Information Security: Assess Your Risk and Protect Your Company

By Dan Srebnick

The headlines are everywhere. Breach after breach has hit companies and government agencies that ought to have the resources to avoid them. You may know about incidents that have involved Equifax and Capital One. You may not know about many other incidents, involving FEMA, American Medical Collection Agency or Georgia Tech. There is a resignation among C-Suite executives and tech employees alike that either a massive breach is inevitable no matter what they do, or that massive amounts of money need to be invested in security, and it might not matter anyway. This is a short-sighted point of view that will wind up costing companies far more than an investment in information security. It doesn’t have to be difficult or break the bank!

I once worked for a municipal government agency head who truly believed that the inconvenience of improved security was not worth it. His point of view was that all of our information is already out in the wild and the sky has not fallen. The economy has not collapsed because of it and life continues. On a personal and behavioral level many would seem to agree. I have long held that the public has become desensitized to the need for improved security because of all the reports of breaches of their personal data over the past decade.

Data breaches can be expensive and have the potential to bankrupt your business. The cost of a data breach may be in the range of approximately $140 – $200 per record, depending upon whose figures you use. How many records can your organization afford to expose at that price? What is the executive or board member to do?

One reaction might be to call in one of the major cybersecurity vendors. While this may be a good decision as part of a comprehensive planning effort, the vendor’s objective is to sell you lots of “stuff”. They will feed you information about the likelihood of advanced persistent threats and urge you to use their products to fight those threats. They will then come up with test scenarios and reviews that show how their solution is the best on the market. Of course, the other vendors you speak with will take exactly the same approach leaving you to throw darts at the magic quadrant and see where it lands.

There’s other stuff. Free stuff. We all like free stuff. But free often comes at a cost. There are many capable packages in the open source world that together can create a very secure system. These open software systems will stop phishing attacks, spam, and prevent many other types of attacks. However, these systems are not enabled by default and require a high level of implementer expertise. You’ll have to spend money to hire or contract with some staff to implement, maintain, and monitor these free systems.

There’s also the government. In this case, they really are here to help, in the form of guidance published by the National Institute of Standards and Technology. Their guidance provides a starting point for the self-motivated to take a hard look at business practices and continually assess and improve. Do you have the staff or time to invest in this research?

A lot of security is really about people. Why did the recent Equifax mega-breach occur? All the tools were there to keep customer data safe. However, the settings that protected a key database were not set securely. An employee noticed this and later exploited this negligence for personal gain. Tools are great, but a full toolbox doesn’t make you a skilled carpenter. Training is a key component of a comprehensive security program.

Everyone in your organization has a role in securing the company’s information. It may surprise you to learn that some employees, at all levels, understand this, however, many, even at the highest levels, do not. We have all been trained to ‘say something if we see something’. The same maxim should be applied to the work environment. Require that all employees be educated about how to spot potential issues, and create a culture where they feel free to report those issues outside of their chain of command, if needed.

Security is also about basic system hygiene. Do you have a patch management program? Is it effective? How do you know? The same thought process applies to new deployments and software development. I am a big advocate of a Secure Software Development Lifecycle. You’ve probably embraced aspects of Agile Development to speed up processes. How does security design and security testing fit into your Agile processes? Do not overlook this important assessment.

Your organization should have a firm handle on risk. You probably understand your legal and financial risk well. How well do you understand your cyber risk? All too often, I have heard an engineer accept risks that ought to be elevated to the C-Suite for acceptance. C-Suite leadership must be willing to understand how certain risks will affect their business. This should be part of a formal governance process that flows right up to the board level.

If you don’t know where to start, engage a security professional who is not aligned with any particular hardware or software solution. The most important factor for success is to understand the company and the cultural tolerance for risk. Security is a journey that will not be completed overnight. So short term, achievable objectives with measurable outcomes need to be established and reviewed. This is the type of invaluable planning that a virtual chief information security officer (V-CISO) can facilitate as they help you navigate all of the “stuff”.

Dan Srebnick is an Eleven Canterbury executive expert specializing in IT and Infosec Strategy. He is the retired Chief Information Security Officer for the City of New York.