In his recent CSO Online article, 7 Security Incidents That Cost CISOs Their Jobs, writer Dan Swinhoe looks at some of the most high profile breaches in recent history that resulted in the CISO either leaving or being fired. In the article, Swinhoe quotes Dr. Steve Purser, head of core operations at ENISA, who says of his time spent as a CISO, “the big lessons, even in those days, was how do you communicate successfully when you're under pressure? How do you concentrate on the right things, exchange the right information, and make sure that you are doing things in a prioritized order?”
Interestingly, the heart of his comment is not about vulnerabilities or security tools. What he’s really saying is that the most difficult part of the CISOs job revolves around communication and team prioritization.
If we apply better communication and prioritization to each of the 7 incidents, could there perhaps have been a different outcome? Let’s take a look.
- Capital One - This breach of over 100 million customer records was the result of a hacker exploiting a vulnerability in an application firewall protecting an Amazon Web Services (AWS) account operated by Capital One. Given the large amount of customer data stored at rest, better prioritization should have highlighted this firewall and AWS account as mission critical, giving top priority to patching these assets.
- Equifax - A comedy of errors, including unpatched software, poor identity practices, expired certificates, and poor communications resulted in this breach of 143 million customer records. In the wake of the incident, Equifax’s CSO, CIO, and CEO all departed. Prioritization once again rears its ugly head - an emphasis on patching critical assets like the exploited web server that gave attackers a foothold, as well as a focus on improved identity strategies, would have had a good chance of protecting against this event.
- Uber - In this breach, hackers accessed Uber’s private GitHub repository, unearthing login credentials for an AWS account that stored personal information on nearly 58 million drivers and riders in S3 instances. Strikingly, neither the GitHub repo, nor the AWS account had multifactor authentication enabled. Score another one for prioritization of a sound identity strategy for mission critical assets.
- Facebook - Facebook’s CSO, Alex Stamos, left the company as a result of differences in opinion with senior management on their handling of the Cambridge Analytica scandal. Chalk this one up to communication, though it’s not clear that Stamos had the power to change the company’s handling of this incident either way.
- Target - This one’s going back a few years, but this breach of credit card details for 40 million customers resulted in the CIO and CEO both leaving the company, and in Target appointing their very first CISO as a result of the incident. In this case, criminals targeted poor security in an HVAC vendor’s systems, using that as a jumping off point to get into Target’s network. Yes, third party vendors in your supply chain are part of your attack surface and their security needs to be prioritized as well, especially if their systems have access to the same networks on which payment card processing systems reside!
- JP Morgan - 83 million customer accounts, unpatched vulnerability in an internet facing company website, CSO and CISO both terminated. Seems like a pretty simple fix when prioritized properly, especially for a company that spends $600 million per year on cybersecurity.
- San Francisco State University - A known unpatched vulnerability in an Oracle application server that contained student data, financial aid data, login credentials, and more. Interestingly, in this case, shortcomings in the Oracle Database were known, but were not resolved due to budget constraints and IT security risk acceptances. This one seems like a combination of prioritization and communication.
Amazingly, 6 of 7 security incidents, resulting in combined losses of billions of dollars, are mostly the result of not patching critical assets and/or bad identity practices. While the article goes on to cite data showing that CISOs who have been battle tested by surviving a breach can be more attractive to employers, there are clearly lessons to be learned from these 7 tales, and others. Prioritization and communication for the win.