Should organisations be embarrassed by security breaches?

Over past months and weeks we have watched a number of digital horror stories (in some cases allegations) flashing across the ether. Many of us will have seen similar, though possibly less publicised, examples happening on a day-to-day basis. “There, but for the grace of God, go I…” is a phrase that I have heard on more than one occasion in recent months.

I must confess this worries me. Management teams should not be relying on luck for their security.

We shake our heads as we see organisations that really should be “on top of their game” apparently falling foul of security problems which should be well within their defensive capability. We look aghast as businesses with household names make what appear to be elementary errors which expose their customers’ personal data to the criminal underworld. We look on sadly as we see senior executives paraded on the media, apologising for embarrassing failures in governance which have compromised customer privacy.

The issue that vexes me is the way we view these breaches. Have corporate boards suddenly lost all interest and accountability? Have we only just started discovering compromises that have been occurring covertly for many years?

I don’t claim to know the whole answer. What I do know is that security is a relative function and that organisations must manage a range of conflicting operational pressures and priorities. As security professionals, we often berate our clients for “not taking security seriously”. Whilst we are often justified in making this assertion, how often do we look at the whole risk picture? It is not just a security breach that will put an organisation out of business, and organisations must find a workable balance between their various imperatives. If information security risk management seeks to be fully integrated with normal operations, it must be a coherent part of this balance, and security professionals must argue the security case in that context.

Looking at many of the organisations with and for whom I am privileged to work, there is a clear, common thread: those who have the greatest practical challenge with information security are also normally those who lack a clear, relevant and timely picture of information security risk at a level where it is going to be effectively managed and resourced. They are also often unable to assess their information security risk in the context of their wider information risk, or to assess relative priorities.

In many cases the plethora of best practice, conflicting priorities and technical complexity exacerbates the problem, as it obscures common operational sense. Security managers and executives alike become reliant on unwieldy security architectures underpinned by short-term technical patches or outdated technical strategies which have been outmanoeuvred by the threat landscape. These complex and unwieldy architectures often obfuscate the real issues and their causes, making a pragmatic solution harder to achieve and coherent priorities harder to manage.

Sometimes it is important to ground our information risk picture. Decision makers must continually ask themselves some simple questions:

  • Does the risk picture I am seeing ring true, and do I understand it?
  • Does it gel with my view of the wider operational context?
  • Can I act on the information I am receiving in a clear, timely and effective manner?

If the answer to any of these is “no”, then the next step is simple: establish an effective and coherent risk picture and ensure it is reviewed regularly. Whilst the step is simple, it does require effort.

As managers, we accept that information risk is increasingly a fact of life, and we manage it. When information security is compromised through lack of resource, this should (normally) be a conscious risk decision by management teams. When organisations do “breach” standards and compliance systems, or identify a breach of security, the incident shouldn’t be a surprise to anyone, even though the actual event may be unexpected. Understanding this difference is vital to the effective management of risk.

Once an incident does occur, rather than reacting in a panic, urged on by baying media and consumers, organisations should be able to change posture in a controlled and practised manner, manage the incident as part of a planned incident response process, and move on, learning and evolving as they go.

This is only possible if organisations have effective management systems in place, and if these management systems are integrated with normal operational structures, and supported from the top down.

Where do we go from here? Before rushing into specifying detailed security architectures, we all need to step back. There is a lesson for all of us.

  • As information security professionals, we must ensure that we understand the operational context of the organisations with whom we are working, and ensure that security management activity and structures are coherent.
  • As management teams or executives, we should clearly understand our information risk pictures, including organisational appetites and tolerances, in the wider context of the business.
  • As consumers and bystanders, we shouldn’t expect a risk-free environment; instead we should embrace risk, applaud effective management and take some responsibility for managing our own risk.

Management teams should not be embarrassed by security breaches – but they should be embarrassed by being unprepared for them.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.
