With a successful major security breach happening nearly every month now, it is easy to start treating this as noise, but that could be a career-ending decision. The news this week wasn’t just on the Cardinals hacking the Astros but also on Congress asking for heads to roll on the Chinese hack that compromised the information of a massive number of federal employees.
While I think the drama of all of this is fascinating, the underlying problem is the continued focus on blame rather than actually attempting to fix the problem. At the heart of the federal problem is an endemic lack of focus on making critical systems secure. So much so that last year the Attorney General recommended shutting much of the system down to protect confidential information.
I’ve done a lot of security audits over the years and I don’t recall ever seeing something so bad that we recommended killing the entire system to protect the information that was in it. Now, when you have a problem this bad, it generally isn’t because IT is incompetent. Thus, firing people won’t fix the problem. It is because the executives that control the budget haven’t made security a high enough priority and provided the funding necessary to mitigate the problem. In this latter case, that would mean that if heads need to roll, the first likely should be the folks in Congress who didn’t properly prioritize mitigating this risk.
However, I’ve never seen a CIO successfully argue that a security problem was the CEO’s fault and survive the result. That suggests two things: that being a CIO right now in a firm that doesn’t take security seriously enough is suicidal, and that creatively shifting budgets to make sure you are secure might significantly decrease the probability of premature retirement.
Every time I hear about an unauthorized access breach, it is generally connected to password theft and/or unapproved escalation of privilege. What really surprises me is that way back in the 1980s, while I was at IBM, we determined that passwords and IDs weren’t secure enough (this was before Ethernet and way before the Internet), and yet we still seem to be proving this is true now on a far too regular basis.
Simple things can mitigate much of this problem: assuring that someone can’t be logged in two places at once, removing IDs and passwords when an employee leaves or suspending them while the employee is on vacation, tying multi-factor authentication to primary devices, and auditing security policies. It really isn’t that expensive when taken against the cost of the breaches we have been seeing.
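As an added illustration (not from the original column), the sketch below audits authentication events for two of the checks named above: an account holding sessions from two places at once, and any authentication, successful or failed, against an account that is on leave or terminated. The event format, account names, status values and rule names are all assumptions made for this example.

```python
# Constructed identity state (hypothetical accounts and status values).
ACCOUNT_STATUS = {"alice": "active", "bob": "on_leave", "carol": "terminated"}

# Constructed auth events: (ISO timestamp, user, source address, event type).
EVENTS = [
    ("2015-06-22T09:00:00", "alice", "10.0.0.5", "login"),
    ("2015-06-22T09:20:00", "alice", "203.0.113.7", "login"),    # first session still open
    ("2015-06-22T10:00:00", "alice", "10.0.0.5", "logout"),
    ("2015-06-22T11:00:00", "bob", "10.0.0.9", "login"),         # account is on leave
    ("2015-06-22T11:05:00", "carol", "198.51.100.4", "login_failed"),  # attempt only
    ("2015-06-22T12:00:00", "alice", "203.0.113.7", "logout"),
    ("2015-06-22T13:00:00", "alice", "10.0.0.5", "login"),       # clean: nothing else open
]


def audit(events, status):
    """Return (timestamp, user, rule) findings for the events, in time order."""
    open_sessions = {}  # user -> set of sources with a live session
    findings = []
    # ISO 8601 timestamps sort chronologically as plain strings.
    for ts, user, src, kind in sorted(events):
        state = status.get(user, "unknown")
        # Flag attempts as well as successes on accounts that should be dormant.
        if kind in ("login", "login_failed") and state != "active":
            findings.append((ts, user, f"auth_on_{state}_account"))
        if kind == "login":
            live = open_sessions.setdefault(user, set())
            # A live session from any other source means two places at once.
            if live - {src}:
                findings.append((ts, user, "concurrent_session"))
            live.add(src)
        elif kind == "logout":
            open_sessions.get(user, set()).discard(src)
    return findings


if __name__ == "__main__":
    for finding in audit(EVENTS, ACCOUNT_STATUS):
        print(*finding)
```

In practice the status table would come from the HR or identity system of record, so that a departure or leave takes effect in the audit the same day it is recorded.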
One of the most traumatic experiences in my life was when a highly critical, confidential report on IBM’s products somehow made it to Kaiser Permanente, our largest customer in California, which then, based on the report, decided to stop buying these IBM products. I got to meet the Senior VP of Sales because he personally wanted me fired. If it hadn’t been for the fact that I was sneaky and owned security for my unit, I would have been. But we were able to trace the report Kaiser had back to that same Senior VP’s office. I survived. He didn’t.
So I’m a huge believer in document controls and making sure that only people who should have access to documents actually do. Products like those from Varonis are critical to assuring that breaches like we have been seeing of late are caught rapidly and mitigated before they become catastrophic. More importantly, they can identify the potential for problems long before they occur, preventing the kind of damaging drama we now see in the news so often.
One of the really stupid things about security systems historically is that they typically alert on a breach, but they often don’t alert on an attempt. An entirely new class of tools called Security Information and Event Management (SIEM) has been released by companies like Intel/McAfee over the years to address this lack of alerting, and they have increasingly been tied to automated mitigation technologies like those from Huntsman. This is because when the initial SIEM products ran, they would send the CIO into near cardiac arrest, showcasing a massive list of potential exposures that exceeded the available resources to fix them many times over.
Law Enforcement Inaction
The Major League Baseball incident aside, much of the problem we currently have is the inability or unwillingness of law enforcement to take action against the criminals. Granted, if it is a state, like China, it becomes more problematic, but at the heart of that problem is the fact that the Snowden leak showcased that the U.S. was doing pretty much the same things. Much like it was with nuclear proliferation, it is well past time for the governments of the world to realize that this hacking is making their citizens unsafe and agree to stop it with severe enforceable penalties if any government gets caught. Inside the U.S., law enforcement needs to be better funded to address this kind of problem as well, at a more granular level, so the skills aren’t as easily developed for attacking individuals and small companies.
Wrapping Up: No End in Sight
I can feel for the folks being grilled by Congress after the latest breach, both because I’ve kind of been there and because I’m well aware of the feelings associated with having the persons responsible for a problem trying to punish me for it. In the end, though, this isn’t about blame. It is about protecting the companies and governments that assure our salaries. If we don’t start taking this stuff more seriously, many of us may find our own necks on the block over the next few years. One thing is for sure, it is going to get a lot worse if government doesn’t start taking this entire class of crimes far more seriously.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM.