Mike Potts reflects on the recent RSA conference and the lessons that need to be taken from it.
Another RSA conference is behind us, and as always, we overheard security professionals speaking their own language using terms like ‘APTs’ and ‘zero-day threats.’ While these words and numerous other terms sound like jargon, they represent important cybersecurity concepts that have typically flown over the collective head of C-Suite executives and board members: until today. At this year’s RSA conference, I noticed that cybersecurity is finally being recognised as a business discipline that directly impacts an organization’s business goals, which is causing the C-Suite to sit up and listen.
The string of damaging data breaches suffered by high-profile companies like Target, Sony Pictures, Home Depot and JP Morgan Chase have helped to elevate the issue of cybersecurity to the C-Suite and board levels. While the mechanics of identifying and remediating attacks may reside with the IT team, cybersecurity has become a company-wide effort that the leadership team must oversee.
With cyber security cast in this new light, CEOs need to consider three crucial questions:
- What must be done to provide security administrators with network visibility to manage both the internal and external security threat;
- What is the company’s incident response plan; and
- What will be done to minimise the damage done by the inevitable attack?
In fact, many Fortune 500 enterprises are forming board cybersecurity subcommittees to answer these questions, translating the cybersecurity discussion into business terms that directors and the C-Suite can digest and act upon.
Another observation I had at RSA is that the cybersecurity discussion is changing. No longer are we talking about if we’ll be attacked and even when we will be attacked. Today, we know that it is very likely that the bad guys are already inside the network.
To complicate matters, we’re on the leading edge of the Internet of Things trend. An increasing number of machines, encompassing everything from printers to refrigerators to heart monitors in hospitals, have their own unique IP address and can communicate with one another. This creates a new set of cybersecurity vulnerabilities that will affect virtually every industry.
Welcome to Security 2.0.
In the world of Security 2.0, attackers have become increasingly sophisticated and are capable of bypassing traditional network perimeter security defences; in fact, the threat of an insider attack is actually a bit higher — about 51 percent — than that from an outsider. That is why having a real-time view inside the network is so critical. I’m not suggesting that organizations abandon perimeter protection altogether. But, at the same time, companies and government entities alike cannot rely on perimeter protection tools alone and expect to adequately secure their networks. Outside attackers can too easily break through, and of course, it’s just as easy for the inside threat actor to open the door and walk out.
Insider threats, network visibility, device classification, Internet of Things: I realise that for a CEO this article may start to fall under the heading of ‘cybersecurity jargon I don’t need to understand.’ So let me revisit the three questions I mentioned earlier and provide some context. These are questions that you, and hopefully the new director of your board’s cybersecurity subcommittee, should be asking your security administrator:
1. Do you have visibility into activity going on across our entire network? This is a necessity in a Security 2.0 world, and your budget should focus on implementing technologies that provide this internal visibility as well as hardening the security perimeter around the network.
2. What is our incident response plan? This is the company’s response plan, not just an IT plan. How are employees trained to recognise suspicious external and internal activities and report those activities? How will you work with your marketing and legal teams to communicate the incident to employees and to the public? These just a few of the questions that must be addressed in a comprehensive incident response plan.
3. What is our remediation process? It is naive to expect an attacker will not penetrate the defences on your network. If the attacker tries 100 times and only succeeds once, he wins. With this in mind, cybersecurity best practices must also include how to quickly remediate an attack to minimise the damage, both in terms of compromised assets and damage to your company’s reputation.
Many companies that suffer a data breach don’t realise the damage has been done until a third party such as the Department of Justice or a bank alerts them. This is a clear signal that the era of Security 1.0, which had companies devoting their budgets to blocking outside threats from getting in, is over. We’re now in the era of Security 2.0 where the attacks are more sophisticated, the insider threat is very real, and the term ‘connected devices’ applies to an ever-growing variety of machines that are connected to our networks. It is also an era when the C-Suite and the board of directors are finally giving information security the attention it requires in order to maintain the company’s security posture while also recognizing its importance as part of the overall business plan.
Mike Potts is CEO, Lancope.