RSA recently published their inaugural and aptly named Cybersecurity Poverty Index. This study is based on self-assessments by organizations that compared their current security implementations against the NIST Cybersecurity Framework. According to the report, almost 66 percent rated themselves as inadequate in every category. With all of the recent breaches in the news, part of me is astounded at this finding. The other part is not surprised, given that this matches what I see in the field every day.
It would appear that the lack of focus on information security is a top-down problem. TechDirt reported this week that the United States' CIO ordered all government web sites to implement SSL by the end of next year. SSL is not exactly a new idea, and yet the U.S. government is just now getting around to it, and may fix it by next year, if the deadline does not get extended, and if they don't use a vulnerable version of SSL/TLS. I have also spoken to a number of customers with known web application issues, who just have not gotten around to fixing them. Folks, we have a problem.
The revelations above, along with the recent news about the government employee breach, made me wonder why corporate America is not fixing their cybersecurity problems. If I had a major revelation on this topic, I might be able to write a book and retire comfortably. I would offer, however, that part of the problem is simple and fundamental (there goes my book deal), stemming from the perception on the part of company management that good security requires the expenditure of large sums of money. As a result, some companies throw money at the problem, and don't get the return they expect. Others decide they can't spend the money, and hope becomes their security plan.
A few years ago, I managed security for a busy, highly regulated and audited credit bureau, with no recorded data breaches and a very modest security budget. What I have learned from experience is that good information security has only an indirect relationship to the amount of money spent. You can't win by throwing money at it, any more than you can by ignoring it.
So, how can you have a secure operation without emptying the corporate bank account? It starts with good fundamentals, and a daily focus. The following are some of the elements:
Involvement by company leadership
Security maturity begins in the boardroom. Company management must acknowledge information security as a priority, and support the IT team in its implementation. While a fortune is not required, it isn't free either, so they must come up with some money to address the issue.