undefined | Better HN

0 pointsAncalagon2y ago0 comments

In a way is this not an appropriate response for multiple breaches? If I was CSO and my company was plagued by breaches that came about because of my lack of oversight when it was my job I’d fully expect to be fired.

I don’t believe a single incident is equivalent in this case to what happened to the MAX platform, to much has gone wrong

0 comments

bombcar2y ago

The usual problem is that the CSO is given things to do, no budget, and no authority.

Which, again, if you go in open-eyed can be fine.

Veserv2y ago

Untrue (in general). The CSO is frequently given lots of budget and authority. Having talked to some of the big bank executive teams, they have thousands of employees and hundreds of M$ budgets with wide latitude to enforce restrictions. It is just that the best commercial cybersecurity processes and “best practices” are useless against professional attackers with even minimal budgets and staff.

Any technically competent CSO knows they are totally screwed even if they implement everything feasible perfectly (i.e. no inane solution like shutting down the whole company). It is not a problem of resources or commitment (though you could also have those problems), it is a problem of impossibility due to the incompetence of commercial IT cybersecurity processes.

The only way to survive in a environment where you literally can not do what you were ostensibly hired to do is to lie and take the fall. The only other alternative is being too stupid to realize you are screwed, but every bank cybersecurity executive team I’ve ever met knew that someone could go in and steal all of their documents for less than 1 million dollars (you could also change things, but the out of band cross-checking makes that hard without intimate knowledge of the specific financial checks, more a question of knowing how banks work than hacking, the 1 M$ gives you full access rights, but you need to be careful not the drive the tank through the wall of the general’s office).

bdunks2y ago

Banking and financial services average 8.1% of revenue on IT Spending. Industries like industrial manufacturing, food and beverage, retail, and energy average 1.2% - 1.9%.

Many security leaders (CISOs or otherwise) do not have the budget or authority to meet their board's or CEO's expectations, but it may be outside your sample of big banks.

I'm otherwise aligned with your comment. The successful CISOs I've interacted with, regardless of industry, educate their leadership team on the trade-offs and risks of investment levels, set realistic response and recovery times expectations based on those investments, and turn it into a business decision, rather than promising the impossible.

1 more reply

illiac7862y ago

This changed a lot in my perception. Security teams have now more authority — and it's driving everyone else nuts.

dave3332y ago

Back in the day there were moderate bounties offered ($100s) for finding security holes. It was far more cost effective than organized security review and testing.

j / k navigate · click thread line to collapse