If you are among the CIOs who still believe maintaining a strong cyberdefense is the right approach to protecting your enterprise, consider this your wakeup call.
Either awaken from your nap and augment your reactive cyberdefense by implementing proactive, offensive cybersecurity measures -- both internally and externally -- or update your resume (excluding cybersecurity as a core competency) and consult a good executive search firm for help in finding your next job.
In fairness to all, our industry is filled with hype about cybersecurity, not too dissimilar from the deluge of information we get on other life-altering technologies and capabilities: cloud, big data, mobile computing, bring your own data, real-time analytics, etc. Living as we do amid this mountain of hype, it can be a monumental task to separate fact from fiction, to know the difference between today's "gotta have it" from yesterday's 8-Track or Betamax "glad I didn't buy it." But I'm dating myself.
A few of the greatest cyberdefense myths to consider
- Cybersecurity is an IT problem.
- If we hire enough really smart techies and buy the biggest, toughest firewall products and tools, we can keep the bad guys out of our enterprise.
- Cybersecurity is about keeping the bad guys out; we don't need to worry as much about staff or users inside the enterprise firewall.
- Use of state-of-the-art encryption techniques will solve our problem.
As we have been hardening firewalls and becoming more proactive in anticipating threats ... the bad guys have gone low-tech.
- As long as we run up-to-date antivirus and malware scans and mitigate the bad stuff on a regular basis, we will be just fine.
- My enterprise is not a bank, an insurance company or a government agency -- we don't have payments or any electronic records worth stealing.
- Ensuring passwords are properly managed and policies and procedures are in place that require users to change them periodically will keep the auditors happy; we will be able to sleep at night.
- We recognize our cybersecurity products and tools are a bit out of date and we have a plan to update them; we will be just fine.
- When recycling or disposing of end-of-life desktops, servers and processors, wiping the hard drives to Department of Defense standards will be sufficient to protect our company's confidential information.
If you find yourself agreeing with one or more of these statements, it's time to augment your cybersecurity defenses.
A few cyberdefense facts to consider
Based upon a recent study by Symantec, Internet Threat Security Report 2014, a significant percentage of data breaches are precipitated internally. Here is the breakdown:
The time and cost needed to resolve cyberattacks is increasing dramatically. A report from the Ponemon Institute, 2012 Cost of Cyber Crime Study: United States, showed the approximate number of days taken to remediate attacks by type:
The Ponemon report additionally showed that the average time needed to resolve a cyberattack in 2012 was 24 days, with an average total cost of $591,780, which represents a 42% increase from the prior year.
A senior staff member of the crime branch of the FBI recently shared with me the following qualitative insights:
- The bad guys are no longer kids in dorm rooms attempting computer break-ins as a sport to earn bragging rights. We are dealing, in many cases, with well-funded foreign government- and organized crime-sponsored cyber-terrorist attacks on a routine basis.
- The bad guys are not just looking for ways to illegally transfer money into their accounts. Theft of intellectual property (programs, data, patents, architectures, designs, processes, methodologies, etc.) is rampant.
- The bad guys are commonly looking for ways to bring down not just our financial and business systems, but to paralyze our critical infrastructure (telecom, electrical power, water, oil and gas, transportation systems, etc.).
- Cyber-forensic analysis of enterprise networks and systems performed by the FBI commonly reveal the presence of malware that had been embedded and was operational in host networks and systems and remained undetected by conventional commercially available tools for months, or, in many cases, years.
- A "paradigm shift" is occurring in the dark underworld of cybercrime. As we have been hardening firewalls and becoming more proactive in anticipating threats, identifying and mitigating increasingly sophisticated technology exploits, the bad guys have gone low-tech. Increasingly, social engineering emails (phishing, pharming and spoofing) have become the cybercriminal tool of choice.
- Senior executives and even members of boards of directors have increasingly become targets of these social engineering attacks, as they are often the least knowledgeable about the dangers and have the greatest access to the most sensitive and critical information.
- All of the most sophisticated tools that we have created to manage big data, perform advanced analytics, and provide precisely targeted business intelligence, are also being used by the bad guys to become better phishers, pharmers and spoofers.
Are we having fun yet?
The National Institute of Standards and Technology (NIST) issued their Framework for Improving Critical Infrastructure Cybersecurity earlier this year. While the framework was specifically designed for use by government technology professionals engaged in protecting the nation's infrastructure, it is highly applicable and easily adaptable to the needs of every enterprise that uses technology. It focuses on using business drivers to inform your cyberdefense and facilitates the inclusion of cybersecurity risks as part of the enterprise's overall risk management processes. The framework provides a common taxonomy for enterprises to:
A good hockey player plays where the puck is. A great hockey player plays where the puck is going to be.
- Describe their current cybersecurity posture.
- Describe their target state for cybersecurity.
- Identify and prioritize opportunities for continuous improvement.
- Assess progress toward the target state.
- Communicate among internal and external stakeholders about cybersecurity risk.
At its core, the NIST Framework defines five critical functions that form the basis of an enterprise culture that makes business decisions based on the risks appropriate for their enterprise. The five functions are:
1. Identify: To develop an organizational understanding of the business context, assets and risks associated with cybersecurity.
2. Protect: To develop and implement appropriate safeguards commensurate with asset value and business risks.
3. Detect: To develop and implement appropriate capabilities to identify a cybersecurity event.
4. Respond: To develop and implement appropriate activities to take action once an event has occurred.
5. Recover: To develop and implement activities and plans to maintain resiliency -- i.e. disaster recovery and/or continuity of business -- following a cybersecurity event.
CIOs and IT executives would be well-advised to download and review the NIST Framework document with their internal and external constituents to determine how to adapt key elements that are most relevant to their businesses.
Let me know what you think. Post a comment or drop me a note at firstname.lastname@example.org. Discuss, debate or even argue -- let's continue the conversation.