STE WILLIAMS

CISOs today are challenged to report, measure, and demonstrate return on investment to the C-suite and board. CISOs must address these success enablers, because if they don’t, they become silent killers. The lack of ability to report, measure, and demonstrate ROI has been keeping CISOs from a strong and enduring relationship with the C-suite.

The following is a high-level cycle of five success enablers. The first, if successfully set up, enables the second, and onward, with the last reinforcing the first.

1. Security Goals That Don’t Resonate with the C-Suite and Board
We often hear: “Security is a journey, not a destination.” That’s a real problem for business executives because they’re driven by results. They have a fiduciary duty to shareholders to get the most value from an investment. If CISOs have not established security goals that resonate with executives, there isn’t a destination to showcase. In this way, security becomes a journey without a destination. Unfortunately, for CISOs that’s often a journey to C-suite discontent and onward to a new organization.

CISOs should align their cyber resilience goals around business crown jewels. These are top-of-mind business assets that have executive and board-level significance and are clearly critical to business success. This way, it is crystal clear the value that security can provide and doesn’t need to be supported with a regulatory and complex probabilistic impact argument.

2. A Strategy That Doesn’t Clearly Interlink Height, Depth, and Breadth of Cyber Resilience
Most security strategies weakly establish the height, depth, and width of what we might call the “cyber resilience wall.” This is an oversimplification in security terms but an easy way to connect with business leadership to agree on key concepts to frame impact control expectations and security costs.

Threat sophistication covers a full spectrum of capabilities — from accidental to nation-state. Commensurately, the sophistication necessary to counter them varies — as do the costs. Controls and control groups can calibrate costs to defend to various levels. And the CISO should be able to pitch cost levels of cyber resilience. Let’s call this the height of the cyber resilience wall.

Not all security controls act in the same way. Some controls predict to help prioritize defences, prevent to stop/divert attacks, detect to alert responders, respond to handle attacks and impacts, and recovery to learn, recoup, and mitigate. Let’s call this the depth of the wall.

The width of the cyber resilience wall is scope and coverage. Controls often don’t have a firm grasp of scope (e.g., do I know where all the important data is?) and rarely achieve full coverage of known scope.

These three dimensions directly influence the business plan.

3. A Business Plan That Doesn’t Provide the C-Suite with Clear Risk Appetite Choices
You buy “security” to protect against impact. You can do that by preventing the breach that leads to impact, or by handling the breach such that impact doesn’t cross a line of “unacceptable” quantity. CISOs are poorly armed today to robustly justify the quantity of impact control that specific budgets can buy. And that’s very frustrating for executives. Because there isn’t a strong correlation between security investment and control of impact, it’s easy to executives to cut budgets, or to under-budget, and not feel repercussions. This’s why “risk appetite” has been so elusive.

4. Inconsistent SecOps KPIs, Metrics, and Reporting
Because most control leads and security frameworks largely focus on the technical side of security controls, they don’t effectively run it like a business.

Consequently, security controls aren’t measured to a core set of KPIs that accurately predict performance results. Security control KPIs are often inconsistently chosen and measured, and that leads to poorly calibrated, ineffective, inefficient controls, which often set a false sense of security, deliver weak cyber resilience results, and burn a lot of cash.

5. Inability to Show Results That Matter in a Convincing Manner
One of the best and clearest ways to show results is a well-structured set of red-team exercises.

Red teams can be particularly valuable because they can variably emulate threat sophistications and tactics, they can be multimodal (that is, cyber, physical, social), and be pace-throttled.

More importantly, they should aim at strategic security goals (with the ability to act variably and evaluate SecOps performance), robustly evaluate strategic priorities, and prove SecOps performance — down to the control and specific resources levels. In this way, red teams can be the objective rudder on the security program.

The Rodney Dangerfield Effect
If CISOs don’t address these success enablers, they will have a difficult time propelling themselves to a position of appropriate influence or maintaining their position. They will then experience poor perception and traction, and frustration from executives. They may not receive the funding or resources they need, or executives won’t be convinced they’re delivering satisfactory results.

Related Content:

• Why Cyber-Risk Is a C-Suite Issue
• Security Leaders Share Tips for Boardroom Chats
• The Real Reasons Why the C-Suite Isn’t Complying with Security
• Cybersecurity Accountability Spread Thin in the C-Suite

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “10 Security ‘Chestnuts’ We Should Roast Over the Open Fire.”

Douglas Ferguson, a security professional of over 20 years, is the founder and CTO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized … View Full Bio

Article source: https://www.darkreading.com/risk/success-enablers-or-silent-killers/a/d-id/1336502?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The cause of breaches has been well-known since the landmark “2017 Verizon Data Breach Investigations Report,” which revealed that 81% of hacking-related breaches leveraged either stolen and/or weak passwords.

Not much has changed in the past couple of years. Verizon’s 2019 report confirms the stolen and/or weak passwords number still comes in at around 80%, with 29% of breaches caused by stolen credentials.

So once again we ask: What will it take to get the industry to move off of passwords? And what’s stopping organizations from moving forward?

‘Our Best Bet’ for Ending Passwords  
“Organizations know that too many people use the same passwords over and over again. It’s a bad practice, but much of it is because of inertia. There are just too many other things to do,” says Rik Turner, a principal analyst at Ovum. “Moving forward, FIDO [Fast Identity Online authetication] is worth a look since it’s got many of the big consumer brand names behind it. It’s really become the best bet for the future of passwordless authentication.”

While it’s true the industry has been slow to change, a closer look reveals that much progress has been made in 2019. For example, Microsoft and Google now support passwordless standard FIDO2, and Apple made it clear it intends to support FIDO2 for its Safari browser. In another important move, Apple says iOS 13.3 (likely available early in 2020) will support popular FIDO-compliant authentication devices like the YubiKey.

On the consumer side, companies such as eBay have had their developers build their sites with the WebAuthn FIDO2 spec, which allows for passwordless authentication using biometrics, adds Andrew Shikiar, executive director and CMO of the FIDO Alliance. As of now, Android users running Google Chrome 75 can access eBay by authenticating with either a fingerprint or facial scan, whichever the device supports.  

Intuit, which also deployed FIDO passwordless authentication for its mobile services, found its customers successfully authenticated 99.9% of the time, compared to 80% to 85% for text messages. Sign-in time was also reduced by 78%. Shikiar says many more companies will offer passwordless authentication on their websites in the months ahead.

“We’re seeing that organizations are realizing that passwords are a liability,” he says. “With FIDO, organizations can improve the user experience, increase security, and reduce risk as well as time to authentication.”  

Matthew Ulery, chief product officer at SecureAuth, says organizations will change based on a combination of four important factors: an important industry peer (i.e., a bank or insurance company) gets breached and they don’t want to be the next victim; a new CEO or top executive comes into the organization and dictates that the company will move toward passwordless authentication; an organization realizes it finally has to do something to stop the ability of synthetic IDs to steal passwords; and, finally, customers push for change.

“Customers are pushing back,” Ulery says. “It’s now so easy to do fingerprint-reading or facial recognition on a smartphone that customers will want to know why they can’t move to a passwordless solution.”

There’s also an economic argument for moving to passwordless authentication. According to Frank Dickson, a program vice president at IDC who covers security issues, employees, on average, call the corporate help desk to reset their passwords up to twice a year. Each call costs between $30 and $40, so right off the bat passwordless authentication can help cut down on costs. In addition, because users are authenticating to applications and not the corporate network with passwordless authentication, companies can reduce calls related to help with their VPNs — and even eliminate their costs of managing a corporate VPN.

“Companies know they need to go passwordless, but they also need to find the money to do it,” Dickson says. “When they realize they can eliminate cost and add security by going passwordless, things will start to move. I expect that 2020 will be a year that much of this comes together.”

(Continued on next page) 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Article source: https://www.darkreading.com/theedge/mega-breaches-are-forcing-us-to-a-passwordless-world-are-we-finally-ready/b/d-id/1336538?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The cause of breaches has been well-known since the landmark “2017 Verizon Data Breach Investigations Report,” which revealed that 81% of hacking-related breaches leveraged either stolen and/or weak passwords.

Not much has changed in the past couple of years. Verizon’s 2019 report confirms the stolen and/or weak passwords number still comes in at around 80%, with 29% of breaches caused by stolen credentials.

So once again we ask: What will it take to get the industry to move off of passwords? And what’s stopping organizations from moving forward?

‘Our Best Bet’ for Ending Passwords  
“Organizations know that too many people use the same passwords over and over again. It’s a bad practice, but much of it is because of inertia. There are just too many other things to do,” says Rik Turner, a principal analyst at Ovum. “Moving forward, FIDO [Fast Identity Online authetication] is worth a look since it’s got many of the big consumer brand names behind it. It’s really become the best bet for the future of passwordless authentication.”

While it’s true the industry has been slow to change, a closer look reveals that much progress has been made in 2019. For example, Microsoft and Google now support passwordless standard FIDO2, and Apple made it clear it intends to support FIDO2 for its Safari browser. In another important move, Apple says iOS 13.3 (likely available early in 2020) will support popular FIDO-compliant authentication devices like the YubiKey.

On the consumer side, companies such as eBay have had their developers build their sites with the WebAuthn FIDO2 spec, which allows for passwordless authentication using biometrics, adds Andrew Shikiar, executive director and CMO of the FIDO Alliance. As of now, Android users running Google Chrome 75 can access eBay by authenticating with either a fingerprint or facial scan, whichever the device supports.  

Intuit, which also deployed FIDO passwordless authentication for its mobile services, found its customers successfully authenticated 99.9% of the time, compared to 80% to 85% for text messages. Sign-in time was also reduced by 78%. Shikiar says many more companies will offer passwordless authentication on their websites in the months ahead.

“We’re seeing that organizations are realizing that passwords are a liability,” he says. “With FIDO, organizations can improve the user experience, increase security, and reduce risk as well as time to authentication.”  

Matthew Ulery, chief product officer at SecureAuth, says organizations will change based on a combination of four important factors: an important industry peer (i.e., a bank or insurance company) gets breached and they don’t want to be the next victim; a new CEO or top executive comes into the organization and dictates that the company will move toward passwordless authentication; an organization realizes it finally has to do something to stop the ability of synthetic IDs to steal passwords; and, finally, customers push for change.

“Customers are pushing back,” Ulery says. “It’s now so easy to do fingerprint-reading or facial recognition on a smartphone that customers will want to know why they can’t move to a passwordless solution.”

There’s also an economic argument for moving to passwordless authentication. According to Frank Dickson, a program vice president at IDC who covers security issues, employees, on average, call the corporate help desk to reset their passwords up to twice a year. Each call costs between $30 and $40, so right off the bat passwordless authentication can help cut down on costs. In addition, because users are authenticating to applications and not the corporate network with passwordless authentication, companies can reduce calls related to help with their VPNs — and even eliminate their costs of managing a corporate VPN.

“Companies know they need to go passwordless, but they also need to find the money to do it,” Dickson says. “When they realize they can eliminate cost and add security by going passwordless, things will start to move. I expect that 2020 will be a year that much of this comes together.”

(Continued on next page) 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Article source: https://www.darkreading.com/theedge/mega-breaches-are-forcing-us-to-a-passwordless-world-are-we-finally-ready/b/d-id/1336538?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Republicans and Democrats in Congress have come together to support ending one of the National Security Agency’s more controversial surveillance programs. The call-detail records program, which collects metadata on every telephone call to, from, or within the US, would end under a bill introduced by Sen. Richard Burr (R) of North Carolina and Sen. Mark Warner (D) of Virginia, the ranking members on the Senate Intelligence Committee.

According to senators, the program, begun in the aftermath of the 9/11 attacks, no longer effectively serves its intended purpose. The program was significantly changed after its existence was disclosed by Edward Snowden in 2013. The NSA has struggled to satisfy the new requirements of the program, ultimately suspending it in 2018 and purging all records collected since 2015.

The Trump administration has defended the program and called for its continuation. Despite this support, senators on the intelligence committee say that its current effectiveness does not justify the public relations and operational liabilities the program poses. Sen. Ron Wyden (D) of Oregon has announced that he will introduce a bill that would prohibit certain location-tracking surveillance activities and require more transparency from intelligence agencies.

For more, read here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “10 Security ‘Chestnuts’ We Should Roast Over the Open Fire.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/senators-call-for-end-to-controversial-nsa-program/d/d-id/1336544?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Republicans and Democrats in Congress have come together to support ending one of the National Security Agency’s more controversial surveillance programs. The call-detail records program, which collects metadata on every telephone call to, from, or within the US, would end under a bill introduced by Sen. Richard Burr (R) of North Carolina and Sen. Mark Warner (D) of Virginia, the ranking members on the Senate Intelligence Committee.

According to senators, the program, begun in the aftermath of the 9/11 attacks, no longer effectively serves its intended purpose. The program was significantly changed after its existence was disclosed by Edward Snowden in 2013. The NSA has struggled to satisfy the new requirements of the program, ultimately suspending it in 2018 and purging all records collected since 2015.

The Trump administration has defended the program and called for its continuation. Despite this support, senators on the intelligence committee say that its current effectiveness does not justify the public relations and operational liabilities the program poses. Sen. Ron Wyden (D) of Oregon has announced that he will introduce a bill that would prohibit certain location-tracking surveillance activities and require more transparency from intelligence agencies.

For more, read here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “10 Security ‘Chestnuts’ We Should Roast Over the Open Fire.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/senators-call-for-end-to-controversial-nsa-program/d/d-id/1336544?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

CyrusOne, a major provider of data center facilities with more than 1,000 customers and 45 data centers, this week confirmed a ransomware attack aimed at its managed services division.

In a statement issued Thursday, the company announced the division is “working to restore availability issues” for six managed service customers after a ransomware attack encrypted certain devices. These businesses are primarily serviced by CyrusOne’s New York data center. Data center co-location services, including IX and IP Network Services, are not involved, it says.

When CyrusOne discovered the incident, it began response and continuity protocols to determine what happened, notify authorities, and get its systems back up and running. An investigation is ongoing, and third-party experts are helping CyrusOne to mitigate the attack.

The attack involved a version of REvil/Sodinokibi ransomware, ZDNet reports. This is the same form of ransomware that struck three managed service providers in a June campaign, in which adversaries leveraged remote management tools to distribute ransomware on user systems.

Read more details about the CyrusOne incident here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “10 Security ‘Chestnuts’ We Should Roast Over the Open Fire.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/data-center-provider-cyrusone-confirms-ransomware-attack/d/d-id/1336545?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

CyrusOne, a major provider of data center facilities with more than 1,000 customers and 45 data centers, this week confirmed a ransomware attack aimed at its managed services division.

In a statement issued Thursday, the company announced the division is “working to restore availability issues” for six managed service customers after a ransomware attack encrypted certain devices. These businesses are primarily serviced by CyrusOne’s New York data center. Data center co-location services, including IX and IP Network Services, are not involved, it says.

When CyrusOne discovered the incident, it began response and continuity protocols to determine what happened, notify authorities, and get its systems back up and running. An investigation is ongoing, and third-party experts are helping CyrusOne to mitigate the attack.

The attack involved a version of REvil/Sodinokibi ransomware, ZDNet reports. This is the same form of ransomware that struck three managed service providers in a June campaign, in which adversaries leveraged remote management tools to distribute ransomware on user systems.

Read more details about the CyrusOne incident here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “10 Security ‘Chestnuts’ We Should Roast Over the Open Fire.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/data-center-provider-cyrusone-confirms-ransomware-attack/d/d-id/1336545?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple