Wednesday, September 27, 2017

Equifax: Case Study in Poor Leadership

The former CISO of Equifax has been criticized for her lack of STEM academic background but, forgetting anyone's college major(s), the real issue here is the leadership deficiency blatantly running up and down Equifax's management team.

https://www.wired.com/story/equifax-breach-response/

Wired paints a grim picture of Equifax's team, and response, as the article should. At the end of the day, no one wanted to fall on their sword, and now they all are. Reminiscent of the movie Margin Call, executives want to survive to fight another day, but there are ways to do things in the business world and Equifax did anything but that.

Sunday, September 17, 2017

Your Third-Party Security Review Process is a Mess

Regardless of the control framework and / or process you utilize, most third-party review processes are poorly designed & inefficient.

On top of that, most orgs ask their vendors to maintain a level of security that said orgs can't follow themselves.

Amidst the Equifax breach, orgs will look to insert more vigor into their third-party review process, though few if any continuously monitor the security of their business ecosystem.

Instead of spending cycles completing matrices / spreadsheets, firms should invest in the following:
  • A vulnerability scan / penetration test (of limited scope) before any legal documents are executed.
    • A remediation plan should be agreed upon as well.
  • A continuous monitoring / assessment agreement to ensure governance during the course of the contractual agreement.
  • Recurring audits / spot checks on the security governance established / expected.