Moving Beyond a Fear-Based Approach

For those involved with securing privileged information, the news of the latest big breach plastered on every TV, website and newspaper commonly elicits a pair of simultaneous reactions: relief that it's not your organization and dread that it could be the next time. Thus, the initial, formalized realms of IT security departments were born. The problem with this approach is that it is, almost by definition, reactionary. Fear of reprisals, termination or exposure focuses organizations on preventing what has already happened ("Could that happen to us? No? Good."). Furthermore, simple fear promotes negative connotations towards data accessibility. Where information technology gloriously created the broad interconnectivity and transfer capability we all enjoy, IT security becomes a scolding parent imposing limits and saying "no."
Compliance Isn't Enough

As the personal, professional and financial consequences of lost confidential data have grown, regulatory agencies have stepped in to create a framework of policies and penalties that formalizes what must be protected and what consequences are incurred for failure to abide. This removes some of the negativity regarding IT security, since restrictions and data protection can now rest on formalized decisions, but it can have the unintended consequence of implementing IT security based on compliance measurements rather than on actual risk. Target, famously, was certified to be PCI compliant immediately before allowing more than 40 million card profiles to be captured and exfiltrated. An issue with a compliance-based security mentality is its simplified focus on access prevention, and prevention alone is no guarantee. Organizations and vendors are recognizing that while we apply security measures and procedures throughout the enterprise, attackers only need a single failure to gain access.
Approaching IT Security as a Risk Management Exercise

The simple reality is that for all the security technology and processes developed, we cannot guarantee 100% complete protection, nor is it financially feasible to pursue such a methodology. The goal should be recognition that cybersecurity is business risk. As such, the focus should be on identifying and quantifying the financial impacts of any potential breach. With this focus in mind comes the realization that a multi-tiered approach is required, where certain risks are more logically offset by a defined identification program than by any preventive platform—essentially, insuring against the risk rather than walling it away. The great hurdles to this involve the required deep dive into the organization's data structure to accurately recognize and classify pertinent information, and recognizing that unauthorized access paths are not always high-tech exploits that can be offset with high-tech solutions. In a number of the recent high-profile breaches, access was gained through compromised privileged user accounts. All of the cybersecurity tools in the world can be circumvented if a malicious actor has a legitimate login profile. A great analogy for the Board would be a typical (or perhaps advanced) household. As the owner, you definitely want to lock the doors and windows, but even so, you are aware that these won't stop a determined thief. You can install a monitored security system that alerts the proper authorities of a breach, which can greatly limit the time of exposure. You can install a safe to further protect the subset of items you deem completely critical, and you can take out an insurance policy to indemnify you if all of these approaches fail.
To extend this analogy further, the homeowner can realize discounts on premiums by proving to the insurer that various security systems are in place to protect against the insured loss, or may have claims adjusted should the insurer find fault or omissions in the security approach. And finally, you need to teach your children not to share or lose their keys!