In the last (maybe…) of my three-part CISO rant series (See Part One and Part Two if you want to catch up) I am going to wrap up with a rant about the 33% CISOs not giving their organisations of a full CISO role. These are the CISOs who think their role is solely about maintaining data confidentiality. They seem to have forgotten that there are two other pillars in the information security trifecta and pay lip service (at best) when dealing with issues concerning integrity and availability. The ironic thing is when looked at from a risk perspective, organisations may be haemorrhaging more money from integrity and availability issues than they ever will from a breach of confidentiality…here’s why…
CISO Role: But GDPR means we must focus on Confidentiality…
A major data breach is eye-catching, newsworthy. Boards are now sensitive to the effects of such a breach. Senior Management have read about the data breaches at Capital Onc and Equifax and are asking questions. They know the CEO and CIO at Target resigned after a major security breach and want to know if the same thing could happen to them. The new GDPR fines such as those about to be issued to Marriot and British Airways have also focussed attention at the senior level and so money is being allocated to Cyber Security at an unprecedented scale. BUT, where does all the money, time and resource end up? Yep, poorly deployed vanity tools aimed at trying to secure the organisation from a breach of confidentiality. A lot of it does seem to be GDPR panic even though Article 4(12) of GDPR makes it quite clear that a personal data breach is not just a loss of confidentiality. It’s:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;”
So that breach of security is more than just unauthorised disclosure and that fancy new SIEM is often not even set up to prevent the types of breach highlighted in bold text – destruction, loss, alteration. The 33% CISO doesn’t understand a breach isn’t just limited to data stolen by a hacker. There are plenty of other ways you can end up in a sticky situation with the ICO or in front of the Treasury Select Committee. A breach could just as easily be a primary storage failure combined with a failed backup regime causing a total loss of personal data. It could also be a corrupted SQL query which remaps all your customers’ details to different customers altogether. Mr Jones’s wife is now very perplexed as to why she has just taken receipt of her husband’s new silk negligee in a size that does not flatter her! These are examples of availability and integrity issues relating to personal data but there are plenty of others. How much time, money and resource are being spent making sure these risks are managed?
CISO Role: The only thing certain is change…will be the root cause of most outages!
Just as often as a breach in confidentiality appears in the headlines so too do breaches in availability. Only last week the London Stock Exchange was forced to delay opening for nearly two hours on a day where European stocks were rallying – due to an ‘ahem’ technical issue. RBS have recently had to appear in front of the Treasury Select Committee to explain ‘in addition to a litany of IT failures’ why new technical failures left millions of users locked out of their accounts. These are the major breaches affecting significant volumes of customers but the reality is there are outages occurring daily in an IT department near you. Why do they happen? The main cause is poorly controlled change management. In the thousands of incidents I have been involved in managing, well over 80% can be traced back to the following:
“Incorrectly administered change”
Read some of the articles discussing the root cause of a major system outage and it will typically be an upgrade that didn’t go as planned, or a patch applied and no-one realised the system needed to be restarted. Why does this happen? Often, usually down to resource pressures (and sometimes just incompetence) there as either a token nod to filling out the planning section of a change record. Too frequently there is no real plan at all and the words ‘we’ll roll back if it doesn’t work’. When there is a toll-back plan, they are often not tested and the impact of minor system interdependencies are not fully (or at all) understood.
Why isn’t more of a thing made of these failures in change governance? The main reason is they just don’t get called out as security incidents because the 33% CISO doesn’t think system outages that didn’t originate from a hacker have anything to do with their world. The 33% CISO doesn’t make sure someone from Information Security is represented in the change management process. Sure the 33% CISO may look at the change record if it relates to a firewall change request or similar but general changes to technology infrastructure outside the security apparatus may never get seen by anyone from infosec (1st or 2nd Line). The 33% CISO has not educated their organisation what is and isn’t an information security incident and then put in place measures to fix the root cause – poor change management practices. And if the CISO isn’t providing the governance – who is?!
BTW, and for clarity:
“When it comes to a system outage, if the outage affected the availability of a system, to those who have a legitimate need to access that system, it’s plain and simply an information security incident.”
It does not require the system to be hacked, for data to be lost, or data to be corrupted before it becomes a security incident. The lack of availability is enough on its own. CISOs must, therefore, ensure these incidents are captured so that something can be done about poor change management – it’s costing organisations £millions!
CISO Role: A King’s Ransom(ware)…
Then there is ransomware causing both availability and integrity issues. If some data is lost the integrity of other datasets can become quickly affected. In some cases, it can cause whole organisations to shut down even if no personal data is involved. In March this year Norweigan company Norsk Hydro was reported to have amassed losses of $40million in lost revenue in just one week because of a crippling ransomware infection. Two years earlier Maersk fell foul of NotPetya which is estimated to have cost them around $200million. These losses were not to shell out for customer compensation or to pay for identity protection. These losses weren’t even to pay for regulatory fines. These losses were because they couldn’t function as a business just doing what they do. Whether that be logistics and shipping, banking, mining or petrochemicals, every business now relies heavily on technology. The reason these disruptions are still occurring – because there wasn’t the correct level of focus on managing the risks relating to the integrity and availability of systems!
CISO Role: How much of your business runs on Spreadsheets…
Integrity issues can have significant impacts on your business. In 2017 Eskom (a South African Utility Company) made a R1.5billion (~£80million) spreadsheet error which luckily was discovered before any money had to be paid out. Conviviality, who own Bargain Booze, blamed a shock profit warning on a spreadsheet arithmetic error made by a member of its finance team. Conviviality’s chief executive Diana Hunter stepped down amid criticisms of a lack of systems and controls. Where was the CISO? Who, if anyone, was managing this risk because this is most certainly a CISO role.
Imagine this for a second…hacktivists write exploits that go through all your organisation’s spreadsheets and just make subtle changes to formulas and macros. Nothing immediately noticeable. Imagine they specifically targetted the risk models of financial institutions or subtly altered the code of third-party open-source machine learning libraries as part of a supply chain attack. Is anyone taking ownership of the integrity of these non-standard data sources? Do they include end-user computing applications that do not contain personal data? The 33% CISO certainly isn’t because model-risk is not in their scope.
CISO Role: Stop being so one dimensional!
Information Security is multi-dimensional. It’s not just preserving the confidentiality of personal data as the 33% CISO seems to think. It’s about protecting all your business data and all your business systems. It’s not about just stopping malicious hackers and disgruntled employees, it’s about protecting the overworked network engineer and the busy finance team from their inevitable human errors too.
The CISO role must understand their business, from Finance to the Front Office and beyond. They must take a holistic approach to information security and not just focus on confidentiality. CISOs need to take a balanced risk-based approach and employ mitigation techniques which in addition to preserving the confidentiality of all datasets and systems, also preserve data integrity and keep systems up and running when organisations need them to be up and running. CISOs, who are only spending their time managing 33% of the risk, are not helping their senior leaders make informed decisions – and, as with Maersk and Conviviality, some organisations are only going to find that out when it’s too late!
If you need help understanding the integrity and availability risks in your business get in touch and let us show you how we can help.
About the Author:
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy, which in addition to providing coaching to InfoSec leaders on strategy development, provides a Security Advisory Service for CISOs a vCISO service for Non-CISOs and Data Protection as a Service. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook
About Fox Red Risk:
Fox Red Risk is a boutique data protection and cybersecurity consultancy which, amongst other things, helps client organisations with educating their senior management teams about strategic cybersecurity issues such as those described in this article. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
22301 22301:2019 article 28 awareness bcms BIA business continuity calculating risk change management ciso controller cybersecurity data breach data privacy Data Protection data protection by design data protection officer data protection service Data Subject Access Request DPO DSAR GDPR incident management information security leadership monitoring operational resilience Outsourced DPO Privacy processor risk risk appetite risk management ROI security security as a service small business strategic strategy Subject Access Request tools training transparency vciso virtual ciso