Every CISO or IT leader has experienced the tough conversations informing the C-Suite and Board of Directors that their company has been breached. I’ve been there and it’s nothing new in the life of a CISO. Even worst is the situation where the CEO informs us that we’ve been hacked. Unfortunately, the practice of “IT or security teams discovering the breach first” no longer applies causing much hair-pulling and sleepless nights.
I’m sure the recent Microsoft Exchange attack raised major concerns and had organizations scrambling to see if they got hit like many of our customers did. So, I asked my circle of security experts how they would approach working with C-Level management and the board when major attacks hit like this one and SolarWinds.
Jack Leidecker, CISO at Gong
I think it’s easier that you have more organizations getting hit all at once. As ridiculous as that sounds, it leads to a numbness factor which is not what you want because ultimately it doesn’t lead to good decision making. RiskIQ found that 69,548 Microsoft Exchange servers remain unpatched (as of 3/14/21) with nearly 17,000 servers located in North America. That’s a whole lot of major numbness and head shaking going on.
As a first step, I would talk with my board and discuss the following:
If we didn’t get breached, the discussion turns in to how do we avoid future attacks?
Despite initial finger pointing, both parties will need to take joint responsibility and move forward. There’s going to be fall out and it’s up to the IT and security leaders to best respond and build a strategic plan to ensure modern security tools are in place to protect the company’s business and brand reputation.
Sean Cordero, Founder at Cloud Watchmen
This leads to another interesting angle, organizations will compare why they were impacted while other companies were not, especially those running in cloud environments. These companies will claim their environments weren’t exploitable as Microsoft Office 365 was not impacted. This will lead other companies to rethink their entire strategy around messaging solutions and shift towards cloud or hybrid cloud solutions.
Brandon Hoffman, CISO at Netenrich
With the recent increase in remote work and rise in major attacks (SolarWinds), is this the opportune time for security professionals to push their board to invest into a more proactive mindset and digital transformation initiatives?
John Bambenek, President of Bambenek Consulting
Despite the immediate “reactive” need to fix the exchange situation, the reality is security professionals will not make headway in convincing their board to invest in change. Historically, we have used technology as an industry in dividing the haves and have nots. The larger companies can afford to scale and implement modern security practices with their boards approval. For the majority of organizations, they’re left behind lacking budgets, resources and expertise.
The exchange attack also shows that network security and application services remain a big target for attackers. It was hidden for a while because the web became a much richer target environment.
Jack Leidecker
This leads to another important point “Does your company need to re-evaluate what they’re doing from a security infrastructure perspective?” One of the easiest things to do but very few companies do it well is threat detection and exposure assessments to really understand what’s going on in their networks. I’ve been a big proponent of “What’s our threat model using a MITRE Attack framework?”
Brandon Hoffman
Our panel also shared their “in the trenches best practices” to working with executive leaders and the board.
To learn more from our panel, watch our webinar and drop us a line if you need help. See our previous blog entitled “Microsoft Exchange Attack, What You Need To Know And Do Now.”
Also take a read on how Netenrich’s Resolution Intelligence Cloud™ solutions can tackle the questions CISOs and boards face. We can help transform your digital operations to gain improved visibility and intelligence across your IT, security and cloud environments.