- Security TWENTY
- Women in Security
The Sony breach of 2011 is, so far, thought to be the largest ever. The more recent Target breach impacted some 40 million customers and caused sales through its stores to drop by almost half in the weeks following the disclosure. Are these just the cost of doing business or are there lessons to be learnt? asks David Evans, pictured, CEO, Global Aware International.
In the case of both organisations, although they had the means and the money to invest in appropriate levels of security controls and processes, such controls were found to be lacking. In the case of Sony, in doling out a fine of £250,000, David Smith, the Information Commissioner’s Office’s Deputy Commissioner and Director of Data Protection stated “It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.” In the aftermath of the breach, it emerged that Sony did not even have a senior security executive with sufficient clout to oversee security operations and procedures in the form of a chief information security officer and software was left out of date and unpatched. In the case of Target, the breach involved the theft of credit card information from its network—even though it had been certified as being PCI compliant.
Organisations don’t have the information they need
It is true that attackers are getting much more sophisticated in the techniques they deploy and their attacks are getting ever harder to defend against, often taking weeks or months to discover, according to Verizon Business. But, as these breaches show, organisations can and should be doing more to protect themselves.
Whilst these breaches indicate that neither Sony nor Target were adequately prepared, those organisations are clearly not alone. Recent research from the Economist Intelligence Unit shows that just 17 per cent of organisations feel fully prepared to handle a security incident. For many, the lack of relevant information is to blame, as 41pc state that a better understanding of potential threats would help them to be better prepared. Organisations also lack the ability to translate security incidents into business outcomes, since half of the respondents indicated that they feel unable to predict the business impact when a breach occurs. In the case of Target, the business impact was pretty severe.
Without having sufficient information regarding threats and the ability of their network systems to withstand them, business leaders cannot align information security with overall business goals, forcing them to make decisions more on gut feel than fact.
With the stakes getting higher every day, organisations need to devise strategies that more deeply integrate security both into the decision making process and into the design of business technology systems.
Security executives getting more say
As a recent survey by CSO Online shows, things are changing, with many organisations reporting that their security budgets and head-counts are up on previous years. Perhaps as a result of breaches such as Sony that have shown that senior security executives are not given sufficient clout in the organisation, the survey found that three-quarters of security executives are now spending more time advising C-level executives, which should allow them to reduce vulnerabilities by more deeply integrating security into decision-making processes.
That is a good start. But many still lack sufficient authority and influence. In many cases, security is still seen as a non-revenue-generating expense. There is often no central security budget and security is diffused throughout the organisation. In many cases, security executives still report via the head of IT, who is in charge of making technology systems available, not necessarily secure.
Need for further investments
Given sufficient authority and a separate budget, security executives will be in a much better position to not only recommend ways to improve security, but to put in place systems that are effective in the face of today’s challenges. Data and information are the crown jewels of organisations and must be kept protected—not just for the tick box mentality of many compliance programmes but for protecting the organisation from financial losses and reputational harm.
The IT function, tasked with keeping systems running, is not always in the position to give the relevant information to the board. What recent breaches show us is that organisations would be better served by giving greater power to their security experts.
According to Colin Tankard, Managing Director of Digital Pathways (www.digpath.co.uk) and a long-time security practitioner, by giving greater power and budget to security executives, organisations would be better able to ward off security risks at the same time as contributing to the organisation’s overall risk management and compliance objectives. Their efforts should balance IT. IT professionals put in place systems to allow the business to run efficiently; security professionals should be given the power to put in place complementary systems that ensure those systems are running as they should, constantly monitoring everything to ensure that security vulnerabilities are not being introduced that could affect the overall business.
Tankard recommends a data-centric approach, continuously monitoring all IT systems to determine what data is flowing through them and who is accessing what. Any unusual incidents can be alerted to security administrators for investigation and remediation before a breach can occur, or, to minimise its impact. Such tools will provide the auditing, analysis and reporting capabilities that organisations need in order to make informed decisions regarding the risks that they face so that vulnerabilities can be reduced. They will provide separate, unbiased verification that the organisation’s IT stack is working according to the needs of the organisation. That organisation would be more easily able to identify where security vulnerabilities, such as systems left unpatched, are putting the organisation at risk. And that information would be more easily available to management in a timely and efficient manner to aid in overall decision-making.
Every organisation today should assume that they have been breached and should have in place processes to respond in an appropriate manner. The stakes are high and only by making security a high enough priority and putting in place appropriate technologies can any organisation be prepared to defend itself in an adequate manner.