
U.S. Cyber Security: We Have a Long Road Ahead

06/26/2015  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Practice Leader of Risk Services



In January 2015, we celebrated the fact that our profession got more than a passing mention in the President's State of the Union address. However, we are consistently reminded how uninformed most of our country's leaders truly are.

A Lack of Perspective

You've likely heard about the huge Office of Personnel Management breach, which affected between four and 18 million U.S. Government security clearance records. Hackers gained access to sensitive data and roamed systems undetected for many months.

Now that the attack has been discovered and acknowledged, members of the legislative branch are calling for inquiries and demanding answers. A comment from a member of the House Oversight and Government Reform Committee, Rep. Elijah Cummings, Maryland, demonstrates the poor understanding of cyber security that characterizes many government leaders.

Upon hearing that a third-party vendor's security weaknesses may have contributed to the breach, Rep. Cummings said, "If these cyber attackers are able to get on through contractors, that is a huge vulnerability."

Well, yes, Rep. Cummings, it is a vulnerability, but it is not an unknown weakness. Similar stories have been widely reported in the media. Remember the Target breach two years ago? The initial entry point was a third-party vendor. The Home Depot breach from last summer? A third-party vendor's credentials were used to pull it off.

Pervasive Issues

Granted, it is up to cyber security professionals to help business and government leaders grasp the risks. And perhaps it's a bit unfair to expect non-security experts to know as much as we do about the topic of cyber security. But if you are paying attention, it is hard to miss the news reports on the escalating frequency of breaches across private and government sectors. The media has gone to great lengths to report on the manner in which many of those attacks have occurred. And let's face it, shouldn't our government leaders be held to a higher standard? Surely when it comes to questions of national security, they should be among the most informed citizens.

In fact, the lack of understanding of the frequency, nature, and volume of cyber security challenges facing any entity with sensitive data in the cloud is an issue that pervades not only the U.S. government, but many U.S. businesses as well.

Data Security Based on Business Risk

While it is the obligation of a responsible leader to understand the risks facing their organization, the duty of properly identifying, measuring, and articulating those risks falls to the information security teams. And many of us within the information security field struggle to find the most effective way to communicate these issues — or even to find the opportunity to communicate our recommendations on how best to combat those issues to a relevant audience. An earlier article goes into my thoughts on how a risk-based approach aligns security controls with an organization's risk tolerance.

For now, though, Rep. Cummings' comment underscores the fact that we have a long way to go to effectively address cyber security here in the United States. As more breaches are discovered and disclosed, more questions will be asked. Hopefully along the way, our leaders will develop a deeper understanding of the pressing need for security professionals to develop and implement stronger security processes and protocols. And ultimately our industry will find more support for an information security program's activities.

Check out our free guide, Breach: Network Security Best Practices for Prevention, Detection, and Response, for more information on ensuring the safest network security for your firm.

On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter @lbmcsecurity. Learn more about how our team at LBMC Information Security can help your team armor up with a wide range of network defense services. Contact us today!