Catalyzing Change: Transforming Cybersecurity Beyond Assurances

Calvin Nobles, Ph.D., Bob Zukis, and David Finn continue to inspire me with insights on how cybersecurity must improve and why cybersecurity is a paramount business function, not a sub-section of IT. I have long held these positions and welcome that more and more groups are waking up to this.

Below, I summarize my thoughts on opportunities and how we can change. I present actionable strategies to elevate cybersecurity from mere assurances to tangible protection. Let’s explore how embracing change, both in mindset and in practice, can fortify our digital defenses.

1. CISO Reporting Structure: Beyond Tradition

Problem Statement

The traditional reporting structure, where the Chief Information Security Officer (CISO) reports to the Chief Information Officer (CIO), has limitations. While this arrangement ensures alignment with IT functions, it may inadvertently relegate cybersecurity to a mere technology concern.

Cybersecurity Beyond IT: A Strategic Imperative

Cybersecurity is not solely an IT function; it’s a strategic imperative that permeates every aspect of an organization. Here’s why:

  1. Business Impact: Cyber incidents have far-reaching consequences, affecting not only IT systems but also financial stability, brand reputation, legal compliance, and customer trust. The fallout from a significant breach can weaken an organization, making cybersecurity everyone’s concern.
  2. Supply Chain Risks: Organizations operate within intricate supply chains. Cyber threats can propagate through suppliers, partners, and vendors. Thus, cybersecurity extends beyond IT boundaries to encompass the entire ecosystem.
  3. Regulatory Compliance: Compliance with regulations, laws, and industry-specific standards (e.g., HIPAA) involves more than IT. Legal, finance, and operations teams collaborate to ensure adherence. The CISO must engage with these stakeholders.
  4. Risk Management: Cyber risk is a business risk. It affects revenue, market share, and investor confidence. The CISO’s role is to quantify and manage this risk, aligning with overall business objectives.

Solution

Let’s challenge the status quo. Forward-thinking organizations elevate the CISO’s role by placing them under the CEO or the Board. By doing so, cybersecurity becomes an integral part of overall risk management. We must advocate for a seat at the C-level table, where the CISO can influence strategic decisions and drive a security-aware culture.

2. Board-Level Engagement: Making Cybersecurity a Business Imperative

Problem Statement

Cybersecurity discussions often occur in silos, detached from broader business objectives. The board and CEO must recognize that cyber threats pose significant risks to the organization’s reputation, financial stability, and competitive advantage.

The Change Healthcare Breach: A Wake-Up Call

In February, hackers targeted Change Healthcare, a subsidiary of UnitedHealth Group. They stole health and personal data from what UnitedHealth says is “potentially a substantial proportion” of patient information. The attack exploited vulnerabilities within Change’s IT environment, leading to data theft and the deployment of ransomware [1].

CEO Andrew Witty’s Testimony

UnitedHealth Group CEO Andrew Witty testified before Congress, shedding light on critical aspects of the breach:

  1. Legacy Technology Amplified Impact: Change Healthcare’s technology systems, including those for medical claims and payment processing, date back as much as 40 years. Before the attack, UnitedHealth was in the process of upgrading and modernizing these legacy systems. However, the attack locked up backup systems developed within Change before the acquisition, significantly delaying recovery efforts. Witty emphasized the need to move toward a more secure cloud-based environment.
  2. Stolen Credentials Unlocked Access: The attacker gained entry through Change’s remote access server using stolen credentials. The lack of multi-factor authentication (MFA) allowed lateral movement within Change’s systems, data theft, and encryption. This incident underscores the importance of robust access controls and MFA implementation [1].
  3. Incident Response Efforts: UnitedHealth swiftly engaged seven incident response firms and third-party cybersecurity experts, including Mandiant, Palo Alto Networks, and Bishop Fox. These experts provided critical support during recovery and advisory efforts. Additionally, Google, Microsoft, Cisco, and Amazon were on-site to assist with testing and recovery. Witty highlighted their expertise, stating, “We have the most elite cybersecurity advice available,” and acknowledged their role as board advisors.

Conclusion

The Change Healthcare breach is a stark reminder that cybersecurity is not solely an IT concern but a strategic imperative. Boards must actively engage, allocate resources, and prioritize risk mitigation. Having cybersecurity experts at the highest decision-making level ensures a resilient organization in the face of evolving threats.

3. Trust but Verify: The Limitations of Security Questionnaires

The Illusion of Assurance

Security questionnaires—often used during vendor assessments or compliance audits—provide a snapshot of an organization’s security practices. However, they come with inherent limitations:

  1. Surface-Level Insights: Questionnaires capture responses based on policies, procedures, and self-assessments. They don’t delve deep into the operational effectiveness of security controls. Organizations may provide reassuring answers without necessarily implementing robust security measures.
  2. Assurances ≠ Reality: When organizations complete questionnaires, they often emphasize their security posture, highlighting compliance with standards and regulations. These assurances can be helpful in legal proceedings or contractual disputes. However, they don’t guarantee actual protection against threats.
  3. Lack of Context: Questionnaires lack context. They don’t consider an organization’s unique risk landscape, threat vectors, or specific vulnerabilities. As a result, the responses may not align with the real-world challenges faced by the organization.

The Gap Between Assurances and Action

The problem lies here: Organizations may pass security questionnaires with flying colors yet remain vulnerable to cyberattacks. Consider the following scenarios:

  1. Inadequate Implementation: An organization claims to have robust access controls, encryption, and incident response plans. However, investigators find these controls poorly implemented or not consistently followed when a breach occurs.
  2. Misaligned Priorities: Questionnaires don’t reveal whether an organization prioritizes security over convenience or cost-cutting. A “yes” to a security practice doesn’t guarantee effective implementation.
  3. Static Assessments: Questionnaires are static snapshots. They don’t account for changes over time—new vulnerabilities, system updates, or evolving threats. An organization may have been secure six months ago but is now exposed due to unpatched software or misconfigurations.

Moving Beyond Questionnaires

To bridge the gap between assurances and action, organizations should:

  1. Continuous Monitoring: Relying solely on questionnaires is not enough. Implement continuous monitoring, vulnerability assessments, and penetration testing, and validate security controls regularly to ensure they remain effective.
  2. Risk-Based Approach: Tailor security efforts based on risk. Understand critical assets, threat vectors, and impact. Allocate resources where they matter most.
  3. Third-Party Validation: Independent assessments by external experts provide a more objective view. Penetration testers, red teams, and auditors can identify blind spots that questionnaires miss.
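The “trust but verify” idea above, and the missing-MFA lesson from the Change Healthcare testimony in section 2, can be made concrete by reconciling a vendor’s questionnaire answers against machine-readable evidence instead of accepting the “yes”. The following is an added example written for this article, not code from the author or any vendor. It assumes two hypothetical exports (a list of remote-access accounts from an identity provider and a patch inventory) and uses constructed sample data; the field names are assumptions, not any product’s real schema.

```python
"""Reconcile questionnaire claims against evidence exports (added example).

Two claims are checked against evidence, and the evidence itself is checked
for staleness so that a six-month-old export cannot stand in for a current
picture (the 'static snapshot' problem).
"""
from datetime import date

# Constructed sample: the vendor answered "yes" to both questionnaire items.
QUESTIONNAIRE = {
    "mfa_enforced_for_remote_access": True,
    "patches_applied_within_30_days": True,
}

# Constructed sample evidence: remote-access accounts from a hypothetical
# identity-provider export (field names are assumptions).
REMOTE_ACCESS_USERS = [
    {"user": "alice", "mfa_enrolled": True},
    {"user": "bob", "mfa_enrolled": False},
    {"user": "svc-backup", "mfa_enrolled": False},  # service account, no MFA
]

# Constructed sample evidence: hypothetical patch inventory export.
HOSTS = [
    {"host": "claims-app-01", "last_patched": date(2024, 5, 1)},
    {"host": "remote-gw-01", "last_patched": date(2024, 2, 10)},
]


def accounts_without_mfa(users):
    """Return the remote-access accounts that are not enrolled in MFA."""
    return [u["user"] for u in users if not u["mfa_enrolled"]]


def hosts_past_patch_window(hosts, as_of, max_days=30):
    """Return hosts whose last patch is older than the allowed window."""
    return [h["host"] for h in hosts if (as_of - h["last_patched"]).days > max_days]


def reconcile(questionnaire, users, hosts, as_of, evidence_date,
              max_evidence_age_days=90):
    """Compare each 'yes' claim with the evidence that would support it.

    Returns a list of (code, claim, detail) findings. An empty list means the
    evidence is current and contradicts no claim; it does not prove security.
    """
    findings = []

    # A questionnaire is a snapshot; so is an evidence export. Flag old evidence.
    evidence_age = (as_of - evidence_date).days
    if evidence_age > max_evidence_age_days:
        findings.append(("STALE_EVIDENCE", "*",
                         f"evidence is {evidence_age} days old "
                         f"(limit {max_evidence_age_days}); re-collect before relying on it"))

    if questionnaire.get("mfa_enforced_for_remote_access"):
        missing = accounts_without_mfa(users)
        if missing:
            findings.append(("CLAIM_CONTRADICTED", "mfa_enforced_for_remote_access",
                             "remote-access accounts without MFA: " + ", ".join(missing)))

    if questionnaire.get("patches_applied_within_30_days"):
        stale = hosts_past_patch_window(hosts, as_of)
        if stale:
            findings.append(("CLAIM_CONTRADICTED", "patches_applied_within_30_days",
                             "hosts outside the 30-day window: " + ", ".join(stale)))

    return findings


if __name__ == "__main__":
    # Constructed dates: the review happens on 2024-05-15 with a day-old export.
    for code, claim, detail in reconcile(QUESTIONNAIRE, REMOTE_ACCESS_USERS, HOSTS,
                                         as_of=date(2024, 5, 15),
                                         evidence_date=date(2024, 5, 14)):
        print(f"{code:18} {claim:34} {detail}")
```

The point of the structure is that every “yes” maps to a specific artifact that can contradict it, and the artifact’s own age is part of the result; a vendor review that runs this against fresh exports each quarter is the continuous validation the section asks for, whereas the questionnaire alone would have accepted both claims.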

Conclusion

While security questionnaires have their place, they should complement—not replace—active risk management. Trust, but verify through ongoing assessments and a holistic security strategy. Remember that true security lies beyond checkboxes and promises.

4. Human Factors in Cybersecurity: Bridging the Gap

1. Understanding Human Factors

Dr. Nobles clarified the definition of human factors, pointing out its systematic approach to optimizing human performance. By fitting the system to the user, rather than forcing the user to adapt, cybersecurity can become more intuitive and less prone to human error [1].

2. Leveraging Human Factors Programs

Dr. Nobles emphasizes leveraging human factors programs to mitigate cybersecurity blind spots. These programs focus on understanding how humans interact with technology, identifying cognitive biases, and designing systems that align with human capabilities and limitations.

3. Reducing Human Errors

Human errors remain a significant challenge in cybersecurity. Dr. Nobles advocates for influencing human factors to reduce these errors. By considering factors such as usability, training, and situational awareness, organizations can minimize mistakes that lead to security breaches.

4. Holistic Approach

Dr. Nobles’ research underscores the need for a holistic approach. It’s not just about implementing robust technical controls; it’s about creating an ecosystem where human behavior aligns seamlessly with security protocols. This involves designing user-friendly interfaces, providing adequate training, and fostering a security-conscious culture.

Conclusion

Incorporating human factors into cybersecurity strategies is essential. By understanding the psychology behind security decisions, organizations can build resilient defenses and empower their workforce to safeguard critical assets actively.

Remember, cybersecurity isn’t solely about firewalls and encryption—it’s about the people interacting with those defenses. Dr. Nobles’ work reminds us that a human-centered approach is critical to a secure digital future.


  1. [Calvin Nobles Appointed Dean of UMGC’s School of Cybersecurity and Information Technology - UMGC Global Media Center]
  2. [Redefining CyberSecurity Podcast - Integrating Human Factors Engineering in Cybersecurity]
  3. [IFT598 Human Factors in Cybersecurity - Arizona State University]
  4. [IFT598 Human Factors in Cybersecurity - webapp4.asu.edu]
  5. [Calvin Nobles - Google Scholar]
  6. [Change Healthcare cyberattack: 5 technical takeaways from UnitedHealth CEO’s testimony - Cybersecurity Dive]
  7. [Should the CISO Report to the CIO? - Cisco Blogs]
  8. [The Devastating Business Impacts of a Cyber Breach - Harvard Business Review]
  9. [The Human Factor in Information Security - ISACA Journal]
  10. [ISC2 Workforce Study 2023]


#Cybersecurity #ChangeMakers #TrustButVerify #CISO #leberconsultingllc

Marc S. Sokol

Transformative Servant Leader in Risk Management and Security - Expert in Building High-Performance Teams and Delivering Collaborative Solutions to Tackle Emerging Threats and Navigate Complex Regulatory Landscapes.

10 months

Outstanding and excellent research confirming what we've been saying for decades. Information/cyber risk is a business operational risk management issue!

Dr. Kim L. Brown-Jackson, Ph.D., DBA, MBS, ATTP, CCMP, SSBB

Sr. Regulatory Advisor, Therapeutics; Global Healthcare, Telehealth, Quality, & Medical Device SME, Cybersecurity Leadership

10 months

Thanks for sharing

Calvin Nobles, Ph.D.

Portfolio Vice President and Dean, School of Cybersecurity and Information Technology at University of Maryland Global Campus | Board Member | Chair, Human Factors and Ergonomic Society Cyber Technical Group

10 months

Dr. Leber thank you so much for advocating my research. It means a lot and thank you so much.

More articles by Dennis E. Leber, Ph.D.