BitSight Security Ratings Blog


We were curious about what CISOs and security managers have on their minds these days—so we searched around online and asked a few to share their thoughts. Below, you’ll find some interesting insights and observations to get a good conversation started in your office. 

1. “HOW CRITICAL IT IS FOR SECURITY TO WORK WITH THE BUSINESS TO ACHIEVE REQUIRED GOALS.”

“There are still too many CISOs out there running ‘security in a vacuum,’ where they fail to take into consideration the needs of the business. When security is conducted in a vacuum, it results in ineffective controls that waste resources and do not effectively move the business forward. Traditionally, security and business were seen as being ‘at odds’ with each other, with the business wanting things fast, cheap, and easy to use, while strong security controls can go too far in the other direction, resulting in controls being slow, expensive, and not user friendly. Neither end of the spectrum is optimal. The trick is for security and the business to work together in a partnership to find the right balance of controls so things are secure enough to protect what's really at risk while helping the business achieve its goals.”

Celia Baker
CISO, IntelliGRACS Group, Inc.
LinkedIn: https://www.linkedin.com/in/celiabaker/

2. “Strong authentication.”

“Usernames and passwords are no longer strong enough to properly authenticate an authorized individual. Password databases are leaked almost daily, and oclHashCat can now brute-force passwords up to 55 characters long.

Moving to 2FA authentication seems absolutely required these days, but 2FA tokens need to be secured adequately, too. iCloud backups are regularly broken into, Authy accounts can be hijacked alongside a cellular phone number, and companies that use SMS as a second factor of authentication are learning that enabling SMS 2FA actually decreases the security of accounts, thanks to cellphone providers' lack of security measures.

Anyone can call a cell provider, impersonate an account holder, and request a new SIM card to replace their old one. The attacker can then receive the victim's text messages even though the victim is still holding their handset. You can enable a verbal password on your cellphone account, but not all providers enforce them. T-Mobile and Sprint seem to enforce passwords well; however, Verizon doesn't seem to enforce verbal passphrases on support calls at all.

Our company has made the decision to move all 2FA tokens onto hardware devices (like YubiKeys) and forbid anyone from using a cellphone provider that does not enforce verbal passphrases if they need that cellphone for business.”

Michael Perklin
CISO, ShapeShift
LinkedIn: https://www.linkedin.com/in/perklin/

3. “How do we get ahead of the cybersecurity threats?”

“In general, cybersecurity seems to be reacting to threats after they appear. How do we get security systems in place that anticipate coming threats or can address a significant number of certain threat types?”

Dr. Jim Sullivan
Senior Director of IT, Pharmaca Integrative Pharmacy
Twitter: https://twitter.com/DrJim1717

4. “The speed at which vulnerabilities are exploited to create cyberweapons.”

In a recent Inc. article, contributor Joseph Steinberg interviewed Lou Modano, CISO and global head of infrastructure services of Nasdaq, regarding his fears about keeping Nasdaq safe from cyber incidents.

“It is no secret that, in recent years, hackers have become much more adept at creating cyberweapons to exploit vulnerabilities and that the time between the disclosure of a particular vulnerability and the creation of a weapon that exploits it has dramatically decreased… While businesses can work to make their patching and change management process extremely efficient, even doing so does not fully solve the problem—especially in situations in which vulnerabilities are announced before patches are available, in which cases criminals often create cyberweapons that exploit the vulnerabilities even before the associated patches are released by vendors… Lesson: Make sure you have an efficient process for obtaining, testing, and deploying security fixes, and be aware of when you may be at risk even with such a process in place.”

Joseph Steinberg
CEO, SecureMySocial
Twitter: https://twitter.com/JosephSteinberg
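The point above, that a fast patch process still leaves a window when an exploit appears before the vendor's fix, is easier to act on if you measure it per vulnerability. The script below is an added example, not code from the Inc. article, Nasdaq, or BitSight: it takes disclosure, exploit, patch-release and patch-deployment dates and separates the part of the exposure window a patch process controls (release-to-deployment lag) from the part it cannot (exploit available before any fix). All records and names in it are constructed sample data, not real advisories.

```python
# Added example (not from the Inc. article, Nasdaq, or BitSight): an
# exposure-window calculator that flags vulnerabilities where no patching
# process could have closed the gap. All records below are constructed
# sample data with hypothetical names, not real advisories.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class VulnRecord:
    name: str                         # hypothetical label, not a real CVE id
    disclosed: date                   # public disclosure date
    exploit_seen: Optional[date]      # first working exploit observed, if any
    patch_available: Optional[date]   # vendor fix released, if any
    patch_deployed: Optional[date]    # fix rolled out on our systems, if done


def exposure_window(rec: VulnRecord, today: date) -> dict:
    """Describe the window during which rec left systems at risk.

    pre_patch_exploit: an exploit existed before any vendor fix, so even a
        perfect patch process could not have closed the gap.
    days_exposed: from the exploit date (or disclosure, if no exploit is
        known) until the fix was deployed, or until today if it has not been.
    patch_lag_days: our own delay between fix release and deployment; this
        is the only part of the window a patch process controls.
    """
    start = rec.exploit_seen or rec.disclosed
    end = rec.patch_deployed or today
    pre_patch_exploit = rec.exploit_seen is not None and (
        rec.patch_available is None or rec.exploit_seen < rec.patch_available
    )
    patch_lag_days = None
    if rec.patch_available is not None and rec.patch_deployed is not None:
        patch_lag_days = (rec.patch_deployed - rec.patch_available).days
    return {
        "name": rec.name,
        "pre_patch_exploit": pre_patch_exploit,
        "days_exposed": max((end - start).days, 0),
        "patch_lag_days": patch_lag_days,
        "still_open": rec.patch_deployed is None,
    }


def risk_report(records, today: date) -> list:
    """Rank records: unpatched ones first, then by longest exposure window."""
    rows = [exposure_window(r, today) for r in records]
    rows.sort(key=lambda w: (not w["still_open"], -w["days_exposed"]))
    return rows


# Constructed sample data (hypothetical vulnerabilities and dates).
SAMPLE_RECORDS = [
    VulnRecord("vuln-A", date(2017, 3, 1), date(2017, 3, 3),
               date(2017, 3, 2), date(2017, 3, 5)),    # fix shipped before exploit
    VulnRecord("vuln-B", date(2017, 4, 10), date(2017, 4, 11),
               date(2017, 4, 20), date(2017, 4, 21)),  # exploit before any fix
    VulnRecord("vuln-C", date(2017, 5, 1), None, None, None),  # no fix yet
]
TODAY = date(2017, 5, 15)

if __name__ == "__main__":
    for row in risk_report(SAMPLE_RECORDS, TODAY):
        flag = "NO-PATCH-COULD-HELP" if row["pre_patch_exploit"] else ""
        print(f'{row["name"]:8} exposed {row["days_exposed"]:3}d '
              f'lag={row["patch_lag_days"]} open={row["still_open"]} {flag}')
```

In the sample run, vuln-B shows the case the quote warns about: the fix was deployed one day after release, yet systems were exposed for ten days because the exploit predated the patch. Those records are the ones that need compensating controls (network segmentation, detection content, temporary feature disablement) rather than a faster patch pipeline.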

Note: To learn more about the impact a vulnerability could have on your network, take a look at this article on the MongoDB vulnerability.

Can you effectively share what’s on your mind to the board? 

Cybersecurity is something companies today prioritize—all the way up to the boardroom. But do you have the tools you need to present it effectively? This guide helps you nail down your presentation goals and style, select metrics your board will care about, and more. Download it for free today.
