How Should The Government Get Involved?
Compliance & Security Are Not The Same Thing
This week I’ll be speaking to CISOs in Raleigh, NC on this topic (Thanks to The Teneo Group and Check Point for hosting this event.) Security is not a simple thing. And it would seem that companies like Sony are on their own when it comes to defending against cybercrime. Will Obama’s new proposals bring us greater security?
What is an act of war? What is organized crime? And how can a government defend Sony, Home Depot, JP Morgan, or Target? In some ways it’s like a bomb was dropped on these companies – but in some ways it’s not. Is this a war? Who should respond? Sony can’t really respond. They have no recourse. Will the government? No, they can’t really either. It’s a gray area.
When the government gets involved, it usually means more bureaucracy, not more security.
In N.C., where I live, it’s illegal to plow your field with an elephant. Who made that law and why? These are the types of laws government responds with when something goes wrong. It appears to be action – a response to a problem that needs attention. But compliance is not security, and it’s not making us more secure. It’s a hard issue because we don’t always know who initiated the attack. The losses are big – so it seems like someone needs to do something. But more laws are not the answer.
From what I can see, these laws are just costing businesses more money. They get hacked and then our government hits them with a bunch of expensive laws to comply with. What should we do?
What If Companies Were Required to Report A Breach In One Day?
Will companies be more secure if they report breaches within 30 days, or…what about one day? It doesn’t matter – they won’t be more secure. From a consumer point of view, I’d like to know, but faster reporting does not mean better security.
There are several problems that should be addressed. First, most of the security budgets are being spent on keeping hackers out. That doesn’t work. In my book, The House & The Cloud, I explain in simple terms why companies are losing the battle. Like all physical security, it is real-time detection that stops breaches. This is true in your house, and it’s true in the cloud. 80% of the security budget is still being spent on the wrong stuff!
There is also a need for better technology. The fact that we use credit cards in the U.S. that can be reproduced in seconds is just wrong. It’s not hard to fix this problem – and it will be fixed, but I’m not sure why we’ve waited until now to get this moving. Then there’s education. The people creating and using the data are often completely unaware of how they expose data.
On Thursday I’ll be walking through some of the biggest threats we face in 2015. Most of them are technology mindsets that have developed with the use of social media, cloud, and the smartphone. As with handling a gun, some training should be required before an employee gains access to data with their iPhone. I will also be showing security officers how detection strategies should be applied, and why most assessments are not providing the right data. The average assessment leaves business leaders guessing as to what to do next. Intelligence is needed. These leaders need more than FUD. They need a measure of likelihood – what are the odds they’ll be attacked in their current state, using the types of data associated with their industry?
As with a basic blood test, most of us would be clueless without the expert analysis. About the only number I understand on my last test is the cholesterol number. That’s because that’s the number insurance companies are always beating us over the head with. Everything else is a mystery.
What Should Technology Providers Be Doing?
If you’re a security solution provider, you can help. Your clients need education. The problem is, they may not know it. They might think they’ve got it covered…they might think this is just a technical problem, and that IT should handle it. But the truth is, we need executive support. The budgets, policies, and strategies must start at the top – with education and support for making a change. The longer we wait, the more bureaucracy we’ll see. While Obama’s plan might sound good, it really just means less freedom, more oversight, and more compliance costs – which don’t equate to more security.
© 2015, David Stelzl