What Every CISO Should Learn From the Target Attack
 

What Every CISO Should Learn From the Target Attack

on

  • 622 views

This article originally appeared in the February 4, 2014 issue of CIO Journal.

This article originally appeared in the February 4, 2014 issue of CIO Journal.

Statistics

Views

Total Views
622
Views on SlideShare
622
Embed Views
0

Actions

Likes
0
Downloads
0
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

What Every CISO Should Learn From the Target Attack What Every CISO Should Learn From the Target Attack Document Transcript

  • What Every CISO Should Learn From the Target Attack By Mike McConnell Vice Chairman, Booz Allen Hamilton (This article originally appeared in the February 4, 2014 issue of CIO Journal) The nightmare cyber breach that Target Corp. faced at the height of holiday shopping season will impact that company’s bottom line, its customer relationships and its customers’ financial security for months -- if not years -to come. Every business or government management team shudders at the thought, “This could happen to me.” Damage to an organization and its customers happens at light speed, which means senior leaders have to react at light speed to limit the mayhem and protect the organization. Decisions with potentially huge cost and brand implications must be made immediately. Leaders must determine how much liability looms, and how much investment in remediation is needed to account for that. They must also decide what to say to customers immediately about their individual vulnerability and actions they must take. And they must determine the right steps to take to ensure damage to the organization is fully contained. And yet even the best remediation effort falls short if the organization operates from an outdated security model. As cyber threats have evolved rapidly in recent years, much of the focus within industry and government has remained on perimeter defense and improving remediation from attacks after the fact. Today, the speed and scope of current attacks have outpaced those efforts, because the perimeter can no longer be fully protected. Today’s threat environment demands that companies or agencies have a predictive edge to sense and preempt coming attacks, and if they do occur, to possess the tradecraft to immediately turn information and intelligence at the IT level into actionable, real-time insight for business leaders to respond. And while some companies are starting to focus on improved C-suite decision-making, the secondary issue is how to manage that transformation effectively. Corporations can be excellent at forecasting revenue and developing long-term plans without realizing that cyber crisis planning in today’s threat environment requires a completely different approach. This is the greatest call to action for chief information security officers in 2014: to accept and understand that a remediation-centric cyber defense is not enough, and to build a communications link to the C-Suite that breaks down the Tower of Babel between the server room and the board room. Organizations need to change their entire security model from one of compliance – meeting basic standards for data protection – to a holistic multi-faceted program of engagement. The CISO can meet the current and future cyber challenge by first considering how much of a direct role and responsibility the C-Suite should take to manage the many components that a holistic cyber defense and remediation program will require. Each component – intelligence-based monitoring, crisis management, remediation, legal, insurance, crisis communications, organizational planning, staff training, etc. – has unique characteristics and must be closely synchronized with one another. And each component has its own level of risk. Is it too great a risk for leaders to manage each individually, or is the better option the use of a provider with broad expertise who can aggregate all for managed, simpler risk-based decision making for the C-suite? CISOs will be charged to make a recommendation on the level of direct management and responsibility, and sharing risk with others is almost always better. Given the inherent weaknesses in perimeter defense today, the most important single element of a holistic cyber approach is a predictive, intelligence-based defense, and more specifically a “military-grade” level of protection.
  • Government security agencies have long developed sophisticated components for a cybersecurity Web that now protects the nation, including micro-analytics that can sense bit-level signs of a coming attack, analysis of macro trends that include nation-state moves, the ability to integrate capabilities into a single-security architecture so gaps can be identified, and the skills to follow indications and warnings in the public sphere. CISOs must look for these same proven elements as they examine any commercial intelligence-based solution, because the approach is well proven in the classified realm. Another key factor in success involves people. IT security experts are a given requirement. But an effective intelligence-based defense team must be much broader and integrated, to include data scientists whose job it is to know what questions to ask of the data, linguists who understand the finest points of world culture and communication, and others. Turning information into intelligence and insight with analytics tools is a skill not found in textbooks – it’s a tradecraft that requires the right mix of training and experience among the experts who perform it regularly, and the ability to explain it to leaders. An enterprise is only as strong as its weakest link, and any cyber defense today that is not fully integrated, broad enough in scope to cover all components of risk, and with a military grade level of capability and the right talent is not going to serve a company or agency’s senior leaders well. CISOs within the commercial financial services industry -- which was one of the early targets as attacks evolved from Direct Denial of Services to theft and damage -- have set a strong example for leveraging predictive intelligence and translating risks to the C-suite. Bank CISOs, CEOs and board members work together to identify cyber risks and better manage them within overall organizational risk priorities. For example, when a major bank references liability risk in its annual report, that now often includes the risk for the loss of private customer information in a cyber attack. And more broadly, the financial services industry has created the Financial Services Information Sharing and Analysis Center, a forum for collaboration on critical security threats facing financial institutions. Valuable shared information from this group enhances the intelligence-based defense and helps individual institutions better manage cyber threats at the enterprise level. The oil and gas industry, which has extensive physical assets that are vulnerable to cyber attack, also is moving in this direction to manage its own unique risks. Today, it is not enough to know what to do in cyber security, but given how quickly events occur, it is just as important to work out ahead of time how to do it. Those industries have CISOs who have learned from experience and taken strong action, starting a conversation with the C-Suite and building an advanced team. Other CISOs should learn from them – if not just from watching the headlines – and begin the process of reimagining their cyber defenses immediately, or face the inevitable consequences. Mike McConnell is the Vice Chairman of Booz Allen Hamilton and served as the Director of National Intelligence for two years under Presidents George W. Bush and Barack Obama. He will be attending the 2014 RSA Conference to speak with CISOs about the challenges they face with moving from a perimeter defense to a holistic cyber program and engaging with the C-suite.