Page 134 - Cyber Defense eMagazine April 2023

threats truly exist in their environment, what needs to be fixed and how, and this puts them in an even weaker position to present accurate information to those holding the purse strings. I don’t blame them, either—IT has a huge span of control, and even security-focused staff can quickly lose pace with current threat actor techniques after a length of time spent in a single corporate environment.


Finally, while this model has provided a layer of culpability to shield the CEO and boards in the event of a catastrophic breach, so what? Who cares about blame (aside from the hapless, blamed CISO) when the organization’s finances, reputation, and market position are a pile of ruin? Blame is a pointless game. Class action lawsuits are unlikely to be deterred anyway if the organization is found to have been negligent in proper security practices, regardless of how compliant it is with frameworks and statutory requirements. CISOs and their associated teams must be focused on preventing this destruction so businesses, jobs, and industry can continue unabated, by focusing on where the real risk lies—not in their written policies, regulations, and frameworks, but in the underlying tech stack and its configuration and orchestration.

This can be done by leveraging external, rigorous, and regular assessments of all key systems, applications, and controls. Threat intelligence must be applied to an organization’s technology orchestration, and this can only be accomplished by a CISO operationalizing a risk register on the principle of Zero Trust. Zero Trust is not a single process, person, or product, nor a set of any one of them; it is an orchestration of all three. These activities, along with internal and external penetration tests and internal and external vulnerability scans (no less than monthly), must be leveraged as feeders to the operationalized risk register, which can then be presented to executive leadership in terms understood by them (dollars and potential damages). Executive leadership operating as a team, not just the CISO or any group or individual in IT, should be responsible for accepting discovered risks on behalf of the organization.



IT Teams Need Support: Top Down, and Outside In

It’s time for CEOs, boards, and even private equity firms to enter the stage again and get educated. It’s essential that they truly understand what is at stake—who is to blame isn’t the core issue. They must be involved and provide the leadership and resources that CISOs and technical teams need to secure the organization.


It’s true that CEOs and boards have many competing priorities. But when the business is decimated by a catastrophic breach, there is no greater priority than that—and by then, it is often too late to shine a spotlight on it.