October may be National Cyber Security Awareness Month (NCSAM), but there will be many months to go before anybody can really feel secure about doing business over the Internet. This year's NCSAM, the 11th annual, is sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center.
Yet the attention cyber security is receiving this month is for all the wrong reasons. Security breaches at Target, Home Depot, JP Morgan and Snapchat, among others, reveal a disquieting truth: It's all but impossible to guarantee that online data won't be hacked. So what can be done? And most important, what is the current state of cyber security? SearchNetworking reached out to three top security professionals to gather some insight.
Johna Till Johnson, founder and CEO, Nemertes Research Group Inc.
Johnson shared some of her perceptions of the security industry at a recent meeting with TechTarget editors.
"There is a systemic problem with how we do security in organizations," Johnson said. Security has long been thought of as a technical discipline. But this perspective needs to change.
"With the recent high-profile breaches at Target and JP Morgan, business executives realized two things: first, that it's impossible to make an organization perfectly secure; and second, that the consequences of an information security breach can affect them personally [Target's CEO was forced to resign, as did the retailer's top security executive]." The challenge, Johnson said, is to lower the risk to acceptable levels. "This means information security properly belongs as a branch of overall risk management -- something that organizations are just now beginning to recognize."
Once an enterprise's security perspective changes, it can change the way it does business. "Doing security well becomes a way of doing business better," she said, citing Nemertes' 2014-2015 Enterprise Technology Benchmark research that indicated that 42% of all organizations are beginning to view security as a business enabler. Another 25% said security highly enables innovation.
"We located six key areas in which security typically enables business," Johnson said. "Enabling and empowering employees, B2B and customer-facing initiatives; meeting regulatory requirements; enabling business to occur at all; enabling global expansion; and making it possible to implement Internet of Things and machine-to-machine initiatives."
Michele Chubirka, senior security architect
Chubirka commented on how the changing IT infrastructure is affecting the security vendor industry and, in reference to recent security breaches, why enterprises should have the same security concerns as retail companies.
In a piece written for SearchNetworking, Chubirka said one of the main challenges facing the industry is the lack of a vendor that can provide all the services an enterprise needs to protect its data. "There is no go-to vendor right now and probably won't be. It's the innovator's dilemma. Security needs different products, but established companies have no interest in disrupting their existing economic models.
"With the influx of startups introducing products based upon graphing theory [and] data science, everything is up for grabs. The security industry will be in a state of constant disruption, because attacks are evolving [at a faster rate].
"Traditional products only fulfill compliance objectives, but even that money may begin to decrease as auditors realize most are worthless in actual prevention and limited with detection. The real progress will come from developing talented professionals who understand and can analyze context: people who understand the business, and [who] aren't ego-driven individuals who believe finding a vulnerability makes them smart. Building an application or fixing a vulnerability makes you smart.
"As for the recent spate of retail attacks, I suspect that lawmakers at the state and federal level will be forced to step in soon. These breaches only illuminate how pointless the entire compliance and audit process has become. Most organizations 'game' the audit, instead of actually using Payment Card Industry Data Security Standard requirements as a method to validate their security controls. The cottage industry that has developed around compliance has allowed this to happen."
Jon Oltsik, founder and senior analyst, Enterprise Strategy Group
Oltsik explained his perspective on NCSAM in a recent blog post. While he supports cyber security education and wishes it got more attention in the media, he believes the half-hearted effort shown by the industry isn't worth it.
Oltsik said he hasn't always been cynical about NCSAM, but there are a few things he just does not understand. Pointing to the websites of the leading security vendors, he wrote, "Check out the websites of leading cyber security technology firms like Check Point, Cisco, FireEye, Fortinet, HP, IBM, McAfee, RSA, Symantec or Trend Micro.
"These 10 companies account for billions of dollars in infosec revenue but you'd never know about NCSAM based upon the marketing rhetoric on their sites. If the security vendors don't care, why should anyone else?"
Meanwhile, Oltsik noted that NCSAM's marketing message, "Stop, Think, Connect," doesn't go far enough.
"NCSAM has featured this message (or similar messages) for years … We need wide-ranging programs to educate business leaders, [federal, state and local] legislators, and critical infrastructure providers."
Compared to other major initiatives, such as the publicity generated by the ALS Association's Ice Bucket Challenge, the cyber security industry is hampered because it lacks a primary spokesperson, Oltsik said. Michael Daniel, the nation's cyber security coordinator and special assistant to the president, "should be making the rounds to CNN, Fox News, Good Morning America, etc.," he wrote. "Where is he? Beats me. Come to think of it, can anyone point to a person who represents NCSAM or cyber security in general?"
So what does Oltsik suggest moving forward? "Before next Oct. 1, Washington supporters like the National Cyber Security Alliance need to enlist grassroots participation (and money) from the infosec industry and work with ISC2, SANS, ISACA and others to get security professional organizations more engaged. At the same time, we need our elected officials to increase funding for cyber security programs and take these programs to their constituents. Finally, let's try and get some international participation since there are no borders on the Internet."