Cyberslow, Cyberdown

By Dan Hadaway | Wednesday, August 12, 2015 - Leave a Comment

Let’s think this through . . . .
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . and this is one of those posts Dan sat on for a few weeks before he finally convinced the team . . . . yes, we can release this!

At the time I heard of a book by John Mueller (Overblown, 2007), which made a case that our reaction to 911 cost more lives than the actual terror event itself, I probably wasn’t ready politically to accept the premise. Still, his question, “which is the greater threat, terrorism or our reaction against terrorism,” stuck in my mind.

I registered “over-reaction” as a subcategory of my threat, “a false sense of security,” which, by the way, I’ve always maintained was the greatest threat we face.

Now . . . before you read on . . . please consider that I have always blanket-classified threat likelihood. Sure, it’s different for every situation, and it changes over time; but because it’s inherent risk, I maintain that the likelihood of a threat exploiting a vulnerability can USUALLY be seen from a blanket-approach. In other words, I can walk into any organization and tell them what their top ten threats probably are, inherently, without much analysis. Thus, we can shortcut the threat analysis process, and get down to the business of calculating residual risk, based on control structures.

Anybody selling you threat-analysis services would say this is a dangerous approach and I agree. I’m just proposing that, at a high level, we can assume at least ten threats to every organization.

And because of this, I’ve been able to come up with Dan’s Top Ten Technology Threats. And if you’ve seen any of my presentations since about 2004, you’ve probably seen an iteration of this list when I discuss awareness as 9/11’s of the battle:

10 – Professional Cybercriminals
9 – Script Kiddies
8 – Vandals
7 – Scammers, Opportunists, and Fraudsters
6 – Nosy neighbors and ex-spouses, enemies of our customers
5 – Insiders
4 – Our customers (as an accidental threat. Mad customers end up falling into 8, 7, or 6 above.)
3 – Our examiners and auditors (as a compliance threat, or a security threat if they aren’t competent.)
2 – The technology itself (Our use of technology, heightened when we deploy new technologies)
1 – A false sense of security

Again, the above is a blanket list, and does not apply to ANY organization at a detailed level, while at the same applying to ALL locations at a high level. There are specific threats not included in the list, but everybody’s list would include the above threats, in many flavors. (Have I qualified that enough?)

So . . . . what’s the point? I have always maintained there is a much higher likelihood we are hurt by a false sense of security, than a professional cybercriminal.

All this cyberbuzz is a good thing for sure.

However, and I know I’m probably not making many friends by sharing this: this time I am disturbed by the buzzword mania. I am watching hundreds of companies jumping into the field, offering what may be good solutions. [At the request of “good sense,” I have removed a laundry list of companies who started selling cyber-products since 2013.]

And while I, of all people, should not rue the sound of heads popping out of the sand, I still feel compelled to utter the cautious words, “slow down.”

Think this through.

The “guidance” was released on June 30th. It is not even a guidance. But it was released about a month ago: your examiners don’t know yet what it really means for you. It is a great tool. As stated in the CEO Overview, “the Assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time.”

The key words there, to me, are “over time.” It’s what makes the tool so usable . . . . maturity is something that occurs over time, not overnight.

So let’s think this through. Let’s not over-react, moving resources before we fully understand priorities. Every conference and convention we attend for the next year or two will have advisors sharing their take on the subject. Let’s find a basis we can study from, to make these presentations more valuable to us.

And that basis?

The actual documents themselves.

I’m getting bombarded with questions about issues that aren’t even in the Cybersecurity Assessment Tool, raised in some cases because a vendor somewhere has pitched a service as a cyber-service.

Gosh, if I wanted to sell a trash can to a bank, I would be more successful if I called it a cyber-trash can.

I’m sorry. The previous sentence was in the first draft of this post, and I had pondered its removal since I first wrote it. But I obviously feel it needs to stay. I don’t mean it to be condescending, and yes, we should be praising our management teams for coming to the table. But let’s realize that nothing changed on June 30th. Other than we now have a map. And there’s only one map for banks now, and that’s a good thing.

But the threats are still the same. Cyber is real, but it is still #10 on my list. And we still haven’t fully protected ourselves from #2 through #9. And if we don’t recognize this, then in a rush to address #3 (compliance) we’ll be a victim to #1 (false sense of security).

Let’s roll up our sleeves, yes, but let’s do so in a focused, balanced, THOUGHTFUL way. We do not need to rush into this.

So my advice about the Cybersecurity Assessment Tool? Read all of the documents located here. Go ahead and attend the myriad of seminars, webinars, and such on the subject. And yes, we’ll be providing webinars too. Quite frankly, CyberCyber is a boon for our business! And we’ll be having many talks on the subject, and an Examiner Panel, at the IBA’s Cybersecurity Conference, that we renamed Cybersecurity for the very reason I just warned against. (To get you to come to it!)

But don’t waste time attending my webinars if you haven’t read the documents.

And sure, read articles about it. Like this one. But don’t read ANYTHING, including the rest of this article, until you’ve read the actual documents, located here.

Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

Dans New Leaf is a fun blog to inspire thought in the area of IT Governance.

Posted in Dan's New Leaf, Incident Response, Infotex News, Management Awareness, Risk Management, Schools, Vigilize

Latest News

The Consequence of Unintended Consequences

27 May 2023

Artificial intelligence carries risk, but so does organic ignorance … Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . At a recent conference, I noticed two camps emerging in the debate over artificial intelligence. Some people embrace AI as a tool, while others support Elon […]

Introducing Nathan Taylor

26 May 2023

PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS NEW EMPLOYEE FOR INFOTEX We are pleased to announce the appointment of Nathan Taylor as our new Network Administrator at infotex. “We are very excited to have Nathan join our team as a Network Administrator and look forward to his contributions to maintaining and improving our infrastructure!” […]

I saw the news today, oh boy

20 May 2023

about artificial intelligence . . . And who will protect us from it . . . Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Just watched some press on the the Senate hearings over regulating AI. The normal senator faces, Sam Altman of OpenAI, […]

Slammed Again

20 May 2023

The Evolution of an Inside Term Used in our Vendor Risk Report Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Those who audit infotex know that our vendor risk report refers to a couple of our providers as “ransomware companies.” This reference started evolving […]

“Inbox Zero” – Awareness Poster

17 May 2023

Another awareness poster for YOUR customers (and users). Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape) You are welcome to print out and distribute this around your […]

Experts Warn of AI Cybersecurity Risk

15 May 2023

New tools could allow unskilled attackers to launch increasingly sophisticated attacks… An article review. Imagine a world where you receive a call from your boss asking you to assist them with something… only it’s not your boss, but an AI being used by an attacker. This isn’t science fiction, it’s an actual attack that has […]

Paradise Wanes

13 May 2023

Unavailability Strikes Where it doesn’t matter anyway Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . So, I’m writing today’s article from a resort in the middle of Wisconsin. I want to make sure I’m staying on top of my New Leaf, which is to […]

Keys to the Kingdom

8 May 2023

. . . and the importance of segregated response. The latest edition of Executive Vice President, Michael Hartke’s article series! In 2007 when I first joined infotex, coming from small to medium sized business general IT support into the world of cybersecurity, the one thing that was very hard for me to internally rectify was […]

The Pits and APTs

6 May 2023

How concerts can help us understand APTs . . . Especially if you use your imagination! Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . My daughter reminded me of a concert Stacey and I attended way back in 2013, in Chicago. It was one […]

Mutiny! The Malicious Insider Threat Webinar Registration

2 May 2023

Mutiny! The Malicious Insider Threat Webinar Registration A Webinar-Video It is often awkward to bring up the one attack vector most of us have not addressed. The malicious insider threat. Even if we can flaunt all statistics and claim that the likelihood of an insider attack is low in our bank, the impact is still […]

To the Blog