Gustin Partners | August 12, 2015 |

Security for the Rest of Us

By Thornton May
Futurist, Senior Advisor with GP, Executive Director & Dean - IT Leadership Academy

Breaches and compromises have become a business reality. And yet, most organizations are at a loss for words. Many security experts focus on the dark side, counseling executives that they need to “Update Their Nightmares”. Indeed, when was the last time you heard “good” security news? The years 2013, 2014, and 2015 have each been dubbed “the year of the breach.” I believe that part of the problem is that the media and the general population lack a vocabulary capable of expressing positive developments in the information security space. The BakerHostetler Data Security Incident Response Report 2015 correctly asserts that the terms “‘hack’ or ‘breach’ are inadequate to describe the diversity of incidents companies are facing.”

The Report goes on to speculate that “breach fatigue” is setting in. That is to say, the more breaches consumers and corporations hear about, the less likely they are to care or worry about the next breach, or the next one, or the one after that, to the point that data breaches won't even be news to anyone anymore. And that could result in huge risks all around.

Lessons From Those Who Have Been “Breached”
According to the BakerHostetler Report, the top five causes of an incident are:

1. employee negligence
2. external theft of a device
3. employee theft
4. phishing, and
5. malware.

Technology can’t fix stupid and technology can’t fix “evil”. Organizations cannot eradicate security risk solely through the use of better technology. And yet many try. As the Report puts it: “Encrypting portable devices can help in cases where employees leave devices in unlocked cars, but technical security solutions do not stop employees from being phished, failing to review logs, or improperly configuring servers.”

Make Your Organization a Less Desirable Target
In Future Crimes: Everything is Connected, Everything is Vulnerable and What You Can Do About It, Marc Goodman states: “I compare our current attitude to car theft. If you take a brand new BMW and park it in a bad neighborhood, leave the keys in the ignition, the doors and windows open, and $10K on the dashboard: You won’t be surprised if your car is stolen. That is the cyber security posture of most people today. They are wide open for abuse.”

Organizations can take steps to make themselves a less desirable target for the “bad guys.” Chief among these is moving away from a product-by-product approach to implementing information security.

Is Your Organization “Compromise Aware”?
One security firm’s report documents that attackers had free rein in breached environments for a median of 205 days before being detected in 2014, versus 229 days in 2013. The BakerHostetler 2015 Report calculated that the average amount of time elapsed from incident occurrence to detection was 134 days. This is 134 days too long.

A controversy of sorts is bubbling in the security industry regarding WHO discovers that a security incident has actually occurred. The general consensus is that most of the time (69%), organizations learned of the breach from an outside entity such as law enforcement rather than from their own monitoring.

Does your organization know what key stakeholders want to know AFTER a compromise has occurred? “The press, partners, investors and consumers no longer want to know simply when the incident occurred and what data was exposed. They want details about everything from the type of malware used to how attackers maintained access.” They want to know the “storyline” of the attack and whether the enterprise has “contained the incident.”

Is Your Organization “Compromise Ready”?
The aphorism “It’s not the crime but the cover-up that gets you in trouble” appears to hold true in the information security arena. The question is not “if” a compromise will occur. The real question is what you will do “when” a compromise happens. Companies can become “compromise ready” by taking the following steps:

- Developing an incident response plan and practicing execution of the plan with tabletop exercises;
- Working with an experienced security consultant to conduct security assessments (to understand where assets and sensitive data are located);
- Implementing “reasonable” security and detection capabilities based on the recommendations of the consultant;
- Gathering threat intelligence to understand the nature of current risks;
- Conducting personnel training and awareness-raising activities to reduce the chance that an incident will result from employee negligence, and so that those incidents that do occur will be quickly identified;
- Undertaking vendor due diligence and contract analysis, to reduce the chance that an incident will be caused by a company’s business contacts; and
- Maintaining ongoing diligence, updating and adapting to changing risks, to proactively guard against evolving and emerging threats.


The Path Forward
In a post-Snowden, drone-filled, data-obsessed, privacy-concerned world, senior management can be excused for being a bit confused. How are you going to figure out what to do?