According to a report released by Reuters in May 2014, a number of large corporations, such as Pepsi and JPMorgan Chase & Co., are on the hunt for new chief information security officers (CISOs) in a bid to bolster their security practices. What this reflects is a greater awareness of security and its importance at the executive level of business.
CISOs, and chief cybersecurity officers, are immersed in the security of their technology, both for employer and client, but their roles and responsibilities are becoming more pronounced and imperative in the eyes of the general public, not just among the security community.
"Five years ago, information security barely cracked the top 10 concerns of boards. A year ago, it was No.2. Interestingly it’s now data security and not just information security," says David Boehmer, regional managing partner at recruitment firm Heidrick & Struggles, in a YouTube video produced by the company.
What a CISO Does

The role of a CISO can be quite broad, and they often find themselves wearing many different hats. The job involves everything from internal security, such as managing the security of intellectual property, to being responsible for customer security.
"I also do work with our product team and engineering team to implement features in the product that might be interesting to security buyers," says Joan Pepin, CISO at Sumo Logic.
While the Target breach last year certainly got a lot of people talking, Pepin explains that she wasn’t all that surprised - and neither was most of the security community. That’s not to say the security community hasn’t had its "watershed moments" though, where everyone needed to reinforce their work moving forward.
The RSA breach in 2011, in which attackers compromised the information security company's servers and stole data relating to its SecurID authentication tokens, which were used to protect access to sensitive government and corporate systems, had many security professionals abuzz. How could a security company fall prey to hackers like that? Only two years later, that concern would shift to a target that had previously flown under the radar: retail customers. Attacks like those seen at Target and Neiman Marcus shifted attention to security for the everyday customer.
"Clearly when you have a massive retail operation with thousands and thousands of employees, all of these different sites, point-of-sale machines, that is the very poorest kind of system and the fact that those types of attacks did not happen on that type of scale sooner is actually a bit of a surprise to me," Pepin said.
The issue stems from security being seen as a box for companies to tick and then leave alone, rather than an aspect of the business that is policed continuously. That is not to say attackers succeed only because defenders are lax; cybercriminals are becoming increasingly skilled.
"[Target] was a pretty sophisticated breach, [the attackers were] able to impersonate the BMC agent, and those types of stealthy things. To engage in lateral movements throughout the Target network was pretty clever," Pepin said.
"I don’t want to take away from that but in terms of difficulty in target, no pun intended, I would never place any retail chain on a list of hard targets. Security companies are hard targets, the government is a hard target. Some retail chain whose business is selling socks, I wouldn’t expect them to be a super secure shop."
The Landscape for Security Professionals

In June 2014, Target hired its first CISO, Brad Maiorino, a former General Motors executive who will be overseeing an overhaul of the company’s security practices.
Businesses, regardless of their field or their size, will need to take note and raise their security game in response to ever-growing threats: greater awareness of what is happening on their networks, and more authority for the people who must act on potential breaches.
"It was clear ... in the Target case that alerts were generated that no one responded to and that, in my experience coming from managed security, is extremely typical," Pepin said.
"The best intrusion detection system in the world still has a very high false positive rate and so security responders are basically trained by their systems to ignore their systems. There is a technological human interaction gap there, where first responders become numb to the thousands of alerts that they get that are garbage. In the case of Target, there were some signs that were not followed up on that could have helped minimize the impact much sooner."
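One practical answer to the alert-fatigue problem Pepin describes is to stop handing responders a flat stream of individual detections and instead escalate only what is corroborated: a high-severity rule, or several distinct rules firing on the same host inside a short window, while the remaining volume is queued per rule so it is still visible. The following is an added illustration written for this article, not code from Sumo Logic, Target or any product mentioned here; the alert lines, host names and rule names are constructed for the example, and the `key=value` line format, 15-minute window and three-distinct-rules threshold are assumptions chosen for illustration.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    rule: str
    severity: str  # "low", "medium" or "high"


# Constructed sample alert lines (not from the article or any real SIEM).
# One low-value rule fires across many hosts, one host accumulates several
# distinct detections within a few minutes, and one host raises a single
# high-severity alert.
SAMPLE_LOG = """\
2013-11-30T02:00:01 host=pos-0101 rule=av_signature_stale severity=low
2013-11-30T02:00:02 host=pos-0102 rule=av_signature_stale severity=low
2013-11-30T02:00:03 host=pos-0103 rule=av_signature_stale severity=low
2013-11-30T02:00:04 host=pos-0104 rule=av_signature_stale severity=low
2013-11-30T02:10:00 host=pos-0412 rule=unsigned_binary_exec severity=medium
2013-11-30T02:11:30 host=pos-0412 rule=new_service_installed severity=medium
2013-11-30T02:13:45 host=pos-0412 rule=smb_outbound_to_internal_share severity=low
2013-11-30T02:14:10 host=pos-0412 rule=av_signature_stale severity=low
2013-11-30T03:05:00 host=dc-01 rule=domain_admin_added severity=high
2013-11-30T09:30:00 host=pos-0777 rule=unsigned_binary_exec severity=medium
"""


def parse_alerts(text: str) -> list[Alert]:
    """Parse '<iso-timestamp> key=value ...' lines into Alert records."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        alerts.append(Alert(datetime.fromisoformat(ts_str),
                            kv["host"], kv["rule"], kv["severity"]))
    return alerts


def triage(alerts: list[Alert],
           window: timedelta = timedelta(minutes=15),
           min_distinct_rules: int = 3) -> dict:
    """Split alerts into escalations (worth a human now) and queued noise.

    Escalate when a 'high' severity rule fires, or when one host accumulates
    at least `min_distinct_rules` different rules inside `window`. Everything
    else is counted per rule so its volume stays visible without paging anyone.
    """
    escalations = []
    queued: dict[str, int] = defaultdict(int)
    by_host: dict[str, list[Alert]] = defaultdict(list)

    for a in alerts:
        if a.severity == "high":
            escalations.append({"host": a.host,
                                "reason": "high-severity rule",
                                "rules": [a.rule]})
        else:
            by_host[a.host].append(a)

    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a.ts)
        escalated = False
        # Sliding window: distinct rules seen from each alert forward in time.
        for i, start in enumerate(host_alerts):
            rules = {a.rule for a in host_alerts[i:] if a.ts - start.ts <= window}
            if len(rules) >= min_distinct_rules:
                escalations.append({"host": host,
                                    "reason": "correlated activity",
                                    "rules": sorted(rules)})
                escalated = True
                break
        if not escalated:
            for a in host_alerts:
                queued[a.rule] += 1

    return {"escalations": escalations, "queued": dict(queued)}


if __name__ == "__main__":
    for item in triage(parse_alerts(SAMPLE_LOG))["escalations"]:
        print(f"ESCALATE {item['host']}: {item['reason']} {item['rules']}")
```

On the constructed input this escalates two items (the domain-admin change on dc-01 and the chain of four distinct detections on pos-0412) and queues five alerts under two rules; the responder sees two things to look at instead of ten. The thresholds are deliberately simple; the point is that correlation across distinct signals, not raw alert count, is what separates the signs Pepin says were "not followed up on" from the thousands of alerts "that are garbage".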
As is often the case, a security professional cannot immediately act on an issue because they need clearance or approval from someone else higher up in the hierarchy. This needs to change, Pepin says, explaining that a company’s security team must have more autonomy and authority to take the initiative.
"I feel that it’s still a governance issue in that chief information security officers should not be reporting to CIOs," says Tom Kellermann, chief cybersecurity officer at Trend Micro. "They should be reporting to the chief risk officer or to the CEO directly." This cuts out many of the middlemen and ensures a faster response time to potential emergencies.
Pepin agrees that security professionals should "report right to the top" in their company. "I am fortunate enough that I report to our CEO. That works very well and that is something I would really recommend for any organization that takes its security seriously."
Other Budgets and Security for SMEs

Hiring a CISO and expanding your security team is all well and good if you have the budget, but what about smaller companies? While an attack on a small chain or your local hardware store won’t reap the same benefits for hackers as hitting a Target or Neiman Marcus, it’s still unwise to leave yourself vulnerable in any way. So what can you do to mitigate the risk of attack? Pepin strongly recommends hiring the services of an incident response contractor or consultant.
"In the event that you are attacked, you have someone you can call, so you don’t have to open up Google and start looking," she said.
This makes more economic sense for a smaller company, she explains, because the business pays for the service only when it is needed. These firms are also highly specialized in picking up where your own staff leaves off.
"You can have a fantastic team for triaging, understanding that you’re under attack but that’s not exactly the same set of skills needed to respond to that attack, to route them out of your network and to collect the evidence in a way that can be used in a court of law."
Companies have many resources at their disposal to combat cybercrime. Recent history suggests another big attack is just around the corner.