Last week, I talked with Wall Street Journal reporter Ben DiPietro about the persistent communications gap between the data center and the board room when it comes to recognizing and tackling security threats:
In almost every breach situation after his company completes a forensic analysis, Mr. Dakin said the chief executive or chief financial officer pulls him aside and says if he had better information earlier he would have made smarter and quicker decisions. “They are intimating that their tech teams are just not talking about cyber risk in terms of business impact.”
But when he speaks with the IT people, Mr. Dakin said he gets a different story, “that my boss just doesn’t get it and we are stuck here with outdated tools, outdated systems and we are not prepared to defend ourselves.”
This “communications breach” persists across many industries and countries. In April, the Ponemon Institute released a study of IT security practitioners that found 48 percent “believe their board-level executives have a sub-par understanding of security.” Eighty percent of respondents also said senior executives don’t see the revenue risk of losing confidential data, despite multiple surveys finding consumers will take their business elsewhere after a high-profile breach.
These are tough conversations, because security professionals often approach the issue from one perspective (technical, risk-focused), while company leaders have another (business drivers, costs).
To that end, a great resource just became available. Staff for the Senate Committee on Commerce, Science, and Transportation put together a blow-by-blow report of the breakdowns that allowed cyber attackers to steal the personal and financial information of more than 100 million Target customers.
As a C-level education document, the report succeeds on multiple levels:
1. Attacks, defenses and missed opportunities are described in plain English, with minimal technical details to disrupt the presentation.
2. As the story unfolds, it becomes clear that IT security can’t be achieved and checked off. It’s an ongoing, continuous effort that requires CEO and board-level leadership to move from mere compliance to true risk management.
3. The authors place appropriate emphasis on the importance of defense-in-depth, a key component of modern cyber defense. Start with a firewall to keep most threats out, but also use dynamic monitoring programs, internal barriers between systems, and other controls to detect and defeat malware that makes it through the first line of defense.
The report is especially strong on point #3:
Instead of installing static defense tools and waiting for the next attack … network defenders should continuously monitor their systems for evidence that attackers are trying to gain access to their systems … When a defender analyzes the actions of attackers, finds patterns, and musters resources to address capability gaps, “it raises the costs an adversary must expend to achieve their objectives”… While the attacker must complete all of these steps to execute a successful attack, the defender only has to stop the attacker from completing any one of these steps to thwart the attack.
For all the things the report gets right, it does need some context. The Congressional report indicates that Target’s security team missed some chances to stop the breach before it affected consumers, but they also did a lot of things correctly. They had a good security program and tools in place; they were compliant with payment card standards; and significant investments in security had been made. Most important, the security team we met at mutual training sessions over the years was top notch in both focus and skill.
The truth is that there are a great many companies that don’t come close to having in place the protections Target’s team did. When evaluating their own businesses, executives need to begin by assuming the worst – that a breach has already happened. Get a truly independent assessment and act now on what it recommends.
# # #