According to ITRC (Identity Theft Resource Center), in 2015 thus far there have been over 450 breaches with over 135 million records exposed.
They define a breach as an event in which an individual’s name plus Social Security Number (SSN), driver’s license number, medical record, or a financial record/credit/debit card is potentially put at risk – either in electronic or paper format.
As a CISO, or a person in a position with CISO powers, your organization looks up to you to help protect its most important data. It’s a powerful position for certain. But with such power comes great responsibilities. Sometimes politics gets in the way and hinders proper data protection. Sometimes complacency gets in the way too, even an inability to form real partnerships with stakeholders.
Well, for starters, you should have that innate knack to identify past failures and current gaps, and to forecast issues. We all commit sins, we all make mistakes. We ask for forgiveness, each of us in our own way. But how many of us actually try to figure out what we need to do to reduce the risk of committing that same sin again?
Below I have chosen 10 common issues we face over and over again. Whether you are in a CISO or CISO-like position, I urge you to take note, ponder, revise your plans, strategize, and finally implement solutions that will reduce the risks to your organization and, most importantly, reduce the risks to your career.
1. I do not know which are my critical vendors
This is one area, even with developed third-party programs, that is still not well defined. How do you define a critical vendor? How do you arrive at an inherent risk? Uncertainty can lead to an endless number of gaps, improper residual risks, and remediation failures. How do you know which vendors you should conduct an onsite assessment on? The regulators are looking for your critical vendors. Hackers may be looking for them too. Are you?
2. I don’t know where all my sensitive data is and how to properly classify it
How do you define sensitive data? Can you spell it out to actual data elements? Does the business understand this? Yes, you define different classes of data, provide examples – and then you leave it up to the business to take the data and throw it into whatever bucket they feel? Who assures your organization that the data elements are properly categorized and protected? You’re hired to protect the organization’s crown jewels. Are you doing so?
3. My message doesn’t get to the Board Room
Do you feel that your vision, your wisdom, your accomplishments and challenges don’t get up to the board? Is your organization structured in such a way that prevents you from being properly represented/heard at the board level, the executive and highest level of management? In many organizations, security is part of IT, “security and IT working hand in hand” – even that sounds like a conflict of interest. Are the first, second, and third lines of defense properly aligned and with the proper oversight? All of this begins at the top. The top folks need to be educated, i.e. very well educated on risks, not just on a quarterly basis, or “need to know” – but on an ongoing basis. They have got to start feeling that heat, as that heat can easily burn through dollars and reputation rather quickly. So you can’t change the organizational structure overnight. What plans then do you have to tunnel your way into the boardroom?
4. I struggle getting my patches in on a regular schedule
You’ve got a whole lot of off-the-shelf software, in-house developed software, some of it with the help of vendors within the US and overseas. How do you keep up with patches? Do you know what needs to be patched and when? What is your zero-day patch plan? At least Microsoft and Apple are now keeping on top of their OS patches. Do you?
5. I should be conducting more vulnerability assessments and penetration tests
Regular vulnerability assessments, penetration tests – network and application – are the way to go. These are very important to conduct on a regular basis. In fact, pen testers are now among the most valued InfoSec professionals. Auditors and regulators find comfort in vulnerability assessment and pen test reports. Do you?
6. I still struggle with what I need to encrypt
Encryption is one of those things that can take the back seat. If sensitive data is not identified and classified correctly, you could be leaving the back door open if that data is not encrypted properly. If identified and classified correctly, you could still believe that there are enough controls around to properly protect that data without encrypting. Perhaps you do not want to suffer from performance hits. What about encrypting only some fields in the database instead? Well, at the very least, let’s hope all your end computing devices have encryption where your sensitive data exists. How about data in motion and data at rest behind your firewalls? A lot to consider, and not cheap, when you’re considering encryption. But do you have a choice succumbing to the direction to keep costs down?
7. I gotta get my arms around this access control monster
We all need some level of access to get our jobs done. Some more than others. Some have permissions that are under the radar. Not being monitored. No alerts. Administrators may have open access to your sensitive data. And if their credentials are compromised? Do you get your users re-certified periodically? Do you know who has access to your sensitive data? And don’t say your users, or some users have admin access to end user devices. Do you believe improper access control can lead to a breach at your enterprise? Do you check if your doors are locked before you retire at night?
8. I need to get into the Risk business and figure out all my high risks at the very least
We should be periodically assessing the security of our hardware and software, of our vendors – all on an ongoing basis. We discover risks and very often fail to properly document and centralize them in some sort of risk register, rank the risks, and hence properly remediate them in a timely manner. Yes, you say you don’t have the resources, time, and money. Maybe you don’t have auditors or regulators on your back to make you do it. Excuses, excuses, excuses. How long are you going to make excuses?
9. I don’t pay attention to what security provisions are in the vendor contracts
So you think you’ve got all your vendors figured out. You control them well. Monitor them well. You are Information Security, maybe part of Information Technology. You’ve done your job. But have you partnered well with your legal department in making sure the proper security provisions are in the vendor contracts? That the proper templates are being used? And these templates are being revised annually? How do you include vendor risks in contracts? You need to develop partnerships that last, partnerships that are fruitful for all involved. Maybe you don’t like to deal with lawyers and contracts. But can you avoid it for too much longer?
10. I am up night after night thinking about the inevitable data breach
You read about all the security breaches that occur across industry and size. Breaches don’t discriminate. Sure, it will happen one day. But you do want to be prepared if one should happen. You have to have the script ready – the incident response plan that works almost flawlessly. A plan that you need to test on a regular basis, to keep all employees in tune with, aware of such a possibility if it should ever occur, and what they need to do in a timely manner. Of course, you do participate in frequent fire drills, don’t you? You’re not the one who ignores the test alarm to gather at the nearest exit because you’re too busy?
Don’t keep making excuses. Elevate your game, regardless of your resources, time, and money. Put your plan together – start with the board, present your case. Don’t keep on sinning! Forgiveness starts with you!