Crisis or Our Profession's Opportunity?


We have two primary camps in 2024. Those who believe it is dangerous to hold CISOs accountable for poor security practices and those who think it’s about damn time. I am of the latter mindset. To hold security leaders responsible, we need to allow them to be effective.

On October 30th of last year, 2023, the Securities and Exchange Commission announced charges against Austin, Texas-based software company SolarWinds Corporation and its chief information security officer, Timothy G. Brown, for fraud and internal control failures relating to known cybersecurity risks and vulnerabilities. The complaint alleges that SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating known risks. During this time, SolarWinds misled investors by disclosing only generic and hypothetical dangers while knowing of specific deficiencies in their cybersecurity practices and the increasing risks they faced.

The SolarWinds situation should not only serve as a cautionary tale but also become a catalyst for effective change. The “House of Blame” approach to security is unacceptable. We need to empower our security and risk leaders to effect positive change instead of pointing fingers in times of crisis. By holding our CISOs accountable and allowing them to be effective, we can create a culture of security that benefits everyone.

Building Castles…


Today's cybersecurity personnel come in all shapes and sizes, and in many respects their past experiences and effort play significant roles in their today and tomorrow.

What immediately comes to mind is the history of … barbed wire.

Life in the American West was reshaped by a series of patents for a simple tool that helped ranchers tame the land: barbed wire. Nine patents for improvements to wire fencing were granted by the U.S. Patent Office to American inventors, beginning with Michael Kelly in November 1868 and ending with Joseph Glidden in November 1874. In much the same way, perimeter security technology fenced us in, making us "secure" in our various Fortresses of Solitude. Or, as I like to call it, Castle Building.

Forward-thinking and agile organizations are quickly coming to the conclusion that, in order to function effectively in today's digital age, the tried-and-true methods of days gone by need significant revision to address "border-less" work environments and technologies. Terms such as cloud, SaaS and PaaS either frighten them to no end, or they cinch their pants up and tackle the new and unknown.

As a consultant, it's one of the aspects of the job I enjoy most: demonstrating proven strategies that fit the requirements. Security should always seek to enable the business, and frankly I find great enjoyment in fitting the puzzle together using the tools at hand to build something that works well. To that end…

  1. Stop Castle Building – The day and age of physical containment via tech is no longer viable in a highly mobile digital society, and it requires forward thinking on an architect's part.
  2. Requirements, requirements… did I mention requirements? – Requirements are a tricky business, and it's a cybersecurity practitioner's goal to account for both business needs and security needs in one well-balanced strategy. While security might want everything under lock and key and protected by dragons, this makes business agility near impossible, if not extremely unfeasible.
  3. Security should ENABLE business – This is just as hard an adjustment for cybersecurity practitioners as Castle Building, but we need to apply just enough protection to address the major compliance and regulatory requirements at hand while giving our business people the ability to do their jobs. Humans by nature will find the easiest way possible to get things done. Working with our vested business partners within an organization gives cybersecurity people a far better understanding of the daily aches and pains, and the knowledge to be creative in protecting our organizations.
  4. Be Creative – Meld the old with the new. The hammer is still a viable tool in construction for a reason: it works. Work with what you have at hand and add tech, people and process where applicable and where it makes the most sense. Sure, new technology can be exciting and shiny, but don't forget to consider carefully how what you already have on hand can play a major role in your "border-less" revisions.

It’s a new frontier out there!

EDIT: Timely? Yes, yes it is. Considering this original was posted over a year ago.

Is security really stuck in the Dark Ages?

“As advances are made by the good guys, the enemy will re-evaluate and re-deploy capabilities in a way that can circumvent their attack or defensive postures. The challenge with the cyberworld focus is that the battle moves much more quickly, and is even more multi-dimensional.”

But he agrees with Yoran that there is still too much reliance on defending perimeters. "Many organizations are still locked into the concept that the castle walls will protect the bad guys from getting in," he said. "Most are not thinking about those who climbed over or tunneled under those walls."

tinyurl.com/kjwg5b7