CISO Risk issues versus CIO budget issues.
While the concept of reasonableness is somewhat subjective, the questions for CISOs to ponder are these: Does my security program constitute reasonable protections for a company in my industry and would the legal system agree? If my company is breached, and I have to explain my actions a year from now in front of a court, will those actions show that I did what was reasonable to protect my company’s information assets?
Now, if I am the budget officer or the CIO and responsibility for managing cyber risk has been thrust upon me, would I accept the increased risk, run the gauntlet and hope that the cyber criminal misses the gaps in our cyber security?
Will the CISO and the CIO then be at loggerheads over what the risk is? Would they play Russian roulette and hope that new laws and regulations fail to act upon such reckless decision making?
Data protection laws of all types now follow the principle that personal data exists both as data at rest and as data in transit; together these define the scope of what must be protected.
If you have been securing data at rest with legacy technologies (designs that have been around for a long while), you will feel reasonably in control, since changes and patches can help, where they are available.
If you have never recognised data in transit, such as voice calling, video calling, instant messaging and access to real-time communication (RTC) applications, where personal data is discussed, transmitted or referenced, then you will be surprised by the huge attack surface now open to attackers.
So, let’s take this example: purchase a Unified Communications platform, either on premises or from the cloud as a service, and communicate with other platforms, IPPBX or mobile devices on the LTE or PSTN network. Bingo: 90% of those communications will be open and unencrypted, unless steps have been taken to secure them beyond the local LAN.
Once an attacker has established this, a number of access points will be open and a number of tactics to disrupt service or harvest data will be available. Whether the aim is access to content or simply business disruption, your defence against the regulations and laws that now govern data management will be worthless.
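The quickest way to test the claim above against your own estate is to look at what the platform actually negotiates on the wire. The following Python script is an added example, not code from the original article or from any UC vendor: it inspects captured SIP INVITE messages (assumed to be mirrored from a SIP trunk or IP PBX) and flags calls whose signalling transport is not TLS or whose SDP media lines negotiate plain RTP rather than SRTP. The two INVITE messages at the bottom are constructed samples, and the SDES key material in the secure one is a placeholder.

```python
"""Audit SIP INVITEs for unencrypted signalling and media (added example)."""
import re
from dataclasses import dataclass, field


@dataclass
class CallCheck:
    call_id: str
    signalling_transport: str            # UDP, TCP, TLS, ...
    signalling_encrypted: bool
    media_profiles: list = field(default_factory=list)   # e.g. ["RTP/AVP"]
    media_encrypted: bool = False
    findings: list = field(default_factory=list)


def _header(msg: str, name: str) -> str:
    """Return the first SIP header value with the given name (case-insensitive)."""
    for line in msg.split("\r\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            if key.strip().lower() == name.lower():
                return value.strip()
    return ""


def audit_invite(msg: str) -> CallCheck:
    """Classify one INVITE: is the signalling on TLS, and is the media SRTP?"""
    head, _, body = msg.partition("\r\n\r\n")
    via = _header(head, "Via")
    match = re.match(r"SIP/2\.0/(\w+)", via)
    transport = match.group(1).upper() if match else "UNKNOWN"
    check = CallCheck(call_id=_header(head, "Call-ID"),
                      signalling_transport=transport,
                      signalling_encrypted=(transport == "TLS"))
    if not check.signalling_encrypted:
        check.findings.append(
            f"signalling over {transport}: SIP headers and SDP readable in transit")

    # SDP media lines look like: m=<media> <port> <proto> <fmt ...>
    profiles = re.findall(r"^m=\w+\s+\d+\s+(\S+)", body, re.M)
    check.media_profiles = profiles
    sdes_keys = bool(re.search(r"^a=crypto:", body, re.M))
    dtls_fp = bool(re.search(r"^a=fingerprint:", body, re.M))
    # SRTP needs a secure profile (RTP/SAVP or RTP/SAVPF) on every media line
    # plus a key exchange (SDES a=crypto or DTLS-SRTP a=fingerprint).
    secure = (bool(profiles)
              and all(p.startswith("RTP/SAVP") for p in profiles)
              and (sdes_keys or dtls_fp))
    check.media_encrypted = secure
    if profiles and not secure:
        check.findings.append(
            "media negotiated as plain RTP: audio/video can be recorded off the wire")
    # SDES carries the SRTP master key inside the SDP, so it is only as
    # private as the signalling channel that carries it.
    if sdes_keys and not check.signalling_encrypted:
        check.findings.append(
            "SDES a=crypto keys carried over unencrypted signalling: SRTP is undermined")
    return check


def share_unencrypted(messages: list) -> float:
    """Fraction of captured calls with at least one finding (0.0 when no input)."""
    if not messages:
        return 0.0
    return sum(1 for m in messages if audit_invite(m).findings) / len(messages)


# Constructed sample INVITEs (not real traffic).
INVITE_CLEAR = (
    "INVITE sip:2001@pbx.example.internal SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:1001@pbx.example.internal>;tag=a1\r\n"
    "To: <sip:2001@pbx.example.internal>\r\n"
    "Call-ID: clear-call-1@10.0.0.5\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=- 1 1 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.5\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

INVITE_SECURE = (
    "INVITE sips:2001@pbx.example.internal SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.0.0.5:5061;branch=z9hG4bK-2\r\n"
    "From: <sips:1001@pbx.example.internal>;tag=b2\r\n"
    "To: <sips:2001@pbx.example.internal>\r\n"
    "Call-ID: secure-call-1@10.0.0.5\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=- 2 2 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.5\r\nt=0 0\r\n"
    "m=audio 49172 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_NOT_REAL\r\n"
)

if __name__ == "__main__":
    for msg in (INVITE_CLEAR, INVITE_SECURE):
        result = audit_invite(msg)
        print(result.call_id, result.signalling_transport, result.media_profiles,
              result.findings or "ok")
    print("share of calls with exposure:", share_unencrypted([INVITE_CLEAR, INVITE_SECURE]))
```

Run it against a directory of INVITEs exported from a packet capture and the share it reports is your own version of the "90% open" figure; a call is only counted as protected when both the signalling and every media line are encrypted, which is the standard the SLA discussion below has to be held to.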
Anticipate this and seek protection. Having understood this new angle on data in transit, the CIO and CISO must begin to view it against a backdrop of technology and product warranties and product certifications covering the data-in-transit protection and service uptime that are needed.
But, and there is always a but, all warranties are specific to the products or services purchased. Unless there is one prime contractor willing to pool all of the technologies needed to protect, intercept and archive both data in transit and data at rest, it is clear that these warranties do not combine into compliance with laws or regulations.
Also, where platform providers only provide warranties or SLAs for their own products and not for the other components of the end-to-end offering, this immediately creates a low residual value in any organisation, the point where risk is at its highest and the CISO must ask the question: does my security program constitute reasonable protections for a company in my industry, and would the legal system agree?
The idea that warranties can be rescinded based on the components used to connect the various networking, application and content management elements for data in transit or data at rest is highly unlikely, as the components either do the job in hand or they do not. If they do, then it is down to the prime contractor to satisfy the CISO that the organisation’s low residual value is under control, which will move the organisation from low to high residual value status.
High status means that data held is secure, data in transit is protected at every level needed, and cyber security meets the compliance demanded by regulation or law.
Should the technology in use be known to have already failed these risk assessments, yet still be implemented, even with the prime contractor’s knowledge, because of budget constraints, unknowledgeable suppliers or other reasons, any Service Level Agreement for the end-to-end service will be unworkable and, more to the point, legally indefensible once a successful breach or attack occurs. The low residual value then becomes the key issue, as the risk of fines becomes business-threatening.
As legally responsible executives such as CISOs or data controllers are bound by new laws and regulations, it is clear that any organisation must not play Russian roulette: make sure that prime connectivity is secured, make sure that politics does not increase risk, and make sure that exposure to fines under GDPR, NIS, the California Consumer Privacy Act 2018 or other in-country data protection laws is managed from a backdrop of full compliance only.