BreachExchange mailing list archives

Mr. CISO: Tear Down These Legacy Cybersecurity Walls!


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 26 May 2015 19:59:13 -0600

http://www.networkworld.com/article/2926794/cisco-subnet/mr-ciso-tear-down-these-legacy-cybersecurity-walls.html

Here’s a scenario we’ve all encountered:  You go to a nice restaurant to
enjoy a meal and the whole experience turns sour.  The service is terrible,
your entrée arrives before your salad and your food is overcooked and
virtually inedible.

When you explain all of these issues to the restaurant manager, she
apologizes and then responds with her own problems: a waiter quit, the
cook called in sick that day, making it difficult to keep up with business,
and several big parties disrupted workflow in the kitchen.

Yes, you may be sympathetic but these issues really aren’t your problem.
You want to enjoy a good meal, you are willing to pay good money for fine
dining so that’s what you expected.  You really don’t care about the
restaurant’s internal problems and you absolutely don’t want them to
interfere with your experience.

So why am I writing about this culinary conundrum?  Unfortunately, my
dining experience example has a fair amount in common with the way
enterprises manage cybersecurity.  In too many cases, internal
organizational walls, problems, and legacy baggage actually interfere with
the efficacy of security defenses as well as security operations
efficiency.

The internal friction I'm referring to manifests itself in several ways, as
cybersecurity best practices are interrupted by:

1. Organizational turf battles.  Security teams are often seen as
counterproductive to application development, networking, and IT operations
teams.  Security and networking teams debate about which network security
technologies to buy and where network security controls should reside.  The
Infosec and applications development team each own little pieces of
Identity and Access Management (IAM) and don’t collaborate enough on an
end-to-end strategy.  Security teams inform IT operations about
vulnerabilities but have little say about when and how to address them.
Disparate IT groups may adhere to infosec requirements on paper but want
carte blanche with regard to selecting their own tools, prioritizing
activities, and balancing security needs against their own objectives.  When
this happens, cybersecurity best practices morph from a requirement into a
discretionary chore and IT risk escalates.
2. Security budget horse trading.  Security is about addressing risk across
the organization.  Yet the cybersecurity budgeting process translates
organizational risk into budget dollars that are then distributed into
various technology group buckets.  This causes problems
when security needs cross organizational lines.  For example, preventing,
detecting, and responding to modern malware threats demands
cross-functional cooperative solutions that encompass endpoints, networks,
security analytics, and threat intelligence.  Because of legacy budgeting
processes however, too many companies address anti-malware on an a la carte
basis.  This is clearly a sub-optimal approach at best.
3. Risky Shadow IT.  Security vulnerabilities cascade every time business
managers make IT decisions on their own – without the right level of
cybersecurity consultation and oversight.  This happened over the past few
years with IT initiatives like server virtualization, BYOD, and cloud
computing.  When IT initiatives are thrown over the proverbial wall and the
security team is forced to play catch-up, everyone is at risk.

This situation is akin to some of the contributing factors leading to the
9/11 attacks; namely the lack of cooperation between various law
enforcement and intelligence agencies.  To break down these walls,
President Bush created the Department of Homeland Security (DHS),
established threat intelligence centers, and bolstered funding for
cross-department education, training, and communications.

I realize that cybersecurity isn’t national security and this IT situation
is nothing new, but the fact remains that organizational intransigence
makes organizations far more vulnerable to cyber-attacks.  Like President
Bush, CEOs should no longer tolerate the tired old excuse of, "that's the
way we've always done things around here."  Instead, CEOs, CIOs, and
CISOs should aggressively identify areas where the organizational status
quo is getting in the way of strong cybersecurity hygiene and tear down
these legacy walls as soon as possible.

If you are like me, you really don’t care about a restaurant’s internal
woes when your dining experience turns into a customer service nightmare.
Similarly, regulators and customers won’t be very understanding when a
devastating data breach could have been averted with a more holistic
approach toward cybersecurity across budgets, processes, and the
organization.  Excuses are excuses.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 