Despite the security industry getting ever more professional, with well trained teams, security incidents seem to be increasing. Just look at the news recently:
- Sony – 23 incidents so far?
- UK NHS Laptop – over 8 million patient records
- Citibank – 200,000 customer records lost
- WordPress platform vulnerabilities (see Steve Lord’s presentations on this)
- Stuxnet – targeted at a specific use
From the 2011 Verizon DBIR:
- 761 breaches of which 87% were in Hospitality, Retail and Financial Services
- 436 of these were in companies with 11-100 employees – so this is not just a problem for the big targets any more
- 92% of attacks (leading to 99% of records compromised) were external
Some new threat groups:
- Anonymous and LulzSec – often punitive, sometimes for the Lulz
  - ACS Law
  - Spanish Police
  - FBI, CIA
  - Porn sites
  - Took requests
So what do the security professionals do?
- After an audit, fix vulnerabilities
- After an attack, fix the issues
- Use encryption and strong authentication
- Patch regularly
- Validate input, encode output
- Assess your 3rd parties
- Use a Secure Development Lifecycle
- Build security into everything you do
No problem, right? If only it were that easy…
Your CEO wants the business to make money, so wants to minimise bottom line spend but will spend appropriately on risks to the business.
So why doesn’t the CEO see these security issues as business risks?
- Maybe they aren’t significant when compared to other business risks
- Or perhaps the CEO just doesn’t understand the latest security threat
Both of these are your problems. The security community is often called the ‘echo chamber’ for a good reason – we say good things and have good ideas about how to fix security issues, but we pretty much only communicate with other enlightened security professionals. We need to tell others in a way they can understand – but in general we talk technical 1337 speak full of jargon and no one can make head or tail of it.
It is up to you, the security professional, to learn how to talk the language of business risk.
There are materials out there that will help you:
- IIA GAIT – Guide to the Assessment of IT Risk
- FAIR – Factor Analysis of Information Risk
- ISACA CobIT – Control Objectives in IT
- ISACA – CRISC and CGEIT certifications
- IISP – approved Information Risk Management courses
Begin to understand what is important to a business executive and how they talk about it, and you are already well on the way to being able to articulate security in the same way. If you are a manager of security professionals, make it easy for them to gain exposure to heads of business, C-suite, executive, directors etc. and it is likely to benefit you in the long run.
These are good questions to prepare you for conversations you may have along the way:
- What metrics should a CIO rely on to gauge risk?
- How would you work with the security paranoiac on your team?
- Can you provide loss values on security breaches?
- How do you compare risks from website, physical perimeter, staff, etc.?
- What are good threats to kick off conversations with others about what worries them?
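The two questions about loss values and comparing website, physical perimeter and staff risks are exactly what FAIR, listed above, is built to answer. As an added illustration that is not part of the original talk, here is a small FAIR-inspired annualised-loss model in Python: each scenario gets a loss event frequency and a loss magnitude, both as three-point estimates, from which it derives an expected annual loss, a ranking, a loss exceedance summary and the net benefit of a control. The scenario names, frequencies, magnitudes and the control's cost and effectiveness are constructed assumptions, not figures from the page, and the model is a simplification of FAIR's full taxonomy.

```python
"""FAIR-inspired annualised loss model (added example, constructed data)."""
import math
import random
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One loss scenario expressed in business terms."""
    name: str
    # Loss event frequency per year as (minimum, most likely, maximum) - assumed values
    lef: tuple
    # Loss magnitude per event in currency units as (minimum, most likely, maximum)
    magnitude: tuple

    def ale_point(self) -> float:
        """Annualised Loss Expectancy using only the 'most likely' estimates."""
        return self.lef[1] * self.magnitude[1]


def _poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year given an annual rate (Knuth's method)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(scenario: RiskScenario, trials: int = 10_000, seed: int = 1) -> list:
    """Monte Carlo sample of total loss per year, returned in ascending order."""
    rng = random.Random(seed)
    low_f, mode_f, high_f = scenario.lef
    low_m, mode_m, high_m = scenario.magnitude
    yearly = []
    for _ in range(trials):
        rate = rng.triangular(low_f, high_f, mode_f)      # note: Python's arg order is (low, high, mode)
        events = _poisson(rng, rate)
        total = sum(rng.triangular(low_m, high_m, mode_m) for _ in range(events))
        yearly.append(total)
    return sorted(yearly)


def percentile(sorted_values: list, p: float) -> float:
    """Nearest-rank value at proportion p (0..1) of an ascending list."""
    index = min(len(sorted_values) - 1, int(p * len(sorted_values)))
    return sorted_values[index]


def loss_exceedance_summary(scenario: RiskScenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Figures an executive can act on: a typical year, a bad year and the tail."""
    losses = simulate_annual_losses(scenario, trials, seed)
    return {
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p99": percentile(losses, 0.99),
        "mean": sum(losses) / len(losses),
    }


def rank_by_ale(scenarios: list) -> list:
    """Scenario names from largest to smallest expected annual loss."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.ale_point(), reverse=True)]


def control_net_benefit(scenario: RiskScenario, frequency_reduction: float, annual_cost: float) -> float:
    """Expected annual saving from a control that cuts loss frequency by a fraction, minus its cost."""
    residual = scenario.ale_point() * (1.0 - frequency_reduction)
    return scenario.ale_point() - residual - annual_cost


# Constructed scenarios mirroring the 'website, physical perimeter, staff' comparison above.
SCENARIOS = [
    RiskScenario("website compromise", (0.5, 2.0, 6.0), (20_000, 150_000, 900_000)),
    RiskScenario("physical perimeter breach", (0.05, 0.2, 1.0), (5_000, 40_000, 200_000)),
    RiskScenario("staff data mishandling", (0.2, 1.0, 3.0), (10_000, 60_000, 400_000)),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        summary = loss_exceedance_summary(s)
        print(f"{s.name:28s} ALE={s.ale_point():>10,.0f} "
              f"p50={summary['p50']:>10,.0f} p90={summary['p90']:>10,.0f} p99={summary['p99']:>12,.0f}")
    print("Ranked:", rank_by_ale(SCENARIOS))
    # Hypothetical control: cuts website loss frequency by 60% for 50,000 a year.
    print("Net benefit of website control:", control_net_benefit(SCENARIOS[0], 0.6, 50_000))
```

The point estimate is what most people reach for first, but the percentiles are what let you answer "what does a bad year look like?" in the same terms a CFO uses for any other business risk, and the net-benefit figure turns a proposed control into a spending decision rather than a technical plea.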