I hear it quite regularly from industry commentators and speakers at conferences - the key message being that every organization has been breached and only those with good information security have been able to detect and respond to the breaches.
The other implication of course is that the CSOs in the companies that “don’t know they’ve been breached” are incompetent.
One of the main problems with this phrase is that whenever I hear it, the speakers never qualify what they mean by a breach. Does it mean that someone has penetrated the network and taken the organization’s prize data? Or does it mean that a computer virus infected a laptop of little or no value to the organization? My point is that without clarification of the context of the statement, how are we to know how bad the problem really is?
I say this because I regularly talk to business people or senior management in companies who read the above statements and they say to me, “is it really true that our company has been breached but our CISO does not know about it?” Some have even asked “if every company is breached, why should I spend money on security at all?”
We cannot blame them for having that viewpoint when not only do “industry experts” regularly claim the battle against our adversaries has been lost, but their viewpoint is reinforced when they read about security breaches resulting from basic security measures not being properly utilized or not even implemented in the first place.
While some will argue that this is the reality we’re facing, I say that if that’s the case - what are we going to do about it? Are we simply going to surrender our networks, our systems and our data to whomever wishes to access them or are we going to work together as a community to improve the situation for us all? I will certainly be aiming for the latter and urge those of you reading this to do the same.
I believe we need to take several steps to help us improve the overall image of our profession and community. Some of these will take time and will require some hard work but if we work together we can make our networks safer and secure for all.
Here are my suggestions:
1. Let’s make sure we bring context into conversations. Remember that saying “there are two types of organisations, those that have been breached and those that don’t know they have been breached” is like saying “there are two types of shops, those that have been robbed and those that don’t know they have been robbed.” Robbery can range from staff stealing pens from the stationery cupboard, to petty shoplifting, to actual armed robbery. When making statements such as these, context is important to make sure the right message is understood.
2. Let’s focus on getting the basics right before we start worrying about any new threats or the latest cool vendor solution. Ensuring that basic security controls are in place and working as they should is not an easy task, particularly for large enterprises. Remember: without the basic controls in place, the new headline-grabbing threats are not what you should be worried about, as you are more likely to be breached as a result of an existing threat. Also, if you cannot get the basic controls working, what makes you think you will be any more successful with the latest and greatest vendor solution?