Friday, September 28, 2018

GAO Report on Equifax Breach

The GAO Report on Equifax Breach is a good read and although I've read a number of articles, etc. on the subject, I wanted to see if there was anything new.  Most interesting and new to me was that prior to the breach Equifax didn't have a Chief Information Security Officer (CISO).  Footnote 29 outlines the evolution of their Information Security leadership and reporting structure.

"Prior to the 2017 data breach, the Chief Information Officer reported to the Chief Executive Officer and the Chief Security Officer reported to the company's Chief Legal Officer. Following the breach, Equifax created the position of Chief Information Security Officer, who reports to the Chief Executive Officer."

Statistics on CISO reporting structures are all over the place, with the “Global State of Information Security Survey” indicating that 40 percent of CISOs, chief security officers (CSOs) or other equivalent information security executives report to CEOs, while 27 percent report to board directors and 24 percent report to a chief information officer (CIO).  In contrast, the Ponemon Institute's “The Evolving Role of CISOs and Their Importance to the Business” found that 50 percent of CISOs report to the CIO. In addition, 9 percent report to the chief technology officer (CTO), 9 percent to the chief financial officer (CFO), 8 percent to the general counsel, 6 percent to the chief operating officer (COO) and 6 percent to the risk management leader. Only 4 percent indicated that they report to the CEO.

I've advocated for some time that in order to be effective at managing risks to an organization's business mission and objectives, executive leadership and CISOs need to have a functioning and direct relationship.  A reporting structure in which the CISO reports to the CEO is a tremendous and overt demonstration of how important and foundational Information Security is to organizational success.  To be successful, Information Security has to be seen not as a cost center, but as an integrated part of every product or service a company endeavors to sell or provide.

Saturday, September 15, 2018

Where to Start with Cybersecurity

"There are so many systems, networks, and security vulnerabilities I don't know where to start".

This is a common statement we hear from clients: their organizations have deployed systems and established connectivity to support the business' mission and objectives.  In many cases the priority was on establishing the necessary capabilities as soon as possible, with little thought about maintaining the confidentiality, integrity, and availability of these now critical systems.  Once systems become critical to an organization's mission, adding the necessary layers of security poses a challenge, not only from the standpoint of potentially impacting performance and availability, but also in deciding how to prioritize remediation efforts at both the system and control levels.

McGARY CONSULTING (MC) can assist organizations in determining how and where to begin their Cybersecurity efforts.  We often see organizations engaged in a tactical-only or bottom-up remediation approach, including continuous vulnerability scans, endless patching cycles, and the implementation of security point solutions.  Although these are important Cybersecurity activities, they need to be performed in the context of a program informed by risk management, with appropriate governance and prioritization.  In contrast to the tactical-only approach, MC focuses on a more strategic, top-down approach, first understanding an organization's mission and business objectives as well as the processes and assets critical to business operations.

MC uses the NIST Cybersecurity Framework (CSF) as the foundation of our methodology to assist organizations with building Cybersecurity programs and also to evaluate the effectiveness of existing programs. Since the framework provides for a high level of customization, it can be used to support any organization's security requirements, regardless of size, industry, or compliance responsibilities.  Leveraging the NIST CSF to assess an organization's Cybersecurity posture provides a leading-practice approach to answering questions like where and how to start.