{"id":45269,"date":"2022-02-11T15:00:00","date_gmt":"2022-02-11T15:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/attacks-breaches\/what-cisos-should-tell-the-board-about-log4j"},"modified":"2022-02-11T15:00:00","modified_gmt":"2022-02-11T15:00:00","slug":"what-cisos-should-tell-the-board-about-log4j","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/what-cisos-should-tell-the-board-about-log4j\/","title":{"rendered":"What CISOs Should Tell the Board About Log4j"},"content":{"rendered":"
<\/div>\n

Cyberattacks on corporations are now a common and increasingly frequent occurrence, which should lead their boards of directors to take notice and recognize the need to increase funding and enable other security measures. But a recent Gartner report<\/a> finds that 88% of boards of directors view cybersecurity as a business risk, not a technology risk, yet only a fraction have a dedicated, board-level cybersecurity committee, which means cybersecurity isn’t viewed as a critical executive function.<\/p>\n

With Log4j taking up a lot of security attention in the last month, it is imperative to revisit not only the cybersecurity funding conversation but also how to get the board to pay more nuanced attention to cybersecurity.<\/p>\n

Log4j is a library of open source code that lets hackers run any code on vulnerable systems or hack into applications that use the Apache Log4j framework. The vulnerability, also called Log4Shell, is indeed a serious issue, so serious that the federal Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance on remediating Log4j<\/a>. The Federal Trade Commission (FTC) also said it would take action against companies<\/a> that don\u2019t take steps to protect consumer data from exposure due to this vulnerability.<\/p>\n

The FTC\u2019s announcement appears to send a warning to boards more than security practitioners about the need for them to do their due diligence and take corporate ownership of risk impact. “When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates\u202flaws including, among others,” the FTC stated.<\/p>\n

So it behooves CISOs to get in front of their boards of directors<\/a> and explain the potential implications of complacency and inaction. Most people (security practitioners included) are likely experiencing cyber-breach fatigue and may be inclined to downplay Log4j as just the flaw of the month. To do so would be dangerous and irresponsible.<\/p>\n

Boards never want to hear “I don’t know” or \u201cIt’s not my responsibility\u201d from their CISO. And CISOs certainly don\u2019t want to appear before the board and give the impression that an issue isn’t under control. But the Log4j vulnerability<\/a> requires a new approach that relies on comprehensive runtime analysis to detect, prioritize, and remediate all instances of the Log4Shell instances. CISOs should reframe this as an opportunity to elevate security posture as a whole.<\/p>\n

How to Get Board Buy-In On Log4j\u2019s Importance<\/strong>
<\/strong>An increasing number of CISOs now present to their boards<\/a> on a variety of strategic topics because security is no longer seen as just a technology function. The key is to speak in layperson\u2019s terms and get some salient points across. The first is to emphasize that Log4j slowly but surely nests in the corporate networks and is one of the most critical zero-day vulnerabilities in recent history.<\/p>\n

Board members aren’t interested in the operational or tactical aspects of cybersecurity; rather, they are focused on the holistic impact of the risk that the vulnerability poses.<\/p>\n

What will also get the board\u2019s attention is that this vulnerability affects some of the world\u2019s largest IT companies and tech vendors<\/a>, including Amazon Web Services, Oracle, Cisco, IBM, Fortinet, VMware, and others.<\/p>\n

There is widespread deployment of Log4j, from simple, everyday devices to high-end space vehicles. The proliferation of Log4j is akin to Russian nesting dolls; boards need to be aware that instances of the vulnerability can be hidden with multiple transitive dependencies, making remediation equally complex. And what they don\u2019t know can hurt them.<\/p>\n

Boards should also understand that Log4j is a growing and complex security problem that promises to be around for years to come. CISOs need to explain that not taking this flaw seriously could result in a data breach, data loss, productivity loss, and ultimately, loss of reputation.<\/p>\n

Some key questions that the CISO should ensure can be addressed with the board include:<\/p>\n