The Job of Cybersecurity is Presently Addressed as an "Additional Duty"
By Paul Garrin, CIO Partner, Tatum, A Randstad Company
What I have seen as a CIO/CTO, and now as a C-Suite consultant, is that in mid-cap and small-cap organizations the job of Cybersecurity is presently addressed as an “additional duty” shared amongst groups or individuals within the IT organization. I have even seen some large-cap organizations treating Cybersecurity as an “additional duty” or relinquishing it to a consulting firm. In my opinion, when it comes to cyber risk, you can never outsource the responsibility.
Today, network administrators check their firewall logs periodically and conduct penetration tests on an ongoing basis. Web administrators review access from foreign countries and denial of service (DoS) attempts. Software is available to alert IT to potential hacks and DoS. The digital footprint of businesses and individuals has now expanded to the point where any interruption of computing, whether of a network, a server or even an individual’s laptop, can cost time and money. The mobile workforce is a growing trend, and their computers are constantly joining unsanitized Wi-Fi networks, which can introduce spyware and Trojans onto the corporate network once reattached. The reputation of the corporate IT department, and of the company in the press, may be jeopardized when an event is publicized.
In 2016, Hollywood Presbyterian Hospital paid $17,000 in ransom to regain access to files locked by ransomware. We saw an $81 million fraudulent transfer from Bangladesh Bank, which opened inquiries into authentication vulnerabilities in the SWIFT financial messaging service and may have exposed 11 other banks to similar attacks. Take, for example, the Ukraine attack, where a denial of service attack was able to black out Western Ukraine’s power grid. Security experts say that the Ukraine attack came after six months of reconnaissance following a break-in to the utility's network via a phishing attack. Of course, last year also saw the Democratic National Committee’s emails released into the public domain. The leadership of the aforementioned organizations all turned to their IT leadership and wanted to know, “How and why did you let this happen to us?”
In a mid-market organization the person responsible for Cybersecurity will have a team, but in a small-market organization this may be just one FTE, or part of an FTE, who holds the title IT Cybersecurity Officer. This title covers a subset of the duties of a Chief Information Security Officer, the senior-level IT executive responsible for developing and implementing an information security program, including the procedures and policies designed to protect enterprise communications, systems and assets from both internal and external threats. The CISO’s duties are very broad, and yes, this individual is also charged with the moves, adds and changes to company personnel’s access to e-mail, voicemail, and remote and local network access. In some organizations these internal changes can take up most of a person’s day, leaving no time to focus on external vulnerabilities.
The CIO needs to dedicate some dollars to get the Cybersecurity person or unit up and running with proper training. Of course, you can try to hire an individual. Although this new hire will have the learning curve of any new hire, he/she also brings new ideas to an organization. An existing IT employee should know the organization’s vulnerabilities, but without formal training this individual may not be sure how to reduce or eliminate them. I recommend having the Cybersecurity folks pursue their CISSP and the leader pursue the CISM certification.
I was recently at an IT conference with peers; the discussion quickly turned to Cybersecurity, and we started to whiteboard ways we could be more proactive in this area.
Here are some of the thoughts we discussed. IT could go on the offensive by testing employee knowledge of phishing: send a bogus email to select employees asking them to click on a URL in the email, which would send them to a harmless internal server. For the employees who notify the IT helpdesk immediately, a reward is given out. For those employees who do click on the link in the email, a Cybersecurity training session is required. One of my CIO colleagues already runs this process, and others commented that this was an excellent idea.
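Scoring such an exercise is where the value lies, so here is an added example (not the article's or any colleague's code) that combines two constructed feeds, the harmless internal landing page's access log and the helpdesk's phishing-report tickets, and applies the rule above: prompt reporters earn a reward, anyone who clicked is enrolled in training. The two-hour "immediately" window and all user names and timestamps are assumptions.

```python
# Added example (not from the article): scoring a phishing-awareness exercise.
# Two constructed feeds are combined: the harmless internal landing page's access
# log (who clicked, when) and the helpdesk queue (who reported, when). Prompt
# reporters earn a reward and anyone who clicked gets training; a user who
# clicks and then reports still needs training.
from datetime import datetime, timedelta

SEND_TIME = datetime.fromisoformat("2017-03-06T09:00:00")  # constructed send time
REPORT_WINDOW = timedelta(hours=2)   # assumed meaning of "immediately"

# Constructed sample data: recipients of the test mail, clicks, helpdesk reports.
RECIPIENTS = ["alice", "bob", "carol", "dave", "erin"]
CLICK_LOG = [("bob", "2017-03-06T09:14:02"), ("dave", "2017-03-06T09:20:45")]
HELPDESK_REPORTS = [
    ("alice", "2017-03-06T09:03:10"),
    ("dave", "2017-03-06T09:25:00"),   # reported only after clicking
    ("erin", "2017-03-06T16:40:00"),   # reported, but hours later
]

def earliest(events):
    """Map each user to the earliest timestamp among their (user, iso_ts) events."""
    first = {}
    for user, ts in events:
        t = datetime.fromisoformat(ts)
        first[user] = min(t, first.get(user, t))
    return first

def classify(recipients, clicks, reports, send_time=SEND_TIME, window=REPORT_WINDOW):
    """Return {user: 'reward' | 'training' | 'no_action'} for every recipient."""
    first_click, first_report = earliest(clicks), earliest(reports)
    outcomes = {}
    for user in recipients:
        if user in first_click:
            outcomes[user] = "training"    # clicked: training required regardless
        elif user in first_report and first_report[user] - send_time <= window:
            outcomes[user] = "reward"      # reported promptly without clicking
        else:
            outcomes[user] = "no_action"   # ignored the mail, or reported too late
    return outcomes

def summarize(outcomes):
    """Count outcomes so the exercise can be tracked from one run to the next."""
    counts = {"reward": 0, "training": 0, "no_action": 0}
    for outcome in outcomes.values():
        counts[outcome] += 1
    return counts
```

Tracking the `summarize` counts across repeated runs shows whether the training is actually lowering the click rate.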
Technical resumes are good, but many of today’s threats can generally be traced back to cyber adversaries who specialize in a particular industry within a geographic area. Understanding the industry and what to look for therefore makes sense. Attacking a U.S. bank demands language skills, business-process knowledge and regulatory knowledge that aren’t applicable to attacking banks outside of the U.S.
In the 1980s and early 1990s I worked for a Property and Casualty insurance company. As part of my employment I was required to take and pass two industry-specific property and casualty classes, called CPCU classes, per year until certified. CPCU stood for Chartered Property Casualty Underwriter. Of course, the naivety of IT folks, myself included, held that CPCU stood for “Can’t Produce and Can’t Underwrite.” This requirement came from the company’s CIO. Even back then, there were forward-thinking CIOs who knew that IT employees who understood the business were an asset to the organization. Today this proves itself in the Cybersecurity domain.
Another item we discussed was that in order to defend the data you need to think like your enemy. In healthcare, what would an enemy want? We saw ransomware at Hollywood Presbyterian Hospital. Would someone want to hack the food service system, or patient records, especially those of famous people? These threats come not only from external sources but also from internal employees.
In conclusion, having a Cybersecurity unit and/or person in place is a great way to be proactive about the imminent threats to your business. The number of threats that cybercriminals unleash continues to increase exponentially. Since any organization can be a prime target, it is vital to take all the necessary steps to safeguard business information, technologies and processes, and to build a Cybersecurity unit now, before your CEO and Board knock on your office door and ask the famous question: “How and why did you let this happen to us?”