isn't news, but what may be of interest is the rumor that such a system runs on Windows XP. (Note to the US Government: this is only a rumor I have heard, and nothing more.)

For those not following the RSS feed from Microsoft Corp, Microsoft ended support for Windows XP in April 2014, meaning any new vulnerabilities in it won't get the prompt patch we have become so accustomed to seeing. Microsoft has made rare exceptions (out-of-band XP fixes shipped during the 2017 WannaCry outbreak and for the BlueKeep RDP flaw in 2019), but nobody running XP should plan on one.

OK, so this is just a rumor, but it is early in the year, and we are asked all too often, "So what is the big thing in cyber I should be thinking about this year?" I thought I would use it as the basis for my educated guess on the year ahead. The name of the game in cyber this year will be "governance." Just as patching, ports, and edge protection have been the defining terms of years past, 2020 will see more organizations struggling to place accountability for cybersecurity with the right people.

Global consulting firms continue to push huge pools of capital toward automation and digitization across industries. Organizations are wising up and recognizing they don't need a Digital Road Map. They need a Secure Digital Transformation. I am glad to see this shift, but now the question becomes: "With operational technology owned by operations, and IT systems largely up (or quickly climbing) the security-maturity curve, who owns cybersecurity as a whole? For that matter, how are decisions being made about what to secure, and at what level protections must be set?"

Let me bring it back to the US Navy's weapons system to illustrate. Somebody, somewhere, hopefully with some logic, decided that the additional risk of that system being hijacked did not justify the cost of upgrading the software. Is this the right choice? There is no telling for certain; however, accepting it requires quite a bit of faith that the decision-making process was rock solid. Companies, academic institutions, municipalities, and non-profits face the same challenges when it comes to digitization decisions. The COO may want sensors on all the factory machines, but is the COO really the right person to determine a patching program for those sensors? Is the COO equipped to do the research necessary to ensure they aren't taking an inordinately large risk by selecting one vendor over another?

Enter the Chief Information Security Officer (CISO). This is typically a person trained and experienced in cybersecurity who holds ultimate responsibility for security policies, procedures, and everything else that bears on the organization's exposure to attack. But is the CISO really in a position to make the necessary business decisions? They may be skilled in security practice, but do they truly understand the operation well enough to calculate the risks being taken and make the necessary tradeoffs? For that matter, to whom does the CISO report? The CIO? The CFO?

The answer is, of course, it depends. A good CISO will take the time to really understand the organization's goals and processes so they can appropriately secure its tasks, data, and work products. They won't necessarily be interchangeable with a CIO or a CTO, who may be more technically proficient in IT systems and/or network technology. Oh, and good CISOs aren't cheap! Many organizations simply bolt the role of cybersecurity onto an existing job, like IT, or even somewhere in the office of the CFO (figuring the bulk of the risks will be financial in nature). Unfortunately, this seldom provides additional security, because whoever is tasked with making important risk tradeoffs is often conflicted in their role. For example, a CFO may decline to invest in upgraded firewalls because the cost is prohibitive and is never weighed properly against the potential loss from an intruder on the network. Likewise, a COO may not force workstation updates because they delay the operators' ability to execute.

Ultimately, the governance of cybersecurity sits with the Board of Directors, the Council, or the Board of Trustees. The responsibility for execution then falls to the CEO or one of her deputies. Delegating execution, however, does not absolve the board and managers from considering this very real and evolving risk to their organization.

2020 is sure to see several groups breached. Some will be breached by professional hackers and others by script kiddies just looking to ransom some bitcoin out of an unsuspecting IT director. As groups across industries and with varying structures react to the changing landscape that is cybersecurity, I believe governance will be the single largest point of frustration.

If you don't have a CISO in your organization today, or if the role is shared by a manager with other duties, start there. Even if a full-time CISO is not necessary or not affordable for you, there are fractional options available that provide the services of true cybersecurity professionals at one third or less of the cost of an FTE with equivalent skills. This person should work closely with the IT department but report regularly to the executive committee or board, so that risk tradeoffs are not left to someone whose other duties conflict with them, and deliver a succinct account of current threats, vulnerabilities, and impacts, along with the actions being taken to secure systems and mitigate potential risks.
