The Morning After the Equifax Settlement
The recently announced Equifax settlement has stirred up quite a bit of excitement. It is not every day that a large financial organization is forced to pay out such a large sum, but there is actually nothing shocking about the figure of up to $700M. Data breaches are costly. Unfortunately, they are also inevitable. This is not a new fact, but it is one that many cybersecurity leaders have had a tough time accepting. For decades the industry has been obsessed with securing the IT perimeter. The top minds and the fastest-growing start-ups have produced a continuous fare of shiny new technology solutions that promise to outsmart attackers and keep networks safe, but there is no such thing as an impenetrable perimeter. Eventually, a breach will happen. This is the new reality the entire industry is waking up to.
Technology Alone Cannot Save You
Security technology alone cannot save your organization from a data breach. Remember that antiquated idiom, "Behind every successful man is a successful woman"? It is high time we updated it for 2019: "Behind every effective cybersecurity tool is an effective cybersecurity professional." All the cutting-edge, AI-powered, machine-learning security products an organization acquires are only as effective as the humans who deploy and operate them. One of the anecdotes of the Equifax breach is that the cybersecurity team had warned management about the very Apache Struts vulnerability that was eventually exploited, but they were either not listened to or not empowered to take the necessary steps to patch it. In the wake of the Equifax settlement, CISOs need to adjust the balance of their cybersecurity investments to focus a bit less on the perimeter and technology and much more on the people behind them. I like to think of the incident response team as a fire brigade. You need the best equipment, since anything less would be irresponsible, but you also need to train, train, and then train some more. Firefighters spend most of their time learning response procedures, running realistic drills, and developing physical fitness. Your human cyber defenders are no different.
Tough Questions for CISOs
The shift in focus to people, teams, and training is not trivial. To help business leaders understand the need for this transition, I propose starting with a few tough questions every board and chief executive should be asking their CISO, and all CISOs should be asking themselves:
8 Tough Questions for CISOs Following the Equifax Settlement:
Are we certain we are ready for a breach?
Is our SOC team ready to respond to any type of breach?
From the moment a breach is detected, how long does it take to respond and remediate?
Have we run all the necessary exercises?
Have we tested and updated all our incident response playbooks?
Is every member of the SOC team familiar with all the playbooks?
Has every member of our SOC team mastered all the IT and security tools in the SOC?
Are we confident the SOC team will be able to work together to flawlessly execute incident response under the severe pressure of an active breach?
10,000 Hours of Practice?
Malcolm Gladwell claims it takes 10,000 hours of practice to master a skill, but this is unrealistic for SOC analysts, especially the newer members of your team. In fact, most SOC analysts will encounter their first breach on the job. I don't care how impressive their resumes are; nothing can replace hours of practice and real-world experience. You need to see for yourself how your analysts perform under pressure, as individuals and as a team. A CISO needs a realistic way to assess how the SOC will perform when a breach happens and an efficient way to give analysts the experience they will need to perform under pressure. Sorry, Mr. Gladwell, SOC analysts don't have the luxury of 10,000 hours of practice before starting their first shift.
Optimism in the Post-Equifax Settlement Era
Cybersecurity is known for its doom-and-gloom attitude, but I am quite optimistic. The huge data breach settlements are an important development in the economics of cybersecurity, and their effect will be that organizations dramatically rethink the way they assess and reduce risk. Yahoo!, Equifax, and now Capital One all likely had top-of-the-line security products in place, but technology alone was insufficient to reduce the risk and associated cost of a major data breach. Now, organizations will start taking a deeper look at how they recruit and train the human beings who operate the technology, so that the next breach will be neutralized before the damage is done.
Will Equifax Survive this Data Breach and Settlement?
Naturally, many are asking, "Will Equifax survive this costly data breach?" I'm not in the business of speculating, but my response to that question is, "Why not?" Data breaches are now an integral cost of doing business. They are severely unpleasant, yet inevitable. Our job is to make sure our security operations teams are well prepared and to reduce the damage as much as possible. We cannot avoid data breaches, but investing in training can greatly reduce the risk.