Security captures headlines. Companies elevate concern to the board, increase spending. And breaches are on the rise.
When do we make the pivot? Change our approaches to drive different outcomes?
That question drives Keith Lowry (LinkedIn), Senior Vice President, Business Threat Intelligence and Analysis, Nuix. It also frames the findings from a study conducted with select Fortune 500 corporate security officials that looks to gain insight on current and future plans to reshape & reprioritize information security practices.
Those findings are available in Defending Data: Turning Cybersecurity Inside Out With Corporate Leadership Perspectives on Reshaping Our Information Protection Practices (link).
I asked Keith to share his experience and perspectives on the research.
Based on your experience and research, what do we need in order to improve security?
We are facing dynamic threats that cannot be countered with static responses. Organizations must understand that cyber security and specifically countering insider threats are not merely accomplished by compliance measures. Improving security means that senior leadership must recognize the dynamic nature of today's threats rather than looking at the problem from a static viewpoint. Moreover, senior leadership must begin to advocate the move from a defensive, IT-centric security approach towards a more robust, holistic risk management perspective.
Most organizations believe threats can be countered by increasing the IT budget, or purchasing a piece of software or a specific “tool” along with completing a compliance checklist. Today’s threats are not always identified by static compliance checklists. Compliance methodologies alone lead to a false sense of security.
Seems a lot of people equate “security” with “I bought a solution for that.” How do we break the cycle?
Cyber security in the 80s and 90s was focused on perimeter defenses: making sure that routers were correctly locked down, and ports closed. Software patches were promptly installed to keep hackers from exploiting weaknesses. In retrospect, IT departments were conducting security efforts dictated by the threats of the time.
Security now encompasses much more than an IT department is equipped to conduct. IT professionals are great at IT, but the threats have become much more sophisticated. The days of “fixing” an identified threat after the attack has occurred are leaving organizations exposed. It seems as though some organizations are still thinking about security in terms of Newtonian instead of Quantum Physics. The world is changing and security must adapt to meet the dynamic nature of the threats. Too often, organizations continue to organize and spend resources on threats from decades past.
Once an organization understands the depth of the threat, and that this is a risk management problem, then budgets can be allocated appropriately. Assumptions in the security budgets being valid; budgets being focused on IT issues without understanding the threat; and burying budgets where the resources are being spent on solving incorrect problems are things about which senior leaders should be concerned and questioning.
How can a security leader act on the information in this research report? What is something they can do to get started?
The simple three steps to begin:
- Know your data
- Set priorities
- Go beyond technology
Know your data. Most organizations are unable to answer the following questions: what is their critical value data, where is it located, who has access, and what do those with access do with the data? Without knowledge of what you are attempting to protect, the threat cannot be managed.
Set Priorities. As a risk management problem, the solution begins in the boardroom and with the senior executives. Executives should appoint a senior level individual and organization responsible for cyber security, and must hear information directly from the responsible senior leader, and not filtered by other subordinate organizations. This senior leader must be backed by the advocacy of the Board, CEO and COO.
Go Beyond Technology. Once organizations recognize the depth and scope of the threat, they will change the way these threats are viewed, and enlarge the scope and breadth of the responsible organization. Additionally, since this is not merely an IT problem, organizational policies, processes, procedures, training, and other parts of the program must be in place, in addition to what “tools” or “software” is selected to discover, and mitigate.
What do you see as the potential consequences of waiting too long to act?
A saying used in law enforcement has merit in this discussion. “Bad law enforcement actions lead to bad laws.” If an organization stalls or discounts the importance of prioritizing and implementing good overall security standards, then they expose themselves to legal decisions forced on them resulting from government intervention or rulings from courts.
Recent US Court decisions being issued show that the Courts are willing to allow plaintiffs to sue for negligence when an organization did not follow a current cyber security standard of care. Additionally, US Courts have granted the FTC authority to regulate cyber security issues. Stalling or lack of resources in security does not appear to be a good risk management decision.
What does it take to prepare our organizations for a more dynamic threat?
The average amount of time between a successful cyber security threat (event) and an organization discovering that the event occurred is between 180 and 220 days. Do executives and board members feel comfortable that their critical value data has been taken, altered or moved without their knowledge for that amount of time?
Organizations and executives must awaken to the knowledge that these threats are real, successful, and omni-present in the data centric world of today. The threats come from witting and unwitting employees, organized criminals, non-state, and state actors across the globe. If the organization has anything of value, then they are at risk.