🤓 CISO: Hey want me to address the media on the cyber attack? 🏇 CEO/COO: Nah, I got this...Hold my "beer"!

Yup... and my favorite statement from organizations after a cyber attack has to be:

"There's no evidence at this point that any sensitive personal information was accessed" - often echoed by every member of the C-suite when addressing the media.

Zero context and an obvious display of "Nothing to see here!".

But how can this statement be even slightly true, especially when the perpetrators have breached your systems to the extent that you are declaring it a cyber attack?

Organizations face millions of daily attacks, many of which go undisclosed as they are unsuccessful or halted before causing harm.

However, a declared attack typically indicates a successful breach, where intruders have penetrated the network, established control, stolen data, and disrupted operations.

Considering the average attacker dwell time on the network (about 185 days), the attackers likely obtained "personal and business sensitive information" during their reconnaissance.

Their extensive efforts suggest a significant motive, given that cybercrime is a lucrative multi-billion-dollar industry, not merely the work of amateurs.

Instead of a default statement, we should inquire about the motives behind the attack and what was targeted for theft.

Moreover, why do CEOs or CFOs represent organizations in such matters, when technical experts like the Chief Security Officer or Chief Information Security Officer would be more apt?

It seems tech experts often remain secluded, never emerging from the proverbial basement, and CISOs are rarely included in high-level discussions.

These reflections arose from recent attacks on the Government of British Columbia and London Drugs, prompting questions about cybersecurity strategy and representation.

When will Cyber Security be taken seriously? I ask government, businesses and health care organizations. Security is a team sport, and it is always the Finals. Don't use your coach when you should be calling on your team captain!
