Since October is Cybersecurity Awareness Month, I would like to share what I think are some significant cybersecurity issues that don't always make it into today's headlines.
Limited Standards for Technology Infrastructure Are Problematic
The companies that develop the underlying information technology infrastructure are rarely held responsible for creating secure operating systems, cloud technology, web servers, and network infrastructure. Yet the design and implementation of those products are crucial for building secure systems.
Aside from a few highly regulated environments, the U.S. government's cybersecurity regulations rely for the most part on voluntary adherence to "industry best practices" rather than a set of mandatory security requirements. For instance, the federal government mandates airplane and automobile safety requirements such as seatbelts and airbags, but has no cybersecurity equivalents.
As a result, CISOs are constantly plugging holes in both legacy and newly acquired information technology components, holes that never should have existed in the first place. This is not optimal. Ideally, CISOs should instead be concentrating on the integration of security capabilities to achieve business objectives while operating in a risk-acceptable environment.
For example, there is an ongoing push to adopt blockchain technology in the financial sector. While blockchain offers enticing improvements in financial processing and data security, it runs on existing infrastructure. As we have seen, sophisticated cyber adversaries are adept at exploiting infrastructure vulnerabilities so that the security of the application is rendered less meaningful.
This is like constructing a fortress on a foundation of sand. We need cybersecurity across the whole technology stack. The same principles apply to cloud technology, as we have seen with recent examples such as the Spectre and Meltdown processor-level vulnerabilities.
Consumer Trust Is Misplaced
A related challenge is misplaced trust. Many of us, both at work and at home, erroneously assume that technology vendors, social media providers, retailers, medical providers, and financial institutions are going to be able to protect our most personal information. Ceding trust in this way can harm the typical consumer or business.
For example, Facebook was recently exploited by attackers partly because the company lacked an in-depth understanding of its own business processes, potentially making consumer information vulnerable. Or, with the Equifax data breach, people trusted the company to guard their personal information, yet Equifax was lax in patching a known security vulnerability.
Considering the increasingly digital world we live in, reliance on technology has become a necessity. Data breaches may become more common, with people accepting them as a cost of doing business or living in the digital world.
Cyber-Attacks Not Seen as an Everyday Occurrence
Part of the high consumer trust may also be associated with how cyber-attacks are reported.
While the media rightfully reports on Department of Justice and FBI indictments of domestic and foreign adversaries (Russia, China, North Korea, along with recent CIA and NSA employees), this emphasis leaves the mistaken impression that cyber-attacks are rare occurrences perpetrated by a small number of state-sponsored actors as part of the global geopolitical landscape.
In fact, organizations face constant cyber-attacks, often on a daily basis. Most news readers don't realize this. And this paradigm shift has yet to reach many companies. In the business world, cyber risk is still assessed and thought of as an independent risk factor and has yet to be fully integrated into the overall corporate risk assessment and acceptance process. It must be factored in with business, financial, operational, and other regulatory risks.
As the CISO for the world's largest equity derivatives clearing organization, I know that it is important to effectively measure the effectiveness of your security program and calculate the residual risk, especially in the context of dollars, as best understood by your board of directors. Too often we establish metrics that focus on what we can measure rather than what we should be measuring.
The challenge is that the metrics must inevitably be linked to complex business processes and operations. A broad scope of testing at multiple levels is key; it provides empirical data and demonstrates some independence for the overall security program.
A Proper Fix Requires a Correct Identification of the Problem
As was well documented in the annual Verizon Data Breach Investigations Report, about 85 percent of the security vulnerabilities being exploited are known vulnerabilities with an issued vendor patch. So our largest and most important problem is basic security hygiene: blocking and tackling.
These are the most common sorts of attacks, and cybersecurity professionals across many industries deal with them frequently.
The more widely this fact is known, the sooner we can address the root of the problem and build a solid foundation for safer technology.