The Highest Risk Ever….. Not!


I just received one of my daily news reports about Cyber Security, and it said something to the effect of: such and such a research group has found that Application Security holes are at their highest numbers ever, this number is expected to increase even further in 2016, and companies really need to focus on fixing the risk incurred by these applications.  I thought, “Wow, really?”  I mean, yet another highest number, highest risk, most vulnerable, more danger than ever before message.  What a surprise it was to get yet another news feed about a Cyber Security vulnerability being the worst ever.  (That last sentence is dripping with sarcasm, just in case you couldn’t tell.)   I really just want to shout and scream out that no, it isn’t the highest total ever!  None of these items being touted as worst ever are really the worst ever.  The simple reality is that we are still in our relative infancy when it comes to Cyber Security as a profession and as something to write about.  Being in our infancy means that we are still finding lots of these things that we couldn’t find before.

None of these vulnerabilities appeared overnight.  The vulnerabilities that we are now finding, and that are generating these, at times horrific, reports about numbers of vulnerabilities, have always been there.  Not only have these vulnerabilities been there, but here is a secret I will let you in on: there are many more that we still haven’t discovered!  Companies, researchers, etc. now have the proper tools to discover concerning Cyber Security vulnerabilities in large numbers.  These are items that in the past no one knew about even though they were there.  As more and better tools come out we will find even more of the “worst vulnerabilities ever.”

Vulnerable operating systems, vulnerable web pages, vulnerable code, vulnerable hardware or firmware: these items have been around for decades and will remain around.  So while it is great that we can now find these and do something about fixing and remediating them, they aren’t new.  Maybe newly discovered or newly recognized, but they have always been there.

Why am I going on about something that is basically hype, and in some ways good in that it publicizes exposure to these items so that Cyber Security professionals can use them to raise awareness, funding and support for remediation?  Because of the way the reports and news articles are written.  In too many cases these articles raise awareness and hype of issues that are much lower risk than the ones the organization’s Information Security team is already working on.  I have sat in many meetings where executive management has looked at the Chief Information Security Officer (CISO) and said, “I know your team is really busy remediating core vulnerabilities across our financial landscape, but I read something yesterday about mobile devices being very vulnerable and I think we need to re-focus our resources…. the article really made this mobile risk sound like the most dangerous thing ever.”

Don’t get me wrong, I appreciate the awareness being generated, but… the WORST EVER… no, in most cases it really isn’t.  There are lots of Cyber Security items just as bad or worse that most organizations need to fix, and the decision on where the highest Information Security risk sits inside the company should not be made by reporters and vendors; it should rest on the shoulders of the CISO and the experts they have hired to analyze and determine which risk items need immediate attention.


About mclaukl

Professional Certifications: Certified CISO, CISM, CISSP, PMP, ITIL Master Certified, GIAC Security Leadership Certificate (GSLC), CRISC. Kevin also holds Certificates in the Advanced Principles of Information Security and in Advanced Information Security Research Methods from Jones International University. Kevin L. McLaughlin began his career as a Special Agent for the Department of the Army, where he was responsible for investigating felony crimes around the globe. He has had many careers over the years, including being a Police Officer in Kissimmee, Florida, an Investigator for Mastercard/Visa, a Middle School teacher, a Director at Kennedy Space Center (where he worked with Fred Haise, James Lovell, Armstrong, Shepard, etc.), the President of his own company, an IT Manager and Senior Information Security Manager with the Procter & Gamble (P&G) company (Fortune 35), CISO at the University of Cincinnati and Senior Information System Security Manager for the Whirlpool Corporation (Fortune 125). Kevin has also been an adjunct since 1992. While at P&G, Kevin created one of P&G’s augmentation outsourcing teams in India. Kevin designed and implemented this India team; it won a global Gold Service award from Atos-Origin and has acted as a model for countless corporate relationships since. Over the years Kevin has created an Information Security program, conducted Information Security strategic planning, designed Information Security solutions, investigated over 700 cyber cases and operated a Global Security Operations Center.

Education: MS in Computer Science Education, BS in Management of Information Systems, PhD in Cyber Security, University of Fairfax.