RSA recently published its inaugural and aptly named Cybersecurity Poverty Index. The study is based on self-assessments by organizations that compared their current security implementations against the NIST Cybersecurity Framework. According to the report, almost 66 percent rated themselves as inadequate in every category. With all of the recent breaches in the news, part of me is astounded at this finding. The other part is not surprised, given that this matches what I see in the field every day.
It would appear that the lack of focus on information security is a top-down problem. TechDirt reported this week that the United States' CIO ordered all government web sites to implement HTTPS (SSL/TLS) by the end of next year. Encrypting web traffic is not exactly a new idea, and yet the U.S. government is just now getting around to it. It may be fixed by next year, if the deadline does not get extended, and if the sites end up on a current version of TLS rather than one of the old, broken SSL protocol versions. I have also spoken to a number of customers with known web application issues, who just have not gotten around to fixing them. Folks, we have a problem.
The revelations above, along with the recent news about the government employee breach, made me wonder why corporate America is not fixing its cybersecurity problems. If I had a major revelation on this topic, I might be able to write a book and retire comfortably. I would offer, however, that part of the problem is simple and fundamental (there goes my book deal), stemming from the perception on the part of company management that good security requires the expenditure of large sums of money. As a result, some companies throw money at the problem and don't get the return they expect. Others decide they can't spend the money, and hope becomes their security plan.
A few years ago, I managed security for a busy and highly regulated and audited credit bureau, with no recorded data breaches and a very modest security budget. What I have learned from experience is that good information security only has an indirect relationship to the amount of money spent. You can't win by throwing money at it, any more than you can by ignoring it.
So, how can you have a secure operation without emptying the corporate bank account? It starts with good fundamentals, and a daily focus. The following are some of the elements:
Involvement by company leadership
Security maturity begins in the boardroom. Company management must acknowledge information security as a priority, and support the IT team in its implementation. While a fortune is not required, it isn't free either, so they must come up with some money to address the issue.
Someone in charge
There must be someone, staff or service provider, with whom the IT security buck stops. This job is not a good candidate for shared responsibility, as it requires far too much focus. At present, this responsibility often falls on the IT head. Having been an IT head for many years myself, I recognize the futility of this approach. An IT director or VP must by definition be a generalist. Such a person cannot also be a security specialist.
A defined budget
While maturity is not defined by the size of the budget, the infosec budget must be segregated and discrete from overall IT expenditures. If it ever comes down to choosing between security and purchasing new laptops, security will always lose.
Good art work
By this I mean network and data flow diagrams that make clear how data moves through an organization, and where it crosses a trust boundary. The importance of this cannot be overstated. I have been working this week with a PCI customer on a firewall review. I was struggling to get a clear picture of how their many firewalls fit into the operation, until they sent me their network diagrams, which I printed on large paper in full color. They answered more questions than would fit in 100 email messages.
One of the key principles of data protection is knowing what assets you have, where they live, and what they are worth. A picture in this case is truly worth a thousand words.
Tools that get used
Too often, we treat information security like the game "he who dies with the most toys, wins." Beyond the basics like firewalls and anti-malware software, expensive tools are not essential. Such investments must be viewed as automating what can be done manually. When the tool becomes less expensive than the equivalent cost in staff hours, you buy the tool. Regardless of what tools you buy, however, they must get used. In a recent post, I mentioned the term "shelfware," defined as security tools that sit on the shelf, or are not used to their full potential. If you buy it, get the full return on your investment.
Detailed recordkeeping and planning
At times, I think that terms like "incident response" and "incident management" scare people away unnecessarily. The basic concept is very simple, however: keep good records about what happens on your systems, and know in advance how you will deal with problems when they occur, including who gets called, what evidence gets preserved, and who decides when to pull the plug.
Testing, testing, and testing
Test your systems and applications, and keep testing them, even when nothing changes. Nothing changing on your side does not mean nothing has changed: new vulnerabilities are disclosed every week in software that has been sitting untouched for years. Find your issues before a hacker does, and then fix them.
Involvement by everyone
Everyone in the organization must accept that their responsibilities include information security. It has been my experience that most employees, once someone explains the high stakes, will do their part. The few who won't are a liability, and should be directed to alternate employment opportunities.
The bottom line -- security maturity is not measured by the amount of money you spend, but by how well you handle the fundamentals. It is all about focus.