Security professionals are a smart, resilient group. Whether it is dealing with the constant barrage of threats from hackers, software vulnerabilities, privacy concerns, or compliance activities, security professionals are generally in a constant state of learning from on-the-job experience, technical books, journals, and conferences. However, I have often wondered how many security professionals have an opportunity to reach the C-suite. Certainly, the CISO position has increased in importance and relevance over the last several years, but I am not sure it is a path to the CEO role. There is also no generally accepted reporting structure for the CISO – is this a technical position reporting to the CIO, a financial position reporting to the CFO, or a strategic position with a line to the Board?
An Ode to Narcotics
I admit, the title of this blog was written to grab your attention. But it was also legitimately inspired by recent personal events. About a month ago, my daughter underwent shoulder surgery, and given her multiple shoulder injuries over the years, it was an extensive procedure that involved bone grafts and several medical terms I don’t understand and can’t pronounce (or spell). We brought her home with a collection of Schedule II narcotics that would make the members of Aerosmith (circa 1978) salivate.
When most of us think of our vendors handling sensitive information, we tend to gravitate toward the obvious: the payroll processing company, our contracts law firm, our accounting firm with our financial data, or the patent law firm with all our intellectual property. Frankly, the company that builds and maintains the company website isn’t typically top of mind.
Ask the Australian Red Cross if they agree.
In a way, the Sony breach was really good for the cyber security community. A watershed moment in the industry’s history, it began a transformation from infosec as a compliance requirement – a nuisance – to a legitimate enterprise need, right up there with sales and product development (well, not exactly, but you get the idea). It prompted increased investment in infosec technologies (e.g. SIEM), and accelerated the development of new ones (e.g. UBA).
But, I’m afraid, it was not so good for the third party risk community.
“But Jeff. That’s silly. After Sony – and on the heels of Target especially – regulatory organizations and companies alike began to appreciate the importance of their vendors’ information security.”
My point exactly.
It’s a foundational principle of all football offensive coordinators: if something is working, keep running it until the defense proves they can stop it. Your top wide receiver is consistently beating the opponent’s rookie cornerback? Keep throwing to him. Your offensive line is opening holes that result in 7 yards a carry every play? Keep running the football. Unfortunately, cyber criminals have learned the same lesson.
A recent report from the Anti-Phishing Working Group (APWG) noted a 61% quarter-over-quarter increase in phishing attacks from the first quarter to the second in 2016. The number of attacks from January through March was 289,371, while the number grew to 466,065 in the following three months.
Because if you spot a weakness in your opponent, keep exploiting it until they show they can stop it. Phishing is all the rage among the bad guys… because it works.