Are CSOs Operating Under the Ostrich Theory of Management?
This year’s Security 500 survey reveals some interesting results. Only 34 percent of the survey respondents stated they had responsibility for cybersecurity within their enterprise. Yet cybersecurity was listed as number two on their list of greatest concerns (edged out for the number one spot by workplace violence).
The Cyber Risk Landscape
Admiral Mike Rogers, the current Director of the National Security Agency, stated in testimony before Congress basically that there are two types of enterprises: those that have experienced and responded to a cyber breach and those that have not yet discovered that they have been breached. Former NSA Director General Keith Alexander stated in testimony to Congress that nation-state-sponsored cyber-based theft of intellectual property has resulted in the largest transfer of wealth in history.
In today’s hyper-connected world of the Internet of Things, no greater ubiquitous threat has ever existed than a cybersecurity-related incident impacting an enterprise. Cyber-based risks exist on all fronts. The intelligence community openly acknowledges that nation-state-sponsored cyber-attacks have risen dramatically, with more than 140 countries actively and aggressively stealing technology from American companies. Organized transnational crime, along with a host of other bad actors, accounts for hundreds of billions of dollars in cyber-related crime annually.
Another area of significant cyber risk is that hackers target the weakest link in networks to afford them access to the motherlode. Third-party connections create a significant opportunity to tunnel into networks that may otherwise have adequate perimeter protections. Many smaller companies do not maintain the robust level of protections that larger enterprises deploy and become myriad enticing targets for skilled hackers. And not to be forgotten or minimized is the ever present trusted insider, who presents one of the most pervasive and potentially damaging of all cyber risks. If one of our most secure agencies can suffer over 50 terabytes in losses of its most sensitive data perpetrated by trusted insiders like Martin and Snowden… how effective are corporate controls to prevent devastating losses that could result in a complete collapse of the enterprise?
Who’s Afraid of the Big Bad Cybersecurity Wolf?
I have spoken with a broad range of sitting CSOs who have told me that they were asked to take on cybersecurity as part of their role and they turned down the opportunity. The majority offered the excuse that they don’t have a technical background in information systems and don’t understand the environment enough to feel comfortable taking it on, REALLY! It’s time to get out of your comfort zone and take on the biggest security risk your enterprise is facing.
First and foremost, cybersecurity and the cyber arena is nothing more than a series of processes. I know few CSOs that are experts in the technical side of CCTV, access control systems and alarms, yet most of you hire experts to explain the key issues and concerns that you need to know to properly manage that environment. Managing cyber is really no different. The CISO should be reporting to the CSO to maintain an appropriate separation of duties for the CIO. If CSOs fail to step up to the plate, you risk getting stereotyped, marginalized or worse… booted out!
I look forward to hearing from CSOs who have cybersecurity under them about their experiences and also from those that don’t have it in their portfolio and would like to find ways to become more engaged.