Truth be told, I’ll be very happy to see the back of 2016. For those of us in Information Security it was like being a 60+ year old rock star — there was a high likelihood of sudden death, usually self inflicted, or sometimes caused by the cancerous security culture in which we live.
It all started innocently enough. There we were, worried about HIPAA and PCI and GLBA and all the other typical regulations, and wouldn’t you know it, the FTC made its presence known (check out the LabMD case), and is now vying for the regulatory heavyweight champion of the world title. There is so much overlap in the administrative regulation of security, privacy and consent that any self-respecting CISO must now consider a law degree to sit alongside their CISSP certification.
Then, as the weather warmed up, nation-state theft of our Intellectual Property (IP) started creeping in. Truth be told, this has been happening for a long time — but this was the year that executives started to pay attention to it — particularly in the Higher Education/Research fields. It certainly made for interesting planning and strategy sessions. If I hear one more person quote “there are only two kinds of companies: those that have been hacked and those that don’t know they’ve been hacked”, I will find a way to live in an alternate universe of my own choosing.
Organizationally, and therefore strategically, this created a conundrum, because although the consequences of IP theft are serious in a long term kind of way, they don’t typically involve short term financial penalties, nor do they involve the public shaming that mandatory reporting requires for regulated data. So, our executives (being the good risk managers that they are) care less (not nothing, just less) about these kinds of things than the ever-present regulatory agencies. Worse, those beating the drums about IP theft are unable to point to real cases where IP theft has had a negative impact on a researcher or research grant award. Turns out that Federal Agencies which fund research cannot hold researchers to a higher standard than they hold themselves, and they keep getting breached all the time (How Big Is the US Government Security Problem?)…
And then there was Autumn, when the world started to wake up to the potential of Cyber War, the blending of the virtual world and the physical world, and the likelihood that this is no longer about corporate data, but seriously about life and death. This really started with the 2015 hack on Ukraine’s power grids, took a short detour with a DDoS attack using “Internet of Things” devices to target Twitter and others, and arguably continues with allegations of Russian interference in the US elections. Unfortunately, our energy and political sectors are less prepared than some to respond to such attacks, and our love affair with cloud services will make the impact of future attacks 100 times worse.
For a CISO, the scope of our roles just got infinitely bigger. Not only are we now responsible for our respective organizations; we are also a soldier in the national and homeland security agenda, drafted while we were looking the other way into a conflict where the adversaries are unidentifiable and our weapons are outdated as soon as they are in our hands.
And so, we enter the Winter holiday season trying to work out what happened in 2016, and hoping really, really hard that 2017 will be better.
But you know, despite all this gloom and doom, there have been bright spots throughout the year. Some black-hat hackers have been indicted for their crimes, and some have even been sentenced. But this is not what I’m talking about. I’m talking about the individuals who take Information Security seriously — not because it’s their job, but because they know they have a responsibility to ensure information is protected. It’s the person who reports a phish, even though it is probably a real email. It’s the employee who sees that the person who shoulder-surfs through security is stopped before they can go any further. It’s the middle manager who ensures that their servers are refreshed while they are still covered by security warranties. It’s the project manager who makes certain that the system gets a security assessment before the go-live date. It’s the purchasing officer who ensures the contract language satisfies the organization’s security control requirements. It’s the trash collector who makes sure the papers make it to the shredder, not the trash can. It’s the hundreds of people who attend security training, not because they have to, but because it’s the right thing to do. It’s the many college students who decide that Security is a profession that is worth pursuing. The list goes on and on.
So, Happy New Year to everyone. I hope 2017 will be the year that we collectively manage cyber security risks, and that we can go back to thinking that the answer to the meaning of life is as simple as Douglas Adams would have us believe.