
BLOG: Huge Sony data breach should empower CIOs and CISOs

Ross O. Storey | May 18, 2011
The Sony breach, and subsequent digital security tightening, should be a major wake-up call for multinational enterprises across the globe.

If the current Sony data breach case - expected to cost the company hundreds of millions of dollars - doesn't prompt a rush by major enterprises to employ a chief information security officer (CISO) or expand the influence and responsibility of CIOs (chief information officers), then there is something amiss.

Our IDG news service reported that Sony told customers that their personal information had been stolen in a breach of its PlayStation Network on Tuesday, 26 April, about a week after figuring out that it had been hit by hackers.

About 100 million Sony PlayStation gamers are thought to have had their subscriber details compromised by the breach.

Reportedly the login password for each account was among the data stolen when an unknown hacker or hackers attacked Sony's San Diego data centre on 19 April. Other information leaked included the names and addresses for registered PlayStation Network and Qriocity users, along with their birth dates, e-mail addresses and other personal information.

Second network breached

Sony reportedly also discovered that a second network, Sony Online Entertainment, had been hacked, and then had to admit that bank card numbers had indeed been stolen.

Sony began a phased resumption of its PlayStation Network and Qriocity services on Sunday, 15 May 2011, more than three weeks after the cyber attack.

Sony said upgrades to its systems have brought "considerable enhancements to the data security, including updating and adding advanced security technologies, additional software monitoring and penetration and vulnerability testing, and increased levels of encryption and additional firewalls".

It has also added software to provide an early warning of system activity that could indicate an attack has taken place and has created a new position of CISO.

This serious breach, and Sony's subsequent actions, should be a deafening digital security wake-up call to major enterprises across the world.

Not enough CISOs

According to a range of surveys, however, fewer than half, and in some cases fewer than one third, of the world's major enterprises currently have their CIOs reporting directly to the CEO.

This has prompted some pundits to declare that too many company organisation charts are locked in the 20th century and fail to acknowledge the importance of information technology.

A whitepaper, 'Mind the Gap: CISOs Work to Narrow the Breach-to-Detection Gap for Better Security', published earlier this year by IT security and compliance automation solutions firm Tripwire, highlighted the problem.

It said that "Heartland Payment Systems CEO claim(ed) the company was in compliance only a week before its 'scandalous breach' ".

"At the same time, many breaches fly under the radar, unnoticed for too many months even when, in most cases, the evidence is right there in log files that are collected as part of compliance efforts," stated the Tripwire report.

 
