Lesson #3 — Don't underestimate the value of a CSO
2014 is considered the year of the breach. While there are many contributing reasons these intrusions occurred, a key issue is that executives are unaware of how insecure their networks actually are. Cyber security has reached the point where it is a boardroom discussion; if it isn't, it needs to be. Executive teams need to get information directly from the person in charge of security. Burying security under the CIO does not work.
Information uptime and cyber security are two different problem sets. They are critical enough to an organization that they require a separate reporting structure, a CIO and a CSO. The CSO must report directly to the CEO and have a clear metric for implementing security.
Lesson #4 — A solid foundation is critical
Building and implementing an effective security program takes time; it is not something that can simply be pieced together. Like a home, a security program requires a solid, well thought-out foundation to be successful. There must be a clear plan of action and a robust architecture design when building out a security program. An organization might have a firewall, IDS and DLP, but without the proper foundation the infrastructure will collapse very quickly as soon as the winds of adversity start blowing.
Organizations that have not built their security program correctly need to put the foundation items in place. The core foundations of security are 1) asset identification, 2) configuration management, and 3) change control. If an organization does not know what is on its network and how those devices are configured, and does not properly control change, it is going to lose and get breached. An organization must have a proper foundation that allows every device connected to the network to be controlled and managed.
Lesson #5 — You can't protect critical data if you don't know where it resides
In 1933, when Billy Sutton was asked "why do you rob banks?", his reply was "because that is where the money is". For an organization, its money is its data; that is why adversaries break into organizations. This is perhaps one of the most important lessons the industry learned in 2014.
Today's attacks are focused on critical data and on ways to exploit that data for the attacker's advantage. If an organization does not know where its critical information is, it cannot protect or control it. Therefore, it is critical that organizations identify what their critical information is, locate which servers it resides on, and put proper measures in place to protect it. Organizations must perform data discovery to identify and control their critical intellectual property.