Let’s think this through . . . .
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . and this is one of those posts Dan sat on for a few weeks before he finally convinced the team . . . . yes, we can release this!
At the time I heard of a book by John Mueller (Overblown, 2007), which made a case that our reaction to 9/11 cost more lives than the actual terror event itself, I probably wasn’t ready politically to accept the premise. Still, his question, “which is the greater threat, terrorism or our reaction against terrorism,” stuck in my mind.
I registered “over-reaction” as a subcategory of my threat, “a false sense of security,” which, by the way, I’ve always maintained was the greatest threat we face.
Now . . . before you read on . . . please consider that I have always blanket-classified threat likelihood. Sure, it’s different for every situation, and it changes over time; but because it’s inherent risk, I maintain that the likelihood of a threat exploiting a vulnerability can USUALLY be seen from a blanket approach. In other words, I can walk into any organization and tell them what their top ten threats probably are, inherently, without much analysis. Thus, we can shortcut the threat analysis process, and get down to the business of calculating residual risk, based on control structures.
Anybody selling you threat-analysis services would say this is a dangerous approach, and I agree. I’m just proposing that, at a high level, we can assume at least ten threats to every organization.
And because of this, I’ve been able to come up with Dan’s Top Ten Technology Threats. And if you’ve seen any of my presentations since about 2004, you’ve probably seen an iteration of this list when I discuss awareness as 9/11’s of the battle:
10 – Professional Cybercriminals
9 – Script Kiddies
8 – Vandals
7 – Scammers, Opportunists, and Fraudsters
6 – Nosy neighbors and ex-spouses, enemies of our customers
5 – Insiders
4 – Our customers (as an accidental threat. Mad customers end up falling into 8, 7, or 6 above.)
3 – Our examiners and auditors (as a compliance threat, or a security threat if they aren’t competent.)
2 – The technology itself (Our use of technology, heightened when we deploy new technologies)
1 – A false sense of security
Again, the above is a blanket list, and does not apply to ANY organization at a detailed level, while at the same time applying to ALL organizations at a high level. There are specific threats not included in the list, but everybody’s list would include the above threats, in many flavors. (Have I qualified that enough?)
So . . . . what’s the point? I have always maintained there is a much higher likelihood we are hurt by a false sense of security than by a professional cybercriminal.
All this cyberbuzz is a good thing for sure.
However, and I know I’m probably not making many friends by sharing this: this time I am disturbed by the buzzword mania. I am watching hundreds of companies jumping into the field, offering what may be good solutions. [At the request of “good sense,” I have removed a laundry list of companies who started selling cyber-products since 2013.]
And while I, of all people, should not rue the sound of heads popping out of the sand, I still feel compelled to utter the cautious words, “slow down.”
Think this through.
The “guidance” was released on June 30th. Strictly speaking, it is not even guidance. And because it was released only about a month ago, your examiners don’t know yet what it really means for you. It is a great tool. As stated in the CEO Overview, “the Assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time.”
The key words there, to me, are “over time.” It’s what makes the tool so usable . . . . maturity is something that occurs over time, not overnight.
So let’s think this through. Let’s not over-react, moving resources before we fully understand priorities. Every conference and convention we attend for the next year or two will have advisors sharing their take on the subject. Let’s find a basis we can study from, to make these presentations more valuable to us.
And that basis?
The actual documents themselves.
I’m getting bombarded with questions about issues that aren’t even in the Cybersecurity Assessment Tool, raised in some cases because a vendor somewhere has pitched a service as a cyber-service.
Gosh, if I wanted to sell a trash can to a bank, I would be more successful if I called it a cyber-trash can.
I’m sorry. The previous sentence was in the first draft of this post, and I had pondered its removal since I first wrote it. But I obviously feel it needs to stay. I don’t mean it to be condescending, and yes, we should be praising our management teams for coming to the table. But let’s realize that nothing changed on June 30th. Other than we now have a map. And there’s only one map for banks now, and that’s a good thing.
But the threats are still the same. Cyber is real, but it is still #10 on my list. And we still haven’t fully protected ourselves from #2 through #9. And if we don’t recognize this, then in a rush to address #3 (compliance) we’ll be a victim to #1 (false sense of security).
Let’s roll up our sleeves, yes, but let’s do so in a focused, balanced, THOUGHTFUL way. We do not need to rush into this.
So my advice about the Cybersecurity Assessment Tool? Read all of the documents located here. Go ahead and attend the myriad of seminars, webinars, and such on the subject. And yes, we’ll be providing webinars too. Quite frankly, CyberCyber is a boon for our business! And we’ll be having many talks on the subject, and an Examiner Panel, at the IBA’s Cybersecurity Conference, that we renamed Cybersecurity for the very reason I just warned against. (To get you to come to it!)
But don’t waste time attending my webinars if you haven’t read the documents.
And sure, read articles about it. Like this one. But don’t read ANYTHING, including the rest of this article, until you’ve read the actual documents, located here.
Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex
Dan’s New Leaf is a fun blog to inspire thought in the area of IT Governance.