MD/CISO's question time



Seems I'm not the only ravenous shark circling the Travelex ransomware incident.


Over at the Institute of Chartered Accountants in England and Wales website, Kirstin Gillon points out there are learning opportunities for senior management in this "horror story".


Specifically, Kirstin suggests posing six awkward questions of those responsible for managing incidents and risks of this nature ...






Rhetorical questions of this nature are not a bad way to get management thinking and talking about the important issues arising - a valuable activity in its own right although it falls some way short of taking decisions leading to appropriate action. Admittedly, there's an art to framing and posing such questions. Kirstin's questions are along the right lines, a good starting point at least.

Faced with such questions, some Boards and management teams will immediately 'get it', initiating further work to explore the issues, evaluate the risks and controls more deeply, and if appropriate propose corrective actions to address any unacceptable risks. Others may need to be prompted, gently prodded or goaded to address these issues, particularly given the broader context of the organization's other risks, concerns and business initiatives. They all have other things on their plates.

Another possible approach, then, is for the CISO, Information Security Manager, Cybersecurity Manager, Business Continuity Manager, Compliance Officer, Privacy Officer, IT Audit Manager etc. (ideally working as a team) to seize the initiative themselves by launching an internal investigation/project, or at least preparing a briefing for senior management on the current situation, preempting those awkward questions from above. Most likely the organization is already ahead of the game in some areas and behind in others, so hopefully it's not all bad news. This strategy has the advantage that the professionals set the agenda and guide the discussion in ways that will probably enable them to Do What Must Be Done, while senior management can influence the outcome according to the business context - a handy combination.

[Hinson tip: most if not all six of those questions can probably be answered using relevant security metrics. If your organization isn't already measuring patch latency and proactively monitoring the effectiveness of critical controls such as network and system security monitoring, backups, business continuity and supplier security management, then your problems run deeper still. You're bleeding out while the great whites are closing fast.]
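To make the tip concrete, here is an added example (my illustration for this post, not Kirstin's material or anything from Travelex) of the two metrics it names: patch latency per severity against an SLA, and the freshness of evidence that critical controls such as backups and restore tests actually worked. All asset names, dates, SLA values and maximum evidence ages are constructed placeholders; substitute your own patch management and backup job data.

```python
from datetime import date
from statistics import median

# Constructed sample patch records (placeholder data, not from any real incident):
# (asset, severity, patch_release_date, patch_applied_date or None if still unpatched)
PATCH_RECORDS = [
    ("web-01", "critical", date(2020, 1, 2), date(2020, 1, 5)),
    ("web-02", "critical", date(2020, 1, 2), None),
    ("vpn-gw", "critical", date(2019, 4, 24), date(2020, 1, 10)),
    ("db-01", "high", date(2019, 12, 10), date(2019, 12, 20)),
    ("hr-app", "high", date(2019, 12, 10), date(2020, 1, 8)),
    ("kiosk-7", "medium", date(2019, 11, 1), date(2019, 12, 1)),
]

# Assumed patching SLAs in days by severity (placeholder policy values)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed evidence of critical controls working: (control, system, last_success)
CONTROL_EVIDENCE = [
    ("backup", "db-01", date(2020, 1, 14)),
    ("backup", "web-01", date(2019, 12, 1)),
    ("restore-test", "db-01", date(2019, 9, 1)),
]

# Assumed maximum acceptable age of that evidence, in days (placeholder values)
MAX_EVIDENCE_AGE_DAYS = {"backup": 2, "restore-test": 90}

# Reporting date used by the examples below
AS_OF = date(2020, 1, 15)


def patch_latency(record, as_of):
    """Days from patch release to application.

    For assets that are still unpatched the clock keeps running up to as_of,
    so an open exposure is never hidden by being excluded from the average.
    """
    _, _, released, applied = record
    end = applied if applied is not None else as_of
    return (end - released).days


def latency_report(records, as_of, sla=SLA_DAYS):
    """Summarise patch latency per severity: median, worst case, SLA breaches."""
    by_severity = {}
    for rec in records:
        by_severity.setdefault(rec[1], []).append(rec)

    report = {}
    for severity, recs in by_severity.items():
        latencies = [patch_latency(r, as_of) for r in recs]
        report[severity] = {
            "assets": len(recs),
            "median_days": median(latencies),
            "max_days": max(latencies),
            "sla_days": sla[severity],
            # Assets whose latency already exceeds the SLA, patched or not
            "sla_breaches": [r[0] for r in recs if patch_latency(r, as_of) > sla[severity]],
            "still_unpatched": [r[0] for r in recs if r[3] is None],
        }
    return report


def stale_controls(evidence, as_of, max_age=MAX_EVIDENCE_AGE_DAYS):
    """Return (control, system, age_in_days) for controls whose last proof of
    success is older than the allowed maximum - a backup that has not
    succeeded, or a restore that has not been tested, is not really a control."""
    stale = []
    for control, system, last_ok in evidence:
        age = (as_of - last_ok).days
        if age > max_age[control]:
            stale.append((control, system, age))
    return stale


if __name__ == "__main__":
    for severity, summary in latency_report(PATCH_RECORDS, AS_OF).items():
        print(severity, summary)
    for item in stale_controls(CONTROL_EVIDENCE, AS_OF):
        print("STALE CONTROL EVIDENCE:", item)
```

The point of counting still-unpatched assets against the SLA is that a median computed only over completed patches looks healthy while the worst exposures sit outside it; the "max_days" and "sla_breaches" fields are the numbers a Board actually needs to hear.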

A third possibility, of course, is to do nothing at all. Nil. Zip. Nowt. Look the other way, completely ignoring the entire Travelex/ransomware episode, perhaps pretending or claiming that it 'is irrelevant' and 'doesn't apply here'. Flat denial may work for some, for example if an autocratic Big Boss doesn't understand the issues, is too busy with other matters ... or is terrified he/she already knows the answers to those awkward questions and would rather not poke that particular beasty in the eye right now (especially in a way that would then make it tricky to deny accountability if a similar incident occurred). That suggests a different concern again, a governance issue.

A fourth approach involves focusing obsessively and interminably on the tiniest of wee tiny details. This is a favourite of Yes Minister's civil servants and the military administration in MASH. Avoid actually facing up to anything significant by swamping it with trivia and burying it in red tape. Get real busy paddling fast while going nowhere. This too is a governance issue, another troublesome one if it is endemic to the entire management structure ... which perhaps explains why so many municipalities have been hit hard by ransomware. Maybe they are soft targets, more willing to pay the ransom (the "cybersecurity tax"!) and hope for the best than make a genuine effort to find and fix their vulnerabilities. Or maybe they are literally incompetent, under-resourced and over-stretched, facing an impossible task.

I could continue but that's enough of this conjecture for today. I find it interesting to be heading into the area of governance, business, security and risk management, and accountability from what was initially a straightforward malware infection. Thank you, Travelex (and Sony, and Norsk Hydro, and ...)