Most information security professionals and their corporate leaders would prefer to keep the cyberattacks experienced by their companies to themselves.
And, they can do this, in many instances. After all, the various compliance mandates to which corporations must adhere deal in personally identifiable information – PII, the stuff of customers, employees or clients.
Where it can get tricky is if a data theft affects large corporate patrons. RSA Security's leaders were compelled to contact these very customer organizations after their breach. Lockheed Martin's management, we learn from this month's cover story, also under no obligation to go public, decided to do just that.
Our main feature also reveals that executives at Lockheed and the likes of Epsilon actually see value in sharing more than just a bit about their experiences. There was a time that the ‘name, rank and serial number' mantra followed by military captives the world over also seemed the main principle guiding the executives of breached companies. Indeed, this code still is followed by many a compromised company if there's no regulatory obligation to report.Take Sony, for example, which angered many a consumer when it took a week to disclose news of the PlayStation gaming network hack that exposed the PII of more than 100 million customers worldwide. Its CEO Howard Stringer then took about two weeks to apologize for the breach.
Still, changes in attitudes seem afoot. This might just be due to what arguably is the most threatening landscape we've seen to date. Breaches have become daily occurrences and the motivations behind them are as changeable as the Dow Jones.
Weirdly, according to a recent NetIQ survey of some 200 IT decision makers, most respondents are confident in their company's IT security solutions' capabilities. Yet, 74 and 72 percent, respectively, have experienced external and internal data thefts. So, it's all good to have funding for security, and even confidence in the investments made with that funding. But, is this enough?
Being a bit more open could help. Learning from one another's failures and successes might just better direct those resources into technologies and appropriate risk management and incident response plans that reflect today's reality. In that reality, ‘name, rank and serial number' retorts don't cut it. Just ask Mr. Stringer.
Illena Armstrong is editor-in-chief of SC Magazine.
