
CISO Tips & The Board

Addressing the Log4j vulnerability

CISOs have always found it challenging to get the board of directors to prioritize cybersecurity. The reasons are many, but one of the most common is that there is no dedicated board-level cybersecurity committee.  This puts security in the back seat at meetings, so when vulnerabilities like Log4j come up they are downplayed as just the latest flaw of the month.  That view couldn't be farther from the truth, and it creates a huge risk for companies.

A recent Gartner report finds that 88% of boards of directors see cybersecurity as a business risk rather than a technology risk.  However, only a fraction of those boards have a committee dedicated to cybersecurity.

Log4j is an open source logging library, and the Log4j vulnerability allows attackers to run code on any vulnerable system that runs the Apache Log4j framework.  The vulnerability is also called Log4Shell and is a serious issue that still causes problems for companies.  When it arose, the federal Cybersecurity and Infrastructure Security Agency (CISA) issued guidance on remediating it, and the Federal Trade Commission (FTC) said it would take action if companies did not take steps to protect themselves from the vulnerability.

With previous vulnerabilities, CISOs have always addressed the board of directors in a certain way, but Log4j is different. The Log4j vulnerability requires a new approach, one that depends on comprehensive runtime analysis to detect, prioritize, and remediate every instance of Log4j.

The first tip for CISOs when addressing the Log4j vulnerability and cybersecurity with the board of directors is to let the board know that it brings the company’s security posture to a whole new level.

Reframing the importance of the Log4j vulnerability is tip two. A CISO wants to emphasize that Log4j may already be nesting in the corporate network as they speak, and that it is one of the most critical zero-day vulnerabilities in recent history.

Tip three for CISOs is to make sure the board of directors knows that Log4j affects some of the world's biggest IT companies and technology vendors, including Amazon Web Services, Cisco, IBM, VMware, and others.

The next tip for CISOs is to make it clear to the board that the spread of Log4j is like a Russian nesting doll: the vulnerable library can hide in multiple layers of transitive dependencies.  This very aspect is what makes remediating the Log4j vulnerability complex.
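The nesting-doll problem is concrete: a deployed WAR or EAR may carry log4j-core inside a JAR inside another archive, so a scan that only looks at top-level files misses it. The following is an added example, not code from NCX Group or from the original post; it recursively opens archives inside archives and reports where log4j-core is bundled and which version the bundled pom.properties declares. The sample WAR it scans is constructed in the script itself (no real bytecode) so the example runs offline.

```python
import io
import zipfile
from typing import List, Tuple

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# JndiLookup is the class whose lookup is abused by Log4Shell. Its presence shows
# log4j-core is bundled; whether that copy is vulnerable is decided by the version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _version_from_pom(data: bytes) -> str:
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def scan_archive(blob: bytes, path: str, depth: int = 0, max_depth: int = 8) -> List[Tuple[str, str, bool]]:
    """Return (location, version, jndi_present) for every log4j-core found.
    location shows the nesting chain, e.g. app.war!WEB-INF/lib/log4j-core.jar."""
    findings: List[Tuple[str, str, bool]] = []
    if depth > max_depth:  # guard against pathological nesting
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings
    names = zf.namelist()
    if POM_PROPS in names or JNDI_CLASS in names:
        version = _version_from_pom(zf.read(POM_PROPS)) if POM_PROPS in names else "unknown"
        findings.append((path, version, JNDI_CLASS in names))
    for name in names:  # descend into archives embedded in this archive
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(scan_archive(zf.read(name), f"{path}!{name}", depth + 1, max_depth))
    return findings


def build_sample_war() -> bytes:
    """Constructed sample: a WAR embedding a log4j-core 2.14.1 jar (empty class stub)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"")
        z.writestr(POM_PROPS, b"version=2.14.1\nartifactId=log4j-core\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()
```

To use it on a real deployment, read each archive from disk and pass its bytes and filename to `scan_archive`; the `location` string tells the remediation team exactly which layer of the nesting doll holds the library.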

Furthermore, the flaw will not be disappearing anytime soon, which means it puts the company at risk of data breach, productivity loss and more if it is not addressed in both the short term and the long term.

The last tip for CISOs is to make sure the bigger picture makes its way to the board of directors.  The board needs to understand that the Log4j vulnerability is a mutating one, and therefore security is essential to prevent intrusion as new variations of Log4j arise.

If you need help with cybersecurity and the Log4j vulnerability, schedule a free consultation here: https://calendly.com/ncxgroup