I hear it quite regularly from industry commentators and speakers at conferences - the key message being that every organization has been breached and only those with good information security have been able to detect and respond to the breaches.
The other implication of course is that the CSOs in the companies that “don’t know they’ve been breached” are incompetent.
One of the main problems with this phrase is that whenever I hear it, the speakers never qualify what they mean by a breach. Does it mean that someone has penetrated the network and taken the organization's prize data? Or does it mean that a computer virus infected a laptop of little or no value to the organization? My point is that, without clarification of the context of the statement, how are we to know how bad the problem really is?
I say this because I regularly talk to business people or senior management in companies who read the above statements and they say to me, “is it really true that our company has been breached but our CISO does not know about it?” Some have even asked “if every company is breached, why should I spend money on security at all?”
We cannot blame them for having that viewpoint. Not only do "industry experts" regularly claim the battle against our adversaries has been lost, but that viewpoint is reinforced every time they read about security breaches resulting from basic security measures not being properly used, or not even implemented in the first place.
While some will argue that this is the reality we’re facing, I say that if that’s the case - what are we going to do about it? Are we simply going to surrender our networks, our systems and our data to whomever wishes to access them or are we going to work together as a community to improve the situation for us all? I will certainly be aiming for the latter and urge those of you reading this to do the same.
I believe we need to take several steps to help us improve the overall image of our profession and community. Some of these will take time and will require some hard work but if we work together we can make our networks safer and secure for all.
Here are my suggestions: