Cybersecurity: fashion or strategy
2024-4-11 14:1:35 Author: www.adainese.it


I couldn’t find a suitable title for this post, in which I try to gather various ideas that have come to me in recent days and that I have planned, sooner or later, to discuss with Rocco Sicilia.

I start with the provocation: the world of Cybersecurity has certainly been under the spotlight for some years now. Provocatively (we’ll see the reasons later), I would define it as “trendy”. There are various hypes that follow one another in creating needs/fears with the aim of selling solutions and services. There’s nothing wrong with this, but we need to distinguish acting out of “trendiness” from strategic action.

Acting out of “trendiness” is an impulse: aesthetic, sometimes very personal, often done out of emulation, and fundamentally it is hard to trace the motivation behind some choices, precisely because it is an impulse. In other words, for the purposes of this post, security measures chosen on impulse are not guided by a strategy and, as we have discussed several times already, they prove to be ineffective. This mode is extremely widespread and easy to identify: if I ask “why” a security measure (NAC, firewall, etc.) was installed, the answer tends to be (I exaggerate) “because”.

Strategic action (to summarize) starts with an analysis and inserts security measures into a higher design. Each measure is inserted with a specific purpose and measured as such. There may be exceptions, but they are well-documented and temporary. Because an exception risks invalidating the entire structure.

A real example that touches on fundamentals: the firewall. All companies have a firewall (impulse), a perimeter, a dual bastion… But almost no company defines policies; policies are written by technicians and are often hated because they limit other people’s work. Strategic action starts from the purpose of one’s infrastructure, which is to support the business. As such, it must provide services, which translate into various servers. These servers, to function, have connectivity needs and therefore risks. Risks are mitigated by dividing the servers into areas, and these areas can communicate with each other only under certain rules, which are translated into firewall policies. In the ideal world, I should NEVER find publicly exposed systems positioned in networks considered secure. However, I do find them, and often they are historical remnants: abandoned, uncontrolled but, precisely, exposed for “historical reasons”.
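To make the distinction concrete, here is an added example (not code from the post or from adainese.it) that treats the zone-to-zone policy as the strategy and audits an accumulated rule set against it, flagging undocumented exceptions, expired ones, and rules that expose a trusted zone to the Internet. Zone names, ports, rules and dates are constructed assumptions.

```python
from datetime import date

# Zone-to-zone policy derived from the purpose of each area. The post names no
# zones or ports, so these names, flows and rules are constructed assumptions.
ALLOWED = {  # (source zone, destination zone) -> permitted destination ports
    ("internet", "dmz"): {443},
    ("dmz", "app"): {8443},
    ("app", "db"): {5432},
}
TODAY = date(2024, 4, 11)  # audit date, constructed

# Firewall rules as a technician might have accumulated them over the years.
# "exception" is None (undocumented) or a dict with a ticket and an expiry.
RULES = [
    {"name": "web-in", "src": "internet", "dst": "dmz", "port": 443, "exception": None},
    {"name": "app-db", "src": "app", "dst": "db", "port": 5432, "exception": None},
    # a "historical" rule nobody remembers: the Internet reaching the app tier
    {"name": "legacy-ftp", "src": "internet", "dst": "app", "port": 21, "exception": None},
    # a documented, temporary exception that has since expired
    {"name": "vendor-rdp", "src": "internet", "dst": "db", "port": 3389,
     "exception": {"ticket": "CHG-0001", "expires": date(2024, 1, 31)}},
]


def audit_rules(rules, allowed, today):
    """Return (rule name, reason) for every rule the strategy does not justify:
    a rule passes only if its zone pair and port are in the policy, or if it
    carries a documented exception that has not yet expired."""
    findings = []
    for r in rules:
        if r["port"] in allowed.get((r["src"], r["dst"]), set()):
            continue  # this rule is the policy, translated into a firewall entry
        exc = r["exception"]
        if exc is None:
            findings.append((r["name"], "undocumented exception: no policy allows "
                             f"{r['src']}->{r['dst']}:{r['port']}"))
        elif exc["expires"] < today:
            findings.append((r["name"], f"exception {exc['ticket']} expired on {exc['expires']}"))
    return findings


def exposed_trusted_hosts(rules, trusted=("app", "db")):
    """Rules that let the Internet reach a zone considered secure: the
    abandoned, 'historically' exposed systems the post describes."""
    return sorted(r["name"] for r in rules
                  if r["src"] == "internet" and r["dst"] in trusted)


if __name__ == "__main__":
    print(audit_rules(RULES, ALLOWED, TODAY))
    print(exposed_trusted_hosts(RULES))
```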

Because, in companies, security is done by technicians, there is no leverage to bring Cybersecurity up to the corporate level.

And then the CISO comes in.

The responsibility for Cybersecurity is dumped on the CISO. And I mean “dumped” precisely: that is, the problem, previously relegated to technicians, is now entrusted to a manager so that the company can continue to ignore it. Let’s start with the basics:

  • a CISO who does not report to the board is not a CISO;
  • a CISO who does not have a budget is not a CISO;
  • a CISO who does not have veto power is not a CISO;
  • a CISO who is not informed before any technological choice is not a CISO.

It has been said many times: Cybersecurity is a corporate problem, but everyone keeps pretending otherwise.

Of course, there are many exceptions, but the dominant behavior I notice is the one I have described to you.

Source: https://www.adainese.it/blog/2024/04/11/cybersecurity-fashion-or-strategy/