There are two types of executives in corporate America: those who rest peacefully at night, and those who are up worrying.
Where do CISOs fit in? Given the current state of network threats, they should be tossing and turning.
It has never been clearer that the bad guys have the advantage these days. Take the last 12 months, for example. Aurora. Stuxnet. WikiLeaks. RSA. Epsilon. Sony.
Advanced, intelligent persistent adversaries are targeting enterprises at an alarming rate, and we are trying to slow them down -- albeit every man for himself.
I like to think of network security as an offensive lineman in football -- in the trenches, doing the dirty work, trying their damnedest to prevent threats from getting to their most valuable assets. When things are going well, and they are blocking these threats, you don't hear about them. It is only when an intruder gets to the quarterback (read: precious data) that their failure is noticed. Unfortunately for Sony, they just allowed a big sack.
But who is to say that you won't be the next linemen to allow a breach, targeted by a network intruder? It is very fashionable to bash Sony for what happened with their recent online network breach -- and those who had personal information stolen have every right to be upset -- but where does finger-pointing ultimately get us in the long run?
When a linemen gives up a sack, do his teammates say, "Thank god that wasn't me?" No, they come together on the next play to fight the threats. Collectively.
I am asking corporate America to do the same.
There needs to be a transformation in our overall outlook. We need to change the rules of the game. Get more blockers on the field. Work together better. Pull together. Share information. Commit to being better security people. Improve the processes. Innovate the technologies. We cannot treat these breaches as individual threats anymore.
Do you really think the bad guys are quitting after a single successful raid of your network? Of course not. They will come back for seconds and thirds, disguised as new threats.
Just last week, five Democratic senators sent a letter to Mary Schapiro, chairwoman of the U.S. Securities and Exchange Commission, asking for a motion to require companies to disclose their cyber intrusions.
What we really need is to follow through and insist on a mandate requiring corporations to share information on network breaches, disclose each foreign fingerprint found on their network, and even establish a federal database to house this collective pool of information. And even this may not be enough, but it certainly is a start.
In February, at the RSA Conference in San Francisco, I witnessed a major step in the right direction. Generals in uniforms and techies in sandals were leaning on each other, working together for one common goal: collectively fighting the bad guys.
We have been individually dealing with these threats for years, but this showing of teamwork was a great sign.
Still, technology alone will not be enough. Call this a rallying cry to the industry. Regardless, it is time to make our push.
It is time for our industry to wake up and join together to take these threats head on.
Well, assuming we ever get to sleep again…
Regards,
Peter G. George, president and CEO, Fidelis Security Systems
