The Job Of Cyber Security Is Presently Addressed As An Additional Duty

by Paul Garrin, CIO Partner, Tatum, a Randstad Company

Cybersecurity is an IT voice/data network vertical that keeps some CIO’s awake at night. The history of the office of the CIO has evolved over time. Early on, the CIO ran IT and simply managed the hardware platforms, computers, fire­walls, threat management gateways antivirus product(s) and the corpo­rate software of the organization. I myself in the early 1990’s was guilty of thinking that data security was considered an ancillary part of the business. As IT advanced to become literally the veins of an organization, some of the traditional CIO duties have been migrated to other titles such as the CTO/CISO and in some instances the CTO gets to manage the duties of cybersecurity.

What I have seen as a CIO/CTO and now as a C-Suite consultant is that in the mid-cap and small-cap or­ganizations, the job of cybersecurity is presently addressed as an “addi­tional duty” shared amongst groups or individuals within the IT organiza­tion. I have even seen some large-cap organizations treating cybersecurity as an “additional duty” or relinquish­ing it to a consulting firm. In my opinion when it comes to cyber risk, you can never outsource the respon­sibility.

Today, the network administra­tors check their firewall logs periodi­cally and conduct penetration tests on an ongoing basis. The web adminis­trators review access from foreign countries and attempts at denial of service “DoS.” Software is available to alert IT to potential hacks and DoS. In this present day, the digital footprint of businesses and individu­als has expanded to the point where any interruption of computing from a network, server or even an individ­ual’s laptop, can cost time and mon­ey. The mobile workforce is a grow­ing trend and their computers are constantly joining unsanitized Wi-Fi networks, which can introduce spy­ware and Trojans onto the corporate network once reattached. The reputa­tion of the corporate IT department and the company in the press may be jeopardized when an event is publi­cized.

In 2016 Hollywood Presbyte­rian Hospital paid $17,000 in ran­som to regain access to files locked by ransomware. We saw $81 million fraudulent transfer from Bangladesh Bank, which opened up inquiries into authentication vulnerabilities in the SWIFT financial messaging service provider, which may have opened up 11 other banks to similar attacks. Take for example the Ukraine at­tack where a denial of service attack was able to black out the Western Ukraine’s power grid. Security ex­perts say that the Ukraine attack came after six months of reconnaissance af­ter breaking into the utility’s network via a phishing attack. Of course last year saw the Democratic National Committee emails also released into the public domain. The leadership of the fore mentioned organizations all turned to their IT leadership and wanted to know “How and why did you let this happen to us?”

In a mid-market organization this individual will have a team but in a small-market organization this may be just one FTE or part of an FTE who has the title IT cybersecurity of­ficer. This title is a subset of a Chief Information Security Officer’s duty which is a senior-level IT executive responsible for developing and im­plementing an information security program, which includes procedures and policies designed to protect en­terprise communications, as well as systems and assets from both inter­nal and external threats. The CISO’s duties are very broad and yes this in­dividual is charged with the moves, adds and changes to company person­nel access to e-mail, voicemail remote and local network access. In some organizations these internal chang­es can take up most of a person’s day leaving no time left to focus on external vulnerabilities.

The CIO needs to dedicate some dollars to get the cybersecurity per­son or unit up and running with proper training. Of course you can try to hire an individual. Although, this new hire will also have a learning curve of anew hire he/she also brings new ideas to an organization. An ex­isting IT employee should know the organization’s vulnerabilities but this individual is not sure how to reduce or eliminate vulnerabilities without formal training. I recommend having the cybersecurity folks pursue their CISSP and the leader pursue the CISM certification.

I was recently at an IT conference with peers, the discussion quickly turned to cybersecurity and we start­ed to whiteboard out ways we could be more proactive in this area.

Here are some of the thoughts we discussed: IT could go on the of­fensive by testing employee knowl­edge of phishing. Send a bogus email to select employees asking them to click on the URL in the email which would send them to a harmless inter­nal server. For the employees who don’t notify the IT help desk immedi­ately, a reward is given out. For those employees who do click on the email, a cybersecurity training session is re­quired. One of my CIO colleagues already implements this process and others commented that this was an excellent idea.

Technical resumes are good but many of today’s threats can gener­ally be traced back to cyber adver­saries who specialize in a particular industry within a geographic area. Understanding the industry and what to look for makes sense. Attacking a U.S. bank demands language skills, business processes and regulatory knowledge that aren’t applicable for attacking banks outside of the U.S.

In the 1980’s and early 1990’s I worked for a Property and Casualty insurance company. As part of my employment I was required to take and pass two property and casualty industry specific classes called CPCU classes per year until certified. CPCU stood for Chartered Property Casu­alty Underwriter. Of course the na­ivety of IT folks myself included said that CPCU stood for “Can’t Produce and Can’t Underwrite.” This require­ment came from the company’s CIO. Even back then, there were forward thinking CIO’s who knew that IT employees who understood the busi­ness were an asset to the organiza­tion. Today this proves itself in the cybersecurity domain.

Another item we discussed was that in order to defend the data you need to think like your enemy. In healthcare, what would an enemy want? We saw ransomware at Holly­wood Presbyterian Hospital. Would someone want to hack the food ser­vice system or patient records espe­cially those of famous people. These threats not only come from external sources but from internal employees.

In conclusion, having a cyber­security unit and/or person in place is a great way to be proactive with the imminent threats to your busi­ness. The number of threats that cybercriminals unleash continues to increase exponentially. Since any or­ganization can be a prime target, it is vital to take all the necessary steps to safeguard business information, technologies and processes and build a cybersecurity unit now before your CEO and Board knocks on your of­fice door and asks the famous ques­tion “How and why did you let this happen to us?”