Security and compliance may seem like abstract arts, desk-based and cerebral. To a point, they are, but the reality is that senior security managers are guarding the enterprise’s most valuable information assets against some of the worst that humanity has to offer: world class criminals with massive financial backing, entire foreign armies and psychopaths who code. It’s a stressful, high-stakes job.
IDC asked security managers “What keeps you up at night?” The answers they got, shown in the figure, depict just how big the security and compliance management challenges have gotten in 2015. In this article, we’re going to compare the calming “Don’t lose any sleep over it” take on these issues versus the scary “gotchas” that can still creep up even when you’re doing the best.
Am I going to get breached?
- Don’t lose any sleep over it. It may happen, but you’re ready. In fact, a breach is likely, but it won’t be the end of you. You have intrusion detection in place. You have sophisticated countermeasures and controls. You might lose sleep during a breach but you can rest easy now.
- Gotcha! You’re not going to believe this but there is a very good chance you’ve already been breached… for years! Writing in InfoWorld, Roger Grimes stated that he works with many companies that have had multiple criminal gangs active inside their networks for up to 8 years. It’s entirely possible that hackers have been reading your senior management team’s most sensitive emails and looking at their files at their leisure. They’re using your firewall’s SSL/TLS port 443 and your own AES (military-grade) encryption to exfiltrate data that you can’t even read right out of your perimeter.
Am I meeting the latest regulatory requirements? Will I pass an audit?
- Don’t lose any sleep over it. If you do the work, you’ll be okay. Even PCI, which affects businesses that take credit cards, can be tackled with a serious organizational effort and hiring the right advisory firms to guide the compliance process.
- Gotcha! PCI can be a major time sink and hassle. You have to make sure that you’re compliant across application hosting, managed firewalls, log management, data at rest encryption and more. A PCI audit can eat your schedule if you let it. Working with the right partners can help spare you this experience, however.
Is my brand at risk?
- Don’t lose any sleep over it. Your brand is as protected as your preparation for a serious incident. It’s all about how you respond to a security threat. Brands have long lives and are able to recover from damaging events. You still shop at that place, don’t you? And the other one? And that one?
- Gotcha! Let’s get real for a minute. Brands do recover over time, but serious security and compliance problems are going to affect the brand during quarters where you’re looking to earn a performance-based bonus. Your stock price can tank, too. But, it’s true that the way an incident is handled will affect the brand impact. Planning and clear communication with customers and partners is absolutely critical.
Do I need cyber insurance? What sort of policy? What the cost?
- Don’t lose any sleep over it. Yes, you can and should buy cyber insurance. In keeping with the best practice of information security, mitigate as many risks as you can through countermeasures but insure for residual risk. The policies are pricy but they are worth it.
- Gotcha! It’s insurance… all policies have exclusions. You really need to understand what you’re buying. According to Kevin M. LaCroix, an attorney and expert on management liability, notable exclusions in cyber coverage include damages for bodily injury, property damage, employment-related claims, ERISA Act exposures, acts of war, fraud, patent infringement and mechanical breakdowns. Thus, if you get hacked and fraud or ERISA Act violations result from the breach, for instance, you’re not going to be covered. Or, if you’re attacked by a foreign army’s cyber warfare unit during an actual war, you’re not covered.
Am I personally liable should something happen to the company?
- Don’t lose any sleep over it. You have multiple layers of protection against personal liability if there is a security or compliance incident that affects your company. For one thing, it’s a corporation, so you’re covered by the “corporate veil.” You’re probably covered by Directors and Officers (D&O) insurance. And, they won’t throw you under any buses as long as you do your job.
- Gotcha! It’s not so simple. While a CISO going to jail is a pretty unlikely outcome of a security incident, there is still a risk that you will have to go through the nightmare of facing personal liability. George Moraetes, Chief Information Security Officer of Security of Security Minders, warns that there are a number of scenarios where a security executive can face criminal prosecution or personal civil liability for a security or compliance lapse. For example, if a security manager at a healthcare company divulged some personal health information about a client to his or her spouse, and the spouse disclosed it to others, the executive could be personally liable for a multi-million dollar HIPAA violation. The CISO can also get sued by shareholders who believe that their investment was harmed by action or inaction on the part of the CISO, as happened with the case of Palkon v. Holmes, No. 14-cv-01234 (D.N.J.). In this case, a shareholder of Wyndham Worldwide Corporation sued the company’s directors and senior officers, alleging that a failure to implement effective security policies resulted in the theft of customers’ personal financial data.
For each “gotcha,” CenturyLink offers a combination of technologies and consulting guidance that takes you closer toward complete risk management. To speak with a CenturyLink security expert, please contact us.