Network Computing is part of the Informa Tech Division of Informa PLC


LinkedIn Breach: Leading CISOs Share 9 Protection Tips: Page 2 of 2

5. Treat Information Security As A Risk
Jerry Johnson, CIO at Pacific Northwest National Laboratory (PNNL), said a failure to demand regular status updates was the root cause of a breach suffered by PNNL in July 2011, after one of its business partners was hit by a spear-phishing attack that allowed attackers to obtain a privileged account on shared computing resources. After the breach, "we basically did a causal analysis and the root cause was that executive management, and that includes the board, had not recognized cybersecurity as being a significant risk to the organization, and consequently they allowed the cyber program to degrade significantly," Johnson--who's also in charge of the lab's information security program--said via phone.

Accordingly, watch CISO lines of reporting. After the breach of PNNL, for example, the lab modified Johnson's role so that he reports to the lab director--the two meet every week over coffee to detail the organization's security posture--and also to ensure that he gets exactly what he needs. "I have the authority to do whatever I need to do to protect the information resources at the laboratory," he said.

6. Consider A Placeholder CISO
For businesses that currently lack a CISO, Tom Patterson, practice director for the commercial security division of CSC, noted that his company offers a CSO residency program that will put a temporary CISO in place literally tomorrow. The program also helps an organization define exactly which CISO capabilities it requires, and then hire a permanent employee for the job. "It's a lot cheaper to be proactive--the PR hits on these companies [suffering breaches] are bad for business, and bad for valuations for public companies," Patterson said via phone. "So for companies that don't have a trained CSO, we can put one in, and they come with a full book of policies and procedures."

7. Identify Crown Jewels
Security resources are finite. Accordingly, it's up to CISOs to detail the most important data in the company so that it can be best secured. "This gets into defense in depth: knowing what it is you have of value, and making sure those are the things you're protecting the most," said PNNL's Johnson. In the case of LinkedIn, for example, "the password file they had, the level of protection they had on it when they had 1,000, 100,000, or even 1 million users had a certain value, and the amount of encryption they had on it may have been fine." But as the social network grew to sport millions of users, "the potential value of that password file became much higher," he said, which should have triggered a corresponding increase in protection.

8. Beware A False Sense Of Security
CSC's Patterson recommends that all organizations commission an annual, third-party risk assessment to ensure they understand their security postures and the biggest threats facing the business. "Companies should review that risk assessment at the board level, not the IT level, because generally the IT person is not the person charged with deciding if that company should live or die," said Patterson.

One benefit of a risk assessment is obvious: it helps businesses identify blind spots. "A company may have this false sense of security, because they've got a really high-end security architecture and implementation, but if they bought that four or five years ago, it's absolutely not safe against the threats that are out there today," said Patterson.

For example, many organizations fail to appreciate encryption nuances. "Companies feel that if they encrypt, they're safe. But the key to encryption is key length, if you salt, what level of SHA you use," he said. "A few years ago people used a SHA1 implementation, and it hadn't been broken by common thieves back then, but now it has. Now, you don't have to be a rocket scientist to break this stuff."
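To make Patterson's point about salting and hash choice concrete, here is an added example (written for this page, not code from the article, CSC or LinkedIn) that puts a fast, unsalted SHA-1 password store beside a salted, slow PBKDF2 store and adds a simple audit check: does the stored file reveal which users share a password? The sample accounts and the storage record format are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration; two users share a password.
SAMPLE_USERS = {"alice": "Summer2012", "bob": "Summer2012", "carol": "correct horse"}


def weak_store(password: str) -> str:
    """The scheme Patterson warns about: one fast, unsalted SHA-1 digest.
    Every user with the same password gets the same stored value, and a
    precomputed table of common passwords maps straight back to them."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_store(password: str, iterations: int = 200_000) -> str:
    """Salted, deliberately slow storage: PBKDF2-HMAC-SHA256 with a random
    16-byte per-user salt. Record format (assumed for this example):
    pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>"""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count kept in the record, then
    compare in constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False  # refuse records in any other (e.g. legacy) format
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def shared_password_visible(store_fn, users=SAMPLE_USERS) -> bool:
    """Audit check: with this storage scheme, can whoever holds the password
    file see that two accounts share a password without cracking anything?"""
    stored = [store_fn(pw) for pw in users.values()]
    return len(set(stored)) < len(stored)


if __name__ == "__main__":
    print("unsalted SHA-1 reveals shared passwords:", shared_password_visible(weak_store))    # True
    print("salted PBKDF2 reveals shared passwords: ", shared_password_visible(strong_store))  # False
    record = strong_store("Summer2012")
    print("verify right password:", strong_verify("Summer2012", record))   # True
    print("verify wrong password:", strong_verify("Summer2013", record))   # False
```

The iteration count is the tunable cost Patterson alludes to: raise it as hardware gets faster, and the stored record carries the value so old entries still verify.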

9. Treat Advanced Threats As Common
Likewise, the state of advanced persistent threats (APTs) has become such that signature-based defenses alone will no longer protect a company, warned Patterson.

Furthermore, APTs are fast becoming not just the province of nation states, but of criminal gangs. "We've traditionally thought that the most challenging threats are the APTs, but the criminal sector is now picking up APT techniques and applying them as well," said Johnson. "For all I know, [the LinkedIn breach] was Russian mafia or a criminal group that may be using the same type of techniques that APT groups used in the past." Just as the attack state of the art continues to evolve, so must security programs. Look to CISOs to lead the charge.
