The annual security report from ISACA on the state of readiness and maturity makes for slightly uncomfortable reading. What is depressing is that the problems and weaknesses seem to have changed little over the past few years.
It remains the case that the more robust a company's security processes are, the better prepared it is for an attack.
According to an article in InfoSecurity magazine, companies that acknowledge and address the weaknesses are the ones that have most confidence in their security processes and protection.
One key recommendation is to have a CISO who sits alongside the CIO, CEO and CTO on the Board. A common mistake is (still) to have the security executive report to the CIO. According to the article's author, Raef Meeuwisse, this is misguided: the CIO owns the systems and projects that security is supposed to scrutinise, so having security report to the CIO is similar to having an audit group report to the finance function it is auditing.
One key finding is that security breaches are still under-reported, despite new regulations coming into effect that mandate the reporting of breaches.
Meeuwisse believes this probably owes more to embarrassment than anything else, and traces it back to fundamental failings in the security process itself. Everyone who has suffered a serious attack will insist that they were doing a good job. The truth is that the process was almost certainly flawed somewhere along the line.
It is, of course, easy to blame 'zero day' vulnerabilities: flaws that are exploited before the vendor has a fix available, so that no patch could have been applied in advance. Some would say that NotPetya was a zero day attack, but Meeuwisse argues that the technique had been around for a while (the SMB exploit it spread with had been patched by Microsoft months before the outbreak), and in any case the number of successful zero day attacks is actually quite low.
The main thing, of course, is to make security everyone's responsibility, and it has to be built into the culture to be truly effective. It is no coincidence that the current alarm about the BlueKeep vulnerability (a flaw in Remote Desktop Services for which Microsoft has issued patches, including for versions of Windows that are out of support) relates to 'older versions' of Microsoft Windows, and it is no secret that many large companies are running old versions of software because it is easier than updating it.
Security will always be a game of catch-up, and it will be won or lost on how fast you can catch up. The message that still holds true, and needs to be acted on fast, is to make sure that you have a CISO on the board: a dedicated executive responsible for the processes and protections against cyber criminals.