The November 2023 ransomware attack that crippled 60 credit unions across the country has received much press attention, prompted renewed discussions regarding supply chain software vulnerabilities, and gave cybersecurity vendors the opportunity to promote all manner of cybersecurity approaches, tasks, and tools.
Along with putting credit unions in the middle of the broad ransomware and supply chain cybersecurity conversation, the event even prompted National Credit Union Administration (NCUA) leadership to renew the call for greater authority over third-party vendors.
We are to assume, I guess, that “doing more of the same but with more organizations” will help to make things better.
That request for broader oversight adds to the ongoing discussion regarding broader regulatory oversight across industries and the economy, all driven (we need to admit) by our collective failure to defend our digital environments and assets.
All of this (and the latest letter I received notifying me of a major data breach) got me thinking about the value received from the programs, tools and processes we have put in place to bolster our cybersecurity.
I asked myself what must change for us, if we are going to defend successfully against the people who are bringing the “fight” to us. My conclusion?
We need to be held to account, if we are going to do what must be done. Why? Because absent “professional and organizational accountability” we will never fully embrace the effort needed to “fight back” against the cyber-war being waged against us.
More regulation is inevitable because self-regulation promoted by both our institutions and our cybersecurity solution providers is failing us.
In the case of NCUA’s recent request, more regulation may come in the form of a broader supervisory umbrella covering a larger number of our industry’s participants – specifically third-party vendors. As reported recently, NCUA Board Chairman Todd Harper took the opportunity presented by this latest cybersecurity breach to express the need for Congress to renew the NCUA’s third-party authority.
“It has been more than 20 years since the NCUA had the necessary statutory authority to examine third party vendors for risks such as this one,” said Harper.
“As a result, the NCUA’s ability to analyze and assess risks posed by third party vendors in the credit union system remains limited. And when incidents and outages like this one occur, the agency’s lack of authority limits our ability to respond effectively and quickly, which negatively impacts credit unions and their members,” he added.
Should we be surprised by NCUA’s response? I don’t think so. As noted from the keynote stage of a recent national cybersecurity conference, “Self-regulation is not working.” Because I agree with the sentiment, I won’t be surprised when additional regulations arrive, including significant penalties for institutions. It’s coming to all industries and organizations because our efforts to date have not brought the needed results.
What should be our response to calls for more regulation of cybersecurity risk management? Bring it on!
But we should ask for nuanced regulation that understands and accounts for the “on the field” challenges we face, while also making dramatic changes to how we perceive the challenges and how we address them.
While regulation needs to be nuanced, we need to be focused and act with urgency. Regulators need to be level-headed in terms of who should be held accountable for keeping people and their data safe, and they need to consider the realities of how data breaches and their containment play out on the ground. But so should all of us.
A regulatory push for accountability, and our own sense of responsibility, should drive us toward a greater urgency. We are going to be held more accountable in the future. Our response must be a whole-of-company focus. It’s time we respond to the attacks upon us with an appropriate “war footing.” Our “business as usual” approach to defending institutions from cyberattacks isn’t working.
We need to move from managing to leading, even fighting. Over the last decade we’ve been trying to manage the attacks against us, and the subsequent damage done, or the vulnerabilities revealed. But managing, rather than leading a fight to defend, has brought us to a place where we are working to “check the boxes” and “pass the audits”, rather than “win the fight.”
The pivot is coming. We are now seeing the departures of senior cybersecurity folks at institutions that have been breached. And the SEC is beginning to act against firms that failed in their security efforts. Cyber programs focused on managing the challenge are being exposed, and the pivot is coming — more boards, CEOs, CIOs, and CFOs are starting to ask if they’ve funded a show pony cyber program and if it’s time to pivot, to make rapid advances in defense of their assets.
Being breached brings clarity. CISOs get fired after breaches, not simply because they are the scapegoat but because they “own the breach”, because their programs didn’t work. I recall conversations with CISOs who told me they expected to be breached and it was part of their job to prepare “a defense of their actions” to protect their job, even after that failure. I appreciated the honesty at the time.
But that attitude and approach hasn’t worn well. A clearer understanding of the fight we are in, and the need to act outside our normal organizational behaviors, has never been more necessary.
What we can learn from those who have failed. In a breached organization, it turns out, the CEO or CIO is more likely to realize they don’t need a manager, they need a wartime leader who can get things done quickly. They need a leader who sets a clear vision of victory and then executes on that vision with violence of action. Why? Because being breached makes the war “real.” It brings clarity.
The programs we’ve built over the last few years have done too little to counter the attacks being perpetrated upon us. Ransomware groups are beating corporate cyber teams. What we are doing isn’t working. It’s time to pivot. It’s time to change. It’s time to focus on countering the attacks and defeating the enemy, rather than building a policy and process machine that “fits” but doesn’t “fight.” It’s time to break our own rules to get things done.
One industry insider recently pointed out, “if you’ve worked in an organization ‘post breach’, you know what it means to have wartime leaders fighting the fight. Any task that’s not critical to winning the war is a task that’s ignored. Process, policy, and unwritten corporate rules are broken, daily, for the sake of speed and winning the war. Anyone who deviates from the stated objectives or slow walks work quickly finds themselves looking for a new job. Winning is the first, second, and third most important goal. Things you were told you couldn’t do before the breach will be things that get done in weeks or days. Non-performing tools and people will both exit the organization.”
The pivot must come. If this gentleman is right, and I’m betting he is, change is coming. Results are going to take precedence over process, tools, and audits. Organizational leaders must demand this shift, this pivot, because we are losing the war that has been brought to us. The days of cybersecurity programs built to “pass audits and satisfy management boards” must end.