The genesis of this blog post is a presentation and follow-up conversation with a group of executives from one of the Fortune 100 companies my various teams support. This team is in a very interesting position, having an opportunity to build an information security organization completely from ground zero. This is a unique opportunity very few of us ever experience in such a large environment, but it's also a position I don't envy due to the extremely complex nature of the undertaking.
This group was a loose collection of architects, C-level technology executives, and directors who didn't quite have a firm grasp of their roles in the soon-to-be-formed organization.
Personally - I think this is one of the most difficult conversations I've ever been presented with... The idea was to provide a 'state of the industry' for the new leadership team, and to help them decide what, where, and how for their move forward. What I didn't expect was the stumbling block which derailed the meeting as far as I was concerned...
The biggest mental hurdle that we ran into here, which has been echoed elsewhere, is the notion of "it's not if, but when" on the hacking and incident front. I know many of you who are a part of the security community and live and breathe security on a daily basis have long passed that mental hurdle. We readily admit that any company, any organization, any person can and will likely be hacked or breached... the question is simply when. For the executives I'm speaking with, this is not something they're willing to accept yet, and it stops conversations dead.
Here's my personal take on this phenomenon, and how I understand it... again, just to be clear, this is an unscientific summarization based on personal experiences:
- Acceptance of data breach or incident as an inevitability correlates with the disposable nature of the information.
As Josh Corman points out in one of his blog posts, information falls on a continuum where on one end it is replaceable and disposable, and on the other end it is permanent and costly. Credit cards can be blacklisted and new numbers generated, while personal health records are a little more permanent, and thus more effort is placed on defending them from breach.
- This position is largely industry-dependent with the healthcare industry lagging.
Accepting a breach as an inevitability is difficult, but it seems more difficult in the healthcare and life sciences vertical. Where patient data is at stake, data that is not easily replaceable like a credit card, the appetite for a breach is lowest. The retail industry, on the other hand, seems to be the quickest to accept the inevitability of a data breach or incident.
- The position tends to start with unrealistic expectations from senior management.
It would appear that this boulder rolls downhill, and the reason the CISO isn't comfortable with the fact that there will be a breach at some point is that his manager, and that person's manager, and so on aren't comfortable with it. Organizational culture is failing at understanding IT risk and instead sees a data breach as an event that can be avoided.
- This position tends to be heavily influenced by whether the organization has had an incident previously.
It would appear that those that have been breached or experienced an incident are quickly converted. Those that still haven't (or haven't figured out they have) are still largely in denial on whether they will experience a breach or incident. We're not learning from our collective experiences, if you ask me.
- This position seems to be possibly 'compliance-driven'.
While I haven't found more than a handful of senior security managers to confirm this as fact, I believe that the fear of non-compliance pushes security managers toward a zero-tolerance policy for failure. While it's unrealistic and impossibly expensive, compliance tends to make absolutes like 'security' easy to misunderstand as requirements.
Where does this put us?
I think the position many security leaders are in is difficult, because as Corman points out (in one of my favorite of his quotes): "Sometimes you encounter someone convinced no one would ever target them; to which begs the question... 'If you have nothing worth stealing... how are you in business?'" On one hand your goal as a CISO is 'no breach', and on the other hand you're talking about relative risks, all while being constrained by spending cuts and resource challenges.
As far as I can tell, security still has a long way to go before it's actually understood in the business context. We've got lots of work to do before security is a part of mainstream business thinking. It is only after many years of beating the drum that non-security professionals are starting to wake up to the fact that security cannot be an afterthought in development and design... but I think it'll take another ~5 years before business executives are comfortable with the notion that they will be breached and that this fact alone doesn't make or break their careers. Their response, however, does.