Information security, or a lack thereof, grabbed more than its usual share of headlines during the first half of 2011. The period was notable not just for the prevalence of network break-ins, but for the roster of marquee names that were victimized by a growing number of skilled and sophisticated attackers. Not only did the breaches appear to be more common, they were also at organizations regarded as information security role models. ...
To make matters worse, the news media often reported the incidents before the individuals affected were fully informed. With a lot of time still left on the calendar, 2011 seems likely to be remembered as the year of the data breach.
The greatest challenge facing information security professionals is the nature of the attacks themselves. The incidents that impacted Sony, Citigroup, Epsilon, RSA, and others earlier this year were not the work of hackers having fun or trying to stir up trouble. Rather, the data thefts were the work of organized, well-trained and well-funded groups with specific commercial, albeit criminal, goals in mind. Attackers today are in it for the money or to cause a very specialized form of chaos for organizations they dislike or find easy to penetrate.
A fundamental shift in information security philosophy is needed to meet this growing threat. For years, the mindset of security executives was like that of guarding a fortress or a bank vault. The information security ideal was to build as strong and impenetrable a network as possible.
However, any outward-facing network will eventually be breached by a determined attacker with the right combination of smarts, patience, motivation, and resources. The information security profession needs to understand that the model which has been in place for years is getting tired. Now is not the time for a few adjustments or changes, but for a completely new data security model.
Based upon what we have heard from our clients, IANS proposes something new. This data security model is based on two simple concepts. First, accept that attackers will break into your network and, second, realize your primary goal is to limit what data can be compromised and extracted. By adopting and implementing this model, security professionals can focus resources on protecting the data that is of greatest value and would cause the greatest harm if compromised.
A philosophy similar to this new approach is retail loss prevention. Retail organizations have known for years that preventing theft is impossible. They developed the philosophy of shrinkage, which acknowledges the inevitability of loss while prioritizing protection of the most valuable merchandise. It is only logical that securing a $5,000 watch is much more important than protecting a $3 pair of socks.
With some work, the retail loss prevention model can be adapted for the information security industry. Just as retail organizations do, security professionals will need to decide what data is most critical and thus deserves greater protection. Much like the expensive watch, an organization’s most valuable data must be identified and have stronger security measures developed to ensure its protection.
This new model does not represent a retreat. On the contrary, it acknowledges that securing all data in a Fortune 1000-size corporation is no longer possible, and security professionals must change their thinking accordingly. In the new information security reality, executives must decide what data is most important and take steps to protect it.
The events of the first half of the year were proof that the information security landscape has changed. While the flaws that led to the individual breaches may have been unique, the true cause of all of these breaches is the antiquated notion that information security’s efforts can make a large network impenetrable. To prepare for an evolving and more dangerous foe we need a new strategy. Let’s face it, the old model is getting tired. New thinking is required!
Phil Gardner is founder and CEO of IANS, a provider of security research and consulting. His security career began with the U.S. Navy and includes work at Goldman, Sachs & Co. and McKinsey & Company. Chris Silva, a former Forrester Research analyst, conducts research at IANS. Send comments on this column to firstname.lastname@example.org.