Security should no longer be 'cementing' the status quo

If your security program is struggling, don't stick with it because it's the way things have always been done. Change can be for the better

When I consider the alarming number of mega data breaches and other security incidents that occur almost daily, and then compare the announced "root causes" and "attack paths used" with the current state-of-the-art defensive strategies, I have come to the conclusion that, unfortunately, security (risk, audit, compliance, and any other assurance function) is more often than not only "cementing" the status quo, that is, the currently used processes or ways of doing business, in a somewhat "secure" fashion.


For example, when POS (point-of-sale) units are in focus, then security professionals start to think / talk about:

  • Network segmentation to keep the POS terminals as much as possible out of the corporate network or other locally connected networks and therefore out of the scope
  • Encryption of cardholder data (Primary Account Number [PAN], cardholder name, expiration date, service code) and of sensitive authentication data (full track data/chip, CAV2/CVC2/CVV2/CID, PINs/PIN blocks)
  • No storage (do not store sensitive authentication data after authorization, even if encrypted)
  • And all of the other 12 major requirements of the Payment Card Industry Security Standards Council (latest versions).
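As an added illustration of the "encryption" and "no storage" bullets above (example code written for this edit, not part of the original column), the following Python sketches the two checks a practitioner would build around them: a sanitizer that drops sensitive authentication data and masks the PAN before a post-authorization record is persisted, and a scanner that finds leaked magstripe track data in logs. The record field names and the log lines are constructed, and masking by truncation stands in for the encryption the bullet names.

```python
import re

# Constructed record schema for this example; field names are not from the article or PCI DSS.
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "chip_data", "cvv2", "pin", "pin_block"}

# ISO 7813 magstripe layouts: track 1 "%B<PAN>^<NAME>^<YYMM>...?", track 2 ";<PAN>=<YYMM>...?".
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}\d*\?")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d*\?")

def luhn_ok(pan: str) -> bool:
    """Mod-10 check that card numbers satisfy; filters random digit runs out of scan hits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (a common display rule); mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def sanitize_for_storage(auth_record: dict) -> dict:
    """Post-authorization record that may be persisted: SAD dropped, PAN masked by truncation."""
    stored = {k: v for k, v in auth_record.items() if k not in SENSITIVE_AUTH_FIELDS}
    if "pan" in stored:
        stored["pan"] = mask_pan(stored["pan"])
    return stored

def find_sad_in_text(text: str) -> list:
    """Scan free text (application logs, crash dumps) for track data that should never be written."""
    hits = []
    for name, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            pan = re.search(r"\d{13,19}", m.group(0)).group(0)
            if luhn_ok(pan):
                hits.append((name, mask_pan(pan)))
    return hits

# Constructed sample: one log line that leaked track 2 data and one Luhn-invalid look-alike.
SAMPLE_LOG = (
    "2014-03-01 12:00:01 POS07 auth ok ;4111111111111111=25121010000000000000?\n"
    "2014-03-01 12:00:02 POS07 debug ;1234567890123456=25121010000000000000?\n"
)
```

Running `find_sad_in_text` over real application logs is the cheap way to verify that the "no storage" bullet actually holds, rather than assuming it does.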

Often the security professionals may not get much further, because business leaders don't want to spend the extra money needed to upgrade the infrastructure and so "accept" the risk on behalf of unsuspecting consumers.

So basically what we're dealing with here is that the process of payments using credit cards between the consumer, the merchant, and the bank is not really secure, and both the merchant and banks need to either secure it or risk the consumer's money, data, and reputation (including that of the bank). This is why regulations and laws need to be put in place to protect the rights of the third-party consumer/customer. However, no one seems to think about better processes to perform electronic remote payments.


Another example is in the HIPAA realm with its Privacy and Security Rules, further defined by the HITECH Act, which addresses the handling and (non)disclosure of individuals' "Protected Health Information" (PHI). While the Privacy Rule deals with covered entities, use cases, disclosures, administrative requirements, compliance dates and enforcement penalties, the Security Rule describes the technical and non-technical safeguards that covered entities must install and maintain to secure individuals' "electronic protected health information" (e-PHI) -- note the emphasis: PHI transmitted orally or in writing is not covered!

The Security Rule then makes references to the typical C-I-A (confidentiality, integrity, availability) triad, threats, misuses, impermissible disclosures, and compliance, and then defines risk management (analysis) as the underlying security management approach to administrative safeguards, in addition to workforce training and assigning a security official. Again we have the situation that two (or more) parties deal with data affecting a third party -- the patient/customer -- whose privacy and health information is on the hook if they mess up.

Again, this is the reason why laws and regulations are needed in this space -- but again, it would be great to focus on data avoidance, better processes around healthcare, and more privacy for the patient. Why is their data stored in all kinds of databases instead of on a mobile device with military-grade encryption and a key (access-opening device) that only the patient (customer) controls?

Or look at SOX and SSAE 16 (formerly SAS 70 Type II) regulations; after the global community faced management oversight scandals like Enron, WorldCom and many others, stronger laws and control regimes were put in place. This is another reactive approach: first there is only limited regulation, following the mantra "the free market will fix it"; then big damage (in addition to the direct one) is done to third parties such as the stockholders, owners, or other beneficiaries of the entities whose management has not acted properly or has even committed fraud; and then some reactive measure is put in place, which puts a heavy burden and a lot of inefficient effort on the auditors and others directly involved.


And, to be fair to management -- if you're the CEO / CFO of company XYZ and you now sign a statement each year that is your "go-to-jail if someone in your organization messed up"-card, you still risk a lot regardless of how many controls you have implemented and how much integrity you stand for.

Another great example of a completely wrong approach is the misuse of Social Security Numbers (SSNs) in the United States of America by banks, credit bureaus, insurance companies, doctors, health plans, utilities, and many other entities for either authentication or verification purposes. Why on earth would a government-issued number that is meant for tax and social benefit purposes only be allowed for this kind of use outside its purpose, which only creates the potential for fraud and ID theft?

These are all reactive and ineffective controls. Instead, one should ask: "How can we make sure that processes are designed and built so that they are secure and can't be overwritten or fumbled with by management, IT super-users, or others?" and "How can we control/access/publish the financial parameters of a company (entity) so that they become early-warning / leading indicators, and ensure transparency to all -- so that 'insider trading' and similar threats are not possible by design?"

We should create systems and processes where every change is 100% detected, tracked, and managed (accounted for), so that misuse, fraud, insider trading, etc. are not possible. Insider trading is only possible if there are "insiders" -- anyone with advance knowledge of and access to information that others don't have. The moment we create a third-party oversight regime with stringent, transparent, effective and efficient change control mechanisms, we solve the root cause of the common problem, instead of fumbling with symptoms.


And, because we are all human, culture and behavior will always play a big role -- it starts in schools, colleges, universities, and in businesses, non-profits, and entities of all kinds. We need to educate people as to what is ethical, what integrity really means, what a human being is capable of when incentivized (either correctly or incorrectly), and continually develop, build, perform and improve all our behavior. We should also accept the fact that there is always room for improvement, and that cementing the status quo is absolutely not an option. The worst statements, therefore, are these:

  • "This is the way we operate" / "This is our 'modus operandi'" / "We've always done it this way!"
  • "Who are you?" / "Then everyone could come and change it!" / "Who do you think you are?"
  • "Because I want it so!" / "I am the boss!"

Should you be facing one or all of the above sentences, you know what to expect -- and you should definitely defeat them. If you're a leader, you'll influence and change that culture and behavior in your organization over time -- do not give up -- persistence pays off! So I challenge you to not accept the status quo but to instead ask the right questions, come up with new approaches and ideas, develop well-thought-through and well-designed processes, systems, and controls. That will improve security over time so that we can overcome the current crises.

Michael S. Oberlaender, MS, CISSP, CISM, CISA, CRISC, ACSE, GSNA is a subject matter expert on IT and security, and other related subjects. He is the author of C(I)SO - And Now What? and has held positions such as CSO and CISO for several large global companies. You can reach the author via or via LinkedIn.
