Make it stop!: Data breaches
Sharing lessons learned with managers and staff is key to halting breaches, says Lena Smart, CIO, New York Power Authority. Steve Zurier reports.
Lena Smart, CIO, New York Power Authority
If anything, IT security workers may feel that, whatever new risk management program they roll out or security product they deploy, the bar keeps moving higher. Many fear privately that the hackers are winning, and that nation-states, organized crime and amateur hackers out to prove they can reach Defense Department systems or Wall Street bank accounts are impossible to stop. Anyone and everyone can be hacked, and it often happens without the IT staff even knowing about it. Even the harsh 20-year federal prison sentences handed out to TJ Maxx hacker Albert Gonzalez and credit card scammer David Ray Camez haven't proved an effective deterrent.
However bleak it may appear, the tide started to turn with the Target hack in late 2013. The Ponemon Institute reports that after the Target breach, the share of survey respondents reporting that senior management considered data breaches an “extremely high” concern rose to 55 percent, up from just 13 percent.
It also didn't hurt that heads started to roll from the corner offices. Without question, CEOs woke up when they read in the news last year that 35-year company veteran Gregg Steinhafel was forced to resign at Target, and CIO Beth Jacob also lost her position.
Dave Frymier, CISO, Unisys
John Kindervag, analyst, Forrester
Kevin Mandia, SVP and COO, FireEye
Donald “Andy” Purdy, chief security officer, Huawei USA
Lena Smart, VP and CIO, New York Power Authority
Nathan Smolenski, CISO, Zurich North America
And if Target was a wake-up call, the Sony hack late last year pushed cybersecurity into the mainstream: President Obama weighed in on the issue, and even Entertainment Tonight reported on it when Amy Pascal, former co-chairman of Sony Pictures Entertainment, was forced to resign over embarrassing emails the hackers had stolen and exposed.
Only the serious need apply
Much of this publicity, and the press's focus on the next “9-11 event” for the security industry, troubles Lena Smart, vice president and CIO of the New York Power Authority (NYPA). “I really don't respond well when people compare these hacking attacks to 9-11,” she says. While it is regrettable that personal information and credit card data were stolen in these recent incursions, there was no loss of life, she says. “As for security becoming the hot career, while the industry needs people, what we really need are people who are ready to roll up their sleeves and do the hard work. I'm still finding it hard to find qualified people.”
Smart, who worked for more than 11 years as NYPA's CISO before assuming the CIO position, knows what she's talking about. Along with her role at NYPA, Smart serves as the power industry sector chief for the New York State chapter of InfraGard, a partnership between the FBI and the private sector, where she receives briefings on cybersecurity events from the FBI and shares lessons learned with other IT managers and FBI officials.
She says following the Sony hack, she met with top management at NYPA and explained to them that the FBI believed the hack was tied to North Korea and how her security program at NYPA puts the organization in a strong position to withstand an attack.
“I told them we use a combination of data encryption, complex passwords and identity and access management tools that weren't necessarily applied to the same extent at Sony,” Smart says.
NYPA also runs an aggressive security education program. Everyone who enters the organization, whether a new employee on their first day or a visitor or contractor, is trained in IT security. Smart also runs unannounced simulated phishing attacks throughout the year to raise awareness, so staff learn what to look for, and holds “brown bag” lunches with rank-and-file staff where she offers tips on how to spot a suspicious email that may be a phishing attack or carry malware.
“We do videos of these sessions and people who may have missed the presentation are encouraged to watch and learn what's going on,” she says.
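The brown-bag tips above are about reading a message the way a person does: who really sent it, where replies go, where the links point, and how much pressure the text applies. As an added example (my own code, not NYPA's tooling or anything from the article), the same reading expressed as checks that can be run over a mailbox export. The trusted domain (example.com), the confusable-character table and both sample messages are constructed for illustration and are not taken from the page.

```python
"""Heuristic phishing triage over raw RFC 5322 messages (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organisation's own domain
URGENCY_PHRASES = ("immediately", "urgent", "suspended",
                   "within 24 hours", "verify your account")
# Typosquat substitutions that survive a quick glance: rn looks like m, etc.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(addr):
    """Lower-cased domain of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def normalize(name):
    for bad, good in CONFUSABLES:
        name = name.replace(bad, good)
    return name


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if domain is outside the trusted set but imitates a member of it."""
    if not domain or is_trusted(domain):
        return False
    apex = ".".join(domain.split(".")[-2:])
    for trusted in TRUSTED_DOMAINS:
        base = trusted.split(".")[0]
        if trusted in domain:                              # example.com.evil.net
            return True
        if base in re.split(r"[.-]", domain):              # example-com.net
            return True
        if edit_distance(normalize(apex), trusted) <= 1:   # exarnple.com, examp1e.com
            return True
    return False


def phishing_indicators(raw):
    """Return the list of indicators found in one raw message (empty = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)

    # 1. Sender: display name invokes the organisation, address is outside it.
    if not is_trusted(from_dom) and any(
            t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
        findings.append(f"display name '{display}' but sender domain {from_dom}")
    if is_lookalike(from_dom):
        findings.append(f"sender domain {from_dom} imitates a trusted domain")

    # 2. Replies routed away from the apparent sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_dom}")

    # 3. Links whose host imitates the organisation.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if is_lookalike(host):
            findings.append(f"link to lookalike host {host}")

    # 4. Pressure language.
    hits = [p for p in URGENCY_PHRASES if p in text.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages, not real mail.
PHISH = b"""From: "Example Corp IT Help Desk" <helpdesk@example-com.net>
Reply-To: recover@mailbox-reset.biz
To: staff@example.com
Subject: Action required
Content-Type: text/plain

Your mailbox will be suspended within 24 hours. Verify your account
immediately at https://login.exarnple.com/reset
"""

LEGIT = b"""From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com
Subject: Brown bag slides
Content-Type: text/plain

Slides from today's session: https://intranet.example.com/security/brownbag
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

None of these checks is proof on its own; the value is that several cheap cues fire together on the constructed phish and none fire on the ordinary internal mail, which is exactly the pattern staff are being taught to recognise by eye. The confusable table and the edit-distance threshold of one are deliberately conservative so that an unrelated domain such as sample.com is not flagged.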