ISACA Now Blog

Knowledge & Insights > ISACA Now > Posts > When it Comes to Cyber Risk, Execute or Be Executed!

When it Comes to Cyber Risk, Execute or Be Executed!

Brigadier General, USAF (ret) Gregory Touhill, CISSP, CISM, Former US CISO, President, Cyxtera Federal Group
| Posted at 3:07 PM by ISACA News | Category: Security | Permalink | Email this Post | Comments (3)

Gregory TouhillNestled in William Craig’s book Enemy at the Gates, which recounts World War II’s epic Battle of Stalingrad, is the story about a Soviet division that was plagued by failure in the face of the enemy. Desertions were rising, officers’ orders were not being followed, and the invading enemy was making gains. Faced with this calamitous condition, the regimental commander called the troops into formation and let them know that collectively, they were failing and would be held responsible. Then, in an outrageously cold manner, he walked through the ranks and summarily executed every 10th soldier until six soldiers lay dead on the field. He got their attention, and the unit was instrumental in the subsequent Soviet counterattack that led to victory against the Nazi invaders.

Obviously, I do not support such extreme and violent methods of accountability, yet the example does make you pay attention. As we grapple with today’s digital “enemy at the gates” or even the “enemy inside the gates,” the importance of accountability for failure to properly protect the information our national prosperity and security depends on has never been more important. Firing CEOs and CIOs is typically a public gesture enacted to diffuse blame rather than address the root causes. Sadly, accountability and ownership often are missing components in cyber strategies and risk management planning at a time when risks are ever-increasing. Therefore, it is critically important that all organizations better manage cyber risk by embracing a culture of accountability and ownership that guides the implementation of due care and due diligence measures.

I define due care as “doing the right things” and due diligence as “doing the right things right.” Unfortunately, I’ve found too many organizations where due care and due diligence are not occurring. For example, ask most cyber incident responders about the root cause of cyber incidents and they likely will sigh and point to the “usual suspects” – failure to patch, misconfigured systems, failure to follow established policies, misuse of systems, lack of training, etc. As someone who led incident responders in both military and civilian government organizations, I found one of the great frustrations of cyber professionals is when they see leadership ignoring or tolerating the so-called “usual suspects” and not holding people accountable for a glaring lack of due care and due diligence.

While many media reports these days focus on the very real and present threat of well-funded nation-state actors, I contend that the greatest cyber threat we all face is what I refer to as the “Careless, Negligent and Indifferent” in our own ranks. Failing to properly configure a system so that it exposes information to unauthorized personnel is an example of carelessness. Failing to patch critical vulnerabilities quickly or implement additional compensating controls until the patch is ready for promotion could be considered negligence. Failure by personnel indifferent about following established policies such as prohibiting password-sharing exposes organizations to increased cyber risk. While nation-state actors get all the hype, I contend that more than 95% of all cyber incidents are preventable and are the result of the Careless, Negligent and Indifferent in our own ranks. We should not accept this!

Do we need more legislation, regulation or policies to thwart the threat posed by the Careless, Negligent and Indifferent? Do we need to continue our habit of buying the next neat technology in hopes that its “silver bullet” defense will save the day? I don’t think so. I believe what is needed is to execute our existing policies better and hold those who do not follow those policies accountable. While we can’t eliminate our cyber risks, we certainly can reduce our risk exposure by executing our plans, policies and procedures with greater velocity and precision. When we do so, we are exercising due care and due diligence that protects our brands, reputations, customer data, intellectual property, corporate value, etc.

Accountability must be clearly defined, especially in strategies, plans and procedures. Leaders at all levels need to maintain vigilance and hold themselves and their charges accountable to execute established best practices and other due care and due diligence mechanisms. Organizations should include independent third-party auditing and pen-testing to better understand their risk exposure and compliance posture. Top organizations don’t use auditing and pen-testing for punitive measures, but rather, to find weaknesses that should be addressed. Often, they find that personnel need more training, and regular cyber drills and exercises to get to a level of proficiency commensurate with their goals. Those organizations that fail are those that do not actively seek to find weaknesses or fail to address known weaknesses properly.

Sound execution of cyber best practices buys down your overall risk. With today’s national prosperity and national security reliant on information technology, the stakes have never been higher.

Copy Item to All Language Codes
Lists/SqtResources/AllItems.aspx
0x0
0x0
ContentType
0x01009AF1BC4E56474a80B49512D1B30D6EEC
225
Manage Subscriptions
/_layouts/images/ReportServer/Manage_Subscription.gif
/Knowledge-Center/Blog/_layouts/ReportServer/ManageSubscriptions.aspx?list={ListId}&ID={ItemId}
0x80
0x0
FileType
rdl
350
Manage Data Sources
/Knowledge-Center/Blog/_layouts/ReportServer/DataSourceList.aspx?list={ListId}&ID={ItemId}
0x0
0x20
FileType
rdl
351
Manage Parameters
/Knowledge-Center/Blog/_layouts/ReportServer/ParameterList.aspx?list={ListId}&ID={ItemId}
0x0
0x4
FileType
rdl
352
Manage Processing Options
/Knowledge-Center/Blog/_layouts/ReportServer/ReportExecution.aspx?list={ListId}&ID={ItemId}
0x0
0x4
FileType
rdl
353
View Report History
/Knowledge-Center/Blog/_layouts/ReportServer/ReportHistory.aspx?list={ListId}&ID={ItemId}
0x0
0x40
FileType
rdl
354
View Dependent Items
/Knowledge-Center/Blog/_layouts/ReportServer/DependentItems.aspx?list={ListId}&ID={ItemId}
0x0
0x4
FileType
rsds
350
Edit Data Source Definition
/Knowledge-Center/Blog/_layouts/ReportServer/SharedDataSource.aspx?list={ListId}&ID={ItemId}
0x0
0x4
FileType
rsds
351
View Dependent Items
/Knowledge-Center/Blog/_layouts/ReportServer/DependentItems.aspx?list={ListId}&ID={ItemId}
0x0
0x4
FileType
smdl
350
Manage Tapthrough Reports
/Knowledge-Center/Blog/_layouts/ReportServer/ModelTapThrough.aspx?list={ListId}&ID={ItemId}
0x0
0x4
FileType
smdl
352
Manage Model Item Security
/Knowledge-Center/Blog/_layouts/ReportServer/ModelItemSecurity.aspx?list={ListId}&ID={ItemId}
0x0
0x2000000
FileType
smdl
353
Regenerate Model
/Knowledge-Center/Blog/_layouts/ReportServer/GenerateModel.aspx?list={ListId}&ID={ItemId}
0x0
0x4
FileType
smdl
354
Manage Data Sources
/Knowledge-Center/Blog/_layouts/ReportServer/DataSourceList.aspx?list={ListId}&ID={ItemId}
0x0
0x20
FileType
smdl
351
Load in Report Builder
/Knowledge-Center/Blog/_layouts/ReportServer/RSAction.aspx?RSAction=ReportBuilderModelContext&list={ListId}&ID={ItemId}
0x0
0x2
FileType
smdl
250
Edit in Report Builder
/_layouts/images/ReportServer/EditReport.gif
/Knowledge-Center/Blog/_layouts/ReportServer/RSAction.aspx?RSAction=ReportBuilderReportContext&list={ListId}&ID={ItemId}
0x0
0x4
FileType
rdl
250
Edit in Browser
/_layouts/images/icxddoc.gif
/Knowledge-Center/Blog/_layouts/formserver.aspx?XsnLocation={ItemUrl}&OpenIn=Browser
0x0
0x1
FileType
xsn
255
Edit in Browser
/_layouts/images/icxddoc.gif
/Knowledge-Center/Blog/_layouts/formserver.aspx?XmlLocation={ItemUrl}&OpenIn=Browser
0x0
0x1
ProgId
InfoPath.Document
255
Edit in Browser
/_layouts/images/icxddoc.gif
/Knowledge-Center/Blog/_layouts/formserver.aspx?XmlLocation={ItemUrl}&OpenIn=Browser
0x0
0x1
ProgId
InfoPath.Document.2
255
Edit in Browser
/_layouts/images/icxddoc.gif
/Knowledge-Center/Blog/_layouts/formserver.aspx?XmlLocation={ItemUrl}&OpenIn=Browser
0x0
0x1
ProgId
InfoPath.Document.3
255
Edit in Browser
/_layouts/images/icxddoc.gif
/Knowledge-Center/Blog/_layouts/formserver.aspx?XmlLocation={ItemUrl}&OpenIn=Browser
0x0
0x1
ProgId
InfoPath.Document.4
255
View in Web Browser
/_layouts/images/ichtmxls.gif
/Knowledge-Center/Blog/_layouts/xlviewer.aspx?listguid={ListId}&itemid={ItemId}&DefaultItemOpen=1
0x0
0x1
FileType
xlsx
255
View in Web Browser
/_layouts/images/ichtmxls.gif
/Knowledge-Center/Blog/_layouts/xlviewer.aspx?listguid={ListId}&itemid={ItemId}&DefaultItemOpen=1
0x0
0x1
FileType
xlsb
255
Snapshot in Excel
/_layouts/images/ewr134.gif
/Knowledge-Center/Blog/_layouts/xlviewer.aspx?listguid={ListId}&itemid={ItemId}&Snapshot=1
0x0
0x1
FileType
xlsx
256
Snapshot in Excel
/_layouts/images/ewr134.gif
/Knowledge-Center/Blog/_layouts/xlviewer.aspx?listguid={ListId}&itemid={ItemId}&Snapshot=1
0x0
0x1
FileType
xlsb
256

Comments

Very Informative

Very informative and well written blog :)

I do believe top down approach may be followed in terms of accountability/ ownership of every resource. It will definitely help in strengthen the security of an organization.

SMAH at 2/14/2018 6:51 AM

Very Informative

Very informative and well written blog :)

I do believe top down approach may be followed in terms of accountability/ ownership of every resource. It will definitely help in strengthen the security of an organization.

SMAH at 2/14/2018 6:52 AM

Due care and due diligence, where the buck stops

General Touhill, With great respect Sir, I too have been on the front lines as well as in Senior management. Too include being a veteran (albeit not at your rank). I have found many organizations choose to not use due care and due diligence at the most senior levels regardless of being told of vulnerabilities.

I too have run SOC's and have been a vulnerability manager to be told the priorities are to keep the lights on or not interrupt production. As leaders, we bear the ultimate responsibility to report the risk to the CEO and reduce the exposure after leaders make the call. Blaming subordinates in my humble opinion lacks credibility.

We all are responsible and need to address not only the risk of business interruption but mitigate risk when we consciously decide not to act to close open issues. I do agree this is an important conversation to have and offer my opinion with upmost respect.
Donald831 at 2/21/2018 3:22 PM
Copy Item to All Language Codes
Lists/SqtResources/AllItems.aspx
0x0
0x0
ContentType
0x01009AF1BC4E56474a80B49512D1B30D6EEC
225
Manage Subscriptions
/_layouts/images/ReportServer/Manage_Subscription.gif
/Knowledge-Center/Blog/_layouts/ReportServer/ManageSubscriptions.aspx?list={ListId}&ID={ItemId}
0x80
0x0
FileType
rdl
350
Manage Data Sources
/Knowledge-Center/Blog/_layouts/ReportServer/DataSourceList.aspx?list={ListId}&ID={ItemId}
0x0
0x20
FileType
rdl
351
Manage Parameters
/Knowledge-Center/Blog/_layouts/ReportServer/ParameterList.aspx?list={ListId}&ID={ItemId}
0x0
0x4
FileType
rdl
352
Manage Processing Options
/Knowledge-Center/Blog/_layouts/ReportServer/ReportExecution.aspx?list={ListId}&ID={ItemId}
0x0
0x4
FileType
rdl
353
View Report History
/Knowledge-Center/Blog/_layouts/ReportServer/ReportHistory.aspx?list={ListId}&ID={ItemId}
0x0
0x40
FileType
rdl
354
View Dependent Items
/Knowledge-Center/Blog/_layouts/ReportServer/DependentItems.aspx?list={ListId}&ID={ItemId}
0x0
0x4
FileType
rsds
350
Edit Data Source Definition
/Knowledge-Center/Blog/_layouts/ReportServer/SharedDataSource.aspx?list={ListId}&ID={ItemId}
0x0
0x4
FileType
rsds
351
View Dependent Items
/Knowledge-Center/Blog/_layouts/ReportServer/DependentItems.aspx?list={ListId}&ID={ItemId}
0x0
0x4
FileType
smdl
350
Manage Tapthrough Reports
/Knowledge-Center/Blog/_layouts/ReportServer/ModelTapThrough.aspx?list={ListId}&ID={ItemId}
0x0
0x4
FileType
smdl
352
Manage Model Item Security
/Knowledge-Center/Blog/_layouts/ReportServer/ModelItemSecurity.aspx?list={ListId}&ID={ItemId}
0x0
0x2000000
FileType
smdl
353
Regenerate Model
/Knowledge-Center/Blog/_layouts/ReportServer/GenerateModel.aspx?list={ListId}&ID={ItemId}
0x0
0x4
FileType
smdl
354
Manage Data Sources
/Knowledge-Center/Blog/_layouts/ReportServer/DataSourceList.aspx?list={ListId}&ID={ItemId}
0x0
0x20
FileType
smdl
351
Load in Report Builder
/Knowledge-Center/Blog/_layouts/ReportServer/RSAction.aspx?RSAction=ReportBuilderModelContext&list={ListId}&ID={ItemId}
0x0
0x2
FileType
smdl
250
Edit in Report Builder
/_layouts/images/ReportServer/EditReport.gif
/Knowledge-Center/Blog/_layouts/ReportServer/RSAction.aspx?RSAction=ReportBuilderReportContext&list={ListId}&ID={ItemId}
0x0
0x4
FileType
rdl
250
Edit in Browser
/_layouts/images/icxddoc.gif
/Knowledge-Center/Blog/_layouts/formserver.aspx?XsnLocation={ItemUrl}&OpenIn=Browser
0x0
0x1
FileType
xsn
255
Edit in Browser
/_layouts/images/icxddoc.gif
/Knowledge-Center/Blog/_layouts/formserver.aspx?XmlLocation={ItemUrl}&OpenIn=Browser
0x0
0x1
ProgId
InfoPath.Document
255
Edit in Browser
/_layouts/images/icxddoc.gif
/Knowledge-Center/Blog/_layouts/formserver.aspx?XmlLocation={ItemUrl}&OpenIn=Browser
0x0
0x1
ProgId
InfoPath.Document.2
255
Edit in Browser
/_layouts/images/icxddoc.gif
/Knowledge-Center/Blog/_layouts/formserver.aspx?XmlLocation={ItemUrl}&OpenIn=Browser
0x0
0x1
ProgId
InfoPath.Document.3
255
Edit in Browser
/_layouts/images/icxddoc.gif
/Knowledge-Center/Blog/_layouts/formserver.aspx?XmlLocation={ItemUrl}&OpenIn=Browser
0x0
0x1
ProgId
InfoPath.Document.4
255
View in Web Browser
/_layouts/images/ichtmxls.gif
/Knowledge-Center/Blog/_layouts/xlviewer.aspx?listguid={ListId}&itemid={ItemId}&DefaultItemOpen=1
0x0
0x1
FileType
xlsx
255
View in Web Browser
/_layouts/images/ichtmxls.gif
/Knowledge-Center/Blog/_layouts/xlviewer.aspx?listguid={ListId}&itemid={ItemId}&DefaultItemOpen=1
0x0
0x1
FileType
xlsb
255
Snapshot in Excel
/_layouts/images/ewr134.gif
/Knowledge-Center/Blog/_layouts/xlviewer.aspx?listguid={ListId}&itemid={ItemId}&Snapshot=1
0x0
0x1
FileType
xlsx
256
Snapshot in Excel
/_layouts/images/ewr134.gif
/Knowledge-Center/Blog/_layouts/xlviewer.aspx?listguid={ListId}&itemid={ItemId}&Snapshot=1
0x0
0x1
FileType
xlsb
256
You must be logged in and a member to post a comment to this blog.