Talent Acquisition, Retention Leading Diversity Initiatives in Cybersecurity Jobs

Talent acquisition and retention is the leading operational reason that companies have been ramping up their diversity initiatives, according to (32 percent) of respondents in the (ISC)²study.

Nearly one in three (29 percent) added that diversity is important to their organization because the workforce should represent the demographics in society:

  • Nearly three quarters of organizations surveyed (74 percent) instituted a stated diversity value or program in the last 2-5 years. On top of this, a further 16 percent have followed suit in the last 12 months.
  • Overall, 40 percent of survey respondents stated that the HR department is the primary driver of diversity and inclusivity efforts, including measuring employee diversity goals. This compares to just under one quarter (23 percent) who said it was the senior management team and just 10 percent that said it was the C-suite driving diversity initiatives.
  • 60 percent said that up to 20 percent of the current vacancies in their organizations are IT and/or cybersecurity-based. A further quarter (26 percent) said these roles constituted between 21-50 percent of their workforce.

Hiring Cyber Roles:

  • 77 percent of respondents said that cybersecurity roles were recruited for in their organizations in the last 12 months. The number of roles filled ranged from 1 to 31 across the responses, although nearly 55 percent of the respondents said that up to 10 cybersecurity personnel were hired by their organization over the last 12 months. 18 percent said that between 11 and 30 roles were hired in the last year.
  • 37 percent say just 6-20 percent of their IT department employees are aged 18-21, while 35 percent say none of their IT department employees are aged 18-21. This indicates a struggle to bring enough new talent into the department that can learn from their experienced peers[…] Read more »..

The role and the focus of a CISO with Tim Swope

Apex sat down with Tim Swope, Chief Information Security Officer at Catholic Health Services of Long Island to discuss his role and experience as a CISO. With extensive experience in the industry, Tim shares his advice and the value of an IT Risk Management Program being the cornerstone for all cyber security work.

Q: What is IT security doing to support innovation in the enterprise?

A: In addition to training the IT Security Staff, we all attend many seminars outlining new and innovative technologies and with our Proactive Risk Management model we are able to determine what GAPS those technologies will close in our organizations.

Q: What is the single most important thing CISOs should be focusing on today?

A: While many security leaders focus on the technical side of cybersecurity, a key focus of mine is risk management. Risk management is the overriding element for successful cybersecurity programs.  We need to know what cyber risks and 3rd party vendor risk that my affect our organizations, assign a risk level and then focus our remediation and management on the top tier risks first.

Q: How can you best describe the relationship between the CIO and the CISO in the enterprise?

A: The CIO and I work very closely together on the overall information strategy for the organizations.  That being said, while the CIO might push for technology solutions that will make access to information easier…..I ensure that we can effectively manage and monitor that technology.  In the Healthcare space, innovation has moved faster than our ability to secure it. I remind the CIO we are FIRST in the patient privacy and safety business..not the convenience business!!

Q: How have you searched for and found the best vendors for your organization?

A: We have a very strict due diligence process for our vendors, especially those that will be working with PHI. However, we are constantly looking and evaluating vendors that may be able to save us cost, have greater automation and solve our needs better.

Q: What is the biggest challenge for a CISO today?

A: In the Healthcare industry, changing regulations, the need to expose patient data to outside entities and ensuring that the same IT security posture remains in place in the face of this change.

Q: What advice would you give an early stage CISO joining an enterprise organization?

A: When coming into a new organization as a CISO leader, I strongly believe in conducting an internal assessment to get an understanding of what controls and technologies are in place. While some CISOs may rely on an outside firm to conduct these, I choose to do an initial assessment myself, putting myself in an outside auditor’s shoes. Rather than looking at somebody else to do it for me, I’ll do it myself and I think that’s the key thing a CISO should do, is understand his or her landscape and do their own personal assessment and only then can you see what you really have.

Q: What is the importance of an IT risk Management Program in today’s cyber security landscape?

A: In order to deliver value to our customers, patients, employees, communities and shareholders, we at Catholic Health Services and other Healthcare organizations must understand and manage the risks faced across our entire organization. Risks are inherent in our business activities and can relate to strategic threats, operational issues, compliance with laws, and reporting obligations.  As part of the overall IT risk management process Information Security, Governance and Risk (ISGR) departments are responsible for various activities that are important to regulatory compliance, information security, data protection and risk management. This group has the authority and responsibility to investigate and assess compliance in all activities relevant to the Security Governance Program and to report on compliance status to IS Management.

The “Framework” that encompasses their Risk Management Program has the primary functions to:

  • Determine categorization of IT risks
  • Define the common framework used to identify and manage potential events that may affect information within the IT infrastructure
  • Define accountability for IT risk management
  • Determine the governance and oversight of IT  risk management activities

Internal and external events affecting our ability to achieve our security and operational objectives are identified at various points in the business cycle. During strategic and business planning and review processes, business unit management assesses the market and competitive environment to identify risks and opportunities facing their business. The various risk management functions within or assigned to that business unit provide expertise, support and input into the process. Each of the risk management functions is represented on applicable management committees to enable effective risk identification and business partnership.

Throughout the year, risk assessments, scans and surveys are performed by the ISGR team to identify internal and external events that might affect the achievement of the Company’s objectives. Additionally, the various risk management functions scan the external environment for risk indicators through analysis of applicable business intelligence, including trends in external health authority and other government inspections and enforcement, legislative changes, and shifts in market, payer and consumer models, as well as relationships with external subject matter experts.

Finally, risk management functions review the output from internal monitoring and assurance activities to identify gaps and emerging risk areas. Risks are analyzed, considering likelihood and impact of a given outcome, to determine how they should be managed.

If we can take a way one lesson from the need for a risk management program it is the following:

Risk Management is the number one process for Identifying potential risks and creating a plan to eradicate or manage them!!

We don’t accept Risk, we continually Manage it!

 

Tim Swope

CISO

Catholic Health Services of LI

Mr. Timothy Swope is currently the CISO of Catholic Health Services, an 18,000 employee hospital group in Long Island, NY. He is an Information Security and IT Risk Management professional who partners with Chief Information Security Officers and IT Governance, Risk and Compliance executives to assess and deliver IT Security and Risk Management programs to Health Care and Insurance, Pharmaceutical and government agencies. After spending over 2 decades assisting clients implement secure enterprise BI, EHR, Meaningful Use and other data science systems, Tim knows and understands the requirements and components that create a secure information security posture. A key area of his expertise centers around interpreting and applying Federal, State and Industry regulations such as: DSRIP, HITRUST, HIPAA, NIST SP 800-53, 21 CFR Part 11, Health Insurance Reform: Security Standards, FISMA (Federal Information Security Management Act) and locally the Zadroga Act to name a few.

He also supported cyber security requirements for Medicaid’s Delivery System Reform Incentive Payment (DSRIP) Program at 2 of New York’s largest PPS’s (Performing Provider Systems) Northwell Health and NYC Health and Hospitals.

He has supported the IT Risk Management and IS Security initiatives of organizations that include Excellus BCBS, Medimmune/ Astra Zeneca, MERCK, ENDO Pharmaceuticals, Novo Nordisk, Daiichi-Sankyo Solutions, Johnson and Johnson, District of Columbia Government office of the Chief Financial Officer, District of Columbia Water and Sewer Authority, City of Richmond, Virginia Department of Public Utilities.

Ohio Implements Data Protection Act

The state of Ohio has implemented its Data Protection Act to encourage businesses to voluntarily adopt strong cybersecurity controls to protect consumer data.

Senate Bill 220, the Data Protection Act, was sponsored by State Senators Bob Hackett (R-London) and Kevin Bacon (R-Westerville) and was signed into law in late 2018.

Senate Bill 220 provides different industry-recognized cybersecurity frameworks which a business can follow when creating its own cybersecurity program. In order to receive the benefit of the safe harbor, a business must create its own cybersecurity program.

The legislation provides an affirmative defense to a lawsuit which alleges a data breach that was caused by a business’ failure to implement reasonable information security controls.

Businesses are only required to incorporate one of the frameworks into the business’ cybersecurity program[…] Read more ».

Philadelphia University’s Cybersecurity Program Receives “Top Curriculum” in the US

OnlineMasters.com, an industry-leading educational research organization, has named La Salle University’s Master of Science in Cybersecurity a top 25 internet security program for 2019, and also awarded the program “best curriculum.”

OnlineMasters.com analyzed every online master’s program in internet security in the nation with a team of 43 industry experts, hiring managers, current students and alumni.

According to OnlineMasters.com, the study leveraged “an exclusive data set comprised of interviews and surveys from current students and alumni in addition to insights gained from human resources professionals.” Their methodology weighted academic quality (academic metrics, online programming, and faculty training and credentials) at 40 percent, student success (graduate reputation, student engagement, and student services and technology) at 40 percent, and affordability (average net cost, percent of students with loans, and default rate) at 20 percent. The study incorporated current data from the Integrated Postsecondary Education Data System (IPEDS) and statistical data from the National Center for Education Statistics. Only programs from accredited nonprofit institutions were eligible.

“We are honored to be recognized as a top 25 internet security master’s program, with a special nod to our curriculum,” says Peggy McCoey, assistant professor and graduate director for La Salle’s M.S. in Cybersecurity. “We have developed a flexible, rigorous, and highly relevant program to ensure today’s students develop competencies in cybersecurity management as well as breach detection, mitigation and prevention. The Program balances both theoretical and practical aspects and draws key learnings from industry practitioners to ensure attention to ethical principles and changes related to cybersecurity.”

La Salle’s M.S. in Cybersecurity is a 100 percent online asynchronous program with three start dates and eight-week courses so students can complete two courses per semester. OnlineMasters.com noted its “engaging courses in cyberwarfare, cybercrime and digital forensics” in support of its “best curriculum” designation[…] Read more ».

 

 

Is Your Data Breach Response Plan Ready?

Fifty-six percent of organizations experienced a data breach involving more than 1,000 records over the past two years, and of those, 37 percent occurred two to three times and 39 percent were global in scope, according to Experian. In 2017 in particular, there were more than 5,000 reported data breaches worldwide, and there were more than 1,500 in the U.S. alone.

In an effort to help businesses prepare for data breach response and recovery, Experian launched its new Data Breach Response Guide last month to provide in-depth strategy and tactics on how to prepare and manage incidents.

Security asked Michael Bruemmer, Vice President of Data Breach Resolution & Consumer Protection at Experian, how cybersecurity has changed recently and how enterprises can revamp their security strategies to be resilient and ready.

Security: How have typical responses to data breaches changed over the past five years?

Bruemmer: Fortunately, responses to data breaches are immensely better. There has been great progress in preparation, as 88 percent of companies say they have a response plan in place compared to just 61 percent five years ago, according to our 2018 annual preparedness study with the Ponemon Institute.

One of the biggest changes in data breach responses over the last few years is that organizations now have a breach-ready mindset and know it’s not about whether a breach will happen but rather when it will occur. Thus, many organizations now have a data breach response team in place, which is key to implementing a quick and adept response.

Businesses have also started to include public relations personnel on their data breach response teams, which has helped companies maintain more positive relationships with their stakeholders post-breach. There is still room for improvement: while companies have a plan in place, a large majority don’t practice their plans in a real-life drill setting, and the C-suite and boards are still not engaged enough in the process.

Security: What still needs to occur to improve enterprises’ data breach response protocols and practices?

Bruemmer: A few areas for improvement include actually practicing the data breach response plan and therefore, feeling confident the company can handle an incident successfully. In our 2018 annual preparedness study, only 49% of companies said their ability to respond to data breaches is/would be effective. One of the reasons may be that most boards of directors and C-suite executives are not actively involved in the data breach prep process, nor are they informed about how they should respond to an incident.

Another dynamic that requires attention, and is relatively new, is the passing of the General Data Protection Regulation (GDPR) overseas. Companies that operate internationally must understand the legislation and make sure they are equipped to handle a data breach that involves individuals globally. They should hire legal counsel who have knowledge and experience in this area and enlist partners that have multilingual capabilities and a presence in key countries. That way, operations such as notifying affected parties and setting up call centers can be executed quickly. Organizations are still catching up here.

Security: When auditing their data breach response plan, what in particular should security leaders be looking for?

Bruemmer: Businesses should conduct an audit of every component of a response plan. Security leaders should also assess whether external partners are meeting the company’s data protection standards and are up-to-date on new legislation. For example, healthcare entities should guarantee that business associate agreements (BAAs) are in place to meet the Health Insurance Portability and Accountability Act (HIPAA) requirements. Additionally, vendors should maintain a written security program that covers their company’s data. Realistically, an organization could have up to 10 different external vendors involved in a data breach response, so keeping this circle secure is important.

Security: What are the top three issues business security leaders should plan for next year?

Bruemmer: Businesses should keep an eye on artificial intelligence (AI), machine learning (ML) and cryptomining malware next year. In a continuously evolving digital landscape, advanced authentication, or added layers of security, have become increasingly important for businesses to adopt when it comes to safeguarding against potential data breaches. However, while AI and ML are helpful in predicting and identifying potential threats, hackers can also leverage these as tools to create more sophisticated attacks than traditional phishing scams or malware attacks. Criminals can use AI and ML, for example, to make fake emails look more authentic and deploy them faster than ever before. Cryptomining has also become more popular with the recent rise of Bitcoin and more than 1,500 different cryptocurrencies in existence today. Cybercriminals are taking every opportunity, from CPU cycles of computers, to web browsers, mobile devices and smart devices, to exploit vulnerabilities to mine for cryptocurrencies.

Security: Are there any key tools or strategies security leaders can use to better engage with the C-Suite?

Bruemmer: Unfortunately, the lack of engagement by the C-suite and boards seems to be an ongoing issue. In today’s climate, companies should employ a security leader in the C-suite such as a Chief Information Security Officer to ensure protection is a priority and administered throughout the organization.

There should be ongoing and frequent communication about security threats by this officer to leaders and the board. In this instance, it’s better to over-communicate rather than hold back vital information that could help mitigate potential reputation damage and revenue loss […] Read more »

 

 

 

Nearly Half of Americans Willing to Give Brands a Pass for a Data Breach

New data shows that the U.S. public is surprisingly forgiving despite data breaches and controversies as long as companies demonstrate good faith.

The Consumer Attitudes Toward Data Privacy and Security Survey by Janrain also found that 42 percent of U.S. consumers surveyed report at least being open to forgiving the brand, while 7% refuse to forgive brands for allowing bad actors access to their personal data. Fourteen percent have lost all faith in an organization’s ability to protect their data.Nevertheless, consumers are increasingly taking control of their data into their own hands, the survey found. For example, 71% report downloading software that protects their data privacy or otherwise helps control their web experience. But Janrain’s survey brings good news to brands that are evaluating their consent-based marketing processes and capabilities in response to regulatory requirements or to strengthen customer relations.

If given the option, most people (55%) would let companies they trust use some of their personal data for specific purposes that benefit them in clear ways, the survey found. Only 36% wouldn’t let any company use their personal data. Sixty-six percent like the idea of being able to alert companies when they’re interested in something as long as they could “switch it off” when they’re no longer interested. Only 16% aren’t interested in this even if it came with preferences control.

When Janrain probed to gain more understanding about how effective digital brands have been in using consumer data to personalize their online ads, only 18% said ads “often” seemed to understand their needs, presenting brands with an important area for improvement. The largest bulk of respondents (47%) reported that these ads do seem to understand their needs at least “sometimes” while 26% said ads “hardly ever” understand them. Nine percent said online ads “never” do.

When asked whether they’d walk away from a business that requires personal information up front (like a phone number or email address) in order to conduct business, 15% of those surveyed said “yes” while 24% said “probably.” Fifty-four said it depends on whether the business is trusted or the only option.

Sixty-six percent of those surveyed renewed their call for GDPR-like rules in the United States that force brands to provide consumers with greater privacy, security and control of their personal data. Janrain asked a similar question in May of 2018 to which 69% responded favorably to more regulation in the States. This time, Janrain’s findings show consumers not only want more regulation, they believe it will actually help in the wake of high-profile breaches and controversies affecting well-known organizations such as Yahoo!, Equifax and Facebook. Only 9% believe such laws would be ineffective while only 6% believe more regulation would be too hard on businesses and the economy […] Read more »

 

 

Attention CEOs: The Great CISO Renaissance is Coming

In 2015, the Boston-based security advisory firm K-logix predicted an increase of Chief Information Security Officers (CISOs) reporting to CEOs, and in 2017 the NACD provided provide guidance on boards on basic cyber security principles.  However, CISOs continue to struggle for widespread recognition as an executive officer.  Although the CISO is responsible for integrating privacy requirements into security program controls, the EU’s General Data Privacy Regulation (GDPR) introduced and catapulted a new role into the executive ranks in 2018. The regulation creates a new “Data Protection Officer (DPO)” role serving as a quasi-regulator for EU Data Privacy compliance enforcement who must report to the highest levels of management. Data Protection Officers usually fall under Compliance leadership function closely associated with the General Counsel or legal department, and are integral to the company’s data privacy program oversight.  In contrast, the CISO who is responsible for technology risk management may report through a number of executive functions depending on the industry and company. The General Counsel is no stranger to the executive table, so it should be no surprise that the new DPO role leapfrogged the CISO in the corporate hierarchy.

Although CISOs have been improving their business and risk management acumen by focusing on non-technology-based topics such as GDPR compliance, Third-Party Oversight and Enterprise Risk Management at recent security conferences, the majority of job descriptions for CISOs continue to describe both tactical and strategic duties and continue to list the role under a CIO or CTO.  In response, an increasing number of seasoned CISOs are opting for independent consulting work in the growing Gig Economy rather than struggling for budget and resources within a company only to be sacrificed when the inevitable data breach occurs. If the unique challenges with rank and responsibility continue, the role of the CISO could become a standard appendage to a company like an independent CPA firm or external counsel providing advisory guidance.  

If you are a CEO considering whether you want a CISO on your leadership team, I offer the following reminders regarding the CISO:  

  • The role of the CISO is strategic, not tactical

Some organizations proudly announce they have passed their SOC 2 independent audit report without any findings to communicate the maturity of their security program.  If those organizations were expecting a “clean” SOC 2 audit report to eliminate the need for a customer assurance program, an experienced CISO knows that a SOC 2 report can be crafted to scope out the “dust and cobwebs under the carpet” and only focus on the shiny production service or solution offered to customers.   Rarely are SOC 2 reports accepted on their face as adequate governance of an enterprise risk management program. Additional audits and evidence will likely be necessary to satisfy partner and customer inquiries.

In another example, security solution providers usually begin their sales pitch by describing a legitimate business problem.  However, they quickly shift to focusing on the product features rather than recognize the business problem in context of other risks an organization may face as the company’s executive team would do at a risk review.

The fallacy in both of these examples is the assumption that successful execution of a tactical project will translate into a strategic solution.  The truth is that the problem being solved may or may not be significant in the organization’s big picture, and the CISO should not waste time and resources on low priority problems.  By elevating the role to the strategic level, the CISO will have the appropriate context to consider operational risk challenges within the organization. For example, a survey by Soha Systems reported that 63% of data breaches – nearly two-thirds – are attributed directly or indirectly to Third-Parties according to IAPP.  If the CISO is focused exclusively on the technology used to secure products or services, the company could be missing the larger threat from the access granted to merchants, vendors and subcontractors.  The operational risk has little to do with technology and more to do with processes and permission management.

  • The role of the CISO touches the whole organization just like the Privacy Program

The privacy program and security program are complementary teams – like a right hand and left hand.  Although they serve similar functions within the organization, they are not the same. The privacy office defines the privacy requirements for the business and the security program creates and implements the controls needed to achieve those requirements.  Security and privacy programs are often combined under an Enterprise Risk Program. Much the same way a privacy program includes human resources, training, sales & marketing, corporate communications, legal & compliance, finance, and information technology stakeholders, so does the information security program.  However, the privacy program is dependent on the security team to implement the necessary controls. If the DPO reports to the CEO and/or Board of Directors, but the CISO is not at an equivalent level or is external to the organization, maintaining a current status of the security program may be more challenging than necessary due to office politics and hierarchy.  The right hand and the left hand should communicate equally with the brain to successfully perform a complex job requiring both hands, or the right hand may not know what the left hand is doing.

Similarly, if the CISO’s budget is nested within a CTO or CIO’s budget, re-allocating funds to other departments with deficient security controls is an uphill battle for the CISO.  Assume that the CISO has determined that risk associated with third-parties is the biggest risk for the company, but the procurement and/or human resources department need additional resources to screen contractors and other partners adequately.  If the CISO relies on a cost center such as the CTO or CIO to present the case to the executive team for additional funding, the message may diminish in translation, and the CIO or CTO may perceive higher priorities within the department. Providing the CISO with a seat at the table in executive team meetings will not only optimize spending decisions but will also improve collaboration and improve security and risk awareness among the executive team.

  • The role of the CISO is becoming a Regulatory Requirement

The Ponemon Institute has listed “Appointment of a CISO” as one of the factors to mitigate the cost of a data breach for several years.   Not surprisingly, regulators are beginning to require the appointment of a CISO as a compliance requirement. For example, the New York Department of Financial Services mandates “a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, “Chief Information Security Officer” or “CISO”)” be appointed” for each entity covered by the regulation.  Furthermore, the CISO is required to provide an annual written report to board of directors or equivalent governing body on the cybersecurity program and material cybersecurity risks.  Although the New York regulation requires an Annual report to the board, the CEO should receive regular and recurring status on the cybersecurity risks for the company. In light of the additional focus on security and data privacy generated by public outcry, similar requirements may permeate to other jurisdictions in the form of similar regulations.

  • The role of the CISO includes some Individual Professional Liability

As referenced above, audits of corporate security and data privacy programs require the individual responsible for the governance of the program be qualified for the role and maintain his or her skills through continuing education.  This control is often addressed through requiring industry recognized certifications with continuing professional education (CPE) mandates, a code of ethics and a duty to the profession as a condition of certification in the job descriptions for these roles.  Loss of a professional accreditation such as a CISSP, CISM, CISA, CRISC or C|CISO in the case of a CISO or a CIPP or CIPM in the case of a DPO are potential risks to be considered when considering a role within an organization. Both CISOs and DPOs are likely to request Director’s and Officer’s (“D&O”) Insurance / Professional Liability Coverage under the corporate policy as a condition of employment.

Under GDPR, regulatory fines for a company can reach 4% of annual turnover or 20 million EUR for a privacy breach.  Some privacy professionals view the regulation as a “stacked deck” mechanism for funneling revenues to the EU from US companies.  Impacted companies are presumed guilty under the regulation’s “Accountability Principle” and requirement to demonstrate compliance with “Security by Design” and “Security by Default.”

If that assessment is accurate, lawsuits against both companies and the officers responsible for the security and privacy program issues are likely.  Companies need to be wary of potential criminal prosecution risk associated with mishandling of protected information.  CISOs who have their professional credentials provided to regulators, government agencies and customers as evidence of their qualifications will be reluctant to have their communications filtered through another corporate officer, especially if recommendations are not implemented because of other risks.  If an independent or fractional CISO is required to carry professional liability insurance to cover regulatory fines on that scale, the premiums for that level of coverage make the costs for their services exorbitant, and the company will still need to cover their own liability insurance premiums. In-house CISOs covered under the company’s liability policy makes more fiscal sense for regulated industries to avoid paying twice for the same coverage.   Previously unregulated companies are finding themselves within the material and territorial scope of GDPR and are being introduced to compliance requirements and fines, and they are only beginning to understand the impact to their organizations.

Summary

Experienced CISOs with an appreciation for the concept of enterprise risk are venturing out to form their own advisory practices in the booming “Gig Economy” where they can choose their own clients, travel schedule, industry and risk tolerance.  If nothing changes, the trend towards “freelancing” is expected to continue. With full control over pricing and insurance for “gigs,” these freelancers are able to set their own rates commensurate with the risk associated with the opportunity. According to NASDAQ.com, 34% of the total workforce, nearly 53 million Americans were freelancers, and this number is expected to increase to 43% by 2020.  The irony is that the growth of the Gig Economy is only increasing the challenges for the CISOs who remain in corporate America. Managing risks associated with contractors increases in complexity as the number of third parties engaged by an organization increases, so a critical mass is building.   

The problem with the independent consulting option is that many CISOs really do WANT to be a part of a leadership team and would choose that option if offered to them.  These executives rely on teamwork to make the program successful and being an outsider who may or may not be able to use the name of their client as a reference diminishes the personal fulfillment and recognition in a job well done.  Creating a direct reporting relationship between the CEO and the CISO is one of the best ways to demonstrate management’s commitment to the security program, save insurance costs and increase efficiency of the security and data privacy programs.  With improved visibility to enterprise risks, CEOs can be assured their teams are working on the right problems and the security prowess of their leadership team expands through increased exposure to and collaboration with the CISO.

Donna Gallaher, CISSP, C|CISO, CIPP/E

Ms. Gallaher served as a C-Level Strategic Advisor in IT and Cyber Strategy for multiple global companies for over 15 years drawing from her previous successes in engineering, solution selling, IT operations and leadership.  She provides value to clients by thoroughly understanding business and regulatory requirements, assessing obstacles and translating technical challenges into business risks allowing technology to function as a business enabler.

Ms. Gallaher serves on the Board of Directors of the Technology Association of Georgia Information Security Society, Evanta CISO Southeast Governing Body and is active in the local ISSA and Cloud Security Alliance chapters.  She is active in the lobby efforts to shape cyber security legislation and her recent articles have been published on the National Technology Security Coalition website.

Ms. Gallaher holds CISSP, CCISO, CIPP/E and ITIL certifications and is a graduate of Auburn University with a Bachelor of Science in Electrical Engineering.

Magecart: The Largest Payment Card Attack in History. Here’s what you can do …

The previously disclosed Ticketmaster attack was not a one-off event, but instead part of the largest payment card theft in history impacting over 800 ecommerce sites around the world. If we consider the true impact of this event it is absolutely astonishing. The Target supply-chain-enabled attack from a few years ago was frightening, and that was only one merchant under attack, on in-store point-of-sale systems, for a mere 9 days. The Magecart website supply chain attack leveraged digital website payment card skimming that victimized over 800 global merchants for over 3 years – multiple orders of magnitude larger and significantly more chilling in scope.

The Magecart hacker group successfully attacked some of the most sophisticated ecommerce players and operated largely undetected since 2015 by taking advantage of a client-side vulnerability that exists in every commercial website today.  In the case of Ticketmaster, Magecart actors were able to compromise a 3rd party chatbot service called Inbenta that had been embedded on the Ticketmaster site. By manipulating the Inbenta JavaScript code on Ticketmaster’s webpages, Magecart could exfiltrate payment information from every single Ticketmaster customer who was served the Inbenta code.

The client-side browser is the primary environment wherein websites display and capture critical customer and payment data. It is the front door for interaction with customers and their data. 3rd party JavaScript executes on the client-side browser and is granted unmanaged and unlimited access to the entire webpage including the ability to exfiltrate data (keylogging, web injection, form field manipulation, phishing, etc.) and deface/alter webpage content. Simply put, by integrating 3rd party JavaScript, website owners are handing out skeleton keys to the front door while they focus extensively on securing the server-side back door. Security pros must think twice about being so cavalier with the skeleton keys to their front door and diligently secure both the server side and the client side of web sessions.

Given that many 3rd party vendors have comparatively weaker security protocols than the corporate websites that run them, it makes them attractive and susceptible attack targets.  3rd party JavaScript has unlimited access to the webpage DOM. This means that every 3rd party JavaScript vendor, and the hackers that seek to exploit them, have the same level of access to all webpage elements as the website owner’s development team.

 

Once that vendor is compromised, their code can be modified or replaced representing a major vulnerability for website owners. Magnifying the potential damage, once a hacker compromises a single 3rd party vendor, they have access to every single website that runs the tool.

3rd party JavaScript is served from external remote servers and executes on the client. This makes current security approaches such as pentesting, periodic code review, and dynamic application security testing entirely incapable of preventing these attacks. Since client-side connections with external servers are completely unmanaged and largely unmonitored, the company has no visibility into what these 3rd parties are doing and no way to prevent hackers from maliciously exploiting this access. Nearly every corporate website is currently unavoidably vulnerable to this attack vector.

Request an Expert Walk-Through of Data Exfiltration from Your Site

Here’s what you can do …

Luckily, there are steps that security teams can take to mitigate or even eliminate the risks of 3rd party vendors. From stringent prevention-level controls that still enable the beneficial usage of 3rd parties all the way to usage limitations that are restrictive and counterproductive, there are practical things that security pros can implement today to protect their companies from the next website supply chain attack.

Prevention is the best option

The best thing security pros can do to prevent an attack like Magecart is to implement technology that controls the access and permissions of every 3rd party running on the page. This insulates websites, their corporate owners, their visitors and private customer data from the inappropriate behaviors of overzealous 3rd parties and the more malicious activities of hackers that seek to exploit them.

Prevention-level approaches for addressing client-side connections not only secure the organization but are required for adequate data control defined by regulatory compliance (e.g. GDPR and California’s newly passed Digital Privacy Law). Without the ability to control private customer data and prevent unauthorized access by 3rd party website vendors or hackers, an organization is in a state of non-compliance.  

Additionally, a major benefit of prevention is that with security and privacy concerns satisfied, the business is free to deploy beneficial 3rd party website tools to achieve the shared goal of the business – revenue generation. By using 3rd parties on otherwise sensitive pages (e.g. payment, registration, login) the business is able to optimize their conversion rates at critical junctions of the customer journey. By using new and innovative tools, the business can be dynamic and differentiate from their peers who are forced to move slower and in a more restricted fashion. The end result is a secure and compliant site that delivers a superior customer experience and produces better analytics.

Monitoring and detection

While prevention is obviously the best method, monitoring provides a less secure and reactive option. Magecart’s multi-year activities are evidence that detection, although helpful, is woefully inadequate. The major inadequacy of detection approaches is that they are incapable of detecting these attacks in real-time. Even with a multitude of global sensors detection schemes may miss highly targeted and hyper-segmented attacks altogether.

Although they may detect an attack, they assuredly will never detect the attack in time for the website owner to avoid some damage. After all, even if the majority of the damage is avoided after detection, any leakage of customer data constitutes a compliance violation that will require full public disclosure. The resulting fines, PR crises and operational fire drills are typically crippling. We have not even begun to discuss that detection approaches have no remediation capability, so the only response is to completely remove the tool and suffer the operational and capital costs associated with losing and/or replacing its functionality. Ultimately, even this removal does not address the root cause leaving the site entirely and continuously exposed to future attacks via another compromised 3rd party tool operating on the site.

Fundamentally, these approaches are not scalable. 3rd party JavaScript changes routinely and sites are frequently changing and rotating the vendors they use. The alert fatigue coupled with the reactive nature of detection and the persistence of the underlying vulnerability renders these approaches severely limited.

Vendor due diligence assessments

Many organizations, and especially those under strict compliance mandates, perform routine, comprehensive vendor security assessments. Although, well intended and highly recommended, such exercises only provide a point-in-time assessment – and even then, only produce a comfortability level rating of a vendor’s security program. Any vendor can be breached at any time.  In practice we see some of the most seemingly mature and trusted 3rd party website tools be breached and exploited to victimize hundreds of websites. Although these assessments provide a semblance of comfortability and satisfy some compliance requirements, they do not provide prevention or even continuous detection. These assessments should be part of a comprehensive security program but are in no way adequate as a stand-alone approach to mitigating or preventing 3rd party risk.

Restricting the usage of 3rd party tools

The last resort would be to exercise a debilitating level of caution. The result is limiting the usage of beneficial 3rd party tools and is entirely counterproductive to the overall goals of the business. Limiting the number of tools used limits the organization’s ability to provide an engaging user experience and extract meaningful analytics. Relying only on “mature” or “trusted” 3rd party vendors and missing out on new and innovative tools makes delivering a compelling, differentiated, and dynamic web presence difficult. Restricting 3rd party tool usage in on sensitive areas of the website cripples conversion rates if customer experience and analytics are not optimized at critical points in the customer journey – like account registration, transactions, and check out.

The Time to Act is Now

It’s likely that the more than 800 compromised sites in this attack are just the tip of the iceberg given the amount of time that this attack was running undetected. Similar attacks on major global airlines, online electronics merchants, online mass merchants and credit rating agencies have recently been reported as exploited by this same attack vector.  3rd party vendors have shifted blame to site owners to incorporate the necessary security measures themselves.  It is therefore critical that site owners proactively employ preventative technology to prevent website supply chain attacks and continue to benefit from the differentiating utility they provide.

Next Steps

Quickly access an assessment of your current risk level.

If the industry wide susceptibility to this attack vector does not have you concerned about your own current vulnerability:

Request a customized expert walk-through of data exfiltration on your site @
www.sourcedefense.com

 

 

 

 

From a birds eye view of a CSO with Ian Amit

Apex sat down with Ian Amit, Chief Security Officer of Cimpress to discuss his views on what it means to be an innovative CSO today while remaining a business enabler. With over a decade of experience in diverse security fields he shares his experience and advice.

Q: What is IT security doing to support innovation in the enterprise?

A: First and foremost, ensuring that security understands the business needs as far as direction (technologically) and strategy. Then security complements said strategy and not only ensures it is taken through secure means, but also further enables it to take additional risks.

Q: What is the single most important thing CISOs should be focusing on today?

A: Understanding and prioritizing the risks for the business. It’s not a question of a technological vulnerability “du jour” to be addressed (especially if it does not affect the organization’s threat model) and more about being able to correctly utilize the resources at hand to most effectively address the actual relevant risks.

Q: How can you best describe the relationship between the CIO and the CISO in the enterprise?

A: Independent. The CIO and CISO have potential conflicting views when it comes to technology, and hence should be independent of each other.

Q: Should IT security be a business enabler?

A: Absolutely. IT Security should never come from a “NO” approach, and by definition should enable the business to pursue whatever course of action it deems the most beneficial.

Q: How do you stay abreast of the trends and what your peers are doing?

A: Beyond the continued technological education, working and engaging with peer CSOs and CISOs has been the most beneficial for me as far as keeping up with the news, and mostly around how other executives are meeting their challenges. Forums where there are curated discussions where the members drive the conversations have been the most effective in doing that.

Q: How have you searched for and found the best vendors for your organization?

A: It is a constant cycle of looking for the right vendors for the organization, and in my view the value of VARs have diminished significantly over the years and are only used to secure the best price point for a product. For me the focus on products is shifting, and I’m spending more on training my internal resources, while augmenting them with the right products. That means continuously challenging our operating model, and also the products we use.

Q: What is the difference between a CISO and a CRO (Chief Risk Officer)?

A: There is definitely a lot of overlap from my perspective, and I feel like a CRO is only applicable in organizations where the majority of the risk contains not only non-information elements, but is highly biased to financial or legal elements. In more “traditional” organizations, I believe that a CSO (who has all security in scope, not just information security) is the executive role responsible for risk overall, and can be coupled with a strong internal audit function to provide full risk management coverage for the organization.

Q: How has the role of the CISO changed over your career?

A: At the beginning of my career, CISOs were mostly IT-Security managers. The scope and focus of those roles has been mostly limited to technology risk and managing the security of the infrastructure and the technology stack. Modern CISOs, and especially CSOs are tasked with a broader scope which includes the social as well as physical elements of security of the organization.

Q: What advice would you give an early stage CISO joining an enterprise organization?

A: Communication is key. Being able to have discussions with your peers in the executive management is critical, and this includes learning to formulate risk in business terms. Only then the application of “our” domain knowledge becomes applicable. One of the most common mistakes I’m seeing with CISOs in general is gravitating back to the engineering-heavy comfort zone where a lot of them came from, while losing focus over the actual missions which is to secure the organization and enable it to advance.

 

Why Employees are Your Greatest Cyber Risk

A new study has found that nearly two in five workers admitted to clicking on a link or opening an attachment from a sender they did not recognize.

This security slip-up is significant due to the installation of malware on their devices and the harvesting of sensitive corporate data.

Resulting from the societal BYOD (bring your own devices) trend, the Finn Partners Research study shows that more than half of employees (55 percent) are using their personal devices for work, which directly impacts increased vulnerability to hackers, malware and data breaches. In addition, only 26 percent of employees change their login credentials and/or passwords for personal and work applications at least once a month.

“The fastest and easiest way for bad actors to gain access to sensitive organizational data is for employees to click on nefarious links – we know that around 40 percent of our workforce is engaging in such behavior,” said Jeff Seedman, senior partner at Finn Partners who leads the firm’s U.S. cybersecurity specialty group. “Employees often assume their personal devices are secure, but then neglect to update their software regularly or put any protection policies in place. This is a serious problem, especially if a device loaded with company data gets lost, stolen or hacked.”

Only 25 percent of employees said they receive “cyber hygiene” training on a monthly basis from their IT team. Cyber hygiene refers to the updating of operating systems on devices, checking for security patches, and changing passwords […] Read more »