
The Complex Realities of a Cybersecurity Program


Mark Morrison, Chief Information Security Officer, OCC
As October is Cybersecurity Awareness Month, I’d like to share what I believe are some significant cybersecurity issues that don’t always make it into today’s headlines.
Limited Standards for Technology Infrastructure Are Problematic
The companies that develop the underlying information technology infrastructure are rarely held accountable for creating secure operating systems, cloud platforms, web servers, and network equipment. Yet the design and implementation of these products are crucial for building secure systems on top of them.
Aside from a few highly regulated environments, U.S. cybersecurity regulation for the most part relies on voluntary adherence to "industry best practices" rather than on a set of mandatory security requirements. For example, the federal government mandates airplane and automobile safety features such as seatbelts and airbags, but it has no cybersecurity equivalent.
As a result, CISOs are constantly plugging holes in both legacy and newly acquired information technology components that never should have existed in the first place. This is not optimal. Ideally, CISOs should instead be concentrating on the integration of security capabilities to achieve business objectives while operating in a risk-acceptable environment.
For example, there is an ongoing push to adopt blockchain technology within the financial sector. While blockchain offers enticing improvements in financial data processing and information security, it runs on existing infrastructure. As we have seen, sophisticated cyber adversaries are adept at exploiting infrastructure vulnerabilities so that the security of the application is rendered less meaningful.
This is like building a fortress on a foundation of sand. We need cybersecurity across the entire technology stack. The same principle applies to cloud technology, as the Spectre and Meltdown processor-level vulnerabilities showed: flaws in the CPU itself let code in one process or virtual machine read memory belonging to another on the same hardware, regardless of how carefully the application above it was written.
Consumer Trust Is Misplaced
A related challenge is the issue of misplaced trust. Many people both at work and at home erroneously assume technology vendors, social media providers, retailers, medical providers, and financial institutions will be able to protect their most personal information. Ceding trust in this way can harm the average consumer or business.
For example, Facebook was recently exploited by attackers in part because the company lacked a detailed understanding of its own business processes, potentially exposing consumer information. Or, with the Equifax data breach, people trusted the company to protect their confidential information, yet Equifax was lax in applying an available patch for a known vulnerability in the Apache Struts web framework.
Considering the increasingly digital world we live in, reliance on technology has become a necessity. Data breaches may become more common, with people accepting them as a cost of doing business or living within the digital world.
Cyber-Attacks Not Seen as an Everyday Occurrence
Part of the high consumer trust may be related to reporting on cyber-attacks.
While the media rightfully reports on the Department of Justice and FBI indictments of domestic and foreign adversaries (Russia, China, North Korea, along with recent CIA and NSA employees), this emphasis leaves the mistaken impression that cyber-attacks are rare occurrences perpetrated by a small number of state-sponsored actors that are part of the global geopolitical landscape.
In fact, organizations face cyber-attacks constantly, often many times a day. Most news readers don't realize this, and the corresponding shift in thinking has yet to reach many companies. In the business world, cyber risk is still assessed as an independent risk factor and has yet to be fully integrated into the overall corporate risk assessment and acceptance process. It needs to be weighed alongside business, financial, operational, and regulatory risks.
As the CISO of the world's largest equity derivatives clearing organization, I know that it is important to measure the effectiveness of your security program and to calculate the residual risk, ideally in dollars, the terms best understood by your board of directors. Too many times we establish metrics that focus on what we can measure rather than on what we should be measuring.
The challenge is that the metrics must be inextricably linked to the critical business process and operations. A broad scope of testing at multiple levels is key; it provides empirical data and demonstrates some independence for the overall security program.
A Proper Fix Requires a Proper Identification of the Problem
As was well-documented in the annual Verizon Data Breach Investigations Report, about 85 percent of the security vulnerabilities being exploited are known vulnerabilities with an issued vendor patch. So our largest and most significant problem is basic security hygiene—blocking and tackling.
These are the most common types of attacks. And cybersecurity professionals across many industries deal with them frequently.
The more widely this fact is understood, the sooner we can address the root of the problem and build a solid foundation for more secure technology.
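To make the two preceding points concrete (metrics tied to the business process rather than to raw counts, and patch hygiene as the dominant problem), here is an added worked example that is not from the original article or from OCC. It takes a constructed asset inventory, where each host is mapped to the business process it supports and to a hypothetical dollar loss estimate, plus a constructed list of vulnerability findings with vendor patch dates. It then reports, per business process, the number of open findings, how many days hosts ran with a fix already available, and the dollars at risk. The advisory identifiers, hostnames and dollar figures are all invented for illustration.

```python
"""Patch-exposure metrics tied to business processes (constructed example)."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    business_process: str   # the business process this host supports
    exposure_usd: float     # hypothetical loss estimate if the host is compromised


@dataclass(frozen=True)
class Finding:
    host: str
    advisory: str                 # hypothetical vendor advisory identifier
    patch_released: date          # date the vendor shipped the fix
    remediated: Optional[date]    # None means the host is still unpatched


def exposure_days(finding: Finding, as_of: date) -> int:
    """Days the host ran with a fix available; open findings count up to as_of."""
    end = finding.remediated or as_of
    return max((end - finding.patch_released).days, 0)


def metrics_by_process(assets: List[Asset], findings: List[Finding], as_of: date) -> Dict[str, dict]:
    """Per business process: open findings, exposure window, and dollars at risk."""
    by_host = {a.host: a for a in assets}
    acc: Dict[str, dict] = {}
    for asset in assets:
        acc.setdefault(asset.business_process,
                       {"open": 0, "days": [], "hosts_at_risk": set()})
    for f in findings:
        asset = by_host[f.host]
        m = acc[asset.business_process]
        m["days"].append(exposure_days(f, as_of))
        if f.remediated is None:
            m["open"] += 1
            m["hosts_at_risk"].add(asset.host)   # a host counts once however many findings it has
    result: Dict[str, dict] = {}
    for proc, m in acc.items():
        result[proc] = {
            "open": m["open"],
            "exposure_days_median": median(m["days"]) if m["days"] else 0,
            "exposure_days_max": max(m["days"]) if m["days"] else 0,
            "usd_at_risk": sum(by_host[h].exposure_usd for h in m["hosts_at_risk"]),
        }
    return result


def sla_breaches(findings: List[Finding], as_of: date, sla_days: int) -> List[Tuple[str, str]]:
    """Findings (open or closed) whose exposure window exceeded the patching SLA."""
    return [(f.host, f.advisory) for f in findings if exposure_days(f, as_of) > sla_days]


# Constructed sample inventory and findings (not real systems or advisories).
AS_OF = date(2018, 10, 31)
ASSETS = [
    Asset("clr-app-01", "Trade clearing", 5_000_000),
    Asset("clr-db-01", "Trade clearing", 8_000_000),
    Asset("hr-web-01", "HR portal", 200_000),
    Asset("kiosk-07", "Lobby kiosk", 10_000),
]
FINDINGS = [
    Finding("clr-app-01", "ADV-2018-001", date(2018, 3, 6), date(2018, 3, 20)),
    Finding("clr-db-01", "ADV-2018-002", date(2018, 9, 1), None),
    Finding("hr-web-01", "ADV-2018-003", date(2018, 6, 15), date(2018, 10, 20)),
    Finding("kiosk-07", "ADV-2018-004", date(2018, 10, 25), None),
    Finding("clr-app-01", "ADV-2018-005", date(2018, 10, 29), None),
]

if __name__ == "__main__":
    for proc, m in metrics_by_process(ASSETS, FINDINGS, AS_OF).items():
        print(f"{proc:16} open={m['open']} median_days={m['exposure_days_median']} "
              f"max_days={m['exposure_days_max']} usd_at_risk={m['usd_at_risk']:,.0f}")
    print("SLA breaches (>30 days):", sla_breaches(FINDINGS, AS_OF, 30))
```

Counting open findings alone ranks the lobby kiosk one-third as important as trade clearing (one finding versus two); weighting by the business process puts the clearing platform at $13M at risk against $10K for the kiosk, which is the comparison a board can act on. The SLA list also catches the HR portal, whose finding is now closed but ran 127 days past the patch release, a hygiene gap that a snapshot of open findings would hide.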
