by Torsten George of Agiliance
On October 13, 2011 the Securities and Exchange Commission (SEC) Division of Corporation Finance released a guidance document that outlines disclosure practices for public companies in light of the most recent spike in cyber security attacks and associated data breaches. The guidance document hints that companies have to pay more attention to assessing the impact of cyber security attacks and their outcomes, especially as it relates to weaknesses in the security posture and preventive measures of the organization.
While it will be interesting to see how this new guidance will influence the interaction between CISOs and their business peers as it relates to securing bigger budgets to address the risk associated with advanced persistent threats (APT), the overarching question is whether the SEC guidance is a sufficient measure to overcome the chasm between compliance and security.
2011 has seen record numbers of cyber security attacks and associated breaches with very public disclosures from Citigroup, the International Monetary Fund, RSA (the security division of EMC), Lockheed Martin, Google, Sony, ADP, and NASDAQ among others. These attacks are just the tip of the iceberg. Government networks, critical infrastructure operators, and the private sector are facing an increasing frequency and sophistication of cyber attacks and breaches of information security -- often with discovery only after the fact.
The 2012 Global State of Information Security Survey, which was conducted by PwC U.S. in conjunction with CIO and CSO magazines, reveals that only 16 percent of respondents believe their organizations are prepared and have security policies that are able to confront an APT. Even General Keith Alexander, head of the U.S. Cyber Command, acknowledges that the Pentagon and intelligence agencies must do more to protect their computer systems and coordinate with private companies to safeguard public networks.
Taking these statistics and statements from leading government and commercial sector security officials into account, the question arises whether the SEC guidance fell short of its objectives and therefore stricter regulations are required to drive a risk- and security-driven approach to IT throughout public and private industry.
It’s well known that the majority of organizations put compliance first, not security. Unfortunately, being compliant does not equate to being secure, since compliance lacks the correlation to risk and is conducted periodically rather than continuously. Thus, only regulations that mandate prioritizing security in the overall picture will really move the needle.
Shawn Henry, the FBI’s executive assistant director, most recently even went beyond talking about regulations when he said that “we can’t tech our way out of the cyber threat” and called for a secure alternate Internet.
Henry’s comments reinforce the importance of protecting the cyber networks that are so much a part of our daily lives due to their interconnectivity, economic impact, and importance for national security. His call for the creation of an alternate Internet and non-anonymous networks would, however, take years and require consensus not just within the U.S., but on a worldwide level.
A determined and collaborative effort driven by the White House, security vendors, industry leaders, and politicians to protect our nation’s critical infrastructure against disruptions and attacks may be a better and faster approach.
So while the SEC guidance is a good step from a government agency, regulations should be considered that put security in the spotlight, as organizations have to overcome the tick-box mentality of traditional compliance mandates. As a result, any consideration of stricter regulations to tackle cyber security threats should mandate the implementation of a proactive information security risk management (ISRM) program and related best practices.
The degradation of core security capabilities described in the PwC survey is illustrated by the fact that organizations’ vulnerability measures are unable to keep up with evolving exploits; this includes perimeter intrusion detection, signature-based malware detection, and antivirus solutions. Often, these security tools operate in a silo-based approach and are not integrated and interconnected to achieve a closed-loop process and continuous monitoring. Another shortcoming lies in the fact that a majority of vulnerability programs lack a risk-based approach, whereby vulnerabilities and associated remediation actions are prioritized based on the risk to the business.
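To make the difference between a tick-box and a risk-based vulnerability program concrete, here is an added illustration that is not part of the original article and not code from Agiliance. It assumes a simple scoring model (scanner severity multiplied by business-assigned asset criticality, amplified when the asset is internet-facing or a public exploit exists) and remediation deadlines tied to that score; the assets, findings and weights are constructed sample data, and the finding labels are placeholders rather than real vulnerability identifiers.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 (lab/test) .. 5 (revenue- or safety-critical), assigned by the business
    internet_facing: bool   # reachable from outside the perimeter


@dataclass(frozen=True)
class Finding:
    finding_id: str         # constructed label, not a real vulnerability identifier
    asset: Asset
    cvss: float             # technical severity 0.0 .. 10.0 as reported by a scanner
    exploit_available: bool # a public exploit or active exploitation has been reported


# Constructed sample scan output: four findings on four assets of very different business value.
DEV_BOX = Asset("dev-test-01", criticality=1, internet_facing=False)
CUST_DB = Asset("customer-db-01", criticality=5, internet_facing=False)
WEB_GW = Asset("public-web-gw", criticality=4, internet_facing=True)
HR_PORTAL = Asset("hr-portal", criticality=3, internet_facing=True)

FINDINGS: List[Finding] = [
    Finding("VULN-A", DEV_BOX, cvss=9.8, exploit_available=False),
    Finding("VULN-B", CUST_DB, cvss=6.5, exploit_available=True),
    Finding("VULN-C", WEB_GW, cvss=7.5, exploit_available=True),
    Finding("VULN-D", HR_PORTAL, cvss=5.0, exploit_available=False),
]


def compliance_order(findings: List[Finding]) -> List[str]:
    """Tick-box ordering: highest scanner score first, business context ignored."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def business_risk(f: Finding) -> float:
    """Assumed scoring model: severity x asset criticality, amplified by exposure and exploitability."""
    exposure = 1.5 if f.asset.internet_facing else 1.0
    exploitability = 1.5 if f.exploit_available else 1.0
    return round(f.cvss * f.asset.criticality * exposure * exploitability, 2)


def risk_order(findings: List[Finding]) -> List[str]:
    """Risk-based ordering: what would hurt the business most comes first."""
    return [f.finding_id for f in sorted(findings, key=business_risk, reverse=True)]


def remediation_sla_days(risk: float) -> int:
    """Assumed remediation tiers driven by the risk score rather than the raw CVSS value."""
    if risk >= 40:
        return 7
    if risk >= 20:
        return 30
    return 90


def remediation_plan(findings: List[Finding]) -> List[Tuple[str, float, int]]:
    """(finding, risk score, days to remediate), highest risk first."""
    ranked = sorted(findings, key=business_risk, reverse=True)
    return [(f.finding_id, business_risk(f), remediation_sla_days(business_risk(f))) for f in ranked]


if __name__ == "__main__":
    print("CVSS-only order:", compliance_order(FINDINGS))
    print("Risk-based order:", risk_order(FINDINGS))
    for finding_id, risk, days in remediation_plan(FINDINGS):
        print(f"{finding_id}: risk {risk:6.2f} -> remediate within {days} days")
```

With this data the CVSS-only list puts the critical-severity finding on a lab box (VULN-A) at the top, while the risk-based list moves the exploitable findings on the public gateway and the customer database (VULN-C, VULN-B) ahead of it and gives them the shortest deadline. The weights here are illustrative; the point is that the ranking input includes asset value and exposure, which a compliance checklist alone does not capture.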
Fortunately, the public, lawmakers, and regulators in Washington D.C. are becoming increasingly better informed as it relates to threats and vulnerabilities of the nation’s critical infrastructure so that further actions are expected in the near future. Until then, private and public organizations should consider the SEC guidance as a wake-up call and overhaul their approach to ISRM to counter cyber attacks and prevent data loss, unauthorized disclosure, and data destruction.
At the same time, they should pursue close collaboration with the U.S. Department of Homeland Security, which has set up a trial program to share cyber threat data with industry players in order to prevent intrusions. By implementing an ISRM program, an organization not only improves its security posture but is also prepared for the stricter regulations related to cyber security threats that are looming in the future.
As vice president of Worldwide Marketing for Agiliance, an independent provider of governance, risk and compliance (GRC) solutions, Torsten George is responsible for driving company growth through branding, public relations, social media, demand generation, go-to-market strategy, and channel marketing activities. Torsten brings more than 17 years of global experience in promoting software and network equipment products to Agiliance.
Prior to joining Agiliance, Torsten was vice president of worldwide marketing at ActivIdentity. Before ActivIdentity, Torsten served nearly six years as chief marketing officer for Digital Link, a leading network communications equipment vendor. Torsten holds a doctorate in Economics, a master of business administration degree in Marketing and Business Strategy, and a bachelor of science degree in Law.