The tepid consequences are part of a growing problem. From a corporate governance and accountability perspective, cybersecurity today is being treated like accounting was before the fallout from the Enron scandal inspired the Sarbanes-Oxley Act’s increased standards for corporate disclosures. With the privacy and personal data of hundreds of millions of people at risk, and especially now with the increasing ubiquity of connected devices in our lives, the security of digital assets is too important for that kind of treatment. We need to bolster a culture of responsibility around cybersecurity, combining stronger and more uniform corporate governance with a clearer government commitment to enact better defensive policies.

I have long advocated for this. Cybersecurity won't be taken seriously until companies and CEOs are hit in the pocketbook.
DarkReading - Vulnerability Management: The Most Important Security Issue the CISO Doesn't Own -
The number of attacks like the recent one against Equifax has risen dramatically in the last few years, resulting in the exposure of hundreds of millions of private records. Almost without exception there has been some fundamental flaw related to configuration or patching of systems. This trend will continue without systems designed to automatically identify, patch, and close vulnerabilities in core IT systems that can reduce the chance of human error. We can accomplish this with automation typically found in large operational cloud deployments and the Continuous Delivery (CD)/Continuous Integration (CI) principles of DevOps. These principles are already being used to automatically stop active attacks within the information security community and should now extend to IT operations to improve protections and stop the bad guys from getting in at all.

The problem with this approach is it assumes an organization is mature enough to implement DevOps. The major mistake I have seen in vulnerability management programs is a lack of follow-up. Servers are "patched" but the required restart is never executed so the patch is never really applied. This can be avoided if a second person validates the work.
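An added illustration of the follow-up check described above (example code, not from the DarkReading piece or this site): it treats a patch as applied only when the running kernel matches the installed one and the host has actually booted since the install time. The inventory format, field names and host names are assumptions constructed for the example.

```python
"""Flag hosts that are 'patched' on paper but have not applied the patch:
a reboot-required update installed after the last boot is not in effect."""
from datetime import datetime, timezone

# Constructed sample inventory, in a format assumed for this example,
# as a patch-management agent might report it.
INVENTORY = [
    {"host": "web-01", "last_boot": "2017-09-10T02:00:00Z",
     "patch_installed": "2017-09-12T14:30:00Z", "reboot_required": True,
     "running_kernel": "4.4.0-87", "installed_kernel": "4.4.0-93"},
    {"host": "web-02", "last_boot": "2017-09-13T01:00:00Z",
     "patch_installed": "2017-09-12T14:30:00Z", "reboot_required": True,
     "running_kernel": "4.4.0-93", "installed_kernel": "4.4.0-93"},
    {"host": "db-01", "last_boot": "2017-08-01T00:00:00Z",
     "patch_installed": "2017-09-12T14:30:00Z", "reboot_required": False,
     "running_kernel": "4.4.0-87", "installed_kernel": "4.4.0-87"},
]


def _ts(value):
    """Parse the agent's UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def patch_effective(rec):
    """Return (effective, reason). Installed is not the same as applied: the
    running kernel must match the installed one, and a reboot-required patch
    only counts once the host has booted after the install time."""
    if rec["running_kernel"] != rec["installed_kernel"]:
        return False, "running kernel %s differs from installed %s" % (
            rec["running_kernel"], rec["installed_kernel"])
    if rec["reboot_required"] and _ts(rec["last_boot"]) < _ts(rec["patch_installed"]):
        return False, "reboot-required patch installed after last boot"
    return True, "ok"


def pending_restarts(inventory):
    """The second-person validation step, automated: map every host still
    running old code despite being marked patched to the reason it was flagged."""
    flagged = {}
    for rec in inventory:
        effective, reason = patch_effective(rec)
        if not effective:
            flagged[rec["host"]] = reason
    return flagged


if __name__ == "__main__":
    for host, reason in pending_restarts(INVENTORY).items():
        print("%s: NOT APPLIED (%s)" % (host, reason))
```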
Cisco - Incident Response: Are you ready? -
Security professionals experience “what if” scenarios every day as well: what if we experience a data breach? If my organization suffers loss from a breach, what happens to the business down the road? Unlike my scenarios, the likelihood of the breach occurring is very high and you may not even know it has happened. According to industry reports, it can take organizations more than 100 days to discover security incidents within their own environments. And due to resource constraints, nearly half of these incidents are never even investigated.
Think about that. Attackers lurking within corporate networks for months at a time. They continue to work smarter and faster, only needing to find one vulnerability to get inside a network. Meanwhile, the exploding number of new technologies, devices, and users on enterprise networks makes it unfeasible to block every attack all the time.
An incident response plan is critical for security.