Slashdot Mirror


On Cybersecurity, Execs Are Burying Their Heads In the Sand (bizjournals.com)

An anonymous reader shares a report on BizJournals: Despite increased spending on cybersecurity, most executives are unprepared, even willfully ignorant, of the threats that could damage their businesses. A survey of 1,530 C-level executives across a range of industries found a widespread feeling that cybersecurity is an "IT problem," even as CEOs personally shoulder the consequences for breaches. "The Target breach was one of the more significant ones: Executives can be held accountable," says David Damato, chief security officer at Tanium. "But there's still that disconnect. Executives still struggle with: 'What should I be looking for?'"

45 comments

  1. You want the simple answer? by gcnaddict · · Score: 2

    Put the fucking CISO on the executive board.

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    1. Re:You want the simple answer? by Z00L00K · · Score: 3, Insightful

      Wouldn't help until there's a breach of security anyway.

      Way too many don't see the need for improvements in security until it's too late.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:You want the simple answer? by gcnaddict · · Score: 1

      The CISO's job is to aid in boosting security posture and mitigate risk. I'd venture that most won't just sit down and plug their ears since it's their job to do exactly the opposite.

      --
      Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    3. Re:You want the simple answer? by Z00L00K · · Score: 3, Interesting

      No, but the other persons on the board will just say STFU, we got this and kick him out.

      That's because they don't think that they will suffer the "pants down" situation when the shit hits the fan.

      And that's why the IT department is held off from the board of directors, and why IT departments are outsourced.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    4. Re:You want the simple answer? by Opportunist · · Score: 3, Insightful

      As long as he still doesn't get any power, he's still just the scapegoat. It's like sitting on an ejector seat, and some asshole on another continent you don't even know has the button to shoot you out.

      You don't have to put the CISO on the board. He only needs two powers: First, the power to put his foot down and stop a project if it becomes dangerous. And second to fully put the weight of the responsibility onto the shoulders of whoever overrules him.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Cybersecurity IS a C-level problem by Stolpskott · · Score: 2

    Yes, the technical analysis and implementation of security fixes/updates for hardware and software within a company is a set of IT tasks, but the task of budgeting for that is/should be a finance task, with oversight from C-level legal representation.
    If the CEO doesn't know how to handle it, that is fine - as long as he/she understands that they are the ones who will ultimately be left holding the can for a data breach, they will have the incentive to get somebody in place who does know how to handle it - the role of the CEO is to be the figurehead and "big picture" source, not subject-matter expert in all areas.
    So the CEO needs to think "this is an IT problem, but I will be carrying the can for a problem, so I need to talk to the head of IT and see what they need to help me save my job", and work from there.

    1. Re:Cybersecurity IS a C-level problem by Anonymous Coward · · Score: 0

      I think the real problem is the employment contracts these executives have. They are hired to take risks, so their employment contracts have "golden parachutes". A big severance check if they screw up. Then, they can peddle their mistake on the next job as a reason they need to be hired because they have first-hand knowledge of how important cyber security is. If severance benefits are removed when security breaches happen, then executives will take cyber security seriously.

  3. What should CEO's be looking for? by Anonymous Coward · · Score: 0

    Well, the CEOs can start by looking at their own system account - the one with all the access to private customer data and corporate secrets - and changing the password to something other than '123456.'

    What, they won't do that? And it's IT's fault for bitching about it?

    Guess the CEO's are fucked, then.

  4. Haha by Anonymous Coward · · Score: 0

    Just yesterday I found a forum post by the former Windows Division president at Microsoft (from 2009-2012 IIRC) talking about how the Commodore 64 was such a great machine because it "was unhackable." He said he had the authority to call it such ~"as CIO of an international Fortune 500 company".

    Of course in the replies below were several explanations of many, many hacks that could be used on a Commodore 64 ranging from simple keypresses to complex serial port inputs.

  5. CEOs Aren't Paid to Care About Cybersecurity by Anonymous Coward · · Score: 1

    From the standpoint of the CEO, cybersecurity is costly, unlikely to improve earnings or boost the stock price and possibly disruptive to existing business operations. It's much cheaper and easier to purchase insurance against the costs of an attack or breach, should one occur, than it is to be proactive and throw lots of money into techs, consultants and the ongoing costs to deploy, train people and maintain it all. American CEOs are mostly concerned with the stock price in the short term because that is what their compensation is based on. They want to increase the share price as much as possible as quickly as possible with little regard to what the long term outcome will be. These CEOs also know that the average tenure of an American CEO is often less than five years and even if they fail they have a golden parachute clause in their contracts that will allow them to live comfortably for the rest of their lives regardless of what happens. Now I ask you, given these incentives, if you were the CEO, what would you do?

    1. Re:CEOs Aren't Paid to Care About Cybersecurity by gcnaddict · · Score: 1

      It's much cheaper and easier to purchase insurance against the costs of an attack or breach

      ...right, which'll result in an Insurance Institute for Cyber Security (ugh) which'll mandate certain precautions in order to reduce losses. Insurance will be the driving factor in determining which controls work, and any CISO would be an idiot to buy insurance and not implement the controls the insurers want.

      --
      Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    2. Re:CEOs Aren't Paid to Care About Cybersecurity by AchilleTalon · · Score: 1

      Nice, the CEO will then purchase insurance against a data breach, I don't see any problem with this. However, the insurer will accept to cover the risk only if certain conditions are met. This is then back to the CEO to make sure the conditions required to ensure the insurance will effectively cover the risk and a data breach will not turn into a legal case where the insurer will deny any payment to the company because the CEO didn't take his responsibility to make sure the security is managed appropriately and according to the insurance contract.

      Purchasing an insurance is absolutely required, however it doesn't automagically make someone else responsible for the security.

      --
      Achille Talon
      Hop!
  6. The "IT problem" by nine-times · · Score: 5, Insightful

    The summary says that many view security as an "IT problem", but it probably fits into the category of IT problems where the real problem is the company's management.

    As someone who has worked in IT for decades, I don't think that I've ever seen a security initiative where the biggest challenge wasn't persuading management. The first task is persuading management that security is important enough to even consider. The second is persuading them that it's worth spending any amount of money on, rather than asking IT to do what they can without additional resources of any kind. The next challenge is getting management to listen to security experts rather than going off the CEO's half-baked misunderstandings of how security works. The fourth is convincing them to enforce security policies even in cases when the employees don't like them. Finally, you need to get management to follow the security policies themselves, rather than requiring IT to carve massive holes in the security policy for the CEO's convenience.

    In my experience, it's pretty rare that IT departments can make it past the second hurdle-- being able to allocate money/resources to security. Even when they do, the security that gets implemented is often porous and full of security theater.

    1. Re:The "IT problem" by Anonymous Coward · · Score: 0

      ...and then there's Mordac the Preventer of IT Services, the dark side of Security. The kind that enforces mandatory password changes every 30 business days, and makes disk quotas and security restrictions ON DEV SERVERS... you know the type. Has no regard for user processes, for what the company does, he just sees security as the top priority.

      In all my years as sysadmin (less than 20, more than ten), I tried hard not to be like him.

      Empathy for the users is a good thing :)

    2. Re:The "IT problem" by Anonymous Coward · · Score: 0

      Or you have the admins like me who, like the Italian mob, work over the CFO.

      I learned this method when my Security+ teacher was discussing how he got his school district to go from hubs to switches by calling up the Superintendent and telling him "So hey, I've been playing with this awesome new software called sniffit, and noticed there's someone who logs into yahoo with a password of picklesandjars, and then there's this other password of slugsby, oh and "..."Jason, how did you get my passwords?", "Oh, through this totally awesome software package that like totally like any student can get for free and gives them full access to sniff packets off the network since we're on hubs and hubs broadcast the packets everywhere. Of course we could buy switches since the kit is up for refresh anyway...".

      Watch:

      I tell management "The competitive advantage we get from deploying basic security on our infrastructure is that when our competitors don't, and the Eastern Europeans figure out a new way to get the dosh, they get screwed, we get their business."

      "Oh well that's BS".

      Then crypto-locker happened to someone's PC that had hardly any data on it but it nailed the main server. I had recently used my Boss skills to get our backup infrastructure set up right, which was a part of the package, so we were back up and running the next day with virtually zero data loss.

      Our competitors?

      "Well Company X and Y and Z got hit by the same thing. X Paid the ransom, Y was out for a week, Z lost everything. Jesus. I had no idea." Said the sales guy to the CFO over dinner. The sales guy also said to the other sales guys "That's funny we were down for half a day, paid no ransom, and lost nothing".

    3. Re:The "IT problem" by uniquegeek · · Score: 2

      I'm always blown away by how much work it is to do this with IT. Do they tell accountants to not use basic accounting principles and resources?

      (Well. Maybe sometimes they do.)

    4. Re:The "IT problem" by uniquegeek · · Score: 4, Insightful

      I agree, but I'd say those are rare. We have so many "Mordac" problems more due to perception and lack of accountability.

      At my last job, we didn't have dev servers, never mind someone in security. Several services were lacking in failover because there only was one machine, which would typically be 1-4 years behind in patches and updates. We had 1/3 of the IT staff that other comparable organizations would have. I left last year, and they still haven't replaced me. Most of us on the team were capable of doing a lot better - if only we had had the resources and were allowed to do what we do best.

      The IT manager was treated like Mordac of IT services because forcing their computers to have passwords and not being able to install any crapware they felt like was "preventing them from doing their work". The token argument when people weren't getting their way was "But I NEED this". I NEED to install some sketchy tool I found on the internet. I NEED to install this cute bubbly font I found for free on the internet (well the web page said it was free and it didn't cost me anything, so that means it's legit, right?). What do you mean you won't help me with this personal project that has nothing to do with the business? I NEED dropbox because how can I back up my stuff if I don't... no, no, I'm not interested in listening in how stuff is backed up already, I would much prefer to store sensitive data wherever and copy it to my non-password protected malware-infected devices at home. YOU'RE PREVENTING ME FROM DOING MY JOB! WAAAAAAA!

      If crying to the other IT members separately doesn't work, then they cry to upper management.

      Every IT person who is just trying to do their job is a Mordac to a large group of people. Ignorance or unwillingness to learn the tools of a job is no excuse for sabotaging it or blaming others, and we need to call bullshit on it.

      There's been a big focus on security recently that if users are doing the wrong thing, then it's actually the security team's responsibility to make sure that you find a way to make it easy for people to do the right thing. It's a step in the right direction. But there are still some basic standards where we need to say "It's a basic requirement of the job. It's 2016. Get over it, or go a job that's not in an office environment."

    5. Re:The "IT problem" by __aaclcg7560 · · Score: 2

      As someone who has worked in IT for decades, I don't think that I've ever seen a security initiative where the biggest challenge wasn't persuading management.

      I work for a government IT security initiative that has national and regional support to get the job done. Local support is almost nonexistent since fixing security issues means a local tech will have to track down a computer, persuade the user to surrender it, and then re-image the system to bring it back into compliance. They don't want to touch a system unless a user reports a problem. Security is proactive and not reactive. Since I'm the regional rep assigned to the facility, the local management wants me to go find and re-image these systems for them. It's not my job. Last I checked there were 300+ systems that needed re-imaging and the list keeps growing.

    6. Re:The "IT problem" by Anonymous Coward · · Score: 0

      "Well Company X and Y and Z got hit by the same thing. X Paid the ransom, Y was out for a week, Z lost everything. Jesus. I had no idea." Said the sales guy to the CFO over dinner. The sales guy also said to the other sales guys "That's funny we were down for half a day, paid no ransom, and lost nothing".

      Had you somehow made it entirely impossible to get hit*, nobody would've noticed anything at all. This would be obviously better but much worse. Thus, "we" deserve our misery. For once "we" learn that yes, these invisible cyberbogeys are real and can be avoided once you listen to your IT people instead of insisting on them supporting your poor choices, only then will "we" be able to free ourselves from this misery.

      * "Brick wall across the motorway" style, like, only thin clients contacting a *BSD remote desktop server running on POWER hardware. Apart from better engineering, it's not a guaranteed solution but currently so far from mainstream that it's very unlikely indeed a drive-by-download will know what to do with it. You can drive through most brick walls just fine with a tank, but who routinely drives tanks on the motorway?

    7. Re:The "IT problem" by mcswell · · Score: 1

      IMHO, this story (I'll assume it's true, and not just boasting or wishful thinking) deserves to be told in a much wider forum (like the Wall Street Journal), with the X, Y and Z replaced by real names, and especially with your company's name.

    8. Re:The "IT problem" by nine-times · · Score: 2

      The kind that enforces mandatory password changes every 30 business days...

      That's the sort of thing I mean by "security theater" actually. Overly strict password policies can actually worsen security. I've seen a company where some management guy insisted that everyone reset their password every 30 days (but it would start warning you 2 weeks early, so it would actually prompt you to reset your password every 16 days or so), then the password had to be 14 characters long, couldn't be any of your last 14 passwords, and needed to have a capital letter, lower-case, number, and symbol. Half the people had a post-it on their monitor with their password. The other half used passwords like "P@ssw0rd9!!!!!"

      Or to give another example that I've described here on Slashdot before: I once worked at a company where one of the doors needed a 4-digit key code to enter. In order to make it more secure, they started resetting the code every few months. It was a pretty high-traffic door, though, and people kept forgetting the code. First, someone had the bright idea to put up a sign telling people what the code was, right next to the door. When management said they couldn't do that, people started propping the door open with a door-stop. Eventually they realized that rotating the code wasn't actually improving security, so they stopped.
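As an added illustration of the "security theater" point above (example code written for this page, not from the comment author), the policy the comment describes is encoded as a checker and run against the password the comment quotes, alongside a normalise-and-blocklist screen of the kind NIST SP 800-63B recommends instead of composition rules. The blocklist, leet map and sample passwords are this example's own constructed assumptions.

```python
"""Composition-rule password policy vs. a blocklist screen.

Shows why the 14-char / four-class / 14-history policy accepts a predictable
password while rejecting a decent passphrase, and how normalising the
candidate (undo leet-speak, strip trailing filler) before a blocklist and
history check catches what the composition rules miss.
"""
import re
import string

# The policy exactly as the comment describes it.
MIN_LENGTH = 14
HISTORY_DEPTH = 14

# Constructed, deliberately tiny blocklist; a real deployment screens against
# a large breached-password corpus.
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}

# Common substitutions people use to satisfy "must contain a symbol/digit".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def meets_composition_policy(password: str, history: list[str]) -> bool:
    """True if the password satisfies the strict composition policy."""
    if len(password) < MIN_LENGTH:
        return False
    has_all_classes = (
        any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )
    if not has_all_classes:
        return False
    # "Can't be any of your last 14 passwords" (exact match only).
    return password not in history[-HISTORY_DEPTH:]


def normalise(password: str) -> str:
    """Reduce a password to the base word the user actually remembers.

    1. Strip the trailing run of digits/symbols that is typically appended
       as filler or as a rotation counter ("...9!!!!!", "...2016!").
    2. Undo leet-speak substitutions and lower-case the result.
    """
    without_filler = re.sub(r"[^A-Za-z]+$", "", password)
    return without_filler.translate(LEET_MAP).lower()


def is_weak_by_screening(password: str, history: list[str]) -> bool:
    """Blocklist + rotation screen: reject known-bad bases and any password
    whose base matches a previous password's base (e.g. Winter2015 -> Winter2016)."""
    base = normalise(password)
    if base in COMMON_BASE_WORDS:
        return True
    return any(normalise(old) == base for old in history)


def evaluate(password: str, history: list[str]) -> dict:
    """Compare both checks for one candidate; returns a small report."""
    return {
        "password": password,
        "base": normalise(password),
        "passes_composition_policy": meets_composition_policy(password, history),
        "rejected_by_screening": is_weak_by_screening(password, history),
    }


if __name__ == "__main__":
    # Constructed samples: the password quoted in the comment, a rotation of
    # a previous password, and a passphrase with no upper-case letter.
    samples = [
        ("P@ssw0rd9!!!!!", []),
        ("Winter2016!!!!!!", ["Winter2015!!!!!!"]),
        ("correct-horse-battery-staple-42", []),
    ]
    for pw, hist in samples:
        print(evaluate(pw, hist))
```

The composition policy accepts both predictable passwords and rejects the passphrase; the screen does the opposite.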

  7. What is the appropriate course of action by sphealey · · Score: 1

    The question that I always have when reading essays of this type is, what is the appropriate course of action? Setting up business information systems to be thoroughly and deeply secure would take 100% of the financial resources of a good-sized organization and would render the business tools virtually unusable by ordinary human beings. OTOH it is becoming increasingly clear that all of our interconnected systems are penetrated to some degree, including those of the organization's banks, trading partners, and government. If everyone is insecure is there any profit or even any theoretical reason to make one's own systems fortress-like?

    That's even leaving aside the question of exactly how an organization would go about this, given that we now know that every firewall and router we use for security has been compromised by national intelligence agencies and it appears that one of the most ubiquitous operating systems has been since 1996 as well.

    sPh

    1. Re:What is the appropriate course of action by Anonymous Coward · · Score: 0

      I think that what people want is to have a person that has enough power to get things done when they come across problems. A person that has a team actively looking for problems and staying at the very least abreast to known problems, as well as actively notifying those involved (usually customers) of breaches. Also better design of systems and security measures. I'm not talking just avoiding dictionary attack passwords, I'm talking that employee A or CEO B has no need to have access to a lot of the information, so their accounts shouldn't have direct access. If they do need it, give them more than one account or temp elevation.

    2. Re:What is the appropriate course of action by Opportunist · · Score: 1

      The key word is risk management. You needn't be 100% secure. The cutoff is no later than where the cost of security trumps the possible damage of a breach (obviously), but it is usually far, far lower.

      What you have to aim for is sensible security. And we're far from even picking the low-hanging fruit; there are a lot of quick wins in ITsec most companies simply still didn't go for.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. radical idea by Anonymous Coward · · Score: 0

    Put people in those positions who actually understand everything about the business they are running, and not just privileged douches with zero talents whatsoever.

  9. Endless audits, very little actual work. by clintp · · Score: 4, Interesting

    Once the executive team figures out that IT security is really important they tend to fuck it all up with an endless parade of audits and consultants.

    Like any parade, it's all for show. These people swoop in, make IT teams fill out questionnaires, conduct interviews, write reports, make recommendations, but nothing real actually gets done. What IT needs are people willing to get their hands dirty and actually help out with these projects. IT winds up having more thrown on their plate without increases in staffing or budget.

    Ditch your PricewaterhouseCoopers schmucks and hire someone to actually do the work.

    --
    Get off my lawn.
    1. Re:Endless audits, very little actual work. by Anonymous Coward · · Score: 0

      What IT needs are people willing to get their hands dirty and actually help out with these projects.

      Hire me or people like me. I am a specialist. Contractors are knocking down my door to be part of the platitude parade but all I want to do is get shit done. No organization is hiring people like me despite "high demand". You want people that can help, put your money on the table. We will come.

  10. What should I be looking for? by fluffernutter · · Score: 1

    "What should I be looking for?"

    How about a competent IT staff that are happy with what they do and don't feel like they're working for bottom dollar.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:What should I be looking for? by Anonymous Coward · · Score: 0

      Don't forget the part where "GUI everything" enabled "IT administration" through monkeys getting paid peanuts. Oh and software sold on eye candy with security being "not important" to the manufacturer (famous own words). Same sort of mechanism that made filling datacentres with desktop boxes with hard-wired one-screen-one-keyboard seem like a good idea, only to need patching up by bolting on a second computer with a separate OS (in firmware, neglected, just as much full of holes, though likely different ones, yet certainly unfixable in case of breach) later.

      All those are "IT problems" ultimately created by management taking shortcuts. And now we find that a foundation built out of shortcuts will never really cut it. In fact, there is an entire "computer security industry" that sells non-solutions and tiny piecemeal "fixes" for some large multiple over doing it right the first time. Quelle surprise.

      It's been going on for so long that merely hiring competent staff no longer cuts it, even if you can find 'em.

  11. Market Solution by ISoldat53 · · Score: 1

    I have had five new credit cards issued in the last year. My bank never tells me who screwed up. If I knew what companies compromised my information, I would not deal with them. Let the market put pressure on CEOs to fix their security.

    1. Re:Market Solution by Intron · · Score: 1

      Penalizing the victims leads to a bad outcome. It will discourage companies from being open about security problems that they've experienced so that they can be fixed everywhere.

      --
      Intron: the portion of DNA which expresses nothing useful.
  12. Theatre by Anonymous Coward · · Score: 0

    Theatre is great up till the part where what you're protecting has the ability to destroy all kinds of lives then it's a good idea not to wear the blinkers.

  13. Well, duh by Anonymous Coward · · Score: 0

    New features in a long list--longer than the competition--sell products and increase the status of the engineers and their managers.
    Invisible increased security, none.
    Engineers are expensive--do you assign a new one to grind out new features--or to security?

    Here's another example: there are over 15 million bitcoin in existence, yet no one has yet figured out and implemented a way to prevent child porn from being irrevocably encoded and broadcast as transaction records in the permanent blockchain. How about state-sponsored fork hijacking? Ought progress on promoting bitcoin cease until all possible exploits real and imagined are mulled and defended against?

  14. Sounds cliche but... by Anonymous Coward · · Score: 1, Interesting

    Windows is the problem. Always has been, always will be. They've done nothing to address their broken auth system. Every APT and pentest since the widespread adoption of NT 4.0 has been: Own any one workstation or server on a network, dump the cached credentials or crack the local admin account, dump the domain controller, crack everyone's password, lulz, repeat lulz until satisfied.

    Now, why do businesses run Windows? Office. Seriously the only reason. All other software could just as easily have been written for another platform given that it's 3rd party. Office keeps Windows afloat in business.

    Why Office? Calendar and Outlook. The rest are just necessary to be a productivity suite. It's the one piece open source has failed to replicate well.

  15. Seriously? by Intron · · Score: 1

    Do you think that the companies who are outsourcing their IT jobs and network management to companies in India care about security? Anybody have numbers on what percent of breaches are either inside jobs or recently laid-off workers?

    --
    Intron: the portion of DNA which expresses nothing useful.
  16. CISO role by Tool+Man · · Score: 1

    If not on the board, answering to the CFO is a good alternative. The CFO ultimately cares about all things that cost money, and should consider things besides uptime. That was a conflict I'd seen before, where security reports to an operations director, who tends to care about little besides 100% uptime.

  17. It IS an IT problem by DogDude · · Score: 2

    Of course it's an IT problem. IT people always seem to think that every IT problem is a #1 priority issue in every organization. The thing is, IT isn't #1 unless it's an IT company. IT keeping things secure is just as important as keeping the physical doors locked. It's important, but it's not the CEO's job, any more than it's the CEO's job to make sure that the locks are working properly on the company's doors.

    IT people need to take their heads OUT of the sand, and realize that what they do, while important, isn't any more important than any other pieces of large organizations.

    --
    I don't respond to AC's.
    1. Re:It IS an IT problem by Anonymous Coward · · Score: 0

      No, information security is an organizational problem. Even Caesar Augustus had problems keeping plans secret. These issues are thrust at IT for a variety of reasons, but information security has never been just about IT. Business leaders need to be educated and take responsibility too. A person from sales can copy down critical information by hand and the best IT security team in the world couldn't do a damn thing to stop that intellectual property from walking out the door.

    2. Re:It IS an IT problem by Ryanrule · · Score: 1

      No, fuck you in the face. 90% of companies today ARE IT companies, whether they want to admit it or not.

    3. Re:It IS an IT problem by DogDude · · Score: 1

      No, fuck you in the face. 90% of companies today ARE IT companies, whether they want to admit it or not.

      That makes no sense, whatsoever.

      --
      I don't respond to AC's.
  18. Pulling tight the money purse strings by keneng · · Score: 1

    Welcome to Capitalism. If there is no money to be made in placing effort to be duly diligent about security, then no effort will be placed. That simple.
    That's what the SNAFU is in the U.S.A. and in Canada. I can't confirm anywhere else. I'm in a privileged position to influence and have the ear of some decision making clients on these matters, but if it hurts their pocket, they just stick their heads back in the sand and say "la la la I'm not hearing you." I got paid for providing them advice, they get paid to keep the company afloat by making the tough decisions.

    Businesses buy hardware known to only be good for a couple of years, but stretch it for 10 maybe 20 years if they can get away with it.
    Ditto for software PURCHASES. Companies stay afloat by continuously resolving crises rather than preventing them.

    A strong percentage of businesses rely on I.T. to manage facilitate their workflow, but that doesn't matter. That's life.

    I don't agree with this, but that's the observation about those holding the strings to the money purse.

    IF GOVERNMENT REGULATION WOULD IMPOSE SOMETHING THROUGH TAX INCENTIVES TO UPDATE HARDWARE/SOFTWARE PERHAPS CYBERSECURITY WOULD BE DIFFERENT TODAY.

  19. Who cares? by Anonymous Coward · · Score: 0

    When things go topsy-turvy the company will most likely not be punished at all. If punished, it will be a slap on the wrist.
    Cybersecurity isn't just not a C-level problem, and even isn't an IT problem, it is simply not a problem.

  20. Easy by Ryanrule · · Score: 2

    Make them fully and personally liable. 20 million customer records lost? At, let's say, 1 million per person? Drain the execs' bank accounts, liquidate their assets, seize their trust funds, put their children on the street. Problem FUCKING solved.

  21. Drone The Bohemian Grove 2016! by igobyjoshua · · Score: 1

    Wait... I forgot...... Does Obama dump the screaming new born kids in the fire @ Bohemian Grove during the Cremation of Care Ritual , OR Just the High Priest? Drone The Grove 2016! Yes Grandma, for the last time there will be countless wave after wave of Drones flying above the Bohemian Grove streaming the Cremation of Care Ritual to YouTube and CNN, get over it and take your pills silly...

  22. On Everything, C-level execs are useless by Anonymous Coward · · Score: 0

    This should be the title of the article:

    On Everything, C-level execs are useless.

    Why we still let retarded people with no actual skills run a group of skilled people is beyond reason.
    Never met a C-level employee that did more than contribute to global warming and chum-up to the oligarchy.

    Worked at one startup where we had no C-level people, and we were very successful and profitable in under 3 years.