In September 2017, Equifax admitted it had been hacked. The breach of sensitive information affected 145.5 million people, with those behind the hack accessing user data including tax identification numbers, Social Security numbers, birth dates, addresses, driver’s licence numbers, and credit card information.
Equifax chairman and chief executive Richard Smith stepped down from the embattled credit rating agency days after the breach was admitted. Facing a US House Committee a month later, Smith accepted responsibility for the breach, saying “I was ultimately responsible for what happened on my watch”.
SEE: Information security incident reporting policy (Tech Pro Research)
Speaking at the Gartner Symposium/ITXpo on the Gold Coast in Australia last month, Gartner VP Paul Proctor said the former CEO set a precedent when he left. Proctor expects it will be a trend likely to continue as more breaches emerge.
Here are eight reasons why.
That server that never gets patched
“Another way to say this is: Invisible systemic risk,” Proctor explained.
It’s the idea that an important process demands a system stay online at all times because it supports core business functions.
“The problem with this is, is that there is a business executive that is making that call–it’s not security people–those people don’t really have an understanding of the security,” Proctor said.
“This is happening across the organisation from systems not being patched to security being gotten around by the people inside the organisation. Security people might know about this, but the problem is it’s invisible because you’re not telling anybody about this properly.”
The cultural disconnect
The cultural disconnect can best be described as treating security purely as a technical problem handled by technical people and as a result buried in IT.
“They treat you like wizards. They give you some money, you cast some spells, the organisation is protected, and if something goes wrong, you must be to blame,” Proctor said.
“Why has no IT executive ever asked you to build a secure system? Because what idiot would build an insecure system? The problem is that if we told them that building a secure system cost twice the budget and would extend the schedule by twice as much–we don’t tell them about that and they don’t pay attention to that.”
He said it’s a shame that too often security folk would approach an average non-IT executive, telling them there was a problem with patching and they would be dismissed and have their ability questioned by asking why it isn’t fixed.
“All of this cultural disconnect leads to poor investment decisions, poor priorities … and this also leads to the idea of: ‘Well, I trusted the security people to get this right’,” he added.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the PDF version (TechRepublic)
Throwing money at the problem
“It is actually possible to overprotect the organisation,” he said.
“I would say [overspending leads to] inappropriate investment decisions, because it’s not always about spending too little, sometimes it’s about spending too much in the wrong areas.”
The outdated approach boards had of doubling or tripling investment and pushing security to the back of their minds is no longer acceptable.
“The truth is you’re not going to be perfectly protected if you do that, what you are going to start doing is damage the ability of the organisation to function,” Proctor explained. “Basically for a CEO, spending a bunch of money to impact negatively on your business operations and your business outcomes is not the winning formula.”
Your security officer is the defender of the organisation
“I have been a security person for 30 years, so I can say this: Security people can be annoying–they’re the ‘no’ people, they walk in and they say: ‘Look, I was brought in to protect the organisation so no, you can’t do that’,” Proctor said.
“The first line in most security charters is the purpose of this charter is to protect the organisation from all types of threats etc., etc., so what this does is engender a lot of telling people what they can do and what they can’t do and that has never worked in the history of organisations and yet it creates an awful lot of problems.”
Putting security people in charge of protecting business outcomes they don’t understand yet still telling people what to do is not appropriate.
SEE: You’ve been breached: Eight steps to take within the next 48 hours (free PDF) (TechRepublic)
Accountability is broken
According to Proctor, giving executives a risk acceptance form is basically a get out of jail free card.
“Everybody has some sort of form that they tell executives to sign–they don’t care … just tell me where to sign,” he said.
Sharing an anecdote of an executive from a bank in Canada not wanting to apply 2FA to a customer-facing application because it would ruin the customer experience, Proctor said it’s tricky to appropriately delegate accountability.
“That person almost certainly has the authority to stop that. Ironically, it’s probably the right business decision,” he said. “The problem is that person only owns the customer experience, they own nothing to do with the security of the organisation, so their decision is made with that perspective–no accountability for it.”
Risk tolerance and appetite are fluffy
Proctor said because accountability is broken, organisations end up with similar inconsiderate engagements of risk.
“Everybody is creating risk appetite statements and they all tend to say: ‘Yeah we’ll do risk around here’,” he said.
This is usually seen within an organisation when someone approaches the board with a great idea for an app, with a short go-live time, and the board wants it to happen as soon as possible.
“This idea that we’re going to walk around and say we only accept low risk and then engage in activities that are actually pretty risky,” Proctor said.
“Society, when they see these breaches … society just wants heads to roll,” Proctor said.
He said it’s contradictory to accept the physical security steps in place at a branch, but treat the online realm differently.
“When a bank gets robbed, society understands that for a bank to operate it has to have big glass doors that open wide and they have to have people … have huge sums of cash on hand–society understands that occasionally someone with a gun is going to say: ‘Fill a bag with money’,” he explained.
“Society is okay with that because we exhibit sympathy for the people at the bank. Cybersecurity not so much.
“The first question that arises when cybersecurity has a problem is somebody screwed up. This is because we treat cybersecurity like a black box and until we change the conversation, until we start talking about the fact that to use data we actually have to make it open and that leads to problems sometimes nothing is going to change.”
“Many organisations don’t want to be transparent about these things, they want to hide them, put it in the legal department so it’s under attorney-client privilege,” Proctor explained, noting also that means no disclosure externally and potentially internally is required.
“This is a pretty huge reason that we end up with poor decisions about priorities and levels of investment.”
The CEO is responsible for everything that goes on within an organisation, so if any of the eight reasons Proctor listed occur within an organisation, and a breach ensues, the CEO should be asked to leave.
- Equifax has spent $242.7 million on its data breach so far (ZDNet)
- Equifax ex-chief admits responsibility ‘starts at the top’ for devastating data breach (ZDNet)
- Why the Equifax breach could force executives to finally take cybersecurity seriously (TechRepublic)
- How to calculate the cost of data breaches (TechRepublic)