The Security Model is Broken, Part 6: How To Fix It

Over the past several months, I have been writing about how our security model is broken. This blog is the final in this series, and it focuses on four crucial root causes that must be addressed if we are going to fix our broken security model.

Specifically, we need to invest more money, adhere to basic security hygiene, be cyber threat driven not compliance driven, and last but not least, stop retrofitting cybersecurity and build it into systems and applications.

1 - Board of directors and business executives need to allocate more money for cybersecurity

The one major underlying root cause of why our security model is broken is the lack of resource allocation or, to be more precise, money spent on cybersecurity.

Many indicators point out that more money is being spent on cybersecurity, and that trend is expected to continue for some time. In my opinion, this spending trend is unfortunately a compensation for years of under investment and neglect in our cybersecurity infrastructure. Much like our nation’s infrastructure of bridges and roads, we have delayed investing in cybersecurity until it came back to bite us, as demonstrated by all the cyber breaches we continue to experience.

Security technologies and safeguards that could have been deployed years ago to address many of the threats being exploited today are just starting to get widespread traction. For example: strong authentication, continuous vulnerability monitoring, and pervasive encryption at rest. We must continue to spend more money to secure our cyber IT infrastructure.

More troublesome is that technology (e.g. smart devices, cloud based computing, big data, etc.) and corresponding cyber threats are expanding at an exponential rate while our cybersecurity spending continues to increase at a linear rate.

This means that even more money (and new security safeguards) must be spent for the foreseeable future, and this will require that directors and executives allocate a bigger percentage of the IT budget for cybersecurity.

2 - Implement and adhere to basic cybersecurity hygiene

Our cybersecurity infrastructure continues to be plagued by lapses of not implementing or adhering to basic security practices and standards. Several, if not most, of the well publicized cyber breaches in the last couple of years have been traced to an alert not being responded to, servers not being properly configured, a vulnerability not being patched, or other basic security practice lapses.

This needs to change. Much like airline safety practices, basic cybersecurity practices or standards must be ingrained and unfailingly adhered to. For example, we must implement: cyber safeguards such as granular encryption of personal information at rest and in transit everywhere; second-factor authentication, including system administrators; better privilege-access controls; continuous vulnerability and event monitoring.

Basic cybersecurity diligence is a must! There is no room or reason for lapses anymore.

3 - Organizations must be cyber threat driven not compliance driven

Many organizations still continue to be compliance driven as the major driver for their security practices and safeguards. Often, many organizations will do the minimum necessary to meet regulatory or other industry compliance requirements. For example, several of the financial institutions breached in the last couple of years were PCI compliant, yet they were still breached.

Regulations like HIPAA or industry based security compliance standards like PCI are a baseline addressing known or prevalent past cyber threats. Worse yet, lawyers often interpret regulations and opine on the necessary security controls to meet regulatory requirements, which is the equivalent of CISOs practicing law. Nevertheless, many organizations still fool themselves into thinking that if they are compliant, then they are secure enough or it is good enough.

Regulations and standards lag behind today’s cyber breaches, because regulations and standards are retrospective not prospective. Regulations will never stay abreast or ahead of new technologies and threats. For example, NIST recently issued mobile security draft standards for industry comments, yet there are already millions of mobile devices deployed. Finally, lawyers should have no role in determining the cyber controls needed to meet regulatory compliance; that should be left to the subject matter experts.

Organizations must be cyber threat driven, not compliance driven.

4 - Build in and stop retro-fitting cybersecurity

As I discussed in my Internet of Things blog, smart devices are being sold and deployed, yet the necessary security is often not built into them such as patching capabilities. As a result, discovered vulnerabilities have been difficult to patch, or the patching has been delayed. This is just one example of deploying technology and products without building in the necessary cybersecurity safeguards.

Too often, organizations are driven by competitive, internal cost, and date driven project pressures that result in cutting corners or delaying building cybersecurity safeguards into the technology or the application.

Much like building airplanes, where safety must be built in and tested prior to being used commercially, new technologies and applications must have the necessary cybersecurity built in and tested prior to being deployed.

Build, ship, and fix later is no longer an acceptable business paradigm for cyber systems. Cyber threats are just too great and the result of breaches too severe to make this an acceptable risk.

Conclusion

Fixing our broken security model is not really difficult. We know what needs to be done and we know how to do it.

Fixing our broken security model is not really difficult. We know what needs to be done and we know how to do it.

It will, however, require more resources—money for people, solutions, etc. We must change our mindset that cybersecurity needs to be threat driven not compliance driven. We must ensure that baseline security practices are not negotiable. And we must start deploying new technologies and applications securely from day one.

I hope that 2016 will be the year that we make strides to fix our broken security model.

Happy New Year!