Who'd want to be a CISO?

Challenging job, but increasingly well paid

Hong Kong Crisis Easing

Capacity improvement measures beginning to have an impact

Security and the Board Need to Speak the Same Language

How Security Leaders speak to thier C-Suite and Board can make all the difference

Australian Cybersecurity Outlook

Aussie healthcare scrambles to catch up

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Just keeping its head above water

New Zealand Healthcare steams forward with minimal security

Cyberespionage, and the Need for Norms

Harvard Political Review (external link)

Security and the Board


Not long ago I was asked to attend a quarterly Board meeting of one of my healthcare clients and to present the recommendations of a Strategic Security Roadmap (SSR) exercise that my team and I had conducted for the organization. The meeting commenced sharply at 6am one weekday morning and I was allocated the last ten minutes of the meeting to explain our recommendations and proposed structure for a revised Cybersecurity Management Program (CMP).

The client Director of Security and I waited patiently outside the Board Room while the “real” business of the Board was conducted inside. As is the case with many organizations, Information Security was not really taken seriously there, and the security team reported into IT way down the food chain with no direct representation at the ‘C’ Suite or the Board level.

The organization’s CMP had “evolved” over the years from anti-virus, patching and firewall management, into other domains of the ISO27002 framework but was by no means complete or taken seriously by those at the top. Attempts to build out a comprehensive holistic security program over the years, had met with funding and staff resource constraints, and Directors of Security had come and gone with nothing really changing.



The current Security Director was enthusiastic, young and bright. He had memorized the magic quadrant leaders for each and every security tool that he felt he needed to round-out security across the organization. His approach to security was a shopping list of “shiny objects” each of which was a best-of-breed point solution. There was no strategy for integrating them and little understanding of the costs and efforts that would be involved. Proposed solutions were only loosely tied back to business objectives and drivers.

Right on time, an Executive Admin opened the double doors to the boardroom and we were ushered in to our seats; printed color copies of the Executive Brief I had prepared were uppermost on a stack of papers in front of each member.

Like many healthcare boards, the membership was a mix of active physicians dressed in their whites and greens ready for their day shift, the CEO and his Executive team, and a collection of what looked to be retired Generals and corporate chieftains from various industries including one notable banker.

The CIO introduced me and I spent the next eight minutes walking the Board through the recommendations of our report, leaving two minutes on the clock for questions.The Executive Team and most of the younger physicians nodded in agreement and understanding at each recommendation and the reason for it. Some of the older members required further explanation and a deeper understanding of the risk management context, which formed the basis of the suggested revisions.

All was going well and it looked at this point that funding would be approved for an update of the security program. Then one of the older physicians asked a question about a particular security application and the Director of Security who hadn’t said anything thus far, saw his opportunity to jump in and be heard. Unfortunately the language he used was full of technical security jargon that might just as well have been Double-Dutch for all the good it did in communicating his point. The Physician looked on with an irritated stare and I had to rescue the meeting before it deteriorated quickly.

It was at this point that I realized why all previous attempts to build out a robust holistic information security management program had met with failure. Security and the Board spoke totally different and highly incompatible languages and it had taken a seasoned consultant to bridge the chasm and to act as arbiter.

The importance of establishing a formal Cybersecurity Management Program written in neutral language that both sides could understand, and that was structured so as to address underlying business objectives rather than the latest security fads would be absolutely critical at this customer if it was to secure its business.

Fortunately the CMS was approved, but this example is all too typical of the interaction of information security professionals and boards of directors - especially in organizations afflicted with low levels of security maturity. There is a difference in language and often a generational gap that hampers understanding on both sides. Each views cybersecurity through a completely different conceptual lens.

Security professionals all too often attempt to explain risks in language that senior executives may not fully comprehend, using alien concepts and terminology. They fail to translate and communicate cybersecurity threats and vulnerabilities in terms of business enterprise risks and the potential future impact to the business unless mitigated. This is compounded by a lack of trust and a long-standing historic pattern by security professionals of using Fear, Uncertainty and Doubt, otherwise known as ‘FUD’ in these conversations.

Instead of muscling decision makers into procuring desired security tools with FUD, security professionals should define the probable costs of inaction, in comparison to the costs and benefits of action. This should include objective conversations about regulatory compliance, protecting corporate brand image and potential penalties, cleanup and restitution / compensation costs of breaches, including loss of reputation and brand damage.

Boards need to view cybersecurity as a critical business function and a critical business-enabler in an increasingly inter-networked digital world. They need to educate themselves so as to be able to make informed decisions on security strategy and policy and spend. Security needs representation at the senior executive level and to make regular reports to the Board so that the Board can make appropriate enterprise risk management decisions.

There is a wide lack of quantitative risk assessment and reporting across the industry to enable executives and their boards to view and weigh cyber risks in the format of a more familiar looking balance sheet rather than in a subjective report with only limited business risk context.

Above all, organizations need a formal cybersecurity management program in which security purchasing decisions can be understood from the context of addressing enterprise risks while following a previously approved cybersecurity management plan.

A newly published Cisco whitepaper lists 10 key success factors to building a successful cybersecurity management plan. These apply not only to organizations constructing their very first formal CMP, but also to those looking to update or to maintain their existing program. When followed in order, these will position the organization well for success.

The introduction of a CMP affects virtually every individual or group in an organization, so it’s essential that the final cybersecurity management program best address everyone’s needs.


This blog is also posted at http://blogs.cisco.com/security/security-and-the-board and
https://www.linkedin.com/pulse/security-board-richard-staynings

Health Insurers Under Attack




January set a new monthly record for the largest US healthcare breach to date in which the personal records of 80 million individuals were compromised. It also marked an apparent change in focus from attacks on delivery organizations to healthcare payers. A few weeks later, two additional health insurers reported that they too had been hacked, resulting in the possible compromise of a further 11.25 million personal records. In a period of less than 3 months, the US has seen over 91 million records and personal identities stolen from healthcare insurers alone.

The health insurers appear to have been the target of highly sophisticated cyber attacks thought to be perpetrated from China, which involved the use of advanced persistent threats (APTs) and spear phishing. This allowed them to gain administrative credentials that were used to exfiltrate stolen data via the use of common cloud data services.

Why the sudden focus on healthcare?

Combatting Cybercrime Cisco White PaperAs a new Cisco Healthcare white paper shows, healthcare has been in the crosshairs for several years. However because of the relative lack of sophistication of healthcare information security to detect attacks, most have gone unreported. The theft of someone’s bank balance doesn’t go unnoticed for very long. The theft of a large number of credit card numbers triggers banks to look for a common point of purchase (CPP), in order to identify the compromised merchant(s). The theft of someone’s personal health information (PHI) or personally identifiable information (PII) takes much longer to be noticed. Unless the FBI is involved there is no single body to correlate all the identity thefts, and medical insurance frauds, etc., in order to identify the source.

The second factor has more to do with the market valuation of stolen data. The wholesale value of stolen credit cards on the dark net has declined rapidly over the past nine months as markets became flooded with card numbers. At the same time cyber criminals have discovered lucrative new avenues for the disposal of stolen healthcare information by parsing the data into market categories such as personal identities, prescription information, or insurance information. Criminals are able to make much more money by selling these buckets of information to different groups, rather than selling the medical record as a whole.

Market values of stolen information vary greatly each day. The price of a medical record continues to increase, while the price of a credit card number continues to decrease. By some estimates, a stolen credit card has a value of less then one dollar, while a complete medical record can fetch in excess of $45.

What does this mean for the healthcare industry? This means that there is little question now, that US healthcare organizations are being targeted by sophisticated and highly organized cybercriminals. What’s more alarming is that based upon evidence gathered so far from recent attacks, these are not merely opportunistic thefts perpetrated by the usual collection of Eastern European gangs, but lengthy, costly, advanced persistent attacks that may have been orchestrated by state actors. The investigations of all three attacks are not yet conclusive, but it is safe to assume no matter who the perpetrators are, that healthcare is now being targeted. This is especially true in the United States, where personal records contain so much valuable information.

The targeting of healthcare is something that cybersecurity experts, including myself, have been warning against for several years. Healthcare is so poorly protected compared to other industries and ranks close to the bottom in information security spend. It is unsurprising that the information systems of payers, providers and bio-pharmaceutical organizations are considered low-hanging fruit by cyber criminals.

What’s more alarming is the inability of the industry to respond to this now widely acknowledged threat. Healthcare simply does not have the people, processes or the technology to protect itself quickly against the onslaught. Furthermore it lacks the financial resources to hire the expertise needed to fix information security programs or to purchase the advanced security services and tools needed to protect its non-public data. According to ABI Research, healthcare cybersecurity spending will reach only $10 billion globally by 2020. That amounts to less than ten percent of global spending on critical infrastructure security today.

What is needed, is a better understanding of the threats, vulnerabilities, and necessary transformations of the way healthcare is run and funded. This should include a much greater emphasis on cybersecurity and the protection of the information that individuals entrust to their doctors and healthcare insurance providers.

Read more on the changing threats to healthcare and the challenges facing the industry in Cisco’s white paper: Combating Cybercrime in the Healthcare Industry.

A shorter version of this blog is also published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

Security World

Richard Staynings Keynote kicks off the Security World Conference in Hanoi

I had the honor of presenting the Keynote at "Security World" yesterday in Hanoi, Vietnam to a packed house of government Ministers, Generals and other military staff from Vietnamese and other ASEAN nations, corporate chieftains, and security and privacy professionals drawn from all over Asia, Australasia, the USA and Europe.

In fact I had the honor of presenting twice - the morning keynote on how the Internet of Everything will change security for the next 25 years, and a session in the afternoon on securing the next generation data center.

I would like to thank the organizers and the government Ministers and other officials who gave me such a warm and appreciative welcome, and all of the attendees whose well thought out questions showed great knowledge and insight, and who obviously paid very close attention to every word I had to say. I was glad to share my knowledge, experiences and opinions with each and all of you.

An English translation of the official Vietnamese website covering the event can be found here.

A gallery of the official photography can be found here.