A lack of metrics or key performance indicators associated with IT maintenance is often to blame for CIOs ignoring concerns and requests posed by infosec leaders, according to Joshua Kuntz, CISO at the Texas Department of Licensing and Regulation. To correct this problem, businesses should consider developing KPIs that motivate CIOs to prioritize security-centric tasks such as vulnerability management, he said at the 2023 InfoSec World conference in Orlando, Florida.
“The CIO has three jobs: innovation, operations and maintenance. And the thing they get most measured on is innovation: Can you bring… new value to the business?” said Kuntz in a one-on-one interview a day before leading a presentation on this very topic. “Maintenance is the only thing that they’re not measured on and the only person who really cares is the CISO.”
That can lead to clashes with IT leaders, particularly around the handling of application security and vulnerability management, said Kuntz. For instance, Kuntz said that at his last job, his messaging and concerns weren’t “making it to the top” — an issue that he ultimately had to address directly with upper management.
Too often, he said, the attitude around AppSec is that problems can always be fixed in a future version release — and as a result, the company punts repeatedly on addressing bugs. And a similar attitude is too often prevalent when it comes to vulnerabilities: “Maybe I’ll roll the dice one more time and kick that can down the road. Because if [a breach] happens, it’s terrible, [but] if it doesn’t happen, then I didn’t spend any money fixing it,” said Kuntz, describing this faulty thinking.
To shift this mindset, Kuntz recommended that companies institute performance metrics that measure both the percentage of known bugs that get corrected, and how quickly vulnerabilities get fixed. For instance, Kuntz told SC Media that at his last job, the set goal was to correct 70% of all known vulnerabilities each month. Deadlines for fixing them were established at 15 days for critical bugs, 30 days for high-severity ones and 90 days for medium-risk ones.
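The two metrics Kuntz describes (share of known vulnerabilities fixed per month, and time-to-fix against a per-severity deadline) are easy to compute from a vulnerability tracker export, and writing them down as code forces the definitions to be explicit. The following is an added example, not code from the article or from Kuntz's organization; the data model, the reading of "known vulnerabilities" as findings open at any point during the month, the treatment of open-but-overdue findings as SLA breaches, and the sample records are all assumptions made here. The 70% target and the 15/30/90-day deadlines are the figures quoted above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Remediation deadlines in days, per severity, as described in the article.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}
# Share of known vulnerabilities expected to be corrected each month.
MONTHLY_FIX_TARGET = 0.70


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    severity: str          # "critical", "high", "medium" or "low"
    found: date            # date the finding was recorded
    fixed: Optional[date]  # None while the finding is still open


def month_bounds(year: int, month: int):
    """Return (first day of the month, first day of the following month)."""
    start = date(year, month, 1)
    end = date(year + (month == 12), month % 12 + 1, 1)
    return start, end


def days_open(v: Vuln, as_of: date) -> int:
    """Days from discovery to fix, or to the reporting date if still open."""
    return ((v.fixed or as_of) - v.found).days


def within_sla(v: Vuln, as_of: date) -> bool:
    """True if the finding was fixed inside its deadline, or is open and not yet overdue."""
    limit = SLA_DAYS.get(v.severity)
    if limit is None:
        return True  # assumption: severities without a deadline are never counted as breaches
    return days_open(v, as_of) <= limit


def monthly_fix_rate(vulns, year: int, month: int):
    """(fixed, known, rate) for one month.

    Assumption: "known" means open at any point in the month, i.e. found before
    the month ended and not already fixed before it began."""
    start, end = month_bounds(year, month)
    known = [v for v in vulns if v.found < end and (v.fixed is None or v.fixed >= start)]
    fixed = [v for v in known if v.fixed is not None and start <= v.fixed < end]
    rate = len(fixed) / len(known) if known else 1.0
    return len(fixed), len(known), rate


def sla_compliance(vulns, as_of: date):
    """Per-severity share of findings inside their deadline; open, overdue ones count as breaches."""
    result = {}
    for sev in SLA_DAYS:
        group = [v for v in vulns if v.severity == sev]
        if group:
            result[sev] = sum(within_sla(v, as_of) for v in group) / len(group)
    return result


def overdue_open(vulns, as_of: date):
    """IDs of findings that are still open and already past their deadline."""
    return [v.vuln_id for v in vulns if v.fixed is None and not within_sla(v, as_of)]


# Constructed sample records (not real findings) for an October 2023 report.
AS_OF = date(2023, 10, 31)
SAMPLE_VULNS = [
    Vuln("V-1", "critical", date(2023, 10, 2), date(2023, 10, 10)),  # 8 days, in SLA
    Vuln("V-2", "critical", date(2023, 9, 20), date(2023, 10, 12)),  # 22 days, breach
    Vuln("V-3", "high", date(2023, 10, 5), None),                    # 26 days open, not yet overdue
    Vuln("V-4", "high", date(2023, 8, 15), None),                    # 77 days open, overdue
    Vuln("V-5", "medium", date(2023, 9, 1), date(2023, 10, 20)),     # 49 days, in SLA
    Vuln("V-6", "medium", date(2023, 7, 1), date(2023, 9, 15)),      # fixed before October
    Vuln("V-7", "low", date(2023, 10, 10), None),                    # no deadline defined
]

if __name__ == "__main__":
    fixed, known, rate = monthly_fix_rate(SAMPLE_VULNS, 2023, 10)
    status = "meets" if rate >= MONTHLY_FIX_TARGET else "misses"
    print(f"October 2023: {fixed}/{known} known vulnerabilities fixed ({rate:.0%}), {status} {MONTHLY_FIX_TARGET:.0%} target")
    for sev, share in sla_compliance(SAMPLE_VULNS, AS_OF).items():
        print(f"  {sev:<8} within {SLA_DAYS[sev]:>2}-day SLA: {share:.0%}")
    print("  overdue and still open:", overdue_open(SAMPLE_VULNS, AS_OF))
```

Two design points follow from the article. Counting an open finding that has passed its deadline as a breach (rather than waiting for it to be fixed) is what keeps the metric from rewarding the "kick the can" behaviour described above. And the severity-specific deadlines mean the report can show that the critical backlog is the one slipping, which is the kind of weighing of operational impact against security need Kuntz asks CISOs to do.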
Of course, there are some caveats. Any expectations that are set must be reasonable and attainable, and upper management must be willing to make this part of the performance evaluation for the office of the CIO.
And there’s a flip side as well, said Kuntz: CISOs should not engage in hyperbole or act as a “Chicken Little” doomsayer over every little vulnerability they want to see addressed. “You have to be able to weigh the operational impacts versus the security needs,” said Kuntz. “Everything can’t be critical.”
Additionally, it’s important to engage in security awareness discussions with non-security IT leaders and make them aware of how a major cyber incident will seriously impede the areas that they do passionately care about, like innovation and operations. “Just look at Clorox,” Kuntz remarked. “Their production line stopped because of a security incident.”
For more perspectives from Kuntz at InfoSec World, watch the video embedded within this story.