With data breaches piling on in 2015, the focus in security circles is shifting from prevention to rapid detection and remediation. A recent article in Wired shared by Phil Agcaoili of US Bancorp proposes reframing the security conversation: “Let’s stop talking about ‘breach prevention.’” While a previous goal for information security professionals may have been to build cyber defenses that can prevent a breach, the Wired article goes on to suggest a new goal: “When you find your organization on the cover of the New York Times, make sure the story is about how you’ve done everything possible to make the breach a non-event.” The new reality is that companies need a robust breach response plan that includes how to contact affected customers, remediate any damage, and handle public relations.
— Phil Agcaoili (@Hacksec) June 15, 2015
A new security conversation calls for new vocabulary, and leading professionals like Andy Ellis of Akamai are moving away from “secure” to terms like “risk assessment.” Viewing security from a risk management perspective essentially acknowledges that nothing is 100% secure, and that security and functionality are inversely related. There is almost always a trade-off between the free movement of corporate data for business purposes and keeping that data inaccessible to internal and external attackers. When Ellis uses the term “risk consultant,” he is referring to the fact that security teams can educate business units on the risk to corporate data, but ultimately the CEO will choose to accept a certain amount of risk. Of course, the risk owner is then accountable in the event that data is compromised.
Risk assessment is best done by the owner of the risk. Risk consultants are guides, not oracles. #NolaCon
— Andy Ellis (@csoandy) June 13, 2015
Who are the definitive risk owners? The board of directors is responsible for enterprise risk management, and they are increasingly turning their attention to cyber security. Jeremy Richard of Groupe ACTICALL shared five questions that boards should ask in light of the Sony breach. Not surprisingly, the list includes a question on staff training. In the vast majority of instances, employees have good intentions and do not want to compromise sensitive data. However, users do not necessarily have a solid understanding of corporate security policies. Simply educating employees on these policies and why they are in place translates to more sound risk assessment at all levels of the company. If you find yourself presenting your security program to the board, we’ve created a PowerPoint template compiled from real presentations CIOs and CISOs have delivered to their board of directors and executive team.
Five questions every board should ask after Sony Pictures breach https://t.co/wEosB3XNBu
— Jeremy Richard (@jeremy_richard) June 11, 2015
Today’s hackers are profitable organized crime groups. One role of the security professional is to eat into hackers’ profits until they hit zero. Andrew Jaquith of BAE Systems applauds this perspective on security. After all, one of the best ways to stop the majority of attackers is to reduce their incentive. Of course, 1400% ROI for malware attacks also shows that the security industry has a long way to go in this battle.
Malware attacks give criminals 1,400% ROI < Clever post. Kudos to Trustwave for thinking about the ROI. http://t.co/EP16cm2ttd
— Andrew Jaquith (@arj) June 16, 2015
Shifting the conversation away from prevention calls for a new security framework. Kees Leune of GIAC reinforces the importance of anomaly detection, since preventative controls are not guaranteed in a world where millions of compromised credentials are available for sale on the Darknet.
Information Security Leadership: LastPass announced a breach. Three lessons learned. http://t.co/qhdhTWF6VQ
— Kees Leune (@leune) June 16, 2015