Practical Analysis: Time For A New Way Of Thinking About IT Risk
A colleague joked that a time capsule from 2000 would hold warnings against the hacking techniques Gonzalez used. His victims aren't laughing.
September 3, 2009
The information security business isn't just thankless--we're used to being ignored until something hits the fan. But for security practitioners, the schism goes deeper: There are weeks you feel at war with the very organization you're trying to protect.
That's why, when the mug shot of Albert "Segvec" Gonzalez, the malicious hacker behind dozens of high-profile breaches and the theft of more than 100 million credit card numbers from a veritable who's who of household brands, appeared on the home page of CNN, we should have had one of those collective "score one for the good guys" moments.
So why can't I get that voice in my head to shut up? You know, the one asking: What kind of security controls did these organizations have? Were the risks identified and communicated? And were those risks then ignored, misunderstood, or just accepted?
And aren't loss numbers supposed to be going down, not up?
But what gnaws at me most is this macro question: Is infosec succeeding? The concept of a perimeter is a thing of the past, and we're shipping data out to third parties at an accelerated rate via cloud services. Meanwhile, thanks to the failures of Wall Street barons, the business world is once again abuzz about the need to embrace the science of risk management. Problem is, there's no evidence that Gonzalez or his partners used any techniques that we don't already know how to defend against. At this rate, the next guy looking to cash in on corporate America's inability to protect its data will have plenty of room to maneuver.
I propose that the problems we face are now less technical and more communication- and process-based. We're not asking the right questions, and we aren't effectively communicating the answers we do have.
What do we need to ask? In "5 Security Lessons From Real-World Data Breaches" we explore lessons learned from real control failures seen in our practice, and in our InformationWeek Analytics report "Cloud Governance, Risk and Compliance", I discuss what organizations must do to manage specific cloud-based risks.
And yes, Neohapsis uses services in the cloud. For risk managers, deciding whether to sign off here boils down to one question: Can vendor X do a better job at task Y than our internal IT organization while staying within a set of risk parameters addressing security, performance and availability, business viability, and legal/compliance concerns?
Here's another piece of advice that hopefully we won't have to pull out of a time capsule in 2017: Build out your risk registries now. Work with business leaders to identify the systems, data sets, and processes that are most critical to the organization. Use these lists to prioritize assessment and control efforts, and get IT risks represented as part of the organization's overall operational risk registry. If we fail here, there's zero hope for success against determined attackers. But with them, we stand a fighting chance--and we might even get those grumpy security guys recognized.
Greg Shipley is CTO for the information security and risk management firm Neohapsis and an InformationWeek contributor. Write to him at [email protected]. And on Sept. 8, check out the new NetworkComputing.com.
About the Author
You May Also Like