There is a phrase that has become quite popular in information security circles and it goes along the lines of “there are two types of organizations, those that have been breached and those that don’t know they’ve been breached.”
I hear it quite regularly from industry commentators and speakers at conferences – the key message being that every organization has been breached and only those with good information security have been able to detect and respond to the breaches.
The other implication of course is that the CSOs in the companies that “don’t know they’ve been breached” are incompetent.
One of the main problems with this phrase is that anytime I hear it, the speakers never qualify what they mean by a breach. Does it mean that someone has penetrated the network and taken the organization’s prize data? Or does it mean that a computer virus infected a laptop with little or no value to the organization? My point is that without clarification on the context of the statement how are we to know how bad the problem really is?
I say this because I regularly talk to business people or senior management in companies who read the above statements and they say to me, “is it really true that our company has been breached but our CISO does not know about it?” Some have even asked “if every company is breached, why should I spend money on security at all?”
We cannot blame them for having that viewpoint when not only do “industry experts” regularly claim the battle against our adversaries has been lost, but their viewpoint is reinforced when they read about security breaches resulting from basic security measures not being properly utilized or not even implemented in the first place.
While some will argue that this is the reality we’re facing, I say that if that’s the case – what are we going to do about it? Are we simply going to surrender our networks, our systems and our data to whomever wishes to access them or are we going to work together as a community to improve the situation for us all? I will certainly be aiming for the latter and urge those of you reading this to do the same.
I believe we need to take several steps to help us improve the overall image of our profession and community. Some of these will take time and will require some hard work but if we work together we can make our networks safer and secure for all.
Here are my suggestions:
1. Let’s make sure we bring context into conversations. Remember that saying “there are two types of organisations, those that have been breached and those that don’t know they have been breached” is like saying “there are two types of shops, those who have been robbed and those who don’t know they have been robbed.” Robbery can range from staff stealing pens from the stationary cupboard, to petty shoplifting, to actual armed robbery. When making statements such as these, context is important to make sure the right message is understood.
2. Let’s focus on the getting the basics right before we start worrying about any new threats or the latest cool vendor solution. Ensuring that basic security controls are in place and working as they should is not an easy task, particularly for large enterprises. Remember: without the basics controls in place, the new headline grabbing threats are not what you should be worried about as you are more likely to be breached as a result of an existing threat. Also, if you cannot get the basic controls working what makes you think you will be any more successful with the latest and greatest vendor solution?
3. Communicate proactively and clearly to senior management and the business. Whenever you see news headlines that will raise questions at senior management level, make sure to put your context on that story and highlight what you have in place to prevent it impacting on your organization. Communicating regularly with the business will also cement you – and not the media – as the trusted source for information security news.
4. Ask questions! Every time you hear a vendor, a conference speaker or read an article that makes statements without providing context or gives statistics without providing the data, ask yourself what are they trying to achieve? Don’t be afraid to challenge these sources and get clarification on how they are using data to support their arguments. Always ask why.
5. Finally, let’s work together and share information on how we can better protect our networks, systems and data. If you’ve managed to successfully implement a solution to a particular problem, share it with your peers. Post it online in a blog post or as a white paper. Consider li presenting it at a conference. It need not be a major conference – start with your local chapters of ISSA, ISACA, ISC2 or OWASP.
Our job as information security professionals is a challenging and exciting one, but let’s make sure the work we do is based on facts and logic and not on hyperbole and headlines.
Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland’s first CERT. He is a Special Advisor to the Europol Cybercrime Centre, an adjunct lecturer on Information Security in University College Dublin, and he sits on the Technical Advisory Board for a number of innovative information security companies. He has addressed a number of major conferences, he wrote the book ISO 27001 in a Windows Environment and co-author of The Cloud Security Rules. He regularly contributes to a number of industry recognized publications and serves as the European Editor for the SANS Institute’s weekly SANS NewsBites.