July 31, 2019|
Blog Series: Defensible Security – Lessons from an Epic Fail
This is the first blog in a three-part series that focuses on defensible security, and more specifically, defensible audit. What exactly makes security “defensible”? The simplest explanation is this: a defensible security program is one that can answer the stakeholder question, “Is the organization doing enough to protect its data and information resources, and can we defend our choices in the event of an incident?”
What Brings Us Here
July proved to be the month of massive compliance penalties. The UK’s data protection authority, the ICO, announced its intention to fine British Airways £183 million (roughly $230 million). And Equifax agreed to a settlement of up to $700 million with the FTC, the CFPB and the states, the largest data breach settlement in US history at the time. That amount is as much as 20% of Equifax’s 2018 revenue of $3.41 billion.
What’s the common result? For several years now, we’ve seen an increase in the number of chief executives either resigning or being fired after their company suffered a data breach. In fact, research shows that twice as many CEOs are being fired over cybersecurity incidents as CIOs or CISOs. It’s happening so often that the public is becoming numb to news like this; it’s even expected.
According to Gartner, by 2022, 50% of CEOs who lack cybersecurity postures that are defensible to their key stakeholders will be fired following material breach incidents that impact greater than 25% of their customer base.
Consider the track record:
- In March of 2017, Yahoo!’s general counsel resigned over the company’s breaches and its CEO forfeited her annual bonus and equity award.
- In September of 2017, the CEO, CIO and CSO of Equifax stepped down.
- In November of 2017, Uber disclosed its 2016 data breach and fired its Chief Security Officer.
- The CSO and CISO of JPMorgan Chase were reassigned in 2015, following the bank’s 2014 data breach.
- Home Depot’s CEO stepped down in the wake of its 2014 data breach (his retirement had been announced shortly before the breach was disclosed).
- The CIO and CEO of Target both resigned in 2014, following the massive data breach of late 2013.
The Epic Fail of Equifax
Equifax is perhaps one of the best examples of an indefensible situation. In 2017, Equifax was breached through a vulnerability in a third-party library its applications depended on: Apache Struts, an open source MVC framework for Java that helps developers build complex applications by reusing components for common tasks. The flaw, CVE-2017-5638, was disclosed and patched by the Struts project in March of 2017. Equifax failed to remediate; attackers began exploiting the unpatched system in May, Equifax discovered the intrusion at the end of July, and it disclosed the breach publicly in September of that year.
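The failure described above is a known-vulnerable third-party dependency left in place for months. The check a practitioner would want is a scripted one that runs on every build, not a one-time audit. The following is an added example, not code from the original post or from Equifax, and the dependency listing it scans is constructed for the example. It reads lines in the `group:artifact:packaging:version:scope` shape that `mvn dependency:list` prints and flags `struts2-core` versions inside the ranges affected by CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, per the Apache security bulletin; fixed in 2.3.32 and 2.5.10.1). The artifact name and the affected ranges are real; everything else about the build is assumed.

```python
"""Flag Apache Struts dependencies in the version range affected by
CVE-2017-5638 (S2-045), the flaw exploited at Equifax.

Affected ranges per the Apache bulletin: 2.3.5 - 2.3.31 and 2.5 - 2.5.10;
fixed in 2.3.32 and 2.5.10.1. The vulnerable code lives in struts2-core
(the Jakarta multipart parser), so that is the artifact we key on.
"""
import re
from typing import List, Optional, Tuple

# Inclusive (lower, upper) bounds of the affected versions, as integer tuples.
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
]

# Maven coordinates (group:artifact) that carry the vulnerable parser.
STRUTS_ARTIFACTS = {"org.apache.struts:struts2-core"}


def parse_version(ver: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). Qualifiers such as '-SNAPSHOT' are dropped."""
    m = re.match(r"(\d+(?:\.\d+)*)", ver)
    if not m:
        raise ValueError(f"unparseable version: {ver!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range.

    Python compares tuples element by element and treats a shorter tuple as
    smaller when it is a prefix, so (2, 5) <= (2, 5, 3) and
    (2, 5, 10, 1) > (2, 5, 10): the 2.5.10.1 fix is correctly excluded.
    """
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def parse_dependency_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (group:artifact, version) for a `mvn dependency:list` line, else None."""
    m = re.search(r"([\w.\-]+):([\w.\-]+):([\w\-]+):([\w.\-]+)(?::\w+)?", line)
    if not m:
        return None
    return f"{m.group(1)}:{m.group(2)}", m.group(4)


def find_vulnerable_struts(lines: List[str]) -> List[Tuple[str, str]]:
    """Scan dependency-list output and return (coordinate, version) pairs to fix."""
    hits = []
    for line in lines:
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        coord, version = parsed
        if coord in STRUTS_ARTIFACTS and is_affected(version):
            hits.append((coord, version))
    return hits


# Constructed sample output; no real build was scanned for this example.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.3.30:compile
[INFO]    org.apache.struts:struts2-core:jar:2.5.10.1:compile
[INFO]    org.apache.struts:struts2-convention-plugin:jar:2.3.30:compile
[INFO]    commons-fileupload:commons-fileupload:jar:1.3.2:compile
[INFO]    org.apache.struts:struts2-core:jar:2.3.32:compile
"""

if __name__ == "__main__":
    for coord, version in find_vulnerable_struts(SAMPLE_DEPENDENCY_LIST.splitlines()):
        print(f"VULNERABLE (CVE-2017-5638): {coord}:{version} -> upgrade to 2.3.32 / 2.5.10.1")
```

Wire a check like this into the build so that a vulnerable version fails the pipeline; a finding that only lands in a report someone must read is exactly the execution gap the rest of this post is about.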
Why would anyone, especially in a large organization that handles the data of hundreds of millions of consumers, leave a critical vulnerability unpatched for months? The answer is long and complex, and it has mostly to do with budget, risk, and the accountability structure inside the organization that allowed it to happen.
In December 2018, the House Oversight Committee released a final report that states, “Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operation. This also restricted the company’s implementation of other security initiatives in a comprehensive and timely manner.
As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains.
Second, Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Equifax ran a number of its most critical IT applications on custom built legacy systems. Both the complexity and antiquated nature of Equifax’s IT systems made IT security especially challenging. Equifax recognized the inherent security risks of operating legacy IT systems because Equifax had begun a legacy infrastructure modernization effort. This effort, however, came too late to prevent the breach.”
Top executives at Equifax, including the CEO, the CIO and the Chief Security Officer, all resigned, because these issues and the lack of action taken on them were not defensible.
The Bottom Line
But let’s step back for a moment. In today’s world, after such a huge uptick in data breaches, executives don’t necessarily need another wake-up call, nor do they need more advice about security budgets. In most cases (exceptions noted), organizations actually have adequate security budgets and spend them on capable solutions.
So where’s the disconnect? What we’ve observed in the industry is that it comes down to one thing: the systemic and cultural friction between IT and non-IT employees as they try to strike the right balance between strong protection and the productivity the business needs to achieve its outcomes.
In addition, the problem is not necessarily the chosen security stack, but the lack of defensibility of the program built around it. To clarify, we don’t mean defense against “hackers”, but the ability, or inability, to defend the security investments to customers, board members, and shareholders. This is exactly why more non-IT executives are being held accountable in the event of a data breach.
In the second part of this three-part series, we’ll discuss the necessary steps on the road to an integrated, defensible security program that aligns teams and addresses organizational, systemic risk.
In the meantime, if you want to know more about defensible security and how VERA helps, download our free whitepaper, “Building a Defensible Security Program: Align teams, address systemic risk and maintain stakeholder trust”.