What Should the CIO Be Doing in 2014?
Mike McConnell’s article published in the WSJ on Feb. 4th, 2014 was excellent – commenting on what CISOs should take away from Target’s recent loss – which is unknown, but might be measured in billions of dollars. Let’s not leave this event without some lessons learned.
It turns out that Target’s malware problem persisted up to 15 days after the malware was cleaned up. This came out in a hearing yesterday.
One sound bite that came out of this: Malware often sits dormant on a system for up to 200 days before being used maliciously! Another quote from the FBI – it takes an average of 14 months for companies to detect an attack.
What should C-level leadership be doing in the area of security? Strategy and business growth are key leadership responsibilities, but as stated in one of my earlier posts, all of these forward-thinking things require technology, and if the technology isn’t secure, the customer soon won’t care that you have a new line-busting application, or that you offer some type of Telepresence interaction to help decorate your home.
Proactive Leadership Is Required
Cybercrime, as we’ve just witnessed, will be a growing cost to organizations around the world – but expect the U.S. to be particularly hard hit without chip-and-PIN technology in place. And this is just one example of a weakness in security measures.
McConnell states in his article – business leaders must have a proactive response in place, know what to say to their customers the moment it happens, and “Determine the right steps to take to ensure damage to the organization is fully contained.”
He goes on to talk about remediation, stating, “Even the best remediation efforts fall short if the organization operates from an outdated security model.” What is that outdated model? That is one of the key points from my 2007 edition of The House & the Cloud. Somewhat before its time, some people thought I was making outrageous claims in my book, but here in 2014 they don’t seem so bold. The key point is that perimeter security always fails eventually, and besides, the data isn’t really sitting in the data center anyway. I wrote this in 2007 as well, but now with BYOD trends, no one can argue differently.
McConnell recommends companies move quickly to a “Predictive edge to sense and preempt coming attacks.” This fits well with the detection strategy I’ve recommended in my book. I go on in The House & the Cloud to discuss what the response plan must look like. McConnell agrees with these insights, stating that this is more of a “Tradecraft” than a degree or education. We need people with experience.
His article calls on CISOs to “Accept and understand that remediation-centric cyber defense is not enough…Organizations need to change their entire security model from one of compliance (meeting basic standards for data protection) to a holistic multifaceted program…” This is what my book calls, The Coverage Model.
Many of these steps are being taken in the largest banks and energy companies. But what about the mid-market and SMB companies? While plenty of innovation is taking place in smaller companies – meaning there are large, high-value repositories of data in these companies – they can’t really afford the kind of technology McConnell is promoting, nor can they staff the people with the tradecraft he recommends.
This is clearly an opportunity for the solution provider: consider Virtual CISO services, detection-oriented managed services, and a well-trained response team that works with companies not only after the fact, but prior to an incident to establish a proactive plan.
© 2014, David Stelzl