Commentary - In October 2011, the Securities and Exchange Commission (SEC) Division of Corporation Finance released a guidance document that outlines disclosure practices for public companies in light of the recent spike in cyber security attacks and associated data breaches. The guidance signals that companies must pay closer attention to assessing the impact and outcome of cyber security attacks, especially where those attacks expose weaknesses in the organization's security posture and preventive measures.
It will be interesting to see how this guidance influences the interaction between CISOs and their business peers when it comes to securing bigger budgets to address the risk posed by Advanced Persistent Threats (APT). The overarching question, however, is whether the SEC guidance is sufficient to bridge the chasm between compliance and security.
2011 has seen record numbers of cyber security attacks and associated breaches, with very public disclosures from Citigroup, the International Monetary Fund, RSA (The Security Division of EMC), Lockheed Martin, Google, Sony, ADP, and NASDAQ, among many others. These attacks are only the tip of the iceberg. Government networks, critical infrastructure operators, and the private sector face cyber attacks and breaches of information security of increasing frequency and sophistication, and the breach is often discovered only after the fact.
The 2012 Global State of Information Security Survey, conducted by PwC US in conjunction with CIO and CSO magazines among more than 9,600 security executives from 138 countries, reveals that only 16 percent of respondents believe their organizations are prepared, with security policies able to confront an APT.
Even General Keith Alexander, head of the U.S. Cyber Command, acknowledges that the Pentagon and intelligence agencies must do more to protect their computer systems and coordinate with private companies to safeguard public networks.
Taking these statistics and statements from leading government and commercial sector security officials into account, the question arises whether the SEC guidance fell short of its objectives and whether stricter regulations are therefore required to drive a risk- and security-driven approach throughout public and private industry.
It is well known that the majority of organizations put compliance first, not security. Unfortunately, being compliant does not equate to being secure: compliance is not correlated to risk, and it is assessed periodically rather than continuously. Thus, only regulations that mandate prioritizing security in the overall picture will really move the needle.
Shawn Henry, the Federal Bureau of Investigation's executive assistant director, recently went beyond talking about regulations when he said that "we can't tech our way out of the cyber threat" and called for a secure, alternate Internet.
Henry's comments reinforce the importance of protecting the cyber networks that are so much a part of our daily lives because of their interconnectivity, economic impact, and importance for national security. Creating an alternate Internet and non-anonymous networks, however, would take years and would require broad consensus not just within the U.S. but worldwide.
Instead, a determined and collaborative effort driven by the White House, security vendors, industry leaders, and politicians is required to protect our nation's critical infrastructure against disruptions and attacks. So while the SEC guidance is an honorable step from a government agency, regulations should be considered that put security in the spotlight, because organizations have to overcome the tick-box mentality of traditional compliance mandates. Any consideration of stricter regulations to tackle cyber security threats should therefore mandate the implementation of a proactive Information Security Risk Management system and related best practices.
The degradation of core security capabilities described in the 2012 Global State of Information Security Survey is illustrated by the fact that organizations' traditional controls, such as perimeter intrusion detection, signature-based malware detection, and anti-virus solutions, are unable to keep up with evolving exploits. Often, these security tools operate in silos; they are not integrated and interconnected in a way that achieves a closed-loop process and continuous monitoring. Another shortcoming is that the majority of vulnerability programs lack a risk-based approach, in which vulnerabilities and their remediation actions are prioritized by the risk they pose to the business rather than by raw severity alone.
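The risk-based prioritization described above, as an added example that is not code from the article or from Agiliance: it contrasts the severity-only ordering a tick-box program produces (sort by CVSS) with an ordering based on risk to the business, and attaches a remediation deadline to each finding. The scoring weights, SLA tiers, hostnames and finding IDs are all constructed for illustration and would need calibrating to a real environment.

```python
"""Risk-based vulnerability prioritization (added example, not the article's code).

The same CVSS score on an isolated lab box and on an internet-facing payment
system should not receive the same remediation deadline. Weights, SLA tiers,
hosts and finding IDs below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # constructed tracker ID, not a real CVE
    cvss: float             # CVSS base score, 0.0-10.0
    exploit_public: bool    # working exploit code is publicly available
    internet_facing: bool   # reachable from untrusted networks
    asset_criticality: int  # 1 (lab/dev) .. 5 (revenue or safety critical), set by the business


# Remediation SLA in days per risk band (constructed tiers, highest first).
SLA_TIERS = ((75.0, 7), (40.0, 30), (15.0, 90))


def risk_score(f: Finding) -> float:
    """Business risk on a 0-100 scale: likelihood of exploitation x impact.

    Likelihood starts from the CVSS base score, is raised when a public exploit
    exists and lowered for internal-only hosts; impact is the business
    criticality of the asset. Likelihood is capped at 1.0 before scaling.
    """
    likelihood = f.cvss / 10.0
    if f.exploit_public:
        likelihood *= 1.5
    if not f.internet_facing:
        likelihood *= 0.4       # attacker needs a foothold first
    likelihood = min(likelihood, 1.0)
    impact = f.asset_criticality / 5.0
    return round(100.0 * likelihood * impact, 1)


def sla_days(score: float) -> Optional[int]:
    """Map a risk score to a remediation deadline; None means next patch cycle."""
    for threshold, days in SLA_TIERS:
        if score >= threshold:
            return days
    return None


def by_severity(findings: List[Finding]) -> List[str]:
    """Severity-only ordering: hosts sorted by raw CVSS, highest first."""
    return [f.host for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def by_risk(findings: List[Finding]) -> List[Tuple[str, float, Optional[int]]]:
    """Risk-based ordering: (host, risk score, SLA days), highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.host, risk_score(f), sla_days(risk_score(f))) for f in ranked]


# Constructed sample findings: a critical-severity hole on a throwaway dev box
# versus a high-severity, publicly exploitable hole on the payment gateway.
SAMPLE = [
    Finding("dev-box-17", "V-1001", 9.8, False, False, 1),
    Finding("payment-gw-01", "V-1002", 7.5, True, True, 5),
    Finding("hr-db-02", "V-1003", 6.5, False, False, 4),
    Finding("marketing-www", "V-1004", 9.1, True, True, 2),
]

if __name__ == "__main__":
    print("severity-only order:", by_severity(SAMPLE))
    for host, score, days in by_risk(SAMPLE):
        deadline = f"fix within {days} days" if days else "next patch cycle"
        print(f"{host:15} risk={score:5.1f}  {deadline}")
```

Run stand-alone, the severity-only list puts the dev box first because of its 9.8 CVSS, while the risk-based list puts the payment gateway first (risk 100, 7-day SLA) and the dev box last (risk 7.8, next cycle). The point is not the specific weights but that the ordering changes once exposure, exploit availability and asset criticality are part of the calculation.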
Fortunately, the public, lawmakers, and regulators in Washington D.C. are becoming better informed about the threats to and vulnerabilities of the nation's critical infrastructure, so further action can be expected in the near future. Until then, private and public organizations should treat the SEC guidance as a wake-up call and overhaul their approach to Information Security Risk Management to counter cyber attacks and prevent data loss, unauthorized disclosure, and data destruction. At the same time, they should pursue close collaboration with the U.S. Department of Homeland Security, which has set up a trial program to share cyber threat data with industry players in order to prevent intrusions. By implementing an Information Security Risk Management program, an organization not only improves its security posture but is also prepared for the stricter cyber security regulations that are looming.
Torsten George is Vice President Worldwide Marketing at Agiliance