InsightaaS: The Sony hack is one of those 'crossover' events, an IT security breach that is so big and bizarre that people with no real interest in IT security are talking about it and its repercussions. What might this enhanced visibility mean to the practice of IT security in 2015? Expert/blogger Ben Rothke has published an interesting take on CSO Online, in which he reviews both what the hack means today and what actions it should prompt in the new year.
In the former category, Rothke starts with "this was yet another wake up call" (joining a list that also includes Home Depot, Target, and JPMorgan Chase) and "more breaches will occur," a theme that is echoed by virtually every professional in this field. He goes on to list other items that are worth reviewing, including "buying security hardware and software [is not the same as] having a secure infrastructure" and "firms don't have a handle on the amount of data they have." My favourite from the list is "fixing security and doing it right takes time, money and staff," which includes the following: "if there is anything management dislikes, it's putting time, money and staff into something perceived as a cash cow. Management often needs things done last quarter to make the financial analysts happy this quarter. Fixing a faulty information security program will take many quarters. Let me reiterate this, there's no overnight fix here."
From here, Rothke branches into a "Farmer's Almanac" view of IT security in 2015. He urges readers to understand that "great security architects are critical" (especially for SMBs that can't afford a CISO), that they should not "throw good money after bad" (or in this case, engage consultants who will likely only lengthen the time needed to address problems), that they should "hire the best information security team" possible, and that they should manage the risk resulting from vendor links to internal systems. Three particularly interesting points from this list: "use a two-prong approach to information security" by melding standard and custom elements, create an "application security" program to address vulnerabilities that lie beyond the network infrastructure, and "consider a plan to retire old data" - a good idea that is too often neglected.
The recent (and perhaps ongoing) Sony breach was certainly one of the worst corporate data breaches we have seen to date. As 2014 draws to a close, no one knows with certainty the details of who the perpetrator was. Even so, it's undeniable that it's a breach that will forever change the way Sony does business.
As the year of information security ends in 2014, what does the Sony breach tell us about what will happen in 2015? Here are a few things I think can be said with certainty:
- This was yet another wake-up call – but many will still sleep through it. Home Depot, Target, and JPMorgan Chase were but a few of the most major breaches of 2014. Many firms are simply shell-shocked and hope that nothing will happen to them. Information security has had myriad events that promise to bring sea change, quantum change and countless other transformations that many information security professionals are still waiting for. The reality is that too many firms will try to spend the least on security and hope for the best.
- More breaches will occur – be it state actors, hacktivists, disgruntled employees and the like. There's no reason to think things will get better in the short term. The information security infrastructure is porous, and decades of poor design can't be fixed by patching alone. This means more mega-breaches are an inevitability.
- Fixing security and doing it right takes time, money and staff – and if there is anything management dislikes, it's putting time, money and staff into something perceived as a cash cow...