What is the C-suite of Your Company doing to tackle Internet Security Risks?
June 6, 2012: Over six million passwords stolen from social media giant LinkedIn.com. April 6, 2012: Hackers break down the Mac firewall on over 600,000 Apple computers. April 4, 2012: A 23-year-old British hacker steals eight million identities of UK residents. March 8, 2012: Anonymous leaks Symantec source code.
You probably already know that the incidents above are just a drop in the ocean of Internet security breaches that have happened in the past five years. What is the reason? Is it limitations in our current Internet security technology? Or is it our business processes? What role does the C-suite need to play in order to avoid such security risks? Unfortunately, these questions can’t simply be answered with a “yes” or a “no”. John Lainhart, Steve Robinson and Marc van Zadelhoff from IBM have recently released a thought-provoking white paper on this topic, called “Managing threats in the digital age”. You can read it here: http://www-935.ibm.com/services/us/gbs/thoughtleadership/ibv-security-managing-threats.html. Although their research is very thorough and convincing, I’d like you – the reader – to read it and challenge its viability based on your own experience in dealing with Internet security risks.
Here’s my experience.
Is “Optimized Security” (that is, proactive and automated security) the solution?

[Figure: A structured, three-level approach to building security intelligence. Courtesy: IBM Global Business Services]
John, Steve and Marc talk about how businesses typically implement security in “waves”, progressing from “Basic” to “Proficient” to “Optimized”. In my experience, while a “truly optimized” infrastructure does make security much harder to break, it does not completely solve the problem. Even the most optimized security systems remain prone to vulnerabilities and intrusions because the rules that make a system “intrusion aware” keep changing. Every time an intrusion detection rule is compromised, it must be updated and patched as soon as possible. For instance, suppose that logging in to a production environment over the VPN at around midnight, especially when there is no planned maintenance, is treated as an intrusion. If this rule becomes known to the hacker, he will simply avoid hacking into the system at that time. This raises the question of how to secure the security fabric itself!
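To make the midnight-VPN rule concrete, here is an added example (my own illustration, not code from the white paper or from IBM) that runs the rule over constructed VPN login records and layers a second, independent signal beside it, so that an attacker who learns the time window still trips a check. The log format, the maintenance windows and the baseline of known user/target pairs are all assumptions for the example.

```python
from datetime import datetime, time

# Constructed sample VPN login records (hypothetical format):
# <ISO timestamp> <user> <vpn gateway> <target host> <event>
SAMPLE_LOG = """\
2012-06-05T23:40:12 alice vpn-gw1 prod-db-01 login
2012-06-06T02:15:03 bob vpn-gw1 prod-web-02 login
2012-06-06T09:05:44 carol vpn-gw2 prod-web-02 login
2012-06-06T23:55:10 dave vpn-gw1 staging-01 login
"""

# Constructed planned maintenance windows (start, end), same timezone as the log.
MAINTENANCE = [(datetime(2012, 6, 5, 23, 0), datetime(2012, 6, 6, 1, 0))]

# Constructed baseline of (user, target) pairs seen during normal operations.
KNOWN_PAIRS = {("alice", "prod-db-01"), ("bob", "prod-web-02")}

OFF_HOURS_START = time(22, 0)  # 22:00 ...
OFF_HOURS_END = time(6, 0)     # ... to 06:00 counts as off-hours


def parse_line(line):
    ts, user, gateway, target, _event = line.split()
    return datetime.fromisoformat(ts), user, gateway, target


def is_off_hours(ts):
    t = ts.time()
    return t >= OFF_HOURS_START or t < OFF_HOURS_END


def in_maintenance(ts, windows):
    return any(start <= ts <= end for start, end in windows)


def flag_logins(log_text, windows=MAINTENANCE, known_pairs=KNOWN_PAIRS):
    """Return (timestamp, user, target, reason) for each suspicious production login."""
    alerts = []
    for line in log_text.splitlines():
        ts, user, _gateway, target = parse_line(line)
        if not target.startswith("prod-"):
            continue  # the rule only covers production hosts
        # Rule 1: the post's example, an off-hours login with no planned maintenance.
        if is_off_hours(ts) and not in_maintenance(ts, windows):
            alerts.append((ts.isoformat(), user, target, "off-hours-no-maintenance"))
        # Rule 2: an independent signal, so avoiding the time window alone is not enough.
        if (user, target) not in known_pairs:
            alerts.append((ts.isoformat(), user, target, "first-seen-user-target"))
    return alerts


if __name__ == "__main__":
    for alert in flag_logins(SAMPLE_LOG):
        print(alert)
```

On the sample data, bob is flagged by the time rule alone, while carol, who logs in during business hours, is still caught by the baseline rule.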
As a company moves towards optimized security, the role of the C-suite becomes more and more important. Stringent processes must be defined, and it must be ensured that they are followed without exception. How many times does a Level 3 support developer come to know the password to the production box because the Level 1 operations person was away from the computer and something serious had to be fixed urgently? How many times does that Level 3 support developer, not realizing how sensitive that password is, write it on a Post-It note and stick it on the corner of his monitor? You know what I mean.
Can the C-suite really help here?
John, Steve and Marc take the discussion further and discuss how the C-suite (the CEO, CFO, CMO, etc.) should be responsible for ensuring that incidents such as those above don’t happen; and if they do, that immediate remediation is taken so the security fabric remains bullet proof. Personally I think their idea of the “three-point plan” is brilliant, because in my experience things fall apart when the C-suite is not kept well informed about the vulnerabilities in the company’s technology and processes and their implications for the company’s business. Once informed, it is really the responsibility of the C-suite and the board to align their resources and priorities, and finally to become smarter in analyzing and quantifying the risks.
For me, the key take-away from this paper is that making your business secure is a continuous and evolving process. It is not just the responsibility of the C-suite. It is not just the responsibility of the developer or the QA engineer. It is the responsibility of society and the community as a whole. Although “responsibility of the community” is not mentioned in the white paper, I see it as a natural extension of the “three-point plan”. Apart from involving customers, internal staff, partners, auditors, etc., the company must have appropriate processes and channels in place to accept feedback from the community at large.
What are your thoughts?
June 25, 2012 at 9:00 am