If you needed another reminder that you've been fighting a losing battle against the cyber bad guys, the Myspace, Tumblr and Fling megabreaches discovered this week should leave you in no doubt. The theft of more than 642 million passwords -- a string of breaches that dates back years but came to light only this week -- underscores how long and hard cybercriminals have been on the attack, and how unable we are to keep pace.
As troubling as this week's discovery and diagnosis? Security researchers have no easy answers: The latest and greatest security tools help, but they are not enough.
One big hurdle to catching up is the security knowledge gap in many enterprises -- among cybersecurity staff and the overall workforce. According to a recent report from nonprofit trade association CompTIA, nearly half (47%) of the 500 IT security professionals surveyed said their companies' existing security paradigms were good enough, a perception CompTIA characterized as perhaps the most serious problem in effectively combating cyberattacks. Additionally, the survey found that four out of 10 companies lack security metrics to gauge a workforce's security literacy. So, not only do many security professionals appear to be flying blind in the current threat landscape; many companies also have no way to gauge how uninformed or smart employees are about security.
Mark Morrison, senior vice president and CISO for State Street Corp. in Boston, said the knowledge gap sometimes goes all the way to the top.
"Board members, business [members] really don't understand the threat," he said at the recent MIT CIO Sloan Symposium -- this despite security now garnering more and more attention from the board and the C-suite. "They really understand that the level of sophistication, the amount of individuals that are involved in cyberattacks and their skill set have increased substantially in the last five to seven years," said Morrison, who's held executive security positions at the U.S. Department of Defense and the U.S. Defense Intelligence Agency before joining State Street in 2013.
One hopeful note: Security ignorance is not bliss for the majority of security professionals. According to the CompTIA survey, the 53% of security staff respondents who reported gaps in their departments' security skills said they wanted to be more informed in the latest cyberthreats, and about 40% feel they need to get better at educating end users, or that they need to know more about modern security technology.
One symptom of the current knowledge gap is companies' persistent practice of "chasing the elephant," or the now debunked approach of trying to stop a compromise from happening. That's an impossible task, according to Morrison. Instead, "focus on other parts of the kill chain, which is really detect, respond and recover," he said. He recommended enterprises take a page from smaller, innovative companies that are employing advanced big data analytics security tools, such as machine learning, to help predict hackers' actions and assess whether attacks merit action.
"The whole goal of this is to try to take human speed out of the equation and operate at network speed so you can stay in front of, or at least not too far behind, the adversary," Morrison said.
Security strategy: An inside job
Another major roadblock to catching up to the adversary? Relying only on outside security frameworks, or the old checkbox approach to security, as the end-all be-all of how you define your security architecture, said MIT CIO panelist Sam Phillips, vice president, CISO and general manager of Samsung Business Services.
Standards such as the NIST Cybersecurity Framework and ISO 27001 certainly do provide guidance to IT and security professionals for defining security policies -- they are, however, merely baselines, and solely depending on them is insufficient, Phillips told the audience. The challenge is approaching these guidelines strategically, prioritizing the ones that are most important for your company.
"It takes a long time for those [frameworks] to develop. So, once they come out, they are old news," Phillips said, adding, "You need to understand what you're doing, what the business is doing and the relative risks, and then be able to address those."
CIO news roundup for week of May 31
The Myspace and Tumblr megabreaches weren't the only big news this week. Here's what else hit the headlines:
- Google's been busy this week. The search giant acquired business tech startup Synergyse, which will train users how to use Google Apps using a virtual coach. The product rolls out later this year. Google can now also help you find your lost phone. The "find your phone" tool in Google's My Account hub allows iOS and Android users to locate their phone on a map and remotely wipe its contents.
- Oracle is in hot water. The company was sued Wednesday by a former senior finance executive, who claimed she was fired for speaking out about questionable accounting practices, such as improperly adding millions of dollars of accruals for expected business.
- Uber is turning to the Middle East for the big bucks ... The ride-hailing company said Wednesday it raked in $3.5 billion from Saudi Arabia's Public Investment Fund, the kingdom's main investment fund, in its latest funding round -- one of the biggest investments ever into a privately held startup, according to The New York Times. Uber was valued at $62.5 billion. But what does it mean for women drivers?
- ... and the rapidly expanding ride serve will also give grocery delivery a try. Wal-Mart Stores Inc. will partner with Uber and Lyft to compete with similar delivery services from Amazon and other rivals. The retail and grocery giant will test out deliveries in the next two weeks in Denver and Phoenix.
Check out our previous Searchlight roundups on Microsoft's curtailment of its smartphone division and 'coopetition' in the digital ecosystem.
CIO guide: Shifting security budgets to detection and response
'Brittle' security systems call for next-generation tools
Video: Five steps to a functional IT security roadmap