While there are many vendors and consultants trying to outdo each other on the how's and why's of the breach, for IT departments who are wondering if they're next, there's a strategy to use this breach to get ahead.

Yes, most (if not all) of us are going to be impacted one way or another by the Equifax breach. Class action lawsuits, credit monitoring tools and individual credit freezes will escalate. But there is another important dimension to this calamity, one that might yield some positive upside if approached properly. What am I talking about? I am talking about the chasm between Infrastructure Ops, Security Ops, and Compliance and Audit that exists in every enterprise today (I wrote about it here) and how that might have contributed to this fiasco.

But this is not just an Equifax issue, I would hazard. Why can I state this confidently? Because I heard it loud and clear at #BlackHat and more recently at the #StructureSecurity conference in San Francisco. In fact, a comment by John ‘Four’ Flynn, CISO at Uber, really drove this home: ‘The #1 risk most organizations face today is the Windows 2000 server sitting under Bob’s desk that needs to stay up and therefore is not patched, rebooted or changed in any manner, as no one wants to assume the risk of it going down.’ And this trumps any security hygiene or compliance dictate.

If you are in IT Operations, this presents an opportunity that does not come by very often. Most well-run IT Ops teams may think they have a handle on security and may even be aware of ‘Bob’s server’ and other vulnerable systems in their environment (cloud adds another degree of complexity, but let’s tackle that in the next article). But the fear remains: what if there are more systems than anticipated? Would they even try a tool that exposes the risk they have? Actually not. They don’t want to hear it, because if they do, and then don’t act, and there is an incident, heads will roll.
So they would rather play dumb and NOT EVEN entertain the dialog with a vendor or two. But that does not reduce the risk, and they do end up spending sleepless nights!

But with Equifax, and the unpatched Apache servers, the quantifiable cyber security risk that an organization faces is becoming a board-level conversation. And I would argue that this is the time that IT Ops can actually go up to the CIO (or CISO) and make a case for ‘risk assessment’ tools that would materially expose, quantify and reduce the cyber risk any organization faces. For instance, in a recent GAO report the five identified areas of weakness were ‘limited access controls, limited configuration management controls, limited to no segregation of duties, lack of contingency planning, siloed security management’. I would argue that on any given day no IT organization would be magically accorded budget to identify tools that would help expose the risks in these five areas and take corrective action. But we are not talking about any given day. This is the day (or the week) that the largest and most impactful breach in US history has happened, attributed to poor patch management governance. That is the opportunity. Don’t let this crisis go to waste, my fellow IT brethren. With the CEO having to step down as a result of this, the budget will appear magically in most regulated industry verticals. One needs to know what to ask for and why.

So, let’s take advantage of what happened at Equifax and go secure budget for the tasks that you always knew you had to do (update Bob’s Win 2K server). Given the heightened awareness, there will also be more latitude toward any issues post-upgrade, since the primary driver is to patch the systems. On the contrary, if we pretend that this is just yet another breach and sink into hubris, and god forbid another attack were to happen, the tolerance for any kind of IT snafu would be very low.
So, let’s ride this horse to the finish line, seek budget and deploy tools that:

- Identify and expose risk
- Highlight the risk in a language upper management understands
- Apply the solutions that reduce the risk to bring it to an acceptable level
- Constantly monitor the environment for any change
- Rinse and repeat

As someone once said, “Never let a crisis go to waste.”