Business Journal Ask the Expert Column – June 2019

The inbox has been filled with fantastic questions over the past few weeks. And that means great information for everyone. Here are my top three questions for the month.

I just received added budget for an IT Risk Management Team. What’s the first thing you would have them address? If Management or your Board has given you the manpower and budget to address one issue, have your team target unpatched vulnerabilities with known exploits available and get them patched as quickly as possible.

A recent survey indicated that over a third of all breaches are the result of known unpatched vulnerabilities. In the large majority of cases patches had been available for months but were never installed.

It seems as if almost every vendor issues new patches every month… the sheer volume is overwhelming for most IT teams. Patching can become a full-time job in itself.

Final note: The 2017 WannaCry ransomware attack represents probably the best example of what can happen with unpatched vulnerabilities. The vulnerability that WannaCry exploited had a patch that had been available for months, but many organizations simply “hadn’t gotten around to installing the patch.” Now, we are seeing the same possibility with the latest BlueKeep vulnerability. If you haven’t heard of BlueKeep, then your IT team probably hasn’t either.

As a CISO, how can I better engage Board Members and impress upon them the need for improved cyber security? First of all, focus on providing a narrative rather than just providing numbers. Paint pictures with words and relate them to risk, stock value and consumer confidence. Make your data meaningful. Don’t overwhelm. If you can’t keep things simple, at least keep them simple-to-understand. Think of it this way: You’re marketing the value of cybersecurity to an audience with limited time and an unlimited number of current problems. You have to demonstrate that the potential cybersecurity risk is greater than any other current problems they are facing.

Most Board Members don’t have deep cyber security knowledge. The next generation will . . . but until then, you need to work on moving your function from an IT position to one that protects enterprise risk. Think of yourself as the liaison or conduit between the business and the Board when it comes to cyber risk management.

Work to create a more risk aware culture. Communicate with the Board about the types of risks and threat actors who are most likely targeting your organization before an event happens.

Bring the threat to life. Give the Board someone to fear, someone to hate, someone who means the company harm. Help them understand the context of the threat. This approach will motivate the room.

I’m planning and budgeting for 2020 right now. Is there a growing trend I should consider? Protecting endpoint security and securing data wherever it resides. If you’re focusing too much energy on devices and not enough on data, you are fighting a losing war.

We have so many devices storing data in so many places, we need to consider how we protect data throughout its lifecycle from the moment it enters the organization until it is retired and eventually deleted.

If you’re not protecting data when it’s in-transit, in-use, and when it’s at rest, you’re asking a bad actor to steal whatever that data is.

The focus on data stems from the fact that the cloud is changing everything we do. As more companies transition to hybrid infrastructure, it’s critical to evaluate endpoint security strategies as a whole to ensure data is protected where it resides at any given moment.

As part of your strategy, remember, if devices are secure but credentials are compromised, your data is wide open for the taking. Identity protection is key to threat protection on an enterprise level, yet, true identity protection and security is often overlooked at the expense of other measures . . . opening data to compromise at numerous points throughout the organization.

One final note when considering your end point security strategy: Don’t be too rigid. Flexibility is mandatory. Your needs, the sensitivity of data, and how processes and policies impact users are all critical to organizational efficiency and productivity, as well as security. Make your strategy and its implementation a living organism, that’s both adaptive and anticipatory. As you already know, in this field, change is more than constant, it’s immediate. So, develop strategies in advance of an actual breach, knowing you’ll to need to pivot quickly and often when an event happens.