What CEOs and CIOs can learn from the Hacking Team data breach incident varies enormously: from realizing that a product you use may not be securing your network to the extent you think it is, to companies buying zero-day vulnerabilities and using exploits to gather data, to hackers breaching that business and getting hold of sensitive information. This knowledge alone shows why information security needs to involve people and processes in addition to the tools you think are protecting your environment and data.
What does this mean for the CEO? It means that they really need to stop looking at risk management as solely an IT problem. It also means they should listen to their CIO when he or she comes to them with suggestions on how to expand security throughout the enterprise. Furthermore, the realization that data security adds to an organization’s bottom line should be quite obvious at this point. The budget that CEOs and the board of directors don’t allocate to data security will come back to haunt their enterprise through incident response efforts after the fact, data breach damages, and possible lawsuits following a hacking incident.
Not only did the Hacking Team data breach reveal possible vulnerabilities in risk management tools, but it also revealed the capabilities of remote control systems: which platforms they can target, what data they can take, how they identify infected devices, and how they spread an infection or protect themselves from detection.
What CIOs should take from the Hacking Team incident is the need to voice their security concerns a lot louder than they have been, even if that means dealing with uncooperative ears. The CEO and board might underestimate the risk management concerns presented to them, but with breach examples such as the Hacking Team and OPM incidents, a CIO has concrete case studies to back up the conversation. Additionally, CIOs need to understand that if they don’t do so and a breach occurs, they will most likely be the fall guy, the person held accountable for the lack of security. Just look at OPM’s CIO, who resigned; and let’s not forget about Target’s CIO.
Hacking Team’s breach won’t be the last to remind businesses of how important information security is to protecting sensitive data and the enterprise. As long as CEOs continue pursuing a non-holistic risk management process, and as long as CIOs don’t try to bring security in that direction, your business will stay vulnerable to a potential breach. It comes down to your security ‘Why’.
How important is it to you that you have taken all the information security measures you knew you could take to avoid a data breach?