CISOs already have plenty of IT vulnerabilities to worry about, so when the Log4j vulnerability was announced in December—well, how significant can one more crisis be on top of your already-long list, right?
Wrong. Log4j is more than an urgent cybersecurity threat. It also neatly captures many of the IT security and compliance challenges that businesses face today. So even as CISOs scramble to remove all the Log4j threats in your IT ecosystem, we should also consider why Log4j is such a pressing problem.
It’s not because Log4j is a technical challenge; the patch needed to address it is relatively straightforward. Rather, Log4j is pressing because companies need a disciplined approach to finding every instance of the vulnerability throughout the extended enterprise: their own data centers, cloud-based service providers, employees’ personal devices, and other third parties that move through their IT infrastructure every day.
That’s the real issue here. Log4j reminds us (yet again) that companies need a better approach to third-party governance to keep security risks in check and compliance obligations upheld. Because even after the IT community beats Log4j into submission, other vulnerabilities will follow. Businesses need a sustainable, effective way to address them all.
Moving From Patches to Cyber Governance
Companies do need to address the immediate crisis of Log4j, and that means installing a patch. The good news is that the Apache Foundation, which manages open-source software such as Log4j, already has that patch freely available to anyone.
Still, companies need more than the patch itself. They also need to ensure that the patch is implemented at scale — which is not easy when so many employees either work remotely thanks to the Covid-19 pandemic or use their own devices to process corporate data. Then comes the even larger headache of ensuring that Log4j has been patched among the third parties operating in your extended enterprise.
That’s a governance challenge rather than a technical one, so success depends on adopting the right governance structures much more than it depends on downloading the latest patch from the Apache Foundation. For example, your organization will need:
- Policies about device usage among employees. Do you, in fact, want to allow employees to use their own phones, tablets, and laptops to access corporate data? Do you want to require them to connect to your data center via a virtual private network? Those questions need to be answered, and the answers need to be stated as corporate policy. Then, employees need to be trained on those policies, and to attest that, yes, they’ve read and accept those policies.
- Policies and procedures for patch management. Companies will need policies to clarify that the IT department will implement all patches, or to specify what patching employees can do on their own. Companies will also need procedures and technical expertise to put those policies into practice (such as implementing patches remotely, or blocking unpatched devices from accessing critical systems).
- Documentation that patches have been implemented and tested. Documentation is vital so that your business can pass any necessary audits (e.g., for HIPAA or PCI DSS compliance) with minimal stress, and so that your sales teams can promptly address any cybersecurity concerns that prospective customers might have.
Moreover, the above examples are just to address the risks of software vulnerabilities in your own organization. Companies also need to address those same risks among the third parties that work within your extended enterprise.
For example, you’ll need to be able to track those third parties—cloud-based service providers, contract labor accessing your data with their own devices, and others that interact with your corporate network. You will need to get attestations from them that they’ve addressed their Log4j concerns; and for mission-critical third parties you may want an audit of their cybersecurity efforts for extra assurance. You’ll also need a repository to store all that evidence, and a system to help you track all third parties and the evidence they’ve provided you.
How to Get Started
The first step to developing effective cyber governance is to understand exactly what it entails and who within your company will be responsible for it. So, as always, the first step is really about defining roles and responsibilities.
For example, the CISO could be responsible for cyber governance—but as we discussed above, the job goes well beyond technical tasks such as patch management or security audits. Cyber governance is also about deciding how cloud-based technology providers will support your business processes, enforcing policies for employees and third parties, and preparing reports to show your company’s regulatory compliance and risk posture.
Whether your company assigns all that to the CISO, a chief risk officer, or even several people reporting to a senior executive, those responsibilities will need to be defined and assigned. Then, the CEO and the board will need to hold those executives accountable for running an effective governance program.
You’ll also need to consider the capabilities that an effective cyber governance program will need. For example, modern governance programs will need to be strong in:
- Third-party identification, since so many third parties now come and go on corporate networks. Who are these parties? Why are they present? What data of yours do they access?
- Security risk assessment, to understand specific new threats, such as Log4j, as well as persistent, systemic weaknesses such as an inability to map all your critical data.
- Policy management and security education, to ensure that employees know how to behave while working remotely and that third parties know what is expected of them.
- Documentation, to keep track of attestations and audit evidence that might be needed in reports to senior management or external parties.
- Reporting, so that you can easily brief the board on risks, meet regulatory compliance burdens, or even just convince that lucrative customer prospect that, yes, your business is trustworthy.
Let’s be honest: this is a lot of work. It’s a diverse set of tasks and responsibilities to monitor, with a host of small details to track within each big category. Compliance leaders should consider whether you have the right technology to support such a complex endeavor—one that can track all those third parties, manage security assessment workflows, and preserve all the evidence you collect. Doing that via spreadsheets, email archives, and shared drives won’t inspire much confidence with your board.
That might be the ultimate lesson of Log4j, even as that specific threat recedes. Unless you want to spend all your time lurching from one emergency patch to another, you’ll need to address these issues in a more strategic way.
That more strategic way is a cyber governance program: one based on transparency, where your company has a clear understanding of all parties operating on your IT networks and whether those parties pose any risks you don’t want. It’s also important that you know what controls you have to mitigate the risks you care about, and to ensure that all parties responsible for executing the controls are doing their part.
Then, with that governance program in place, your company can move forward with its real goal: pursuit of business objectives, knowing that everyone (and everything) in your enterprise can be trusted to help on that journey.