I wrote an article a while back for Cyber-Defense Magazine (CDM) that is still relevant given today’s hacking climate. I’ve written before about “The Cyber 9/11” that I believe is on the horizon. As you’ll see in the CDM article, I explain that the Sony breach was a great example of a threat vector we don’t think about too much — HR department image scans from employee onboarding. Most know this breach for the scandalous email exchanges between executives about their feelings for high-profile actors, but the underlying message should be that there’s really no regulatory control over how the employee documents scanned and stored by HR when onboarding a new hire are secured.
Additionally, the failure of HR teams and IT teams to communicate (business and IT again not playing well together) was once again a major contributor to the breach. More about this can be found in the article here.
I welcome any HR professionals’ comments, good or bad, on this article. I’ve been an advocate for breaking down silo barriers for years, and the Sony breach is a prime example of why the IT and business arms of enterprise companies need to work across silos and more closely together. I recall, in particular, a conversation with a Forrester Research analyst who described how IT has traditionally been the red-headed stepchild of enterprises’ business arms. For years, IT’s job was to fulfill requests from the business arm of the enterprise. It was reactive (i.e. fix my laptop, my email’s not working, add email accounts for 5 new marketing people, etc.) and not very strategic. Today the more proactive enterprise has its business CxOs working with the CIO/CISO on how to meet performance service level agreements, streamline IT operations, and gain a better view of overall performance, availability and security across the entire enterprise. In this scenario, IT is less a servant to the business and more a strategic ally. This is what Forrester Research, Gartner and other expert industry analyst organizations are preaching to the Fortune 1000.
But there’s still a long way to go, and the Sony breach, and others that have followed, are a stark reminder that in business things usually don’t get fixed until they break. And ironically, there may not be any major gains in shoring up security and app performance/availability until something goes “Cyber 9/11” wrong. I hope this never happens, but it is an accepted premise in InfoSec today that it’s not a matter of if you’ll get hacked, but a matter of when. As it stands today, InfoSec managers are struggling with the “when.” Case in point: the most recent Ponemon Institute 2017 Cost of Breach Study revealed that the average time to detect a breach is still an amazing 191 days. Unfortunately, the “when” is taking over six months either because InfoSec visibility is so poor or because it doesn’t matter. I think it’s mostly the former — IT infrastructures are so complex, and so are the SIEM systems that manage security. It’s not unusual to see a dozen security software and hardware systems in an enterprise all trying to work together to secure the data and IP; the irony here being that our security systems are siloed as well.
To say “InfoSec doesn’t matter” is a little caustic. I think it does matter to a lot of InfoSec professionals, and there are a lot of great InfoSec professionals in enterprise environments doing what they can to fend off the hackers. The problem is that IT teams are overwhelmed. We live in an age of “do more with less,” and in an IT infrastructure where you have thousands of IT assets all dependent on one another to deliver all the apps a Wells Fargo-sized organization needs, it’s all hands on deck just to deliver applications to acceptable SLAs. The cloud is one way to simplify, but the farther away you go from the datacenter, the more difficult it is to fully secure your data. Ultimately, we may just have to wait until that “Cyber 9/11” takes place before we truly get serious and start throwing a ton of money and human resources at the problem, much like our federal government did after 9/11 with a new division of government to manage security for travelers.
I welcome your thoughts and feedback. –Tony Perri