Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Its Time to Treat Your Cyber Strategy Like a Business
Newest First  |  Oldest First  |  Threaded View
kevinbear
50%
50%
kevinbear,
User Rank: Apprentice
7/22/2020 | 3:17:15 AM
Re: Risk Management
What a wonderful article post you have done a great job such a brilliant information post i really impress this stuff i love it dear 

John Dutton Jacket
JasonPolancich
50%
50%
JasonPolancich,
User Rank: Author
1/9/2015 | 10:08:12 AM
Re: Sample mission statement
So, a friend of mine has a business providing mobile medical portal applications for helathcare chains...Here's a paraphrase:

We strive to deliver the most convenient, private and secure ways to manage your personal health information on the most widely-used mobile devices available. We are committed to building and budgeting security into every thing we do, whether it be software development, data handling, our internal people processes and our customer relationships so that you, our customers, can be assured that every employee at _______ considers your security part of his or her job.

 

It continues to discuss forthrightness in cases of incidents, etc.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/9/2015 | 9:50:03 AM
Re: Sample mission statement
By including in a company's mission statement specifies on how, given what they offer, they will put their customers cyber safety in the foremost of their mission right alongside their core product delivery not only reflects the commitment of an organization to protect data, secure web apps, make safe transactions, be good stewards of your PII and more, it also tells the employees just how much it matters (assuming they back it up with real organizational commitment to cyber defense.)


Couldn't agree more. but I'd still like to see a cybersecurity mission statement boiled down to the essential 25 (50, 100?) words..
PZav
50%
50%
PZav,
User Rank: Author
1/8/2015 | 5:56:34 PM
Technical Challenge
Based on this post it seems like in your experience, most businesses look at information security in the same way they look at maintance or even infrastructure. If I do/fix A then I will solve problem B. However, cyber security really isn't that simple is it? I think most leaders will be better off treating security as a desired but impossible state. The focus should shift towards damage control.

Limiting damage is a partnership between security, executive leadership and marketing. There are of course technical requirenments, but there is also a need for proper spin control. For instance, Sony having the FBI and FireEye claim that the attack was unique and could've breached 9 out of 10 companies (when we all know it was a standard attack) was good spin. Of course its true, but nothing about this attack was so unique that such a statement was used for any other reason than to let Sony off the hook. The key is to limit the damages and demonstrate pro-active responsibility. In that area there is still a gap to be filled.
JasonPolancich
50%
50%
JasonPolancich,
User Rank: Author
1/8/2015 | 3:42:04 PM
Re: Sample mission statement
Marilyn,
Well, cyber mission statements (or mission statements that weave in cybersecurity objectives) are, as I point out, largely nonexistent for most companies I have encountered. I am beginning to see folks assert their commitment to security and safety in some nascent companies who get it (and for whom security is part of the identity), but for the most part we're still dealing with the much larger cyber-related disease in corporate America we all know as "Ostrich Security."

That said, as we're seeing in retail and banking and even healthcare, daily cyber security concerns are actually becoming intertwined with a company's core offerings and products. These concerns are linked in real ways to the things that make the business fail or succeed. The point to make from this Part 1 (there's more in my second part of this post that expands on what's here around mission statement) is that cyber is become so pervasive a concern to organizations that is deserves to be elevated into the very core mission of the company itself alongside what makes them "them" as far as their products, services, delivery, discriminators and - most importantly - their employees go. There's a bank out there with the mission statement of becoming, and Im paraphrasing to protect the innocent, the most respected provider of financial transaction services. It would seem to me to make sense that "secure" and other words setting serious security objectives be rolled into that too to drive home for their customer and employees that "secure" is who they are.

For example, let's take the mission statement of a very well known national retail chain:

Guided by relentless focus on our five imperatives, we will constantly strive to implement the critical initiatives required to achieve our vision. In doing this, we will deliver operational excellence in every corner of the Company and meet or exceed our commitments to the many constituencies we serve. All of our long-term strategies and short-term actions will be molded by a set of core values that are shared by each and every associate.



I wont say who that is, but let's just say cybercrime is not their friend of late.

For the most part, it's high-level, vague and could apply to almost any organization, selling or offering almost anything. Do the leaders and employees take this kind of mission statement to heart? Does it make them more diligent or more responsible as far as the performance of their daily routines? Does it make them care about product or service delivery by imbuing their daily routine with any extra reflection on what make them better, different or, in the case if cyber security, more safe? Does it even drive to their employees any ideal in particular? Our sense of quality? I say no.

What I'm getting at here is that all companies in this day and age must begin to really appreciate the risks they face each day in this hyper-connoted world of constant cyber attack and cybercrime. By including in a company's mission statement specifies on how, given what they offer, they will put their customers cyber safety in the foremost of their mission right alongside their core product delivery not only reflects the commitment of an organization to protect data, secure web apps, make safe transactions, be good stewards of your PII and more, it also tells the employees just how much it matters (assuming they back it up with real organizational commitment to cyber defense). That it is a part of everything they do and, hopefully, it even seeps, in small ways, into their subconscious routine each and every day when carrying out their work.

One thing is clear today. Business leadership may not get it yet, but customers are starting to.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/8/2015 | 9:26:56 AM
Sample mission statement
Interesting idea, Jason. But I'd like to hear some real word examples of cybersecurity mission statements. Do you have any you can share?
SgS125
50%
50%
SgS125,
User Rank: Ninja
1/8/2015 | 9:23:00 AM
Risk Management
So basically we just continue to work on risk management as we have always done.

Jack was great at leading people, lets just leave it at that.


News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3493
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
CVE-2021-3492
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
CVE-2020-2509
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...