The importance of ‘Report Responsibly’ for information security
- Published: Friday, 20 October 2017 10:17
Many security breaches are enabled by a lack of prioritization given to patching and updating. In this article Adesh Rampat explains why adopting a ‘Report Responsibly’ system will enable organizations to take better strategic and tactical decisions when it comes to vulnerability management.
With the recent data breach at Equifax, the question needs to be asked why organizations leave known vulnerabilities open to be exploited and only afterwards do we see all hands on deck working to plug the holes?
Let’s face it, IT professionals are faced with a barrage of fixes and patches to implement at any given time and have to go through an exhaustive testing process before implementing into the live environment. Then there is the possibility that when the patch or fix has been installed, the vendor re-issues another update to fix a previously unidentified problem. All these processes take time as implementing a patch or fix is not as simple as ‘patch and go’ and sometimes updates get pushed aside to deal with ‘more pressing issues’.
Within the past decade we have seen a number of major corporations suffer data breaches and arising out these events came various compliance standards and certifications. The problem is that when an organization is certified it does not mean that its IT systems are guaranteed to be safe; we all know in the IT industry how the landscape can change in as little as a month! Being compliant does not necessarily mean you are secure.
In additional to external compliance, most organizations have an internal audit team who provide an independent review of IT systems and report findings to the executive. Then you have individual certification, the ones where IT professionals must go through stringent testing of knowledge and certify that all necessary requirements are met.
All the above three areas (organization compliance, IT Audits and individual certifications) have one theme in common: responsibility. An organization being certified also implies that the IT or IS unit must be responsible in maintaining the systems in a secure manner. The internal audit team is responsible for highlighting and reporting deficiencies. The individual who is certified is responsible for ensuring that systems within his/her control are adequately maintained and secure allowing the organization to properly function.
Despite having these three protective layers and varying levels of responsibility, why are data breaches so common? One simple, but common, cause is the lack of upward reporting in many organizations.
I think that there needs to be a more collaborative approach when it comes to reporting to the executive about information technology; that is, using the Double R approach: ‘Report Responsibly’. If there are known exploits that can make an organization’s IT systems vulnerable, these should be reported alongside a timeline for implementing a fix and details of the consequences of not resolving within the given timeline.
Most organizational level certification assessment processes will ask the question “How are IT risks reported?” or “Is senior management aware of IT risks?” and of course responses would normally be tested by the assessor. However, I think that all the players in an organization’s IT ecosystem, if worked together with a common goal of responsibility, can assist tremendously in bringing forward the risks exposure to the senior management level and thus allowing for better decision making.
In summary, the problem is that knowledge of IT vulnerabilities often resides within the organization’s operational teams, but this information does not get passed to tactical and strategic management. This results in lack of resources and lack of guidance to operational teams; and directly causes the lack of prioritization given to patching and updating which underlies many successful information security breaches. Organizations that encourage a Double R approach to upwards reporting can take a simple, but large, step forward in effectively securing their information systems.