CIO Cyber & Risk Network March 2021
On the Cyber & Risk Network March call, the CIOs and guests spoke about:
1. Patching policies and differentiating between internet facing and non internet facing. Often, the differentiation is driven by an IT department recognising that it needs to prioritise its efforts, and so internet facing software will get priority.
2. Similarly, if a vulnerability is being actively exploited, then that gets patching priority, and most organisations will aim for 48 hours to have that vulnerability patched.
3. As services move to Cloud providers, the CIOs raised the issue of how to gain assurance that their Cloud vendors are also doing the right thing with patching. With larger and more Cloud-oriented vendors it may be more automated, but many businesses rely on niche providers, and the operational maturity of these smaller providers may not be at a level the CIOs are comfortable with.
4. This raised the topic of open source dependencies, as well as software sprawl across business units, and how to keep track of what software is being pulled down from various repositories, such as GitHub.
5. Responsible disclosure statements are an important first step in moving toward bug bounty programs.
5. The efficacy of dark web monitoring services and the relative value from these.
5. The dual value in decommissioning software and services. The removal of phone bridges which have effectively been replaced by online video conferencing was used as an example of reducing both costs footprint.