Joel Yonts, the CISO of a Fortune 500 automotive supply company, isn't pleased with many of his peers. Their complacency and timidity around security are widening the chasm between victory and defeat by an ever-growing margin, and simply put, the losses really are piling up.
In security, where the threats evolve on an almost daily basis, most organizations – even ones operating the most proficient networks – seem content with the traditional perimeter-based, compliance-focused approach of battling the enemy, Yonts says. Such block-and-tackle tactics, as they are known among security pros, may work against the so-called low-hanging-fruit threats – things like SQL injections and common trojans – but they hit a brick wall when it comes to dealing with more sophisticated weaponry, like espionage malware.
“I am tired of [hearing], ‘We are defending at the gate and we are winning,’” says Yonts, 40, the CISO since 2006. “No, we're just letting the attackers attack us as many times as they want until they get in.” He blames this inherent defect on an industry where security programs largely have been built by the guidance of audit firms, which place heavy emphasis on meeting compliance mandates, such as Sarbanes-Oxley, and apply a good deal of weight to guarding against the insider threat, often overlooking today's advanced adversary.
Meanwhile, networks are getting owned with regularity by well-funded and well-trained assailants, who use their deep pockets and slick skills to quietly burrow in, establish a foothold and then exfiltrate sensitive data. In many cases, the victim organization doesn't learn about the intrusion for weeks, months, or even years – and even then, it is usually a third party that notifies them.
“They're bleeding data,” Yonts says of the targeted firms. “They can be happy with their compliance scores, but they're bleeding data.” Worst of all, these enterprises are operating under a false sense of security. “They'll totally downplay a compromised PC because the connection between one compromised PC turning into data exfiltration is not something people are living with,” he says.
As evidence, Kroll Advisory Solutions' recent report, “HIMSS Analytics Report: Security of Patient Data,” which examined the health care industry in particular, found that despite increasing rates of compliance, the number of organizations reporting breaches jumped from 13 percent in 2008 to 27 percent last year.
It's become a common refrain that compliance doesn't equal security, yet many practitioners remain asleep at the switch. Yonts is not alone in his sullen assessment. Lately, other respected security professionals have publicly announced their disdain for the current state of affairs. Shawn Henry, the FBI's former top cyber cop, got quite a bit of print when, upon announcing his retirement, he took to the media to proclaim that the nation is on the losing end of the war on hackers.
“I don't know that we can ever get ahead of this right now with the current state of architecture and attribution,” says Henry, now president of services at security start-up CrowdStrike.
But Henry and Yonts have a solution – or at least a tactic: Offense.