Information Security: What’s Old Is New Again
Cyber attacks with accompanying data breaches have become headline news with increasing frequency. These reports have produced a pervasive state of alarm among corporations, especially those in financial services, as well as across the general public. The attacks are occurring more often and are becoming more costly, in both dollars and reputation, for the targeted companies, and every indication is that the situation will only worsen over time.
Why, one might ask, have the attackers been so successful of late? Have they developed some advanced methods that require defensive capabilities yet to be invented? Are we doomed to have our valuable information pillaged and plundered by criminals? I have read about “Heartbleed” and the Target breach, as well as the JP Morgan and Home Depot breaches, and found that no new security tools or methods would have been required to prevent them. The methods for preventing and defending against cyber attacks are known, and the tools are available and in many cases already installed. So what is the problem? Jamie Dimon of JP Morgan Chase hit the nail on the head when he said that “JP Morgan plans to spend $250 million on digital security annually, but had been losing many of its security staff to other banks over the last year, with others expected to leave soon” (quoted from the New York Times DealBook, October 2, 2014). Although his statement pertains to JP Morgan in particular, it is indicative of the problem corporations face in providing information security in general.
Information Security within corporations has typically been understaffed and underfunded.
Historically it has been extremely difficult for Information Security departments to demonstrate the need and urgency of allocating funds and hiring sufficient staff to fully support the function. It has been a bit like convincing someone to buy an insurance policy against an event that may never occur. Businesses prefer to put their money toward outcomes they can see and measure rather than toward risks that may not materialize. So when it is time to tighten the belt, the Information Security budget is a prime target, and when it is deemed time to down-size or right-size, Information Security staff are likely the first to go.
Two developments in recent years are beginning to change this corporate stance. First, regulations now require corporations to notify customers when they have experienced a data breach. Second, the volume and frequency of successful attacks are on the rise. Together, these have forced corporations into an unwanted limelight, clouding their reputations, costing them customers and inviting the scrutiny of government regulators. I believe this situation will drive a change in perspective toward the need and urgency of information security.
We have come to an unfortunate state of affairs, but it may be the beginning of a new day for information security: one in which adequate staff and funding are provided to enable the development of repeatable processes and controls, as well as the effective use of tools, to build the strong defenses needed to combat the cyber attackers.