[BreachExchange] Knee-Jerk Reactions to Data Breaches Are Damaging the Case for Cyber Security

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 7 18:56:28 EST 2016


https://technopreneurph.wordpress.com/2016/11/05/knee-jerk-reactions-to-data-breaches-are-damaging-the-case-for-cyber-security-by-jc-gaillard/

Anybody who has spent a few years in InfoSec management has seen this
happen: Following an internal near-miss or some high-profile security
incident widely publicised in the media (such as the TalkTalk data breach
in the UK), the same senior executives – who previously wouldn’t bat an
eyelid over information security issues – suddenly start panicking:
Priorities shift. Immediate solutions are demanded. Money appears out of
nowhere by the millions. Tech vendors are lined up. Some product is
purchased that will allegedly fix everything. A box is checked, then
normality returns.

Over the short-term, only the tech vendors win – shamelessly – in these
scenarios.

The CISO – if there is one – loses ground in most cases. Unless they’re
just a technology hobbyist and they get another pet project to play with.
Otherwise, they are likely to see their priorities turned upside down by
the arrival of the new initiative and ongoing projects deprioritised in its
favour.

This could be hugely demoralizing for the CISO and their team who might
have worked hard for years to get some projects started, that are now put
on hold while other topics, that were repeatedly proposed and refused, are
now pushed forward by the same executives who previously turned them down:

It damages the credibility of senior management with the cyber security
professionals.
It makes life more difficult for the cyber security team in their
day-to-day interaction with IT teams, as they are seen as constantly
“moving the goal post”.
It perpetuates the wrong idea amongst IT communities that cyber security is
just a topic you throw money at from time to time.
In the long run, it alienates talent away from cyber security roles.

Cyber security products – broadly speaking – tend to do what they are
supposed to do, so the chosen technology solution may provide a degree of
protection to the organization, but only if it gets implemented properly.
And that’s often the key issue. The product would have been selected in an
emergency to plug a technical hole, not necessarily on the basis of the
most thorough requirements analysis or market research:

It may not be suited to the company’s environment (e.g. deploying internal
security products while key IT assets are in the Cloud, or deploying
Internet security products if your Internet footprint is limited).
There may be competing products or solutions already in place internally
that could have been leveraged (e.g. in different geographies or business
lines). Ignoring those alienates and demotivates part of the organization
and may deprive the initiative of invaluable field experience around the
topic.
There may be considerable process issues when trying to embed the new
product into legacy practices (e.g. around identity and access management
or patch management) potentially leading to escalating costs, deployment
limitations or project failure.

Overall, the knee-jerk decision may end up being an expensive
“tick-in-a-box” exercise that achieves very little in practice.

Even for tech vendors, the situation may not be ideal in the longer term.
As deployment fails or stalls due to technical issues, and value is limited
by the lack of compatibility with people and processes, vendors may face
dwindling revenue from subscriptions or cancellation of maintenance
charges, which may damage business models or investors' confidence.

Senior executives need to understand the dynamics they create where they
demand instant solutions to problems that are in reality rooted in decades
of under-investment, adverse prioritization or complacency. And the CIO and
the CISO need to have the management gravitas and the backbone to stand up
to the Board – with the right arguments – on those matters.

The harsh reality is that there can be no miracle solution – technical or
otherwise – to such problems.

There may be a need for short-term tactical initiatives to demonstrate to
the Board, shareholders or regulators that a new dynamic is being created
around cyber security, but those have to be calibrated to the real maturity
of the organization around those matters, and the genuine threats it faces.
As importantly, they must be accompanied by a thorough examination of the
cultural roadblocks that have prevented progress in the past.

A genuine and lasting transformation around cyber security can only come
from the removal of those, and from the definition of a long-term
transformative vision for the function. A vision that must come from the
top and resonate across the whole organization, not just IT.