Imagine it's the end of 2015 and you're about to read an expose from a fly on the wall at top closed-room board meetings across the enterprise discussing the state of information security. You're excited, right?
Well, why wait? Here's your seat at the table for 2015's most heated board room discussions about information security.
The backdrop: Events to come
Certain characteristic types of painful breaches will drive heated security debates in the board room in 2015. First, there will be high-profile reinfections of organizations infected in 2014; and, there will be first-time high-profile infections of enterprises that significantly increased their information security budgets to avoid what they saw happening to other companies. "Those are two that will create ripple effects and frustration in the board room," says Eric Cole, Senior Fellow, The SANS Institute.
Companies are spending millions of dollars to avoid infection but they're not spending it in the right areas. "If you take any of those big companies that have already been hit, they made these big announcements about spending several million dollars on security to fix the problem. When breaches hit them again next year, that's going to paralyze the organization and the board of directors," says Cole. The same applies to companies spending heavily on security now that see their first massive breach in the new year.
Another gut-wrenching type of breach that will cause boardroom dismay is the theft and display of Intellectual Property (IP) on the Internet. Companies will also publicly discover that hackers have breached them for years and they didn't know it.
"They will suddenly find out that there have been people in their systems for, let's say, a decade and they really hadn't had any secrets in all that time. When that becomes public knowledge, that will create panic in the boardroom," says Ted Demopoulos, certified instructor, The SANS Institute.
The board goes off on the state of information security
In 2015, as a result of these types of events, boards of directors and C-levels will be frustrated because they will have no idea how secure their organization is. "They will be scared but they won't know why because they won't know what questions they should be asking or whether the information they receive is sufficient," says Cole.
"Boards of director will ask, 'how do we know this isn't us already?'," says Demopoulos. How will boards know that someone hasn't already compromised them for years or that someone hasn't already plucked their IP in order to sell it or put it on display for the world to see? And when no one gives them a solid answer, that will be extremely unsettling for the boardroom.
There will be increasingly heated discussions among board members about whether they are wasting the money they are spending on security and why, says Demopoulos; they will ask whether they are spending on the right solutions for security.
The thing that will make board members most livid is when the organization uncovers a breach and no one can tell them when it started. "I think that's going to cause a lot of yelling and shouting, not that they've been breached, not that somebody's been in a critical system with some critical assets of theirs, but they won't know when it happened," says Demopoulos.
In response, board members will continue to seek metrics to measure, then minimize the risks of information security breaches rather than get into the technical details, because they are not technical people. "If you tell them what caused these continued breaches, I don't think many of them will understand the answers," says Cole.
Executives speak the language of dollars, cents, and risk while security experts speak a different language. They don't understand each other. "I've seen CSOs give a 45-minute presentation to the board of directors about security, and five minutes into it, attendees are pulling out their phones, they're doing something else, and the CSO has totally lost the audience because they weren't speaking to them in their language," says Cole.
What should happen
"Most big companies / stores purchased more security products such as next-generation firewalls and state-of-the-art IPSs. My concern is that many of them don't have the proper structure or foundation for security in place," says Cole. Rather than a quick fix with all these products, companies need to first build the proper foundation.
There are four foundational responsibilities that companies must address; these responsibilities include asset identification, configuration management, change control, and data discovery. Many organizations have no idea what someone has plugged into their networks. They don't know how people have configured these assets. They don't manage change, and they don't know where their critical data is located. "If you fail in those four areas, you can spend $50M on security products, and it's not going to help you because the underlying vulnerabilities that create risk are still there," says Cole.
Executives are not going to learn technology, which means technical people need to learn how to speak the executive language. "You need a security officer who is bilingual, who can convert the technology into the business language and present it with business metrics so the executives can make the right decisions about security moving forward," says Cole.
Companies should be looking for CSOs who can report directly to the executive team, people who can speak their language. "Today, most CSOs are buried under the CIO and are technical positions rather than business positions. Their communications never make it up to the executives," says Cole.
Companies need a CIO and CSO with equal footing. "The CIO needs to address uptime availability while the CSO communicates the proper security metrics to the executive team," says Cole.
In addition to bringing on a CSO who can talk to the executives, the board should bring on a board member who understands security. "Three years ago, no one was asking me to be on their board of directors. This year, I've been asked to sit on four boards because they want someone who understands security and can translate it for them," says Cole.
The outcome should be the ability to better contain breaches and minimize damage. "If any of the large retail organizations get breached this coming year, but they catch it in a few days and contain the damage, they will never make the headlines," says Cole.
The issue is not whether someone has breached them, but the degree of damage. "That's what executives miss. Breaches happen all the time that never make it to the news," says Cole.