For every data breach that makes the headlines, there are tens to hundreds that go unreported by the media, unreported by companies, or even worse, go unnoticed.
The rash of negative publicity around organizations that have experienced data breaches would appear to be a sufficient motivator to whip corporate leaders into bolstering their security programs in order to prevent from being the next major headline. If that is not reason enough, the litany of regulations imposed on certain industries should be enough, shouldn't it? I mean, who wants to be a victim of a data breach and risk the financial, legal, and reputational risks?
In my experience I have found that corporate leaders generally want to operate in a secure manner, however they often make poor or uneducated decisions that contribute to a mediocre security posture.
Pick up any article on a recent data breach and you will likely read about the technical reasons the attackers were able to compromise the network. For example, several large retailers have been breached due to attackers compromising an insecure wireless access point in their retail stores that were connected to their payment-processing environment. What you don't read about is the root cause of the issue. Why was there an insecure access point in the first place?
In this article, we will look at 5 non-technical reasons why organizations get breached.
1. Not Accepting Security as Part of the Core Business Process
For most organizations, security management functions are on the fringe of the organizations structure or buried deep within IT. To the business, security is often an after-thought and is usually imposed upon the organization in the form of regulations such as PCI, HIPPA and GLBA; even then compliance is spotty at best. Let's face it, security does not directly contribute to the organizations' bottom line. In fact, on the surface, it may appear to negatively impact the bottom line, increasing the cost of projects, and due to the difficulty to calculate return on investment.
So why do we have this disconnect? Simply put, information security has not been brought in from the periphery of the organizational structure. Lets take a look at the not too distant past. Ten to fifteen years ago, IT organizations were in a very similar place in the evolution of “organizational acceptance”. Organizational leaders did not understand technology and therefore may not have known how to properly manage or effectively integrate IT into their organization. In many organizations, IT was left to function on it's own, was not included in strategic planning and initiatives, and may have been considered in some organizations a “necessary evil.” Needless to say, management support, resources and budgets were difficult to obtain, if not non-existent. Today, in most organizations, IT has been accepted into the core of the business because of the need for organizations to remain competitive and run efficiently. Successful IT organizations are now lead by business thought leaders, not “techies”.
So what's with all this talk about IT? Isn't this blog about security? The answer is simple: security is today where IT was 10-15 years ago. All the issues IT organizations have faced in the past IS organizations are facing today, such as lack of understanding of security by organizational leader and lack of integration of security into the core business management process. Until organizations accept security as an integral part of the organization, IS organizations will be shoveling against the tide.
2. Misplaced Responsibility
The unfortunate perception is that with the centralizing of security management, security is no longer anyone else's concern. I dont know why this is; last I knew as an ISO I was still responsible for developing and maintaining a budget, even though we had a CFO and accounting department. In organizations where information security is centralized, but responsibilities are not well defined the business will continue to pursue business initiatives and goals, and wait for security to either intervene (hoping they can pass under the radar) or pass the buck to security to get “approval” just prior to launch. However, when security does intervene, it is often too late in the project lifecycle, or the business objectives trump any identified risks making security organizations ineffective and appear to be an obstacle. Security needs to be everyone's concern, and not just pushed on the CISO.
3. Lack of Accountability
When it comes to our jobs, we are all held accountable for something. For example, ensuring projects are completed on time and within budget. Our effectiveness, or ineffectiveness, often translates into our performance evaluations which we have a vested interest in remaining gainfully employed and obtaining some sort of financial gain in the form of a pay raise or bonus. My point is, if an employee knows they are being held accountable for something, you can bet they will comply with it; especially if it affects their employment status or future earnings potential. Likewise is true with information security, however, employees are seldom held accountable for their participation in the security of the organization. I suppose security could be categorized under “Other Duties as Assigned” in an employee's job description, but really this needs to be spelled out a little clearer.
Business and security leadership need to identify the roles and responsibilities of information security for each level of employee in their organization. Those responsibilities should be included on each employee's job description and translate to those responsibilities to the performance evaluation process. What did we just create by doing this? We created an environment where information security expectations are clearly defined and measured, ultimately leading to a more security conscious culture.
4. Conflicts of Interest
Organizations that put the responsibility of security management in the hands of IT are the equivalent of letting the fox guard the hen house. I'm not saying that IT folks are malicious and want their organization to get breached, but they are put in a precarious position in which often conflicting priorities arise and something has to sacrifice. For example, early in my career as an IT Manager I was primarily tasked with getting systems operational by the business so the organization could start to recognize the ROI. The pressure from the business was often overwhelming and project timelines were typically very aggressive. However, I was also unofficially tasked with managing security over the IT infrastructure. When put in the position of getting the system to market or crossing my t's and dotting my i's and ensuring any unnecessary risks were identified and mitigated, the later is what often sacrificed. I know for a fact I was not the only one placed in that awkward and unfair situation. Today, as a security consultant, I see it more than I would like to admit.
Folks, let your IT people do what they are good at. Involve them in the security process, but don't put them in the unfair situation of having to choose between delivering a solution on time over ensuring it is secure. Those expectations should be set by a CISO, ISO, Risk Manager, whatever you want to call it. That role should NOT report through IT where there is a potential for conflicting priorities. Just like auditors need to ensure independence, security professionals should not have to be worried about being unfairly influenced by their boss because he/she has a vested interest in delivering a project on time or within budget.
5. Lack of Governance
Most mid-sized or larger organizations have an audit committee in place, especially publicly traded companies. This committee is typically made up of board members that have the responsibility to review and ensure the accuracy of the organizations financial statements. Their purpose is not to actually put the financial statements together, but rather ensure that the controls in place to prevent errors or omissions are effective and that management is taking proper measures to continually identify and mitigate risks.
So, if we have this process around the risk of misstating financials, why wouldnt we employ a similar process around the risk of security breaches?
A governance process makes sure organizational decision makers are “in the loop” with identified security risks and effectiveness, or lack thereof, of implemented controls. This gives those individuals the opportunity to ask questions, understand risks, question management's judgment and re prioritize risks. Organizations that lack governance over information security management are omitting an extremely important and powerful responsibility of executive management and, in some cases, the board of directors, to ensure the security of their sensitive information.