The question of whether a data system will be breached is no longer relevant — the issue is when that breach will take place. Boards, CEOs and Chief Information Officers need to accept that
CIOs by nature resist outside testing, review and evaluation of their security. If outside testing is done, the CIO generally wants to oversee and control it. CEOs and Boards that succumb to the CIO's pressure to control the process are simply inviting unnecessary risk. Hackers know the typical security implementations of CIOs; therefore a key element of effective IT security is to approach it from a hacker's perspective. The CEO and Board must demand this approach if they want to ensure the highest possible level of information security.
Although most lenders have very good perimeter security, such as firewalls, hackers
A robust testing mechanism is usually conducted by an outside expert company, because these experts are highly knowledgeable about the exploits hackers are currently attempting. They will scan company systems using a variety of techniques, including identifying every network node and the activity on it. They will attempt multi-vector attacks on various attack surfaces, from both outside and inside the company's perimeter. This is one of the most effective ways to ferret out the "unknown unknowns" in your security infrastructure. Exploits evolve quickly, so testing must be done periodically.
In addition to insisting on outside security experts, formalized criteria, processes and policies around information security will improve it in a cost-effective and compliant manner.
Effective cybersecurity must look at unknown unknowns, such as day zero malware — code that hasn't been seen before — that has become ridiculously easy for serious hackers to create and that easily defeats signature-based malware detection. If it hasn't been seen before, it likely cannot be recognized by signature-based detection. Sony, Anthem, Target and others found this out the hard way. The honest CIO cannot be certain whether there is any day zero malware within any given system. If the CIO maintains there is no malware, information security assessment and testing responsibility should be removed from the CIO immediately, and a robust third party testing regimen begun.
Security Information and Event Management (SIEM) is the way security incidents are detected, classified and elevated to the appropriate executives. If the CEO is not already receiving SIEM reporting on a regular basis, the SIEM protocols in place are probably not best in class.
CIOs also need to document how the company monitors data and information exiting the company perimeter. Exfiltration monitoring tools should inspect all outgoing data for personally identifiable information (such as Social Security numbers) and other sensitive information, in order to halt suspicious data exfiltration.
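As an added illustration of the outbound monitoring described above (not code from the article or from Teraverde), the following Python sketch scans constructed outbound records for plausible Social Security numbers and returns a block/allow decision with a masked finding for the SIEM alert. The record format, the plausibility rules and the masking are assumptions.

```python
"""Egress check in the style of a data-loss-prevention monitor: flag outbound
records that carry a plausible US Social Security number so the transfer can
be held for review. Hypothetical illustration, not any vendor's product."""
import re

# 3-2-4 digit groups separated by a hyphen or space, not embedded in a longer
# digit run (so loan ids such as LN-000991 are not picked up).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")

# Constructed sample of outbound records; no real data.
SAMPLE_OUTBOUND = [
    "Quarterly summary: 1,204 loans funded, default rate 0.8%.",
    "Borrower file: name=J. Doe, ssn=123-45-6789, loan=LN-000991",
    "Batch ids 000-12-3456 and 900-12-3456 retried",  # SSN-shaped, never issued
]

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA issuance rules: areas 000, 666 and 900-999 are never
    assigned, and the group (00) and serial (0000) fields are never all zero.
    This trims false positives from ticket or batch numbers shaped like SSNs."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def find_ssns(text: str) -> list[str]:
    """Return every SSN-shaped token in text that passes the plausibility rules."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]

def mask(ssn: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the value."""
    return "***-**-" + ssn[-4:]

def inspect_outbound(records: list[str]) -> tuple[str, list[dict]]:
    """Scan outbound records; return ('block', findings) if any plausible SSN
    is present, otherwise ('allow', []). Each finding carries the record index
    and the masked value, which is what should reach the SIEM."""
    findings = [{"record": i, "masked": mask(s)}
                for i, rec in enumerate(records) for s in find_ssns(rec)]
    return ("block" if findings else "allow"), findings

if __name__ == "__main__":
    decision, hits = inspect_outbound(SAMPLE_OUTBOUND)
    print(decision, hits)  # block [{'record': 1, 'masked': '***-**-6789'}]
```

A production monitor would apply the same decision to other identifier classes and to files, not just text records, and would record the hold in the SIEM rather than print it.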
An exemplary risk management function
Additionally, all hardware devices attached to the company's networks, and the software running on them, should be known to the CIO. Mapping and monitoring every node is a must.
Resilience is attained when a company can quickly restore normal operations after an attack. CIOs should have the company's business continuity plans tested periodically by outside expert companies that report directly to the Board and CEO.
James M. Deitch is CEO and Co-Founder of Teraverde.