Over the past two weeks, CBS’s 60 Minutes news magazine and the Director of the NSA have both made stunning statements relating to IT security. A segment during the December 1st episode of 60 Minutes left viewers with the basic conclusion that very little could be done to stop hackers from stealing their credit card information. On November 20th, Adm. Michael Rogers, Deputy Director of the NSA and head of the US Cyber Command, testified before the House Intelligence Committee that China and “one or two other countries” had the capability to launch cyber attacks on the U.S. that could shut down the electrical grid and other critical infrastructure systems.
60 Minutes also featured an interview with Dave DeWalt, CEO of FireEye, who said that “Even the strongest banks in the world, banks like J.P. Morgan, retailers like Home Depot, retailers like Target, can’t spend enough money or hire enough people to solve this problem.” The story also included Brian Krebs of “KrebsOnSecurity.” Back in Congress, NSA Director Rogers concluded, “It is only a matter of when, not if, we are going to see something dramatic.”
These dire forecasts, while basically true, leave companies and their customers wondering if they should just throw their hands up in the air. Redspin believes surrender is not an option, but a different approach is necessary. We’ve advocated for years that IT security is about risk management and not about endpoint protection. We agree that 100% endpoint protection is not possible. But being proactive means conducting regular and comprehensive security risk analysis. A security risk analysis will not only identify vulnerabilities but will risk-rate them so that organizations can prioritize their security measures and allocate resources accordingly. A critical vulnerability deserves more attention than a “medium” or “low.” While this won’t stop every breach, it will help mitigate the damage these mammoth breaches can cause.
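To make the risk-rating and resource-allocation idea concrete, here is a small added example (not Redspin’s methodology and not code from the original post) that scores each finding by likelihood and impact, bumps likelihood one step for internet-facing assets, maps the score to a critical/high/medium/low rating, and then funds remediation in priority order against a fixed budget. The 5x5 scales, the rating cut-offs, the `Finding` fields, and the five sample findings are all assumptions constructed for this illustration.

```python
from dataclasses import dataclass

# Ordinal scales for likelihood and impact. A 5x5 matrix is a common convention,
# but these labels and the rating cut-offs below are this example's own assumption.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Finding:
    ident: str
    asset: str
    likelihood: str
    impact: str
    internet_facing: bool = False  # exposure raises likelihood by one step
    remediation_cost: int = 1      # constructed unit cost (e.g. person-days)


def risk_score(f: Finding) -> int:
    """Likelihood x impact on a 1..25 scale; external exposure adds one step."""
    like = LIKELIHOOD[f.likelihood]
    if f.internet_facing:
        like = min(5, like + 1)
    return like * IMPACT[f.impact]


def rate(score: int) -> str:
    """Map a numeric score to the qualitative rating used in the post."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(findings):
    """Highest risk first; cheaper fixes first on a tie; stable on id last."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.remediation_cost, f.ident))


def allocate(findings, budget):
    """Greedily fund findings in priority order until the budget runs out.
    Returns (funded ids, deferred ids). A finding that does not fit is deferred
    and the loop continues, so a cheap medium can be funded after a high is
    skipped; that is a deliberate, visible trade-off for the reviewer."""
    funded, deferred = [], []
    remaining = budget
    for f in prioritize(findings):
        if f.remediation_cost <= remaining:
            funded.append(f.ident)
            remaining -= f.remediation_cost
        else:
            deferred.append(f.ident)
    return funded, deferred


# Constructed sample findings for a hypothetical organisation.
SAMPLE = [
    Finding("F-001", "payment gateway", "likely", "severe", internet_facing=True, remediation_cost=5),
    Finding("F-002", "HR file share", "possible", "major", remediation_cost=2),
    Finding("F-003", "dev wiki", "unlikely", "minor", remediation_cost=1),
    Finding("F-004", "marketing site", "possible", "moderate", internet_facing=True, remediation_cost=3),
    Finding("F-005", "test VM", "rare", "negligible", remediation_cost=1),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        s = risk_score(f)
        print(f"{f.ident} {f.asset:16} score={s:2} rating={rate(s)}")
    funded, deferred = allocate(SAMPLE, budget=8)
    print("funded:", funded, "deferred:", deferred)
```

Running it ranks the internet-facing payment gateway finding as critical and funds it first; with a budget of 8 the allocation skips the second high-rated item that no longer fits and spends the leftover unit on a medium, which is exactly the kind of budget decision the post argues should be visible to executives rather than left inside IT.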
During every engagement, we also try to elevate discussions about IT security to the executive office or even to the Board level. Clearly, preventing these incidents is about corporate risk management. It can’t be left solely to IT to advocate for budgets and resources to protect the organization. Every CEO should be briefed regularly on the state of IT security within their operations. A regular security risk assessment, particularly by an objective third-party firm, is one way to accomplish that.