Chris Olson
Chris Olson founded The Media Trust with a goal of transforming the internet experience by creating better digital ecosystems.

Taking Charge of Malware: Why CISOs Should Be Responsible for Third-Party Code

Today’s online publishers and global organizations are faced with a serious problem: third-party code (3PC) now makes up more than 80% of the code executing across websites and mobile apps, including Alexa 500 domains. While much of this code is benign and even necessary for UX, some of it steals personal information, drops payloads, or redirects the user to malicious pages.

Whenever they visit social media, news, or entertainment sites, users unwittingly load into their browsers hundreds of scripts, forms, and cookies that completely bypass publisher-side AppSec and dev teams. Typically, 5 in 1000 of their web sessions are infected by malicious 3PC that drives the largest threats to Internet users, including mass data breaches leaking consumer credit cards and ransomware attacks on business, academic, and state or local government websites, and apps.

It’s clear that something has to be done, but the traditional structure of organizations has left them unprepared for 3PC. In order to slash the number of attacks threatening their revenue and customers, organizations need a change of mindset that prioritizes digital security.


The CISO: the Best Candidate for the Job

With a job description defined by information security, the CISO is best suited to protect the information flowing in and out of an organization’s digital platform. Plus, their role already encompasses the unique skillsets for combating malware.

Organizations have never been more dependent on their digital properties than they are today, yet websites and apps are typically segmented from other IT operations, which are the very teams that can protect these assets. As a result, security strategies too often overlook these assets’ vulnerabilities.

Every other potential “security candidate” in the organization occupies a sphere of business where revenue takes priority over security (Web Ops and CSO), or a traditional area of security which cannot be neglected for the sake of digital (CTO and dev teams).

Prioritize Digital Security

Too many organizations today see digital as ancillary to their overall business strategy. Websites are mere online billboards and therefore segmented from other IT operations. Their failure to appreciate the crucial role websites and mobile apps play in engaging and understanding their prospects and customers explains why these assets receive inadequate protection.

First—with the rise of consolidated infrastructure—digital is connected to and affects multiple systems, including IoT, remote access portals, and CMS. Second, digital drives mission critical objectives from marketing to revenue: all customer interactions are facilitated by digital, and 96% of B2B leaders won’t form a business relationship unless they can see online content first.

Malware that doesn’t result in fraud or data theft can drive latency, greater device battery consumption, and unwanted content, including fake news or political propaganda. For organizations, staying in control of their digital presence therefore means keeping control of their message and brand.

A website is much more than a billboard or calling card: it is a vital asset that directly impacts internal processes, public image, and bottom line.

3PC Is A Compliance Issue

If revenue and mission critical operations aren’t reason enough to control 3PC, organizations soon won’t have a choice: emerging legislation cracks down on data breaches, and holds organizations responsible for violations whether or not they originated with a third-party.

By now, the power of this legislation has been demonstrated.

GDPR regulators have handed down historic penalties to global brands that have suffered a data breach. Non-liability contracts are no defense: regulators aren’t letting companies off the hook for the actions of a partner.

In fact—aside from avoiding breaches altogether—organizations have little recourse for defense. According to the CCPA, organizations must use “reasonable security” standards to protect its customers, but without a definition for that term, organizations are likely to be accused of lacking them in the aftermath of an attack. With laws like the CCPA either now or soon to be in force, the situation in Europe has become the legal reality for organizations around the world.

Automation Will Not Control 3PC – The Human Element is Essential

Organizations that understand the threat posed by malicious 3PC have turned to convenient but ineffective solutions that overly rely on automation. So far, the results are disappointing: popular “blockers” are consistently behind the spread of malware—which has an average lifecycle of three to four days — leaving websites vulnerable to attacks when they are most active.

New digital threats cannot be automated away or blocked with conventional solutions: there is no way to bypass the need for constant human vigilance and control to keep malicious partners away while retaining the good ones. Delegating the responsibility to a C-Level executive is a good start—that’s why the CISO should be in charge.

The CISO meets the following criteria:

  • Cybersecurity and information privacy expertise – the goal of this role is to stop malware and prevent data theft by performing some type of vendor security due diligence
  • Knowledge of regulations and compliance – to deal with emerging legislation and prevent lawsuits
  • Digital forensics insight – will need to understand how malware propagates in the digital environment so they can find and block the source of an attack
  • Cross-department relationships – must collaborate with marketing, product development and executives to ensure everyone knows how their actions affect digital security

Delegate, and Delegate Soon

It may be objected that the CISO already has a lot on their plate—but that’s neither a big problem, nor is it the point. Some of their responsibilities can be shared with other security roles to lighten their workload: especially training, reporting, and similar routine tasks. Even the job of scanning code and vetting third parties can be shared with AppSec.

But more importantly – whatever the CISO does – the point of delegating the job is that someone qualified to solve the problem has to be in charge. Until 3PC is specifically addressed, it will remain neglected, leading to increased risk for organizations, their employees, customers and society as a whole. Taking responsibility is not optional, and it has to start somewhere.

And no matter where organizations do start, they should expedite their decision: the CCPA became active on January 1st, and nationwide privacy legislation may be rolled out by the end of 2020. When that happens, the threat of 3PC can’t be ignored. While the time to deal with it was yesterday – at least for now – we still have today.

The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety. is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats.