CIO Only Until the Next Data Breach
By Bob Fecteau, CIO, SAIC
Today’s chief information officers (CIOs) operate in digital environments that are riddled with cyber threats, and they face a daunting new reality: The next cyber-attack against their company, and the public’s reaction to it, could make or break their careers.
Hype versus Reality: Cyber security is no doubt a significant global challenge, but I question whether we are expecting too much from our IT professionals and are not properly supporting them. With the public moving toward a zero-fault position, cybersecurity has become an overwhelming focus for CIOs– and increasingly for chief executive officers, chief finance officers, boards of directors, and shareholders. A view is emerging that protecting a company’s data from intrusions, breaches, and viruses falls squarely on the CIO and his or her team. Nothing could be further from the truth. It is a total team effort that must become part of an organization’s DNA.
During the recent cyber-attack against the U.S. government’s Office of Personnel Management’s data systems, the public criticized OPM for compromising the data of millions of active and former government, military, and contractor personnel. Critics were quick to point fingers, but failed to recognize the challenges associated with securing this type of data in an increasingly complex digital world.
As the House Oversight Committee grilled OPM Director Ms. Katherine Archuleta over exactly how many records were compromised (ranging between 14 million to 20 million), the complexity of the challenge was missed. The truth is, it does not matter how many records are compromised. A single record breached is too many and CIOs work diligently every day to ensure data is as secure as possible.
"Security professionals must also be true experts in all aspects of the corporate network, connections, systems, interfaces, data stores"
The focus should not have been on numbers, but how the breach was dealt with. When security is compromised, CIOs and their teams have to act fast, smart and decisively with prepared and tested remediation plans that safeguard those affected, ensure a resolution, and protect other areas that could also be vulnerable to the now known threat. Leaders at all levels must know these plans and procedures and be ready to execute them in these situations. Ms. Archuleta, who had held her post for 17 months, was not able to do that. Demands for her resignation came quickly, demonstrating how vulnerable leaders are to a cyber-event.
Perfect Storm: Unfortunately, no matter what Archuleta did or how much taxpayer money she dedicated to securing OPM data, she may not have been able to prevent the attacks on these systems. Anything short of disconnecting the systems from outside networks would not have prevented this attack by a sophisticated adversary. The OPM breach occurred over a period of more than a year before it was discovered. If this attack was state-sponsored, as has been alleged, the chances of initial detection a year ago may not have been possible given the state of sensor technology and signature recognition at the time. In this case, some of OPM’s legacy systems are so old that just keeping them patched and operational requires constant and costly attention.
The sophistication of today’s attacks and the ability of an advanced threat to establish foothold operations in almost any network via web-injected agents, Trojans, advanced malware, tailored phishing events, or attacking insufficient IT practices on aged infrastructures all provide a virtual open door to a determined foe. In OPM’s case, the threat that caused the data breach could have been injected well before Archuleta was even considered to lead the agency and lay dormant until the adversary decided to activate it. It is further compounded by the need to have a very open network to ensure the broadest access to the agency by the public they serve.
Complex and Constrained: CIOs, chief information security officers (CISOs), and corporate leaders face the complex task of understanding every system, computer, and connection point, and then knowing what each one is supposed to be doing in a network. This knowledge must occur in a new normal that includes sensors that regularly spew out huge volumes of false positive data. Coupled with declining budgets, this creates a perfect storm of complexity and challenges.
The complexity of corporate networks, which often merge new systems with legacy applications, presents additional challenges to CIOs and CISOs who are trying to secure their enterprises. It is no longer sufficient for large corporations or government entities to put up firewalls, run anti-virus protection, and keep systems patched. Security professionals must also be true experts in all aspects of the corporate network, connections, systems, interfaces, data stores, where key information is stored, what and where backups are held, and where the company should communicate and where it should not. The need to connect people globally via networks, in a fluid and seamless manner 24/7 with no outages or interruptions, further complicates the problem. Restricting users, increasing security steps, and adding more procedures run counter to efficiently connecting the business.
Talent Challenge: One of the biggest issues CIOs face is finding talented people who can understand the entire network and make smart decisions when a threat is detected. Attaining the needed level of awareness takes time, talent and dedication by a highly integrated security team that is capable of synchronizing internal and external threat information, translating those sources into the environments they are attempting to secure in actionable ways. This is all happening within a very competitive market, where much of the best talent is being scooped up to work in software startups and development houses and in the end are not practicing security of institutions, systems and networks.
A Call for Leadership: After seeing what happened to the director of OPM, as well as executives at Target, Sony and other companies after a data breach occurred, I fear the current environment will have a terrible impact on the future of the cyber-security profession. Talented people who are dedicated and committed to security operations do not want to have their work and efforts maligned in the public eye.
Within the government, there are individuals who are working very hard every day to secure these data environments. I know them to be highly dedicated and committed professionals striving to do their very best despite facing a very challenging threat as well as a financially constrained environment.
If the trend continues where we publicly attack the best efforts and intentions of our people, it will become even harder to hire and keep cyber-security professionals willing to do this essential job. I believe the role of leadership in an organization is to provide support to these leaders and their teams by creating an environment where they can thrive and ultimately master their craft in a non-threatening, growth-oriented environment.
In many cases, their skills are unique and they are doing jobs that most people are unable to do to keep the rest of us safe. They have my highest respect for their dedication and service to the nation and we must strive to ensure they continue to be valued.