Information Security - Do we care?
Due to the recent focus on cybersecurity, new government regulations, and well-publicized hacking incidents, there has been a great deal of talk about information security in the media. According to SysCloud, a provider of security and data backup, the business community saw 750 major data breaches in the United States last year, exposing more than 81 million private records. The average cost of a data breach jumped from $6.46 million in 2010 to $12.69 million last year. In light of the government's commitment to cybersecurity, the President's Executive Order (EO) 13636, "Improving Critical Infrastructure Cybersecurity," called on Executive Branch agencies to assess whether and how existing cybersecurity regulation could be streamlined and better aligned with the Cybersecurity Framework launched in February 2014. We also have other regulations that provide guidance and direction for the various business verticals, e.g. HIPAA/HITECH, PCI, state regulations, GLBA, 21 CFR Part 11, ICD-10, etc. Additionally, we have standards for guidance such as NIST, ISO, FIPS, CCM and HITRUST, amongst others. As professionals working within technology, we are all aware of these. But are we really aware, and how are we applying so many regulations and standards? Is this really improving our security posture, or is it creating a culture of "wait and see"? Because security does not add to a business's bottom line, the common approach is to wait for enforcement or for an incident. Businesses know that the fines can be large, and they handle that risk from a legal perspective. The real trigger for many businesses is not the fines but the brand: they do not want to lose customer confidence and/or intellectual property.

As a security professional in the industry for many years, I have seen the progression from security that was just a firewall and/or an anti-virus product to a phenomenon that has created concern and fear. As the enterprise moves to big data, cloud environments, analytics, faster operations and more regulations, we need to think about the culture of security and privacy in our organizations. Security should not be left to the technologist; it should be part of our employment contract. What does that mean? We need to equip each person in the organization with the knowledge and tools to protect sensitive data. The approach needs to be one of a team, where the business works with the technologists to learn and participate in a culture of protecting and managing data.

We are moving to an age where information security is all about data flows and data consumption. Each user must be made aware of the risks to that data and of how they can participate in securing it. Awareness is a key aspect of information security in today's enterprise environment. Good training and awareness starts at the top and comes with strong governance. For an employee to be aware, he/she needs to have access to a clear set of policies and procedures. These policies provide direction and a posture on how serious an enterprise is about its security.

Let's not address each incident with another tool. Let's look at the problem holistically and address security and privacy as a team. People will participate in the process if there are clear directions and open dialogue.

Let's promote that for our organizations.

Ian Murphy

Project Director, DEW Systems Offensive & Defensive Systems

Trying to get the herd to maintain the flight pattern is going to be the most daunting of tasks. IT security as we now know it is not going to be around much longer, and whatever is coming in its wake will be more complicated, which will make it easier to break, and the cycle repeats.