Corporate officers — security changes for 2015!

Board members, CEOs, CIOs, corporate officers: You trust your chief financial officers (CFOs). However, you still spend millions of dollars every quarter on outside experts to ensure that the CFOs have counted every penny properly, didn’t miss a trick and your stakeholders can be confident that your financial house is in order.

Why do you spend so much time and money on outside auditors every quarter? The short answer: financial regulations. It’s a condition of handling other people’s money, so you do it. You also do it because, as a corporate officer, you sign your 10Q quarterly reports stating that what the CFO told you is true, knowing that if mistakes were made, money missed or misfiled, or the wrong principles applied, that the fines, penalties, loss of equity and even loss of job would be yours as well.

 Welcome to 2015! Allow me to introduce you to your chief security officer (CSO). Despite the honorific, your CSO is rarely a “real” corporate officer like you. Typically, a CSO still reports to the CIO and thus is part of your enterprise’s I.T. branch.

 Trust but Verify

 Your CSO is the smartest security person in the company, but often talks in terms that you not only don’t understand, but in terms you don’t even want to understand. CSOs talk about needing more money for this countermeasure or that service, and all you think is, “Geez, we just gave you a budget last quarter!”

 CSOs rarely quantify a return on investment, as the rest of your department heads can. Instead, CSOs talk about threats to other companies, and deep down you’re wondering who would have both the inclination and capability to attack your company anyway? You have firewalls, and you’re forced to memorize (okay, write down in your secret place) longer and longer passwords that NOBODY could guess. You’re compliant with your industry standards, such as PCI (for payment cards) and HIPAA (health records), so you must be protected.

 In short, you need to trust your CSOs to do their jobs, just as you trust your CFOs — in the same way that President Reagan trusted the Soviet Union to disarm: “Trust but verify.”

 Officer Involved Security

 Security is no longer an IT problem, but rather a business issue. Corporate officers have to go the extra mile to ensure that their CSOs are equipped to protect the company from the risks aimed at your company today.

 It’s easy to point at other not-so-lucky executives and laugh — executive passwords such as “sony123”; malware inside networks for almost a year without discovery; sensitive emails saved in the open; hastily made software not checked for security; and no one noticing the exfiltration of enough data to fill the Library of Congress — who would allow such a thing?

 Reflecting Vulnerabilities

 It’s mirror time. Most of you allow some of these very same practices at your company and you don’t even know it. The only real difference between your company and others is the four-letter word for surviving a terrorist attack: LUCK.

 All of the old-school antivirus software you have won’t ever find today’s customized new-school attacks. Shelfware and unmonitored security systems are useless against them. Your old software can’t compete with them. And if your CSOs keep talking about needing more firewalls to defend, you should fire them.

 You should focus on three strategies today:

1)   Understand that attackers move around inside your networks for about a year before they strike. This means that they are inside your networks today! Use this one window, where you have the upper hand, before the malware explodes (yes, as ARAMCO, Sony and others can attest, malware can physically destroy systems), before it’s gained enough information and access to attack. This is your best chance to find the malware and kill it. But knowing how to look, where to look and what tools to use when looking is a pro’s game. It’s not just buying the latest magic quadrant winner, or media darling. It takes tools, skills, practice and experience — none of which you’re likely to have (or pay for) in house. Beware the false sense of security.

  2)   Collaborate the way the criminals do. Most of the defenses and investigations I’ve been part of over the years have had a common dominator — adversary collaboration. Regardless of whether your primary attacker is after money, revenge or critical disruption — groups such as organized crime, terrorists, state actors, nonstate actors, disgruntled insiders — all tend to work together sharing/trading/buying insight, tools, codes, weapons and even your intellectual property. You need to actively collaborate with good guys — law enforcement, security professionals, Information Sharing and Analysis Centers (ISACs), security associations and, yes, even your competitors.  

  3)   Respond as if your career depended on it. I get called by executives like you to help respond to major attacks all the time (usually at 2 a.m.!). Most of the time, the conversation starts like this: “Tom, I know you told me to prepare, but … You’ve got to help! What do I do?”

The answer? There are three very simple and cost-effective keys to a successful incident response (IR): planning, practice and people. Every public company should have a complete and current IR plan that has been built to expect an incident and provide training to respond effectively.

  Most of the plans I’ve worked on anticipate more than 80 percent of the actual event, so on that first night, you’re worried only about understanding that last 20 percent. Most IR is planned, scripted and preapproved by legal, communications and technology. You’ve already participated in realistic practice sessions each quarter to keep current, and you’ve identified your go-to IR team.

  Most companies don’t keep dozens of forensic investigators on staff just waiting for this night. No company buys all the latest tools and stays current with the latest techniques needed to discover today’s attacks. However, every public company should have an advance contract with a trusted global IR partner that does have these capabilities and has already been part and parcel of your quarterly practice sessions so it also can hit the ground running.

If your first call takes more than two minutes to get to the IR duty officer (yes, even at 2:00 a.m.), and the officer can’t activate your response plan during that first call, then you are at excessive risk. Those first few hours often make the difference between being judged successful in your response or being part of the problem that needs to be cleaned up.

The security of your company is part of your fiduciary responsibility as a corporate officer. The decisions you need to make are not technical; you don’t need to understand the difference between IPv4 and IPv6 (it’s not 2), or what SCADA stands for (supervisory control … oh, never mind).

You need security advice at the board and corporate officer level that speaks your language, and you either need new board members that are cyber savvy or outside expertise specific to this fast-paced world that can keep you up with your adversaries. Just as with your CFOs, you need to give your CSOs the expert support they need and hold them accountable for managing your risk as if the very survival of your company depends on it. It does.