First, let’s agree that information security management is difficult. It is fraught with many unknowns and lots of empty promises from technology vendors pledging to solve your security woes.
These variables force you to make tough decisions, and often result in you extending inappropriate trust to your staff, employees, partners, and customers. For anyone who dealt with application performance issues circa 1998-2001, this is going to sound familiar.
Information security today looks a lot like application and network performance did in those few short years that now seem like a distant memory (I think I’m just blocking out the pain). It is a difficult process: developers are not sure how to code or test for security, and management treats security as simply part of the developers' job and assumes they will figure it out, unaware that it is a specialized (and mostly new) skill set that needs investment and time to develop in their teams.
Meanwhile, hardware vendors are telling you to just throw more iron or another appliance at the problem and you’ll be fine. Suddenly firewalls and IPS systems sound a lot like the network load-balancing solutions of the late ’90s.
Organizations are slow to acknowledge the problem when it comes to information security. All too often, they assume their network or IT staff has adequately protected them because the latest anti-virus and firewall are installed and running.
This false sense of security is partly due to vendor misdirection and over-promising, but that is only a small part of it. People want to believe their information systems are secure, and that belief leaves them ignorant of some of the most dangerous threats those systems face: insiders (both malicious and unintentional) and the growing sophistication of organized attacks on their information systems.
As much as I love compliance regulations because they keep the consulting world gainfully employed, too many CIOs have been duped into thinking that compliance means security. It does not.
Take the recent data breaches at Stop & Shop supermarkets. The company is a poster child for PCI DSS (the payment card industry’s data security standard). It is more secure than most companies I’ve worked with, and yet it was still breached.
Much to their credit, they disclosed right away and cooperated with the local and federal authorities leading the investigation. (Incidentally, there was an arrest in this case just this week.)
The Stop & Shop incident was more a physical security issue than a digital one, unlike TJX Companies, which made a series of bad assumptions about people and got itself into a heap of trouble as a result.
First, TJX had no CISO role (someone solely responsible for information security); organizationally, it does not place great importance on such a role. Further, TJX decided to hide the fact that it had lost customer data instead of dealing with the breach directly and immediately.
These bad choices ultimately led to their CEO resigning and two class-action lawsuits: one from their customers and one from the banks that issued the affected credit cards. I suspect a Federal Trade Commission (FTC) lawsuit is soon to follow.
Education and Inertia
Education is the next big people mistake organizations make. Not only are computer science graduates coming out of school with little or no information security know-how, but they are not getting security training on the job either. This is especially true with application security and development teams.
Working with our Fortune and Global 500 clients over the past few years, we have noticed a huge demand for application security education, from risk management teams to audit teams. This is a very encouraging trend, but the majority of companies still believe they don’t need to educate their teams on information security.
Inertia is a huge culprit, too. There is always resistance to change, particularly when you are short on time and budget, as most of us are. Money is always the biggest driver.
When making budget decisions, you also need to consider the risk of not making an investment. TJX might have been better served buying a web-application firewall to protect against common SQL injection attacks than paying the bank of lawyers and incident-response consultants who helped it decide to hide its security problems for years, breaking disclosure laws in the process.
Know Thy Enemy
We all know there are malicious users, and they have become more sophisticated and more anonymous. A disturbing trend is organized, targeted attacks on specific companies.
You’ve undoubtedly heard about botnets, or bots. These nasty little pieces of ingenuity let anyone completely outsource an attack on a particular company, with complete anonymity.