Protection, Detection, Response
If you own a business and believe that all of your cyber-crime threats are covered, I submit that you are sorely misinformed. Even the war-games scenario groups at large international banks -- groups that predict and test attack scenarios for the bank before they happen -- admit that not every threat is covered; at least these large banks are actively and proactively looking at threats and working hard to figure out what's next and how to preempt the next attack. But what about the mid-market and SMB companies? Can they do what's necessary on their own?
Traditional firewalls, antivirus, anti-spyware and spam protection will not work. David Stelzl, who in 2007 wrote The House and the Cloud, submits that preventative measures are useless except for the purpose of triggering a detection process, which in turn kicks off a response plan. Security experts call this P.D.R. -- Protection, Detection, Response. Seven years later, some promising technologies have been developed. As Mike McConnell, Vice Chairman of Booz Allen Hamilton and former Director of National Intelligence for two years under Presidents George W. Bush and Barack Obama, writes in the CIO Journal, "It is not enough to know what to do in cyber security, but given how quickly events occur, it is just as important to work out ahead of time how to do it... companies must begin the process of reimagining their cyber defenses immediately or face the inevitable consequences."
In a recent Wall Street Journal survey, information technology specialists guessed that larger companies were running up to 50 different applications in the cloud. The actual survey of larger companies told a much different story: on average, larger companies are running over 350 cloud applications! Skeptical? Walk down the hall and ask about the use of online applications. Do you know where your company's data resides?
In his article, McConnell writes, "This is the greatest call to action for chief information security officers in 2014 -- to accept and understand that a remediation-centric cyber defense is not enough, and to build a communications link to the C-Suite that breaks down the Tower of Babel between the server room and the board room." He argues that companies must begin now by changing their approach to security from "one of compliance" to a more holistic model, one that includes awareness and education. Again, most organizations have reasonable protection; it's the detection and response that's missing.
The Target breach of 40 million credit cards is said to have cost the company 20% in profits and 6% in revenue. That's real money! Managing business risk is personal. We all value our physical, financial and technical assets differently, and how to protect those assets is up to each individual executive at the organization.
Investing in technical security alarms such as detection and response systems is highly recommended. Your five-year-old firewall isn't cutting it anymore.