Effective Security Requires Involved Leadership

Note from Eric Byres:  As cyber threats directed at industry become more common, it is important for top executives to become involved with their organization’s cyber security policies.  The following article by Ernie Hayden comments on the situation from an IT perspective.  My point of view is that today’s threats to operational systems merit the same degree of management attention.  Enjoy Ernie’s article and make use of the data in Verizon’s excellent report.

In reading about critical infrastructure protection and cyber security issues every day, I’m beginning to see a theme in our industry that is of special interest to me – cyber threats.

When I attended the RSA Conference at the end of February, the first day of the conference included an announcement from Carnegie Mellon and RSA about the results of a survey conducted by Carnegie Mellon’s CyLab regarding governance of enterprise security.  Using the Forbes Global 2000 list, the CyLab survey revealed that most corporate executives and external boards of directors are still not involved in governing their company’s cyber security strategy.  A good summary of the results and some thoughts from Kelly Jackson Higgins of Dark Reading can be found here.

Sadly, the CyLab survey is on the mark and we need more leadership from corporate boardrooms and executive suites to help our fellow chief information security officers be successful in this very dynamic world of cyber threats.

That theme is underscored by this recent item in Insurance Daily under the headline: “Directors must wake up to cyber threats.”

Not only should corporate boards grasp how exposed their companies are to the digital threat environment, but they should gain some understanding of the cyber threats they face and make sure adequate procedures are in place to mitigate the consequences of a serious data breach.

So, what does this mean?  Leadership from the top is vital in setting cyber security policies and defenses. It is important for all employees and corporate contractors to be diligent about protecting the corporate assets – including data and information. 

At Verizon we have found that this sensitivity cannot be easily “pushed up” from the CISO but really needs to have the tone set by the CEO and board.

I don’t think anyone would ever say that cyber security is easy. However, in today’s environment, attacks and threats from cyber criminals, nation-states and the disgruntled employee should be top of mind with corporate boards and the executive suite to make sure every employee remains at the front line of defense.


The 2012 Verizon Data Breach Investigations Report (DBIR) indicates that remote attackers are the most common vector for malware.

While the DBIR covers many industries, the recent RISI 2011 Report substantiates this trend for the control industries. It indicates that 35% of ICS security incidents were initiated through remote access.


Verizon recently released the 2012 Verizon Data Breach Investigations Report (DBIR), the company's landmark report series that examines the state of cyber crime and data breaches around the world. Be sure to get copies to your board members, your CEO and executive team so they can gain a perspective of the global security trends and how to better protect your enterprise.

How informed is your leadership team on cyber security?  Let us know your challenges and perspectives.


  Ernie Hayden, CISSP, CEH
  Managing Principal - Energy Security
  Verizon Global Energy & Utilities Practice

 Practical SCADA Security thanks Ernie for this article.

Related Content to Download

"2012 Verizon Data Breach Investigations Report"


This report covers 855 data breach incidents across a broad range of industries. Download it and learn:

  • Who is behind data breaches and how they occur
  • The motives of external agents
  • The top 10 threats against larger organizations, and how to detect and mitigate them


The statement below is, to my thinking, the single most important message in this article.

"...should be top of mind with corporate boards and the executive suite to make sure every employee remains at the front line of defense."

We just HAVE TO recognize that in ICS/IACS security the people are a most critical part of the solution.

They have to be trained to help enforce security and to not do "insecure" things.

Technology can help but without the people helping we will not get the level of security we need.

I couldn't agree more - people are a most critical part of the solution. But as I have noted in other blogs, technology can have a major influence on whether people make good or bad security decisions.

Take passwords as an example - I believe the reason that people do dumb things with passwords (such as password reuse http://www.tofinosecurity.com/blog/password-reuse-%E2%80%93-control-netw...) is that passwords are an inherently poor security technology. If we want controls engineers to stop their poor password habits, the most effective way is to get rid of the passwords and pick a better authentication technology.

In summary, I believe that the whole security solution is a multi-leg stool - do any one thing poorly and the whole system will fall over.

Almost 8 years ago while being interviewed for a CISO position, I was asked what I thought was the most important aspect of security for a company. In brief I said that in my opinion the most important element of security is the individual employee. Specifically, the individual is the first line of defense. Their actions (or inactions) can substantially affect the security of a company.

For instance if they double-click on the "I Love You" virus -- even if they were told to NOT DO THAT -- then they immediately caused a breach of the first layer of defense.

Alternatively, if they stop someone from trying to sneak into the building or they notify the Service Desk when they see something strange on their workstation, then they are adding to the company's layers of defense.

In summary, I heartily agree with your comment!
