If you are in the information security industry these days, the events of this year show that the battle against the bad guys is becoming harder and harder to win. Security incidents at big security product and service vendors, huge multinational companies and government agencies throughout the world show that we are still very far from achieving the ideal level of security within our organizations. The question that poses itself is how these incidents can be so frequent when we have so many cutting-edge technologies available to detect and prevent them. Technologies such as IDS/IPS, SIEM, WAF, DLP, EPS and many others that the security industry has produced are capable of at least detecting sophisticated attacks, the attacks that are termed advanced persistent threats. So why are we still seeing huge data leaks and compromises at prestigious companies and military organizations left and right?
Back to the basics
My own humble opinion is that although we have made great strides on the technology side, we are still lacking a lot on the people and process side. I think we need to go back to the age-old formula Security = People + Process + Technology. Security cannot be achieved by relying solely on technology or by treating it as the sole responsibility of IT departments. If we go back and analyze most of the breaches of 2011, we see a trend of targeted attacks against end users via social engineering. I think people are the weakest link in this game and need to be educated, or at least made aware, of the importance of security in their day-to-day activity, such as not opening suspicious emails, as was the case with the RSA employee. We need to invest heavily in user education and awareness and create the appropriate processes to control our information resources.
In order to do that, information security efforts need to be properly governed at the highest level of an organization, so that there is a meaningful security program that protects information assets. I was amazed to hear that a company as big as Sony did not have the position of CIO or CSO. It shows that proper governance of security was not part of Sony. Yet I believe Sony is not the only company in this position; most likely the majority of organizations are still in the mindset that security belongs to IT.
Unfortunately, until companies and organizations wake up, as Sony did, and realize that security needs to be governed at the highest levels, we are going to hear more and more about these breaches in the future.