How to take advantage of the Adobe breach to advance the conversation about security in your organization

Change the approach to explaining and responding to security breaches to engage in productive conversations about security at an individual, organizational, and industry level

Breaches aren't new. Learning this week that Adobe experienced and disclosed a recent security breach isn't surprising. And if it's not surprising for us, then it barely registers with most people.

Worse, the responses are predictable: provide little information (due to ongoing investigations; I respect that), downplay the risks, and showcase the positive actions underway.

That means people easily move past. No impact. Or worse, they throw up their hands and explain "nothing can be done." It's business as usual.

To use this recent breach to advance the discussion in your organization requires a different approach. No need to blast an email to everyone. Don't waste your time sending the same messages everyone else has issued and readers ignore.

What we (think we) know

It looks like the attack landed credit card information, passwords, and source code. On initial impression, the loss of source code could be troubling. The obstacle, and our opportunity, is to translate our technical experience with these challenges into functional understanding.

This is an opportunity to ask a few different questions and engage in the conversation.

I see three areas of focus: individuals, organizations, industry. 

How this could impact individuals

Just telling people about it doesn't work. It presumes that someone else should care because you do. And it implies that they'll appreciate the impact -- without the experience to interpret the events. 

Instead, think about why someone should care.

Getting it right means demonstrating value to the individual -- in alignment with the organization.

This is an opportunity to learn how to talk about these issues to our colleagues and families. It's a chance to advance.

A few considerations:

  • Start a conversation instead of making an announcement. Invite people to engage and ask questions. In return, ask them questions. Draw people in. It's okay to not know the answers.
  • Focus on one element at a time. Instead of trying to explain the potential implications of the entire attack, break it down into a short series. That makes it easier to connect actions to impacts. Especially the actions they may be used to taking. But put the impacts in the experience of the audience.
  • Focus on distilling and translating the information. For example, how to explain a zero-day attack, a trojan horse, how to check if the software is authentic/signed or not. These are all advanced/complex topics.

Using this as a conversation starter in the organization

Here are five questions to start a conversation within the organization. It's not important to have answers at the outset. Be prepared to listen, consider, and then work together in pursuit of the right answer.

  1. If the breach happened in August, and they found it in September… that's impressive compared with the detection times current findings report. Let's give credit where credit is due. Conversation starter: could we do that here?
  2. Breaches will happen. If this happened to us, how would we handle it? 
  3. The 10-Q Adobe filed with the SEC suggests no impact to the bottom line. Could we do that? Keep in mind that consumers and corporations alike may lack credible alternatives to Adobe. Especially if their operations depend on ColdFusion and Acrobat. If you're already invested, what is the cost of changing?
  4. If attackers got access to our core (source code, intellectual property, etc.) - what future damage could they do? How would we assure our customers and reliably demonstrate they can trust us?
  5. What changes do we need to consider in light of the security breach at Adobe? What does this mean for patch management? Specifically, for testing the patches and updates that come from Adobe.

Advancing the industry dialog (including Adobe)

It's early in the process. Hopefully Adobe will share more information. Instead of having a conversation about "changing passwords," and looking out for "something really complex we can't explain in an understandable way," let's use this to advance the discussion of security.

It seems to me that access to source code means the attackers likely have more knowledge and insight. Given time and proper incentive, that likely means more attacks. And the attacks may be harder to detect and more devastating. Depending on what they actually got, should we be looking for compromised copies masquerading as legitimate?
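One concrete form of "looking for compromised copies" is checking whether the Adobe binaries on a Windows host still carry a valid Adobe code signature. This is an added example, not from the article: it assumes Adobe products are installed under the default Program Files locations and uses the built-in `Get-AuthenticodeSignature` cmdlet.

```powershell
# Added example (not from the article): inventory Adobe executables and DLLs on a
# Windows host and report any whose Authenticode signature is missing, broken, or
# not from an Adobe-named signer. Assumes the default Adobe install locations.
$roots = @("$env:ProgramFiles\Adobe", "${env:ProgramFiles(x86)}\Adobe") |
    Where-Object { Test-Path $_ }

$results = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [PSCustomObject]@{
            Path    = $_.FullName
            Status  = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer  = $signer
            # Anything that is not a valid signature from an Adobe-named subject gets flagged.
            Suspect = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Adobe')
        }
    }
}

# Unsigned or hash-mismatched files in a vendor directory are the ones worth a second look.
$results | Where-Object Suspect | Sort-Object Status, Path | Format-Table -AutoSize
```

A valid signature shows the file you have is the one Adobe signed; it says nothing about whether the source behind it was tampered with before signing, which is exactly why the question above still needs to be asked.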

While the questions swirl, we have some steps we can take:

  • First, we have to focus on working collectively to translate what just happened into language, situations, and outcomes that other people understand.
  • Once we understand the affected software, leverage the marketing from Adobe to learn how to explain the technologies to people.
  • Then build on that to explain the connection between potential actions, impacts, and consequences. This is an area where Adobe could actually help with the conversation.

This is a chance for us to work together. Send me your ideas. Or your frustrations and challenges.

By working together, we can start to use security breaches to advance the conversation and drive to solutions. 

Copyright © 2013 IDG Communications, Inc.
