Cyber Reality

Michael T. Dent, Chief Information Security Officer, Fairfax County Government

How many more breaches must occur before anyone in a leadership position wakes up, looks in the mirror and asks themselves, "Am I responsible for this?" Can they break down the facts about how they run their organization, or how they push products that are inherently insecure out of the box? Any leader in IT today knows they have an almost insurmountable mission when they must depend on the leadership above them to allow them to do that mission without politics, or what I have affectionately called an elitist VIP culture. By VIP culture I mean the leadership who constantly demand exceptions to the security policy, those who want to use their personal devices to do their elected work rather than a secured, organizationally owned device, or those who rush the next greatest/coolest solution or product to market without thoroughly going through a risk assessment, thereby forcing years of updates and patches to secure it. By its nature, this type of culture sets you up for failure immediately. Why? Because we as consumers, citizens or organizations must go to extremes to secure these products and environments through budget requests, constantly having to convince the very leadership who allowed this to happen to fund our efforts to protect.

We have many solutions to secure our data and systems, yet when we try to implement what we as cyber SMEs know will work, we must go through the political ladder of approvals. Approvals we really shouldn't have to have. Why, you ask? Because when we do that, we allow the politicians and political appointees to make our cyber decisions for us, WITH NO ACCOUNTABILITY for those who make the decision.

I am not just talking about deciding what we need for endpoint protection, firewalls, internet filters, web application security tools and so on (just name something you need for the protection of your systems). I'm talking about enforcing compliance with security policy (it still amazes me today that some organizations don't have one), and about security awareness training for all levels in the organization, including executive leadership and boards. I'm talking about basic cyber and system maintenance and hygiene. I'm talking about holding business leaders accountable for forcing or purchasing insecure products. I'm talking about the companies still selling products that can't meet any standards. I'm talking about the third-party cloud providers or cloud solution providers who think we have no right to ask them what they are doing to ensure the data of ours they will hold is protected to our same standards, and who, when we insist that they must do so, complain to the leadership that we are being uncooperative and causing the solution or service to cost more. I could go on and on.

If CISOs don't start getting the same level of respect and the same level of decision-making responsibility as CIOs, then we are going to continue to see these breaches. If we don't start holding everyone accountable for their decisions, from regular users' use of IT systems to leadership's decisions on which measures are going to be funded, then the pain will continue.

Have a formal risk acceptance program. If you're a CISO, document your risks, make sure your leadership acknowledges the risks and, most importantly, document what you recommend as mitigation for those risks. Most CIOs will tell you not to do so for fear of public disclosure. In today's day and age, when you are breached it will become public one way or the other, through reporting or through a whistleblower. The excuse of FOIA exposing risk from a government perspective is a moot point, as FOIA laws have an exception for anything related to cyber or IT configurations that could expose the systems and data to an attack. What they are really worried about is leadership, or worse, finding out that there are risks and that they need to be dealt with. This means they must find budgets to mitigate the risks, or give the bad news to business leaders that they can no longer operate their solutions in the manner that is causing or exacerbating the risk. If they are serious about supporting you and protecting the organization, they will understand that you can manage sensitive data, and how or whether that information would ever become public.

If you are a CISO and you have the privilege of leadership that gets it, as I do, then we should make it our mission to keep calling out the leadership who doesn't get it. Leadership that continuously tells the CIO and CISO that cyber is too expensive either doesn't understand what it is preventing you from doing (this is ignorance, and may require you to do a better job of educating them, if you have direct access to them) or doesn't believe the investment is needed to mitigate the risk (this is arrogance). Either way, they must accept accountability for those decisions.

Let's stop allowing these excuses. It stops now: document your risks, notify leadership of those risks, the mitigations and the cost to mitigate, and, more importantly, the potential cost of inaction, quantitative and qualitative, to the organization.
