Hello? Hello? Is anyone listening?
The cyber pot is boiling, but the management frogs are not reacting
The weekly Security Affairs newsletter is a great information resource for all security professionals. It summarizes the leading stories from the cybersecurity world for the past week, highlighting the latest breaches, incidents, vulnerabilities, and legislation, as well as the latest cyber response actions by legal authorities. This week’s newsletter highlighted 58 major stories on the progress of the cyber war over the last week. And it is like this EVERY SINGLE WEEK.
The real story here is the relentless nature of the cyber threat, which most management and board members are unaware of. While they may see the headlines when a global corporation is compromised, or be alerted by their Information Technology (IT) or Information Security (IS) leaders when a critical supplier is breached, I doubt that they are aware of the intensity of the battle that is constantly going on around them.
If the board and management were to receive this newsletter, and if they did not immediately panic and drive their IT/IS teams crazy with requests on the status of all the issues highlighted, they might start to appreciate the scope and scale of the cybersecurity challenges that their teams face daily. It is relentless and ever-growing; all the IT/IS teams can do is try to bail faster to keep the corporate ship afloat, hoping they are not torpedoed while still aboard.
So what can management and the board do with this knowledge, should they receive it? First, realize that cybersecurity threats are real, that a war is being fought which your IT/IS teams are working hard to address, and that those teams need management’s and the board’s support to survive the battle. It is not just a matter of more technology or more resources; often, the biggest thing that management can do to help is to realize the seriousness of the threat and prioritize cyber risk properly against other business initiatives.
Is the company really so desperate for the rollout of the latest business solution or tool that it cannot afford to wait a moment so that its existing technology can be properly configured, inventoried, patched and monitored? Far too many organizations treat IT as if it were a car that could go anywhere and never needed its oil changed or tires replaced. Just as with your personal car, that strategy will work, until suddenly it doesn’t.
If you would like to learn more, the book Heuristic Risk Management explains these issues in more depth and details how you can protect your organization by adding cyber risk to your business’ dashboard of priorities.