Consumers will lose trust after a data breach, making it very hard to rebuild afterwards, was the stark warning to the ISACA Ireland conference entitled “GRC2.0: Breaking down the Silos”.
The warning came from Amar Singh, chair of the ISACA security advisory group.
Singh said, “There is no trust in the younger generation.” They crowd source, he asserts, “They follow what Instagram says.”
Singh cited the example of the Target retail group, which fell from the top 20 list of brands worldwide after its data breach (Fraenkl, Brand Index).
Trust and customer confidence will make a difference, said Singh, when 1 million pacemaker wearers drop dead from a new “heartbleed” bug. While this might be an extreme scenario, the point is valid as many commentators from various industries have warned of the potential risks with the Internet of Things (IoT) if security is not improved.
Singh advised companies to “make it personal”, ensuring that consumers are engaged with brands and made to feel that they can trust the brand.
Similarly, Singh said that internally, this is also a valid strategy.
‘Please cycle’
He warned that the “please cycle” for security policy implementation can often fail because those who either do not understand the policy, or feel left out of it, will not approve it.
Posing the question of which department might be the most fruitful in terms of bridge building, he said “show some love to marketing”.
Marketing is one of the biggest IT spenders in organisations today.
They are, and will remain, significant contributors to future breaches, said Singh, because they are self-enabling users of credit-card-bought cloud services and shadow IT who bypass IT departments and, consequently, security policies and measures.
Hence, they are worthy of attention in order to head off issues before they arise.
Speaking to TechPro, Singh was asked if the current security tools are up to the job of mitigating risks, both internal and external. Singh opined that they are commensurate to the task, but only just. However, he said that it was collaboration and cooperation that really needs to be improved.
Similarly strong views were expressed by John Walker, CTO and director, Cytelligence. Walker said that many organisations were focusing on the wrong things when it comes to security and risk, with an over-emphasis on reports and not enough action.
Walker said skills are still low in the area and the focus tended to be on standards and not enough on practical implementations.
Struck off
“If we were medical practitioners, we would be struck off because the patient is dying,” he said.
Citing the UK Waking Shark II cyber-readiness exercise of 2013, Walker said starkly, “I don’t believe that governments or organisations are taking what we call ‘cyber’ seriously.”
Patrick Curry, director, Multinational Alliance for Collaborative Cyber Situational Awareness, talked about intelligence-led security.
Curry highlighted the unprecedented risk that the modern environment poses.
“Today’s Internet is a great place where you can do truly dumb things on an epic scale, very quickly, with little chance of recovery.”
Curry highlighted the insider threat, citing statistics from the SANS Institute that said 65% of IP theft is by insiders. He warned that greater awareness of access and policies is needed to safeguard against this.
“If you don’t know your actors and you don’t know your assets, you don’t have a basis for risk management,” said Curry.
An interesting take on the area of governance, risk and security came from John Linkous, founder and CEO, InterPoint Group.
Linkous highlighted a few character types that can be a source of risk in businesses.
Buccaneer
The first is the “buccaneer”. This character is typically among the ‘money makers’ within the company, which leads to perceptions of a company within a company.
The buccaneer often instils fierce loyalty with immediate staff, often resulting in an ‘us against them’ attitude that can foster such practices as shadow IT usage that bypasses IT.
Another dangerous character is ‘Atlas’. Linkous said that Atlas is often found within the IT ranks and thinks that the world rests on their shoulders. Consequently, they think that perpetual domain admin rights are their fundamental right.
Atlas thinks that they are the only one who can save the world because they are the only one who understands it. Atlas is a knowledge hoarder, in an effort to be indispensable.
These character types must be tackled, warned Linkous, if a successful security policy is to be implemented across organisations.
TechCentral Reporters