Data breaches happen to all companies. However, the demand for better executive accountability is on the rise, as seen in the recent cases of Uber and Drizly. Regulators continue to get more serious about enforcing data protection rules, and the severity of penalties issued against enterprises that fail to secure their customer data continues to grow. Fines have recently ranged from $85 million (Yahoo) to $1.19 billion (Didi Global). While these fines are sizable and represent a crackdown on the companies, executives have historically avoided personal liability or accountability for failures of their security programs.
Yet now we have a cyber leadership community on edge. Rather than a slap on the wrist and a fine, we’re seeing personal accountability for massive data breaches. Many current and former CISOs are openly wondering about their own possible indictment years down the line, with some scrambling for E&O policies that offer extended tail coverage.
What does this mean for the future of corporate accountability? Executives will be forced to up their cybersecurity due diligence game; translation: it’s time to take the task of compliance seriously and forgo the traditional mindset of compliance as a box-checking exercise. Real-time compliance has never been more critical to business survival than it is today.
As a reminder, the Uber attack involved basic social engineering techniques to bypass the multi-factor authentication (MFA) mechanism used as an additional control against password compromise. Although consistently demonstrated as susceptible to this very type of bypass, MFA continues to be seen as a standard “enhanced security” measure and a control requirement of virtually every widely adopted compliance and security framework.
Far too many enterprise security groups rely on the false sense of security offered by a point solution like MFA, to the exclusion of the larger perspective on their overall risk posture. Taking a classic compliance-based approach, practitioners come to believe that checking enough “boxes” will assure adequate resilience.
Unfortunately, hackers don’t care about checkboxes. They care about attack patterns and exploiting deficiencies in your company’s cyber defenses. Hackers move in real time while cybersecurity teams look over their shoulder at the last compliance report. When a breach does occur, it’s too little, too late.
Designing a comprehensive security program that is based on an honest and unflinching threat model of your environment is hard enough – but it’s only half the job. Keeping a constant watch over the state of your defensive apparatus, inclusive of people, processes, and technology, is the other half. Building it right and keeping it running is the name of the game.
If you expect to monitor the inbound threats in real time, why not the state of the controls deployed to stop them?
EO14028 and M-21-31 are examples of such developments in the federal IT ecosystem. As private sector firms comprising the Defense Industrial Base come further into the scope of the new CMMC 2.0, we’re sure to see the trend towards proactive and continuous control monitoring extend to other commercial enterprises.
Remember those old public service ads on TV? “It’s breach o’clock. Do you know where your controls are?” If you can’t answer that question with confidence – and with real-time evidence – you’re probably not prepared for the onslaught of threat management challenges that will continue to get worse and more complex to manage. The growing cadence of high-profile lawsuits charging companies with false security posture claims serves as a reminder that hope is not a strategy, and neither are traditional, paper-based approaches.
It’s time to challenge the status quo, now, before legacy cybersecurity processes become an inherent risk. We invite you to check out our new Rethinking Compliance executive guide that dives into the idea of “Convergence,” where risk, security, and compliance converge for a transformative, effective and efficient approach to managing cyber risk.