The Troublemaker CISO: Getting Hacked
The Rant of the Day From Ian Keller, Security Director
Before we delve into getting hacked, I guess you will need my bona fides.
I have been in the InfoSec world for over 30 years, and I have worked in almost all verticals barring porn and automotive. I have been on both sides of the desk - as a consultant with the big audit firms and as CISO to numerous banks and group CISO to multinationals.
I have worked on all levels of business, and I most enjoy working at the executive level.
I have all the required industry certifications and a master’s degree in information systems management with a specialization in security. Currently I am working in the telecoms space, advising and guiding operators on cybersecurity and stuff.
During my time on the front lines - before security became sexy - I defended companies against all the good attacks – NIMDA, Code Red, SQL Slammer and Heartbleed. The list goes on and none of the companies I defended got hacked.
Yes, I might have been lucky but also I know what should be in place, because we pioneered everything that's relied on now to prevent hacks.
Now let's move on to my rant of the day.
Why We Get Hacked
Are we getting hacked because we now work remotely in the new normal? No, we're being hacked because we're not managing our risks and are being lazy - and because the CISO is not being heard.
Why do we say we manage risks when the evidence shows we don’t? It is more than fair to say that the CISO, CIO and CTO are accountable to ensure that the information and technology risks are properly defined, managed and reported.
That means that standards, processes and procedures that are geared toward reducing risk must be approved and followed. These include controls to stop shadow IT, which is most likely the biggest risk to business today.
Then there is the missing or unapplied default systems hardening or minimum secure baseline build per system class, role-based access control, centralized asset management, application and systems management controls - and the list goes on.
Think this through: To be hacked, you have to have skipped a step somewhere.
Yes, there are acts of God but those are few and far between. You installed hardware and software without following the approved secure configuration. Or worse - there is none, leaving the system with services running that are not needed and default user IDs and passwords.
Perhaps you commissioned a server onto the network without following proper deployment processes, i.e., plan, build, test, deploy - yes, with all the security gates in there. Or worse still - the proof-of-concept became production.
Systems maintenance, such as patching, is only done after the hack. Software and systems are not put through a stringent DEV/SIT/UAT process before going into production.
Identity management is not being done, role management even less so, and the principles of least access are haphazardly applied. "Position does not equal access" has fallen by the wayside. I could go on and on with the list of things that we are just too lazy to do or that we allow to be circumvented.
Have you ever wondered why the first questions asked by an auditor are: Where are your processes, policies and procedures documented? Who approved them? When were they last reviewed?
They ask those questions because they know the biggest risk is people, or as we put it, the “insider threat.” They also know that in 99% of the cases they will find that those processes, policies and procedures are not being followed.
Again: We are getting hacked because we are lazy and because we don’t manage the risks.
In the next post from The Troublemaker CISO, I will be on a rant about how the CISO role is misunderstood in business and what a CISO should be.
Ian Keller, who is director of security at a telecom company, is an information security evangelist with over 30 years of experience. He started his career in the South African Defense Force’s Combat School, where he served as an instructor in Army intelligence. Keller took this background into the corporate world and was instrumental in the creation of the global information security function for one of the country's Big Five banks. He subsequently was appointed as chief information security officer for one of South Africa's leading corporate and merchant banks.