Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=240002913
Who's guiding your business' information security program?
In the wake of this month's LinkedIn password breach, rumors began circulating on Twitter that the social network lacked a chief information security officer (CISO), leading many commentators to posit that the company hadn't treated its information security program with sufficient respect. LinkedIn, however, quickly clarified that while it didn't have a CISO--or synonymous chief security officer (CSO)--job title on its org chart, there was indeed a senior-level employee in charge of its information security program.
The security facts of the LinkedIn breach, including how attackers managed to obtain databases with possibly 10 million or more access credentials, remain unknown. But the "lacks a CISO" criticism of LinkedIn--however misguided--is a reminder that senior executives must keep close track of their organizations' security postures, as well as the risk those postures pose to the business.
Here are 9 techniques for ensuring that CISOs can best help businesses maintain highly effective information security programs:
1. Deploy CISOs In Advance
When it comes to putting a CISO in place, "it's not a silver bullet," said Patricia Titus, VP and CISO of Symantec, speaking by phone. Titus is an authority on the role of the CISO, having served in that position for the past 10 years, including six years at the Transportation Security Administration (which is part of the Department of Homeland Security), and three years at Unisys, before joining Symantec.
"We're not the big flak jacket that stands out in front of the organization and takes the bullet," she said. In other words, to get the most benefit out of a CISO, deploy one in advance of suffering a major breach.
2. Acknowledge How CISOs Reduce Security Costs
The Ponemon Institute's annual "cost of a data breach" report, sponsored by Symantec, this year found for the first time that in the United States, the cost of a data breach had dropped. "Our research has shown that organizations that have a CISO responsible for enterprise-wide data protection can reduce the cost of a data breach by about $80 per compromised record, which is about 35%--and that's a pretty notable stat," said Titus. "The decrease in the cost of a data breach is the U.S. study, so we're still seeing an increase in the rest of the globe."
Why does having a CISO help reduce breach costs, at least in the United States? According to Titus, it has to do with many U.S. businesses and government agencies now having more mature information security programs in place. "Instead of everyone wondering what to do, everyone knows what to do, and it's a repeatable process that's also defendable, if you're audited or have to prove compliance," she said.
3. Allow CISOs To Help Guide New Technology Decisions
Security groups previously gained a reputation for always saying no, but Titus said that as the people staffing CISO jobs have become "more well-rounded individuals" who balance both business and technology acumen, the role has been becoming increasingly proactive. "We're leaning into technology, versus saying no to it," Titus said. "Saying no just isn't going to get you anywhere. The technology is coming, and if you're going to say it's not, well, it's already here," she said, citing the bring-your-own device movement as just one example.
4. Make CEOs Demand Security Posture Details
What's a business' current information security posture? Given the prevalence of data breaches, today's CEO should be able to immediately answer that question. But in many organizations, the CEO hasn't a clue, and for organizations that want to better prevent LinkedIn-style breaches, such an attitude needs to change.
Earlier this year, for example, security vendor CORE Security commissioned a survey (conducted by Research Now) that found a widespread lack of communication between CEOs and the person in charge of their businesses' information security programs. According to the 100 CEOs and 100 security chiefs surveyed, in one-third of companies CEOs never receive updates on their company's security posture from the CISO, while in about one-quarter of businesses, security communications with CEOs happen only on a "somewhat regular" basis.
5. Treat Information Security As A Risk
Jerry Johnson, CIO at Pacific Northwest National Laboratory (PNNL), said a failure to demand regular status updates was the root cause of a breach suffered by PNNL in July 2011, after one of its business partners was hit by a spear-phishing attack that allowed attackers to obtain a privileged account on shared computing resources. After the breach, "we basically did a causal analysis and the root cause was that executive management, and that includes the board, had not recognized cybersecurity as being a significant risk to the organization, and consequently they allowed the cyber program to degrade significantly," Johnson--who's also in charge of the lab's information security program--said via phone.
Accordingly, watch CISO lines of reporting. After the breach of PNNL, for example, the lab modified Johnson's role so that he reports to the lab director--the two meet every week over coffee to detail the organization's security posture--and also to ensure that he gets exactly what he needs. "I have the authority to do whatever I need to do to protect the information resources at the laboratory," he said.
6. Consider A Placeholder CISO
For businesses that currently lack a CISO, Tom Patterson, practice director for the commercial security division of CSC, noted that his company offers a CSO residency program that will put a temporary CISO in place literally tomorrow. The program also helps an organization define exactly which CISO capabilities it requires, and then hire a permanent employee for the job. "It's a lot cheaper to be proactive--the PR hits on these companies [suffering breaches] are bad for business, and bad for valuations for public companies," Patterson said via phone. "So for companies that don't have a trained CSO, we can put one in, and they come with a full book of policies and procedures."
7. Identify Crown Jewels
Security resources are finite. Accordingly, it's up to CISOs to detail the most important data in the company so that it can be best secured. "This gets into defense in depth: knowing what it is you have of value, and making sure those are the things you're protecting the most," said PNNL's Johnson. In the case of LinkedIn, for example, "the password file they had, the level of protection they had on it when they had 1,000, 100,000, or even 1 million users had a certain value, and the amount of encryption they had on it may have been fine." But as the social network grew to sport millions of users, "the potential value of that password file became much higher," he said, which should have triggered a corresponding increase in protection.
8. Beware A False Sense Of Security
CSC's Patterson recommends that all organizations commission an annual, third-party risk assessment to ensure they understand their security postures and the biggest threats facing the business. "Companies should review that risk assessment at the board level, not the IT level, because generally the IT person is not the person charged with deciding if that company should live or die," said Patterson.
One benefit of a risk assessment is obvious: it helps businesses identify blind spots. "A company may have this false sense of security, because they've got a really high-end security architecture and implementation, but if they bought that four or five years ago, it's absolutely not safe against the threats that are out there today," said Patterson.
For example, many organizations fail to appreciate encryption nuances. "Companies feel that if they encrypt, they're safe. But the key to encryption is key length, if you salt, what level of SHA you use," he said. "A few years ago people used a SHA1 implementation, and it hadn't been broken by common thieves back then, but now it has. Now, you don't have to be a rocket scientist to break this stuff."
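The "encryption nuances" Patterson describes are really password-hashing choices: whether a per-user salt is used, and whether the hash is a single fast digest or a deliberately slow, iterated one. The following is an added illustration, not code from the article or from any of the companies it quotes; the two sample accounts are constructed. It shows why unsalted SHA-1 lets one cracked digest expose every account sharing that password, why a salt removes that shortcut, and how a salted, iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library, with a hypothetical iteration count of 100,000) raises the per-guess cost so that the password file keeps its protection as the user base grows.

```python
import hashlib
import hmac
import os

# Constructed sample: two accounts that happen to share the same password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}


def sha1_unsalted(password: str) -> str:
    """Plain SHA-1 with no salt: identical passwords produce identical digests,
    so a single precomputed lookup table matches every account that shares
    a password, and cracking one digest cracks them all."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """SHA-1 with a per-user random salt: identical passwords now yield
    different digests, so precomputed tables no longer apply. A single
    fast hash is still cheap to guess against, which is the next weakness."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The iteration count is a
    tunable work factor: each guess costs the attacker the same iterations
    it costs the verifier, and the count can be raised as hardware improves."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Create a stored credential: fresh 16-byte salt, work factor, digest.
    Storing the iteration count alongside the hash lets it be raised later."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "hash": pbkdf2_hash(password, salt, iterations),
    }


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and work factor; compare in constant
    time so the comparison itself does not leak how many bytes matched."""
    candidate = pbkdf2_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def compare_schemes(users: dict) -> dict:
    """Count distinct digests each scheme produces for the sample accounts.
    Unsalted: shared passwords collapse to one digest. Salted: they stay apart."""
    unsalted = {sha1_unsalted(pw) for pw in users.values()}
    salted = {sha1_salted(pw, os.urandom(16)) for pw in users.values()}
    return {"unsalted_sha1": len(unsalted), "salted_sha1": len(salted)}


if __name__ == "__main__":
    print(compare_schemes(SAMPLE_USERS))
    record = make_record("correct horse battery staple")
    print("login ok:", verify("correct horse battery staple", record))
    print("wrong password rejected:", not verify("wrong", record))
```

A review of a password store should therefore check three things in the order the quote lists them: the hash function, whether a unique salt is stored per user, and the work factor; only the last one scales protection with the value of the file.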
9. Treat Advanced Threats As Common
Likewise, the state of advanced persistent threats (APTs) has become such that signature-based defenses alone will no longer protect a company, warned Patterson.
Furthermore, APTs are fast becoming not just the province of nation states, but of criminal gangs. "We've traditionally thought that the most challenging threats are the APTs, but the criminal sector is now picking up APT techniques and applying them as well," said Johnson. "For all I know, [the LinkedIn breach] was Russian mafia or a criminal group that may be using the same type of techniques that APT groups used in the past." Just as the attack state of the art continues to evolve, so must security programs. Look to CISOs to lead the charge.