Recent data breaches at JPMorgan Chase, Target Corp. and Sony Pictures Entertainment pointed to embarrassing weaknesses in the Fortune 1,000 companies' respective security programs.
As calls for breach accountability across industries grow louder, and the government introduces new cybersecurity initiatives, frustrated security experts say change will only occur when lawsuits from shareholders hold C-level executives and boardrooms accountable for lax security practices.
"Security was always a top priority but people's arms never reached their pockets," says Alan Shimel, managing partner of The CISO Group, a consultancy based in Boca Raton, Fla., that specializes in PCI compliance for the payment card industry. "We need to be more realistic around raising awareness and doing more end-user training."
After the rash of point-of-sale breaches in 2014, Shimel sat down with one retail client's development team. "We changed their entire architecture so that upgrades would be more secure," he says. "We wanted to try to eliminate the potential for file tampering, but we still could have some exposure to zero-day exploits."
While agreement on what "good enough security" entails is hard to come by, chief information security officers can take actions to mitigate the security and risk tradeoffs that can result from business decisions, to make their organizations less vulnerable to security threats.
"The term good enough security really is a moving target when threats come from multiple sources, both external and internal," says Tony Maro, CISSP and chief security officer for EvriChart Inc., a medical records management company in Roanoke, Va. "Determining how to properly secure your data and environment really boils down to the value of what you are securing and how much risk you are willing to accept."
More than checkboxes
Too often, good enough security is synonymous with "checkbox security," notes Shimel. Organizations implement just enough security to check off boxes on compliance forms in an attempt to meet auditors' requirements.
"The bar is pretty low, and doesn't really mean much," he says. "Even the latest compliance regulations are so watered down that it doesn't have much meaning. If I had to set the bar at a higher level that ensured that I wouldn't be breached, it would be a different story."
"Security is like anything else in the modern business world," says Paul Bonner, an applications architect, who is based in Austin, Texas. "There is a set of things that you can do because they're effective, and there is a set that you can do to make it look like you're serious or to pass audits. Any overlap between the two is purely coincidental.
"I don't think you can have too much effective security," says Bonner, "but the resources wasted on [passing audits] buy you nothing and should be minimized."
IT security budgets can also serve as a smokescreen to prevent greater investment in data security measures, cautions Detroit-based contractor Eric Kimminau, a master enterprise architect who specializes in data center migrations. "It is also very expensive to put personal firewalls on every device and to do full Layer 7 protection, even at your remote sites," he says. "The ongoing costs alone for the bandwidth to keep all these malware signatures updated are significant."
Part of the problem is what Dipto Chakravarty calls a "digital divide" between CISOs and compliance officers. "This has created more breaches than any weakness in the perimeter itself," says the security advisor to Altamira Technologies Corp., an open source technology provider based in McLean, Va., that is focused on the national security space. "The most secure systems are not compliant, and the most compliant systems are not secure."
One way to bridge the divide is to better define risks and understand their business implications, says Chakravarty. "We have to make risk transparent and more manageable by being proactive at understanding how risk maps into specific corporate goals."
Most CISOs didn't start out on executive career paths, however. "They were system admins and aren't really part of the executive club," Shimel says. "They aren't empowered within the organization to make changes happen; the best CISO is the one that comes into an organization after a breach happens, because they have a mandate to do so."
Some organizations view IT security and risk managers as the fulcrum between the IT department and the business divisions. "Our role is to balance business opportunities with risks and ensure the risks are reasonably accurate, understood and considered, even though these risks may be at odds with the business needs," says Lawrence Casey, an IT and risk manager, who works in the manufacturing industry.
Even if a security officer is well qualified, EvriChart's Maro says, "it is unlikely that just one person has all the knowledge regarding what data is on the network and the various outward-facing services that a company provides."
And while audits can be a good thing, they can also be rigged: "It matters who controls the scope of the audit," says Kimminau. "In one audit I was involved in, the company didn't even tell their auditors where they were storing their data, and the auditors didn't know that the data wasn't encrypted at rest -- they ended up passing their audit when they should have failed."
Part of the good-enough security problem is that some companies think they don't need to improve their security posture, even in the healthcare industry. "There are still businesses who mistakenly think they are too small to be a target for hackers," Maro says. No matter your size, he says, "you still need to be constantly monitoring the threat landscape to understand what is going on."
On a positive note, the health information management provider is seeing better products from security vendors, as software and hardware products ship with more secure default configurations.
A lot of organizations are living like it is still 1999, agrees CISO Group's Shimel. "They don't have anything in the cloud, they are still using local Exchange servers, their Web servers aren't integrated into their back office operations and they have entirely flat LANs," he says. "It is only when you start changing this architecture and using clouds and more mobile devices that it makes sense to change your security model."
Thankfully, the dynamics around good-enough security practices are changing after the recent data breaches, and moving the bar higher for what the minimum protection should be. One reason: "The financial and health regulations are changing and becoming more stringent," Kimminau says.
"Expectations are a lot higher these days for what is needed," agrees Bob Matsuoka, the chief technology officer of CityMaps.com, a New York City-based startup. "Almost all of my colleagues use VPNs and some are starting to make more use of encryption, too. We all know that anything you put out in public will be eventually breached, and so the threshold has to be much higher now," says Matsuoka, who has weathered a few incidents himself.
One of CityMaps.com's development servers needed to have some files available to a remote team. "We opened up some ports on the server as a quick workaround, and it was breached within a day," he says. "Luckily, we just lost a bit of time and nothing serious was damaged, and probably the time it took us to handle the breach was about the same as it would have taken to develop a more secure access for this one-off situation."
Many IT managers and CISOs are trying to balance access controls with traditional perimeter and network protection. According to Maro, organizations really need both, and security professionals should look more closely at these technologies to ensure that they have sufficient protection. "Personally, I believe that multiple layers of security are important so that if one layer is somehow compromised, there are other controls to help contain the incident," he says.
"Network design is really important," agrees Matsuoka. "We use client certificates for all of our access control, because passwords are just useless these days. We haven't yet gotten to two-factor authentication, but we are thinking about it. It is only a matter of time before all of our developers will be using 2FA in production."
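The two Matsuoka anecdotes above describe the same control from opposite sides: a port opened to anyone who could reach it, and access gated on a client certificate instead of a password. The following is an added example, written for this page and not code from CityMaps.com or any product it mentions, that stands up a loopback HTTPS file endpoint which refuses every TLS handshake not carrying a certificate issued by the team's CA. The CA, server certificate and client certificates are minted in-process by a hypothetical `issueCert` helper standing in for a real internal PKI; the names `team-ca`, `dev-server`, `dev-alice` and `attacker` are constructed for the demo. Three clients then connect: a developer with a team-CA certificate, an anonymous client with no certificate (the "open port" case), and an attacker presenting a certificate from a look-alike CA that has the same name as the real one but a different key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// issueCert mints a throwaway certificate: a self-signed root when parent is nil, otherwise a
// leaf signed by parent for server/client auth on 127.0.0.1. Hypothetical stand-in for a real PKI.
func issueCert(cn string, parent *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // root: the template signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der) // only fails when der is empty, i.e. when err != nil
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// StartServer serves on a loopback port and refuses every handshake whose client certificate
// does not chain to a CA in trusted. It returns the base URL and a stop function.
func StartServer(trusted *x509.CertPool, serverCert tls.Certificate) (string, func(), error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is the access control
		ClientCAs:    trusted,
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", nil, err
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Identity comes from the verified certificate, not from a password.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	})}
	go srv.Serve(ln)
	return "https://" + ln.Addr().String(), func() { srv.Close() }, nil
}

// Fetch does one GET, presenting the given client certificates (none = anonymous), and returns
// the body or the TLS/HTTP error that came back.
func Fetch(url string, trusted *x509.CertPool, certs ...tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: trusted, Certificates: certs, MinVersion: tls.VersionTLS12}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo connects three clients: a developer holding a team-CA cert, an anonymous client with no
// cert, and an attacker holding a cert from a look-alike CA (same name, different key).
// Only the developer should be served; the returned errors record what the other two got.
func Demo() (served string, anonErr, rogueErr, setupErr error) {
	ca, err := issueCert("team-ca", nil)
	if err != nil {
		return "", nil, nil, err
	}
	server, _ := issueCert("dev-server", &ca)
	dev, _ := issueCert("dev-alice", &ca)
	lookalikeCA, _ := issueCert("team-ca", nil) // same subject name as the real CA, different key
	attacker, _ := issueCert("attacker", &lookalikeCA)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Leaf)
	url, stop, err := StartServer(trusted, server)
	if err != nil {
		return "", nil, nil, err
	}
	defer stop()
	served, setupErr = Fetch(url, trusted, dev)
	_, anonErr = Fetch(url, trusted)
	_, rogueErr = Fetch(url, trusted, attacker)
	return
}

func main() { // prints what each of the three clients got back
	fmt.Println(Demo())
}
```

Run with `go run .`: the developer gets `hello dev-alice`, the anonymous client and the attacker each get a TLS error rather than the files. The look-alike CA deliberately reuses the name `team-ca` because Go's TLS client withholds a certificate whose issuer name is not in the server's advertised CA list; matching the name forces the attacker's certificate to be sent, so the rejection you see comes from the server's signature check against `ClientCAs`, which is the property that makes this an access control rather than a naming convention. In a real deployment the certificates would come from an internal PKI with short lifetimes or revocation, and the 2FA step Matsuoka mentions can be layered on top of the same gate.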
What constitutes good-enough security can also be influenced by physical security considerations. "We work in some very insecure places that can be dangerous," says David Goodman, the CIO for the International Rescue Committee, a New York City-based nonprofit, whose staff is located in offices in many of the world's trouble spots.
"We have a global safety team [whose members] are more worried about personal security and the implications of what data resides on someone's phone or laptop and whether that puts any of our staff at risk," he says. "When information gets to the wrong people, bad things can happen. It becomes a matter of life and death."
With the recent data-breach incidents, many IT managers have taken notice, and they are reformulating their security practice. "I'm seeing a shift from thinking about incidents as individual response episodes to thinking in terms of continuous response," says Casey. "For me, that means monitoring the behavior of the environment, in addition to the traditional prevention and detection practices."
Still, information security practices aren't changing fast enough, Chakravarty says: "A lot of security teams implement what is in the manuals and are more compliance-driven rather than practice-driven. And just because the CFO and lawyers say some technology is needed doesn't make your IT infrastructure more secure."
About the author:
David Strom is a freelance writer and professional speaker based in St. Louis. He is former editor in chief of TomsHardware.com, Network Computing magazine and DigitalLanding.com. Read more from Strom at Strominator.com.