Like everyone else in the cybersecurity domain, I’ve been pretty busy the past week or so. First there was the UPS Store breach, which was small change compared to the nefarious cybersecurity situation at JPMorgan Chase. The situation became a bit more whimsical when photos of naked celebrities floated around the web, but quickly became serious again with the breach at Home Depot, which may trump the Target breach when all is said and done.

Here is a terse synopsis of what’s going on: we’ve gotten really good at rapidly developing and implementing new applications on new technologies. We can even do so at scale (with the exception of healthcare.gov, but that’s another story). Yup, we want immediate gratification from our technology toys, but we really don’t have the right people, skills, processes, or oversight to actually protect them.

Let me be a tad more specific by putting security breaches in the context of a few cybersecurity concepts:

Risk management. This is essentially a calculation: you estimate the frequency of threats and how vulnerable you are to those threats, so you can propose options for mitigating risk. The problem here is that executives are clueless about cyber risk and still view this discussion as an expensive and unnecessary burden. Additionally, many corporate security people don’t have the right skills to understand the risks associated with new IT initiatives like cloud and mobile computing. It’s time to take the foot off the IT gas pedal and make sure that the security issues around applications and IT projects are well understood and have ample protection before we throw them on the network.

Prevention. We currently spend most of our time and resources on the prevention of cyberattacks. Nothing wrong with this per se, but our prevention methods are too generic and tactical. In other words, we implement firewalls, IDS/IPS, and endpoint security software in standard configurations across all industries, but hackers are attacking different industries with different attacks (note: see the Verizon DBIR report for more detail). Furthermore, we implement prevention controls on individual technologies when cyberattack kill chains cut across multiple technologies. Above and beyond standard best practices like the SANS Top 20 security controls, we need to customize prevention for our applications, business processes, network flows, and industries. These will be unique to each organization and require careful research and planning.

Detection. The security industry warns that all organizations will be breached, so it is important to invest in threat detection tools and technologies. Good advice, but the main problem with detection is that it requires a combination of strong IT and security analytics skills. Unfortunately, there is a global shortage of cybersecurity talent – ESG research indicates that 25% of organizations have a problematic shortage of cybersecurity skills (note: I am an ESG employee). To align our needs with available resources, we have to find ways for security professionals to work smarter, not harder. This requires a comprehensive investment in the collection, processing, and analysis of massive amounts of security data. There are numerous tools in this area (e.g., Blue Coat/Solera, Click Security, HP, IBM, ISC8, Narus, RSA, Splunk, etc.), but many organizations would be best served if they stopped pretending they know what they are doing and handed their security analytics over to reputable service providers (e.g., Dell, Sumo Logic, Symantec, etc.).

Response. At a large enterprise organization, it’s not unusual to get thousands of security alerts each day. Which ones are most important? Which ones are real? What type of remediation activities should be prioritized? Based upon my experience, many organizations are addressing these critical questions with a common strategy: they are winging it. So what’s needed? Better visibility, data correlation, algorithms, and intelligence, so that we are using technology to answer these questions with a high degree of accuracy. When we are confident in our security technology intelligence, we can actually get people out of the way and automate our responses. In my mind, we have to do this because even the best security professionals can’t keep up with the scale and sophistication of today’s threats.

While I’m on my soapbox, here’s a final and perhaps controversial thought on cybersecurity – we need more accountability all around. For example, consumers should stop paying with credit cards until the U.S. catches up with chip-and-PIN cards. More corporate boards and CEOs should lose their jobs when breaches happen under their reign. Voters should tell Congress to stop playing politics with cybersecurity or they will likely lose their seats in the next election, etc. I don’t expect a lot of changes from Washington or Wall Street, but if we see a few more security breaches, I wouldn’t be at all surprised if consumers start cutting up their credit cards. If this happens, we may finally see a response from federal and financial fat cats.