by David Lam
I was first drawn to information security because it reminded me of the Mad Magazine Spy Versus Spy series. I liked the idea of being the White Hat spy protecting our organization from being attacked by the insidious Black Hat. I am continually intrigued at how the Black Hat is constantly evolving. However, this relentless evolution that keeps me interested also, sometimes, keeps me up at night. While some basic protections and information security hygiene stay the same throughout the evolution, we information security professionals find it critical to keep pace with those Black Hats by using continual improvement to stay up to date on the latest changes in the information security ecosystem.
Continual improvement is a concept with which we’re all likely familiar—for instance, when we make our New Year’s resolutions; it’s a process for striving to get better at what we do, learn from our mistakes and from changes in the environment around us. To that end, each year my team and I update our Information Security Policies and Standards to reflect what we have learned in the past year and, more importantly, what the information security community has learned.
Lesson #1: The Playbook
One of our greatest lessons from the past year has been the importance of breaking down, into manageable steps, the Information Security Management Program (which is the collective strategy and implementation of securing information). We have found that this “operational playbook” works much like the materials we receive from our CPAs in order to prepare our taxes each year or how a financial audit report helps us know how to improve our financial practices; these guides and reports detail what is needed to achieve success and how to get there.
Your playbook should guide your organization to achieving what we believe are the four objectives of any information security program:
- Be a Hard Target: make it difficult for an attacker to get into your system.
- Be a Resilient Target: be able to recover if you are attacked or have an incident.
- Be Legally Defendable: show that you have implemented protections which are reasonable given the information you store.
- Be Fiscally Sound: ensure your investments are cost-effective and have a positive cost/benefit ratio.
Lesson #2: Disconnect
In our annual revision of our client’s information security programs, we found worrisome trends with our new clients—a disconnect between what executives believe and reality. Some examples include:
Belief:
Executive management believes that information security is being taken care of.
Reality:
After the first assessment, 100% of clients have significant critical findings, typically including multiple systems not being patched at the most urgent level.
Belief:
We have a documented information security policy, so we’re all set.
Reality:
Even clients who have a written information security plan often have significant gaps in those plans because they have not been mapped to appropriate standards and frameworks (e.g., ISO, NIST, etc.). Furthermore, these security documents often don’t address new laws and requirements, such as new enforcement capabilities of the FTC, the Department of Labor’s Best Practices or the three new privacy laws in multiple states, including California.
Belief:
Aren’t those policies for people who are careless with their client’s data?
Reality:
Many clients and their supporting organizations, such as IT vendors, don’t fully understand the information security requirements or questions asked of them, and as a result, they are not in compliance with their responses. These include incorrectly filled out insurance questionnaires, credit card compliance (PCI) and client audit questionnaires.
Belief:
No one would target us with ransomware, so those precautions aren’t necessary.
Reality:
Too many—most—organizations are woefully unprepared for a ransomware attack, as we have seen repeatedly in the news. The guidance from organizations such as CISA are clear, yet just not followed. The problem is, like a tube of toothpaste, once an attacker has squeezed the data out of your systems (and without appropriate backups), there is nothing protecting your data (information assets) from deletion by this malicious attacker.
Lesson #3: Ask an Expert
As we look ahead in this new year, I urge readers to work with appropriate subject matter experts to make sure you are on the right track to protecting your information assets.
(article originally appeared in Los Angeles Business Journal)
See also: David Lam spoke on this subject on a panel at the Los Angeles Business Journal’s Economic Trends 2022 event. You can watch the recording here: https://labusinessjournal.com/EconomicTrends/