It doesn’t take a security genius to figure out that the theory of preventing security incidents – from malware infestations and child porn cases, to bank fraud and data breaches – is a failed concept.
For years we have ignored, overlooked or rationalized the dramatic increases in both security spending and losses from cybercrime. Despite a 40 percent annual increase in information security budgets, the total of losses and costs from security incidents has increased 400 percent. This can only mean the following:
- We are spending our security dollars on the wrong things. If your company spends more on security hardware and software than it does on security policies, processes, measurement and analysis, it may be time to review your priorities. Security peace of mind comes from knowing exactly where your weaknesses are and the knowledge that you’ve effectively strengthened them. Ask your security hardware vendor to guarantee their product’s effectiveness – they’ll respond only with a smile. You may also be interested to know that the US Military spends more on analysts and communications than it does on guns and artillery.
- We are implementing the wrong things incorrectly. Whether it’s the use of default passwords on firewalls or misapplied IDS and SIEM rules, commonplace security hardware and software is falling down on the job. But it’s not doing it alone. Just like guns don’t kill people, firewalls don’t ALLOW ALL. Without a thorough, consistent Certification and Accreditation process, companies will continue to put hardware and software on the wire that does little to protect them, all while introducing new vulnerabilities.
- The wrong things, once implemented incorrectly, are not being assessed or measured for incorrectness. It is a well-known statistic that a significant majority of security breaches are made possible by the lack of effective patching of systems and applications, where patches have been available for six or more months. While poor configurations are released into the wild, effective assessments can reduce those risks. How well is your security infrastructure protecting your business? If you can’t answer this question quantitatively, it’s time to implement a system of regular assessment and measurement.
One of the most profound findings from 2011’s Verizon Business Data Breach Investigations Report (see image) was that 86 percent of data breaches were discovered not by the afflicted parties, but rather by the afflicted party’s customers, partners or business associates. This staggering number demonstrates that despite all security efforts, companies are doing an inadequate job of prevention (and detection, in this case).
The time has come to shift our efforts to detection and correction, or at least institute a better balance across these domains. Consider your bank, and what they consider their most valuable security controls. Rarely do you find armed guards at banks today, and most of them prefer glass doors. Inside, however, you’ll find cameras, panic buttons and dye canisters at every teller station. You can’t stop bank robbers, but you can stop bank robberies.
With all of the press around security incidents these days, blogs like this feel like beating a dead horse. Unfortunately, if this preaching weren’t falling on deaf ears the statistics would be headed in the other direction. So grab your conscience, some duct tape and a bottle of water, there’s work to do.
And grab a shovel, we need help digging this grave.
As the owner of an information security firm, I am frequently faced with the challenge of figuring out who to deliver our message to. Most security practitioners would respond that security is everyone’s responsibility, and I don’t disagree. However, when you’re in the business of marketing security services, and not just implementing them, that shotgun mentality will just make a big, messy hole.
Yesterday I overheard my business partner on the phone with a prospect, a Compliance Officer for a large credit union. As my partner’s pitch rose to a crescendo, he was suddenly interrupted, replying “so that’s not your responsibility? So… I should talk to IT?” No matter how successful you are, you’re going to get your share of objections, rejections and denials. But deflections are different, particularly in security. Let me explain.
For a long time, information security was considered an IT problem. Why? Because the solutions – things like firewalls, antivirus software and access control lists – were only available from IT. This system worked for a while because the controls were well matched for the threats. But it created an unfortunate precedent, one that would eventually disarm businesses everywhere.
Fast forward to 2011. Today’s threats don’t look or act the way they did ten, five or even two years ago. And even though today’s threats are still rudimentary in nature, they cleverly outwit traditional security controls by avoiding them altogether. The firewalls and antivirus software that made IT synonymous with security are failing, and it’s causing a new problem – an identity problem. IT is not your security team. But if IT doesn’t do security, who does?
It’s not an easy answer, but if you can find the risk owners, you’re on the right track. Here are some suggestions, in order of greatest liability:
- At the highest level, business owners are responsible for the health and welfare of their employees, clients and businesses, and as such are implicitly accountable for ensuring the security of business assets. Whether it’s awareness training or data protection, the buck stops here. Of course, each business has unique risks, and every security program will, and should, look different. Business owners are the primary risk owners.
- Next come asset owners. This is a term borrowed from ITIL and other organizational frameworks that seek to identify the chief decision makers for information and other systems. Asset owners, after business owners, are next in line for risk accountability, because they make decisions about business assets. The Human Resources Manager, the Comptroller, the Director of Development – these are all good examples of asset owners. This could be a large group of individuals, depending on the size of the organization.
- Next in line come those involved with compliance or audit. After all, it is these individuals who measure how well regulatory, statutory, commercial and other legal requirements are being met.
- Last are the employees of the business. Each and every member of the organization has a role on the security team and is a cog in the security machine. It is the responsibility of each individual to understand their role and responsibilities and implement the required behaviors to the best of their ability. Employees are the organization’s biggest, brightest and most capable security control – when they fail, it becomes a major weakness.
So where does that leave IT? As a service provider, your Information Technology team is simply doing what they are asked to do. Whether your security program is strong and mature or non-existent, remember that it wasn’t (or shouldn’t be) IT that made it that way. IT’s job is to provide technology services that meet specific Service Levels to their clients – the departments, end users and asset owners in your business. They’ll be happy to secure your assets, but only after a business leader, asset owner or Compliance Officer has made the critical decision to do so.
So the next time someone calls you and asks if you’d like to talk about information security at your company, you know what to say.