Last week a record number of more than 43,000 participants attended the RSA Conference 2017. Many Onliners attended the event, including Dan Lapierre from our Risk, Security, and Privacy practice. We had a chance to sit down with Dan this week to get his thoughts on the conference.
Is your information security program stuck in the Middle Ages? Are you still just protecting the castle walls, or have you taken a step forward into modern times, where you must assume your outer perimeter will be breached?
Healthcare organizations are notorious for applying minimal security measures, which generally consist of firewall and anti-virus precautions to prevent attackers from penetrating their systems. This is an antiquated method that simply doesn't work. You need to think more strategically and prepare your organization for impending attacks by assuming that your defenses will be breached. In fact, 56% of organizations say it is unlikely or highly unlikely that they would be able to detect a sophisticated attack. On top of that, it takes an average of over 200 days for an organization to simply detect an attack of any severity. Those are some scary stats to consider when people’s personal information is at stake.
The risk landscape continues to evolve with each and every passing day. Yesterday’s secure platform has now become today’s weakest link. Every moment, your organization faces some degree of security risk. The boardroom is ultimately responsible for having an inherent understanding of the various risks to the organization, and is therefore challenged with determining the ideal strategies to address that risk. Once a threat or vulnerability becomes publicly known*, the fuse is lit, and business leaders need to be prepared to make prudent decisions to protect their organizations.
The term A.I. is nothing new; it’s been used in movies and science fiction for decades. In the real world, A.I. has also been used to some degree for decades, but it has really only started to gain serious momentum in the last decade or so.
A.I. is part of an interdisciplinary field known as data science. While there are many different definitions of data science, they all include some combination of the following areas of expertise: artificial intelligence, statistics, and domain knowledge. These skills are used to extract valuable information from vast amounts of data.
Are you a Service Provider or a Merchant?
This is an important question because merchants and service providers are accountable to different entities for their PCI DSS compliance. These entities are the people that will need to know about your (temporarily!) failed status and they will want regular communications from you starting now until you successfully complete your compliance assessment.
Are we ready?
Ready for what? For an incident of course! As I already mentioned in the first part of this series, if some of the world's largest corporations, security vendors, and intelligence agencies have suffered security breaches, the probability that your security program will be the exception is very low. So while you should do everything that is reasonable and prudent to prevent an incident, you should also ensure that you have appropriate processes in place to deal with an incident when, not if, the inevitable occurs.
In part one of this series, we discussed the first of the three questions all CISOs should be prepared to respond to when discussing security with their board or company leadership, "Are we secure?" In this article we will discuss the second question:
Are we compliant?
Compliant with what, you might ask? Well, to start, compliant with your own information security policies! The information security program you have put in place to address the question "Are we secure?" should be articulated in a formal policy document for your company. That policy should specify what controls and measures must be in place across the company in order to protect your company's and your clients' information.
I love being a Chief Information Security Officer (CISO). No other job that I know of provides the challenges that come from balancing an ever-changing mix of legal, regulatory, technology, and business needs, with geopolitics and international threats mixed in as well. However, when it comes to presenting what you do, and how well you are doing it, to the senior leaders of your company, the job ultimately boils down to answering three questions, the first of which is:
Patching – one of the surefire ways to help your organization mitigate the risk of being compromised due to software defects or security weaknesses. As security professionals, we’ve seen the whole gamut when it comes to patching: on one end of the spectrum there are organizations where half or more of their servers haven’t been patched in years, and on the other end there are those that validate build specs and spin up new servers multiple times a day.
In my last blog (which you can read here), I discussed the hacking of Casino Rama and how this may have been caused by something called the Ostrich Effect. To review, the Ostrich Effect occurs when an organization knows they have a security risk but is unable to remediate the threat, often due to the cost and effort required for remediation.