The cyber security landscape has changed dramatically in the past couple of years. In particular, attackers now focus on infiltrating corporate networks far more stealthily than in the past, since staying hidden for a long period gives them time to steal highly sensitive data, from intellectual property to sensitive employee data and beyond.
What 2-3 pieces of advice do you have for organizations and agencies who are struggling to protect their data from a breach?
First, today’s executive suite, boardroom, and other senior leadership must understand that cybersecurity is no longer purely an IT issue. Cybersecurity has become one of the greatest business risks facing companies and government agencies alike. Executive leadership is ultimately responsible for the protection of employee and customer data across their entire organization.
For this reason, organizations must not establish networks with single points of failure that provide unfettered access, or “keys to the kingdom,” to critical assets and sensitive data. Enterprises must architect networks with multiple levels of security to protect all levels and classifications of data.
Finally, companies and agencies must understand that breaches are inevitable and therefore must institute effective response and recovery plans with clear processes and roles to communicate across stakeholders, limit data loss, and prevent hackers or malicious insiders from re-entering company networks.
What role does identity play, in your view, in this broader, ever-changing cyber security landscape?
Today, identity is a substantial threat vector as hackers and cyber criminals have shied away from using malware to attack traditional perimeter defenses. Instead, in the majority of intrusions in the last year, we have seen cyber criminals targeting employee and contractor credentials, including system administrator credentials, and then leveraging those legitimate credentials to move freely throughout a network without triggering alarms.
Identity has always been important – but with this shift toward more identity-centric attacks, a sound plan for identity security is critical. Enterprises need to approach identity with a holistic method rooted in what we call the “Five A’s” – Authentication, Authorization, Administration, Analytics and Audit.
You speak to a lot of C-level executives who are increasingly concerned about managing risk. Security is no longer ‘just’ an IT problem. How does your conversation differ depending on your conversation with the CEO vs. the CRO vs. the CIO or CISO?
I believe that we must bridge the gap in conversations on cybersecurity between the CEO, CIO and CISO, and the rest of the C-suite. As I stated earlier, cybersecurity has become one of the greatest business risks to enterprises nationwide.
At The Chertoff Group, we believe that the CEO and the board must own the responsibility of managing cyber risk and look at cyber risk in much the same way they would look at other risks to their business.
When management of cyber risk is done right and through an effective risk management framework, it can prove to be a business enabler, bringing greater efficiencies across the organization, restoring customer and stakeholder trust, and elevating the company for competitive advantage. Helping leaders across an organization understand that enables IT professionals to implement a successful cyber regimen.
How do you apply your learnings from national security to IT security as part of your work today at The Chertoff Group?
The national security and IT security spheres are quickly merging, as seen through recent cyber incidents including the OPM hack, the Edward Snowden disclosures, and the Ukraine blackout. Therefore, much of my experience in government, in terms of disaster preparation, risk management, and incident response, applies to my position as Executive Chairman of The Chertoff Group.
Cyber has become the fifth domain of warfare, after land, sea, air, and space. Cyberattacks pose a significant threat to government agencies and private companies with countries jostling to gain intelligence, military, and economic advantage over one another. Companies face many of the same risks and threat actors as governments do in cyberspace, requiring that they think strategically about their defenses to prevent intrusions and their response plans when breaches occur.
From China’s OPM hack that led to the theft of 20+ million personnel records of federal employees and contractors, to Russia’s takedown of Ukraine’s power grid in an unprecedented hack on critical infrastructure, these IT events have direct effects on national security.
Additionally, because of the difficulty with attribution, countries now often favor cyber actions over conventional ones as they are able to gain an advantage while maintaining plausible deniability.
Editor’s note: The Honorable Michael Chertoff will be a keynote speaker at Navigate ’16. For information on registration and a full schedule, visit: https://navigate.sailpoint.com/