The inevitability of a data breach - The mental hurdle Security Executives must get over

The genesis of this blog post is a presentation and follow-up conversation with a group of executives from one of the Fortune 100 companies my various teams support.  This team is in a very interesting position: it has the opportunity to build an information security organization completely from ground zero.  That is an opportunity very few of us ever get in such a large environment, but it's also a position I don't envy, given the extremely complex nature of the undertaking.

This group was a loose collection of architects, C-level technology executives, and directors who didn't quite have a firm grasp of their roles in the soon-to-be-formed organization.

Personally, I think this is one of the most difficult conversations I've ever been asked to have.  The idea was to give the new leadership team a 'state of the industry' briefing and to help them decide the what, where, and how of their move forward.  What I didn't expect was the stumbling block that, as far as I was concerned, derailed the meeting.

The biggest mental hurdle we ran into here, and one that has been echoed elsewhere, is the notion of "it's not if, but when" on the hacking and incident front.  I know many of you who are part of the security community and live and breathe security on a daily basis have long passed that mental hurdle.  We readily admit that any company, any organization, any person can and will likely be hacked or breached; the question is simply when.  The executives I'm speaking with are not yet willing to accept this, and it stops conversations dead.

Here's my personal take on this phenomenon and how I understand it.  Again, just to be clear, this is an unscientific summary based on personal experience:

  • Acceptance of a data breach or incident as an inevitability correlates with the disposable nature of the information.
    As Josh Corman points out in one of his blog posts, information falls on a continuum: at one end it is replaceable and disposable, at the other it is permanent and costly.  Credit cards can be blacklisted and new numbers generated, while personal health records are far more permanent, so more effort is placed on defending them from breach.
  • This position is largely industry-dependent, with the healthcare industry lagging.
    Accepting a breach as an inevitability is difficult, but it seems most difficult in the healthcare and life sciences vertical.  Where patient data is at stake, data that is not easily replaceable like a credit card number, the appetite for a breach is lowest.  The retail industry, on the other hand, seems to be the quickest to accept the inevitability of a data breach or incident.
  • The position tends to start with unrealistic expectations from senior management.
    It would appear that this boulder rolls downhill: the reason the CISO isn't comfortable with the fact that there will be a breach at some point is that his manager, and that person's manager, and so on, aren't comfortable with it either.  Organizational culture is failing to understand IT risk and instead sees a data breach as an event that can be avoided.
  • This position tends to be heavily influenced by whether the organization has had an incident previously.
    It would appear that those who have been breached or experienced an incident are quickly converted.  Those who still haven't (or haven't figured out that they have) are still largely in denial about whether they will experience a breach or incident.  We're not learning from our collective experiences, if you ask me.
  • This position may be 'compliance-driven'.
    While I haven't found more than a handful of senior security managers to confirm this as fact, I believe that the fear of non-compliance pushes security managers toward a zero-tolerance policy for failure.  That is unrealistic and impossibly expensive, but compliance tends to make absolutes like 'security' easy to misunderstand as requirements.

Where does this put us?

I think the position many security leaders are in is difficult because, as Corman points out (in one of my favorite of his quotes), "Sometimes you encounter someone convinced no one would ever target them; to which begs the question... 'If you have nothing worth stealing... how are you in business?'"  On one hand your goal as a CISO is 'no breach', and on the other hand you're talking about relative risks, all while being constrained by spending cuts and resource challenges.

As far as I can tell, security still has a long way to go before it's actually understood in the business context.  We've got lots of work to do before security is part of mainstream business thinking.  It is only after many years of beating the drum that non-security professionals are starting to wake up to the fact that security cannot be an afterthought in development and design, but I think it'll take another ~5 years before business executives are comfortable with the notion that they will be breached and that this fact alone doesn't make or break their careers - their response, however, does.

Comments
SteveWerby | 08-13-2012 07:19 PM

As the Fight Club narrator so aptly puts it, "On a long enough time line, the survival rate for everyone drops to zero." Every organization will have a data exposure or data breach eventually. The breach may not be reportable by law and the organization may not have high-value data (or data that would seem to be high value), but it will happen. Organizations that choose to deny that reality put themselves and their CISOs in an untenable position. Most data breaches have a human or process failure as the root cause or a contributing factor. Anyone who believes a zero error rate can be achieved, even with extensive resources, is fooling themselves. And organizations that take this fallacious stance are probably less likely to be prepared to enact strong incident handling and data breach notification processes after an incident. After all, why focus on such processes if you are unwilling to accept a future that involves a data breach?

secolive(anon) | 08-14-2012 08:36 AM

Raf,

I think part of the problem is that a breach is understood (rightly so) as a result, meaning once the breach has occurred, it is too late. Hence, when you're saying a breach is inevitable, you're essentially passing a fatalist message, that most people not deeply in infosec will understand as "it's not worth fighting", which is exactly not what they expected you to tell them - after all they most probably came down here to be taught about how to fight. It comes as a shock to them, and it generates enough discussions that you won't need any additional slide for the rest of the time slot allocated to you :)

I think the problem is that there is a slight shortcut in the reasoning - two in fact. First, a data breach is not necessarily catastrophic - it all depends on what/how much was breached; hence, the impact of a data breach can vary and is in fact controllable (in the risk management sense) - however, most people not in the know will understand breach as catastrophe. Second, and more important: it is being hacked that is inevitable; but there is still time between the attack occurring and the actual data being breached. In fact, there are two events: 1) attacker comes in and 2) data is breached, and what you are actually able to do in between the two is critical.

Hence, it might be easier to soften the message a bit, and say something along the lines of "inevitably, an attacker will be able to get in", and then you can go on with the key message that "detection and reaction are key because they determine what impact the security incident will have on your business". And then, yes, you can go on with "even with detection & reaction, there will be actual breaches" - the audience has been prepared, it will be easier for them.

@secolive

Phil Cox(anon) | 08-14-2012 10:18 AM

Raf,

As I noted on twitter, I do not accept the premise that everyone "will" be compromised. I completely agree that anyone "can" be compromised with enough effort. If you take the former stance, then what incentive is there for folks to spend money to try to prevent a compromise? If it is inevitable that you will be compromised, then it would be logical that all your resources should be spent on response.

I think that as a profession (security folks) we should acknowledge that anyone "can" be compromised, and many "will" because they are either easy prey or an attractive enough target for expenditure of adequate resources to accomplish the compromise.

With that perspective, we acknowledge the reality of compromise, but also the fact that preventative measures are useful and worth investment.

My $.02

@sec_prof

rmur(anon) | 08-17-2012 11:22 AM

Raf,

Thanks for writing this piece. It highlights a very true reality in our world right now. Regardless of the security investments you have already made, it really is not a matter of “if” but “when” your network will be breached. At an estimated $5,500,00 per breach in some cases, this new reality is an awful wake-up call for some.

Please forgive the shameless plug, but this is the exact problem that our company aims to alleviate, if not solve. Carbon Black is a surveillance camera for your computer – always recording so you know precisely what happened and where. The “camera” collects and retains five key elements as they are occurring: records of execution; filesystem modifications; registry modifications; new outbound network connections and unique binaries – as well as the relationship among them. Companies using Carbon Black have reported an over 90% reduction in the time, cost, and disruption associated with breach response. The software gives you the ability to “roll back the tape” to identify what happened and where – dramatically reducing the effort required to remediate and get back to business.


We're always looking for ways to improve our software and help the security community as a whole. Raf, please check us out at http://www.carbonblack.com/ and offer some feedback if you have the time. We want to make this software the best it can be and people who "get" this reality you write of are our best resources.

jjsimonds(anon) | 08-17-2012 01:50 PM

Hi Raf,

We met at Discover 2012, when you interviewed me about NonStop.  This is a very interesting area and I have been thinking about an idea along these lines.  NonStop is a fairly unknown system with a unique operating system, like our other high-end system OVMS.  It has had very low vulnerabilities and no known viruses or worms.  Could someone hack it - sure.  I agree that given focused effort every system can be compromised somehow.  Right now we enjoy security through obscurity, along with good security products, but that's okay.  What I was thinking of though, and would love to get your thoughts on, was a corporate "Black Box" like those that exist on a plane.  The purpose of the "Black Box" would be to reconstruct the business in a worst case scenario.  What documents, contracts and data are needed to rebuild the business during a worst case scenario?  I remember reading that a high number of businesses failed within a year after the 9/11 terrorist attacks - they simply could not recover from the data/personnel losses.  Do you think it's possible to put together a "Black Box" survival kit for a business?  Naturally I believe the data should reside on NonStop since it is one of the most secure and obscure platforms and is most likely to survive a virus/worm/malware attack.

Mark D Adams(anon) | 08-20-2012 04:40 PM

Rafal, I wrote a similar blog a while ago called "SC IT Happens".

http://www.spamstopshere.com/blog/2008/12/04/sc-it-happens/

"The amount of resources that your company spends on protecting your systems and data is typically the only factor that determines whether or when your company experiences its first or next security compromise and also whether that security compromise is even detected.

The first step at avoiding a security compromise is determining your company’s risk, the value of your data or systems, the amount of damage caused by any compromise, and then using that as a basis on determining the resources spent at protecting against a security compromise."

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation