Lessons from the Sony breach: Four things that need to happen now

We don't have the levels of government protection from a cyber-attack that we would have if armed men attacked, so we need to make our own plans, says Eddie Schwartz.


When the finger pointing about attribution stops, the recent Sony breach will endure as one of the three most significant cyber-security events of 2014 because it once again highlighted a number of critical gaps in the ability of individual organisations to defend themselves against targeted attacks. A breach of this magnitude can make us all wonder, how are organisations supposed to defend themselves when attacked by a nation state, or a highly organised criminal group with deep pockets and high levels of know-how?

Think about it this way. If an organisation's headquarters or a branch office were under physical attack by armed assailants, they would normally call the police, who would dispatch the SWAT teams and other resources needed to physically protect the organisation from further harm. But in today's world of advanced cyber-threats, when an organisation is under siege, there generally is no such protection offered to them.

In today's threat landscape, organisations must defend their own information assets. Here are four steps they should take immediately.

1. First of all, organisations must develop a stark sense of reality about what they can and cannot do well in cyber-security. CIOs, CISOs and security leaders must revisit the organisational structure and skills of their security teams and of any IT staff with responsibility for securing information assets. This analysis involves a deep review of what currently are, or could become, core competencies for the organisation, and where it might need help from outsiders.

Important questions to ask include:

· What is the right structure for the security team?

· What skills are required, and where are the gaps?

· If we need to have these skills in-house, do we need training and certifications?

· Which additional skills should we hire, and which should we outsource to service providers who are more experienced in these areas?

2. Foster deeper collaboration within your industry and across industries. We all know that the bad guys share information freely and across borders, and do not have to play by the rule of law. So it is critical for the good guys to have more opportunities, at all levels, to collaborate both electronically and in person to share information and intelligence about current attack techniques and emerging threats. We need more effective collaboration forums than we have today. Better collaboration will help alert companies to the latest threats and help them identify the right solutions and service providers. There is some great collaboration happening in certain industry sectors today — financial services is the most successful example — but we need a significant increase in information sharing and collaboration, and this change requires more trust among practitioners and changes to regulatory and legal frameworks.

3. Take a back-to-basics approach by focusing on protecting what matters most to the organisation with solid security controls. More organisations should implement effective governance and controls frameworks. When an organisation fully commits to implementing a model framework, it has a much higher likelihood of success in protecting its crown jewels, with the added benefit of not having to reinvent the wheel. If a company focuses on good controls based on accepted standards and frameworks, some of the cyber-risks it faces would be greatly reduced.

4. Do not just create good contingency plans and incident response plans — practise them. It is critical to involve a wide variety of players across the organisation, not just IT and security. Communications, legal and senior management all must be involved, and so must the outside service providers who augment an organisation's key cyber-skills. For incident response plans to be effective, the internal and external ecosystem must be well understood and all parties must be ready to act. Given what we all observed in 2014, practice may not make perfect, but it sure will help a lot.

Last, but certainly not least, it is critical that security practitioners understand the relationship between their organisation, its people, its IT assets and the kinds of adversaries and threat actors they are facing. It is only through this analysis that the right cyber-security programme can be designed and implemented, one in which budget, skills, intensity and performance are all balanced at the appropriate levels.

By Eddie Schwartz, chair, ISACA's Cybersecurity Task Force