Data Breaches: 3 Lessons for Leaders
Recent Incidents Impress Importance of Key Skills
Then, in April, the Epsilon e-mail breach exposed the risks of data security managed by a third-party service provider.
Two weeks later, Sony Corp announced that hackers had stolen names, addresses and possibly credit card details from 77 million user accounts of its PlayStation Network and Qriocity online service.
RSA, Epsilon and Sony: Three major security incidents that dominated the headlines and sent ripples throughout security organizations worldwide.
No one feels the pressure of such breaches more than the chief information security officer, who ultimately is responsible for protecting and securing the organization. How an organization plans for and responds to such incidents can make or break a CISO's career.
In the wake of these three high-profile breaches, we spoke to two global information security leaders - Alessandro Moretti, volunteer member from Switzerland of the (ISC)2 Board of Directors and a senior risk and security executive in financial services, and Abbas Kudrati, head of information risk and security director for the kingdom of Bahrain - and asked for their biggest lessons learned. Here's what they shared. [For more on leadership and incident response, see Why CISOs Must Care About Sony Breach.]
No. 1: Build Trust with Senior Management
An incident as significant as the RSA breach requires leaders to be agile and have the ability to redirect investment, projects and security controls within the shortest possible time if needed, says Moretti. This transition can only happen when IT security leaders have built trust with the business owners by establishing an open line of communication in which they discuss pervasive and forward-thinking issues on a continuous basis. Example: how to respond to unique events such as the recent Japanese earthquake or the RSA breach. Moretti picks up the phone and speaks with his executives at the bank as often as needed, bringing to their attention the risks, investment and options to be pursued within the threat landscape. "Leaders have to focus on how they get information across to senior management to do something more proactive," he says.
No. 2: Enhance Security Awareness
These high-profile breaches have reinforced the need for comprehensive employee training programs designed to help organizations build a more security-conscious workforce. "It is still a big challenge for most organizations to implement a thorough security awareness program in their companies, as they lack insight into employee behavior and where, what and how to protect their information assets," says Kudrati. "This means awareness remains low, understanding of the risks stays incomplete, risk is not properly assessed, and the need for regulation is not created."
His response to these incidents has been to initiate a detailed awareness program, including providing the necessary education and tools to employees for a heightened awareness of corporate policies, procedures and guidelines; customizing email policy for different departments based on usage; and conducting frequent social engineering and anti-phishing exercises to enable employees to carefully consider the security implications of their online activities. He also has automated regular checks on technical controls, infrastructure and internal vulnerabilities, allowing the organization to reduce the risk of exposing sensitive information and ultimately strengthening the risk management and data loss prevention policies.
"We are working progressively in reducing risks by pushing the basics, expanding our knowledge of threats and vulnerabilities and educating our employees," Kudrati says.
No. 3: Manage Risk with Vendors
IT security leaders can no longer just focus on controls and contracts in dealing with vendors that provide software, applications, network and core infrastructure solutions. Leaders have to ensure that "vendor management is built into the risk framework, so these providers know what risks they are managing for you," Moretti says. One must categorize vendors before assessing vendor risk, as not all service providers are the same. Also, IT leaders need to ensure they have a contingency plan in place to support their business should the worst happen to the vendor supporting their mission-critical systems and infrastructure.
Moretti says he has changed his attitude from a control mindset and instead works with vendors as partners of the organization in making them understand the impact of managing risks. The dialogue is now on risk management and mitigation.
Ultimately, Moretti says, "a leader's passive attitude to a security incident outside of their organization is no longer acceptable."