We have two primary camps in 2024: those who believe it is dangerous to hold CISOs accountable for poor security practices, and those who think it's about damn time. I am of the latter mindset. To hold security leaders responsible, we need to allow them to be effective.
On October 30th of last year, 2023, the Securities and Exchange Commission announced charges against Austin, Texas-based software company SolarWinds Corporation and its chief information security officer, Timothy G. Brown, for fraud and internal control failures relating to known cybersecurity risks and vulnerabilities. The complaint alleges that SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating known risks. During this time, SolarWinds misled investors by disclosing only generic and hypothetical dangers while knowing of specific deficiencies in its cybersecurity practices and the increasing risks it faced.
The SolarWinds situation should not only serve as a cautionary tale but also become a catalyst for effective change. The “House of Blame” approach to security is unacceptable. We need to empower our security and risk leaders to effect positive change instead of pointing fingers in times of crisis. By holding our CISOs accountable and allowing them to be effective, we can create a culture of security that benefits everyone.
When did the bank vault door become more important than what the vault is protecting?
Tool Fixation
“Tool fixation” is a common occurrence in the cybersecurity realm and plagues everyone from the CEO right down to the mail clerk. “That silver bullet piece of technology will cure all our ills and make us the company we were always meant to be!”
Sound like a pipe dream? Well, it is.
One of my favorite quotes is attributed to one of the most ingenious American forefathers, Benjamin Franklin:
“If you fail to plan, you are planning to fail!”
Reaching End State: Have a Plan
A plan is the foundation of any successful enterprise. Understanding what we are attempting to protect (or restrict access to) may sound simplistic, but it goes a long way toward addressing our objectives as cybersecurity practitioners. This in turn creates a clear line of sight back to business requirements, producing a plan that best fits the mission and business strategy at hand. From a framework standpoint, see the CERT Resilience Management Model and its appropriate topic, Technology Management. For those unfamiliar with CERT-RMM, it is a maturity model that promotes the convergence of security, business continuity, and IT operations activities to help organizations manage operational resilience and risk.
Tools and technology are important items in any organization's toolbox, but using the right tool for the job effectively is key. Just ask Sony, Anthem, Target or Home Depot.
Having a tool or technology does not equate to appropriate utilization.
Once solid business requirements and a plan have been created, tool selection becomes a cinch. Proofs of concept establish what our selected candidates and toolsets can actually address: proof positive that the tool or tool suite can actually accomplish what the enterprise set out to accomplish.
Late to the party? Very little is “unfix-able”
I've lost count of the clients I have had the privilege of assisting who inherited or were saddled with a product that just wasn't a great fit. By hook or by crook, it ended up in their enterprise. A product bought for a unique widget and tragically underutilized, or bolted onto several other products in an attempt to address the overall mission. Being a glass-half-full type of personality, I consider this a step up from the budget battle and getting products approved, and an opportunity to properly field and utilize what the organization already owns and has.
The three-legged stool: balance it. People, process, and technology.