I find it rather ironic that after more than a decade of technology convergence and the marrying of physical and logical security, we are still fighting the same battles. Whether it is the corporate sector or critical infrastructure, whether it is IT or physical, security is still treated as a cost center rather than managed as a business risk in far too many places.
When President Obama delivered his State of the Union, security took the spotlight. He unveiled an updated Presidential Directive and an Executive Order (EO) giving government agencies a year to devise a “baseline framework” for cyber security, one that incorporates the peer-based standards and industry best practices already in place in critical infrastructure sectors such as utilities and gas and oil pipelines.
“I think the president threw out a challenge in his address by specifically noting this was a bipartisan issue,” says Lisa J. Sotto, managing partner of the New York office of Hunton & Williams LLP, who also currently serves as Chairperson of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. “He is challenging our legislators to get together on this and move forward.”
Information sharing and cooperative measures to protect public- and private-sector networks are not new, whatever alarm the President now expresses about the cyber security threat facing the nation, so some wonder whether this is just business as usual: more posturing and little impact.
Our world is now a technology quilt that is constantly evolving and continuously connected. Information is the new gold standard, a valuable commodity that requires more than a knee-jerk approach to securing it. The shocking fact is that many major organizations, corporations and government agencies, whose very survival depends on this information currency, are no more sophisticated in managing its protection than the average home PC owner.
For some former practitioners like Jeff Bardin, currently the CTO of Treadstone71 and with more than 25 years’ experience as a CIO, CISO and CSO, the sense is that the administration’s vigor for strengthening cyber security accountability could be doomed before it rolls out. “Being in the security industry for years, we’ve been in this spot before,” he says. “It has always been a struggle to get anything done with respect to security, physical or IT. Upper-level management sees it as just another expense. People don’t act until they have a breach, and then they only act on that breach for a short time because they have short memories.”
Bardin acknowledges that there are plenty of pseudo-standards already on the books, such as GLBA in the banking/financial sector, PCI-DSS for payment cards and NERC CIP for utilities. But he says NERC CIP and PCI-DSS are mere checkpoint-type standards that still do not fully protect their respective environments. “It is not a holistic or enterprise approach to building your security program,” he says. “I see CSOs, CIOs, CEOs and others who will only allow their security and risk groups to build a program based solely on these regulations,” he adds, pointing out that this lets them satisfy the letter of the standard while leaving their organization highly exposed.
Like his physical security counterparts, Bardin complains that organizational culture dictates an enterprise’s level of risk acceptance and, ultimately, its security strategy. He sees flawed reporting structures that create inherent conflicts of interest, such as a CISO reporting to a VP of Infrastructure or to the CIO. In that arrangement, business and operational concerns can override security concerns, which exposes a complete void in enterprise alignment.
“It is a tough place to be when you put security in the IT structure,” Bardin concludes. “IT is no different than many corporate environments. When you treat security as a ‘bolt-on’ after-market piece, it is not a cost-effective approach, nor is it pro-active. We have created a class of cyber janitors and built a cottage industry for cyber response and clean up.”