I’m not really sure what it is going to take for people to do Information Security basics well. Just how many multi-million credit card breach, PLA attacks a hospital company, hacktivists use insider to breach you headlines is it going to take? Seriously people, I feel like the boy who cried wolf. Except that I really am alerting you to the wolf and you appear to think I’m just making it up.
I’ve been writing and presenting on what is going on for years now. For example, there is this piece I wrote in July. In it I said that you could reduce 80-90 percent of the risk you face by doing the following:
- Patch and Update (yep, they listed it first)
- Good fundamental policies
- Security education
- Encryption where it’s warranted
- Serviceable perimeter protection
- Identity and Access Management
Based on the onslaught of breaches since then, this hasn’t sunk in yet. Nor the 14 other times I wrote some variation of that piece. In Jan, 2008 I gave this presentation to the ISSA CISO Forum …. notice that most of the things I call for Information Security leaders to do is still the focus of presentations being given today.
Today, I was reading an article in CIO that sparked this rant. This gist of the article is that 2015 will be much worse than 2014. Sadly, I agree with this. And that Boards will become very involved in what is now clearly a fiduciary risk. Worse, the CSO won’t be able to answer the questions asked by the Board. And the CSO won’t have done the fundamentals needed to build a good security program ALTHOUGH they will have spent millions on fancy next generation firewalls and end point incident detection (you know just who I mean, I don’t really have to name names, do I?). As the article points out:
There are four foundational responsibilities that companies must address; these responsibilities include asset identification, configuration management, change control, and data discovery. Many organizations have no idea what someone has plugged into their networks. They don’t know how people have configured these assets. They don’t manage change, and they don’t know where their critical data is located. “If you fail in those four areas, you can spend $50M on security products, and it’s not going to help you because the underlying vulnerabilities that create risk are still there,” says Cole.
Once again I am going to get on my soapbox, the one I’ve been on for like a decade now, and tell you security executives to fix your s**t or you are gonna get fired. Get your basics in order. You need to patch your systems now. You need to know who is going to attack you and how. You need to have encryption in place.
Don’t complain to me that your organization doesn’t support you and your CEO doesn’t care. Frankly, you’ve been paid huge amounts of money to figure out how to get the support of your organization. You need to do your job. And I promise your CEO cares about security. He or she does not want to become Greg Steinhafel.
So get your stuff together, figure out how to collaborate, how to communicate the issues up, down and sideways in the organization. Design a plan to get the basic foundations of good information security in place. Build a capability to detect problems. Have a plan for how you will respond to a security incident. Be prepared to solve the problems. What are you going to say when your Board calls you in to answer their questions?
Do the security basics well.
Either do that or get a resume ready.
Okay, end of rant. Return to your daydreams of fancy systems designed to fight off the dreaded APT.
