Thanks to Konsultek for sponsoring yesterday’s business leaders’ luncheon focusing on Information Security in Chicago…
The truth is, without a change in strategy, companies will continue to lose big. My keynote focused on a number of trends to be watching out for this year – and on the heels of Heartbleed, there’s more than usual to be thinking about.
In case you missed the article published in Wired a few days ago – Heartbleed is still a major issue. The big guys have their servers patched, but it turns out that thousands of devices are still highly vulnerable, and many of these devices sit in the smaller companies and homes of unsuspecting, non-technical people. I’m talking about routers, switches, printers, and even firewalls. How will these devices get patched? Many are owned by people who have no idea what Heartbleed really is, and who don’t know where to start unless someone from the product manufacturer contacts them and walks them through some sort of patching process. I don’t see this happening.
At the end of our session, Konsultek offered their guests a complimentary assessment to review some of the critical areas we touched on in the meeting. From my brief observation, every single attendee agreed to take this next step.
Wrong Mindsets Prevail
The most common mindset out there is the “Compliance” mindset – compliance-centric security strategies prevail, and they’re dead wrong. Getting the boxes checked off is a requirement, but it’s far from secure. It seems ironic that a company can be said to be compliant – then it gets hacked. And suddenly, they are no longer compliant. Does that mean the initial audit was wrong, or do the “compliance police” think that a compliant network can’t be hacked? All networks can be hacked – I don’t care how compliant they are.
The other wrong mindset is the “We’ve got it covered” mindset. This mindset bubbles up from the IT group in hopes of creating some sort of job security. Notice that Target has now replaced their CIO – is that because the CIO screwed up? Might be. The way Target was hacked was preventable, but was the hacking of Target preventable? The answer is no. If they can access NASA and the Pentagon, they can get into Target. They’ll simply find another door (whoever “they” are).
Building the Right Mindsets
While security is often a losing battle, companies can gain a lot by simply building the right mindsets into the minds of those who create and use data every day. Making a company stronger than a nearby competitor can at least make it an easy choice for the hacker to go next door. That’s a bit like being a little faster than your friend while being chased by a bear, but it works.
The right mindset involves knowing you’ll be compromised at some point, and watching every moment until it happens. At that point, the response plan should be strong enough to keep the perpetrator from gaining access to critical data – in Target’s case, POS systems. We covered seven important mindsets in our discussion – mindsets that are easily built, starting at the top, and which will go a long way in keeping things secure. While nothing is ironclad in this business, fixing 80% of the problem is worth doing. But buy-in at the leadership level is required, or it just won’t happen.
© 2014, David Stelzl
P.S. If I can help you get this message into the hands of your customers, give me a call, I’ll be happy to share some ideas with you.