Virtual Strategy Magazine features Dwight Koop’s article “When it Comes to Security – Everything is in Scope”

“It’s outside the scope of the audit” is the new “It’s not my job.”

You’re Fired! When it comes to security – everything is in scope.

Did you hear the one about the big firm that got hacked last year? The company knew about a vulnerability, but did nothing because it was outside the scope of their audit. They are a huge company with IT security teams, outside auditors, and their own data centers yet they missed critical security news from the US government and industry experts. Why? Blame it on the “it’s not my job” syndrome.

That is tantamount to a bank teller telling the police, “Yeah, I knew the alarm system wasn’t working. But I’m not the guy who fixes the alarm!”

A network gets hacked and you knew the systems were vulnerable? A bank gets robbed and you knew the alarm was disabled? From now on, if someone in your organization says, “it’s outside the scope of the audit” they’re really saying, “it’s not my job.” Maybe that person needs to be fired! Guards, escort this joker out of here!

Every Network and Every Enterprise can be Hacked

The massive Target, Sony, and Office of Personnel Management breaches occurred despite each organization’s size, internal policies, PCI-DSS audits, and/or security standards compliance. And the list (or bubble chart) is growing every year…

Once hackers (or disgruntled employees) breach an organization’s perimeter, they can easily expose weaknesses inside the network. Nearly 85% of insider attacks or “privilege misuse” used the corporate local area network (LAN), according to a 2014 Verizon security report. Hackers are now using corporations’ networks against them.

It’s the New, Porous Data Center DMZ

In 2014, IDC reported that 69% of enterprises worldwide have at least one application or a portion of their computing infrastructure in the cloud.  Modern enterprises have teams and employees on the move all the time, visiting customers and checking in from devices of all types. Today’s more complex and distributed networks can create a more porous data center perimeter.

In traditional data center security, the focus has been on keeping data physically isolated via the perimeter or “demilitarized zone” (DMZ). But this model focuses too much on protecting the outside, with little to no security inside the network. Cisco reports that by 2018, 76% of all data center traffic will come from the cloud. Perimeter-based security needs to evolve to better secure our critical data as it goes on the road with our employees, to the cloud, and around the network.

Whose Fault is it? The Axe Falls at the C-Level Now

According to a June 2013 PwC report, organizational leaders do not know or appreciate what their IT teams are up against in terms of industry threats, vulnerabilities and the costs required to deal with an attack. A report from KPMG argues that even the corporate board must understand that cybersecurity is a business risk issue, not just a problem for IT.

70% of security professionals believe the CEO should hold the ultimate responsibility in the case of a data breach, according to a 2015 survey from Websense.  Frequently, C-suite leaders discover that their organizations have been using cloud-based CRM, email, and accounting tools without fully realizing their organization’s data is therefore cloud-based.

Truly, everyone responsible for enterprise IT is beginning to feel the security heat as reports of data breaches and cyberattacks have filled the news in the last few months.

Insider Job: Sony Pictures Overexposed

Then there is the Sony hack. At the end of 2014, this breach had cost the studio nearly $15M in security and incident response alone. The additional loss of intellectual property, damaged reputation, and future business losses could total up to $172M.

So the cleanup costs alone essentially wiped out all the profits from the Sony Pictures division. What we’ve all been speculating about is the total cost to Sony’s reputation. “Any company that holds something of value on behalf of their customers – be it their product designs, business plans, credit card numbers or cash – must establish and maintain trust” said Kowsik Guruswamy, a security expert quoted in Silicon Angle. We’ll still be tracking Sony’s costs years from now.
Compliance Overreliance: Target was PCI compliant, and yet…

You never want to hear your CEO say we were “certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach.” That quote is directly from Target’s ex-CEO, Gregg Steinhafel, who was ousted after the massive 2013 breach that has cost them $191 Million. Note the word “former” in his title, executives.

For those following along at home, that’s Target’s gross expense to date. In 2014 Target had a $46 million insurance receivable. In 2013, the company’s gross expense related to the breach was $61 million, which was offset by a $44 million insurance payment. That brings the net expense of the breach for the retail giant to $162 million, according to Security Week. Yikes.

Tip: Put your Healthy Paranoia to Work for You

What could they have done differently? The biggest security shift is knowing that meeting compliance does not always mean meeting security best practices. Most of the big companies that seek compliance only want a checked box, not the extra work of preventing network breaches.

Plus, think about all of your data as critical data. While Ashley Madison didn’t have to meet any compliance requirements, it was pretty darn embarrassing when everyone found out less than 15% of accounts were actually women. When everything is online, connected and public the security buck stops with you.

Here’s my advice to you:

Treat all your data like it’s critical data

No matter where your data lives – in the cloud or on a server rack in the back office – it should always be encrypted. A disaster doesn’t have to be a massive hack or a natural disaster; it can be one forgetful employee. At the lowest level, encrypted data is always harder to exploit than plain text data.

Focus on prevention so you don’t have to worry about cleanup

Try telling your boss this fun stat: The Ponemon Institute estimates the actual cost of compliance with regulations such as PCI-DSS, SOX, and HIPAA for a mid-size organization averages $3.5 million, while the cost of non-compliance was estimated at $9.4 million (3 times the cost to comply!).

Seek professional help

Ask the experts! Don’t have the budget to hire a team of pros to do all the security scans, audits, and checklists for you? Fear not, there are people who’ve done the bulk of the work for you. Just grab a checklist from a group like NIST and customize away.

Again with Feeling: Customize A Security Plan for your Needs

As vital enterprise data moves outside of the protected data center and the IT silo, leadership should focus on new ways to secure critical data in any location. Organizations deserve to have clear guidelines and advisors who value a practical and honest approach to security.

A modern data-focused enterprise must add encryption and security within the network to strengthen existing hardware and virtualization security. With security focused on each enterprise application inside the network, organizations can secure critical data if it is traveling across the network to branch offices, accessed via hotel wifi, or residing in the public cloud.

Take a page from what others have been doing for decades. Learn from the best standards and guidelines out there, and put the NIST Cybersecurity Framework to work in your organization. The NIST Framework offers a useful, unified reference to cybersecurity best practices, and you can start using it immediately to improve cybersecurity in your organization.

So consider yourself warned. It is your job to be aware of vulnerabilities, patch security updates, and take action on audit findings. It is your job to prevent the next Target, Sony, Ashley Madison, or OPM hack.

See the full article at Virtual Strategy Magazine.

By: Margaret Valtierra