Earlier this month, the Wall Street Journal published a blog, “CIOs Name Their Top 5 Strategic Priorities,” which collected the recommendations from a variety of technical leaders at a CIO Network event. Author Steven Norton notes:
While proposals ran the gamut, consensus seemed to form around two major themes: cybersecurity, and delivering change through effective communication with the rest of the business.
Quickly, here are the top five strategic priorities, according to the report:
- Make security everyone’s business.
- Cyber risk = business risk.
- Be the change agent.
- Have a business-centric vision.
- Anticipate a “cyber 9/11” event.
The full report also highlights “Cybersecurity in the Wake of Sony.” Anecdotally, every CIO in attendance at the CIO Network event – save one – admitted that their organization had been hacked. Cyber attacks have become ubiquitous.
Interestingly, “44 percent of CIOs said their companies now tackle big data projects ‘all the time.’” Of course, as recent Bromium research has indicated, security solutions can often mutate into big data projects, as information security professionals are buried in an avalanche of security alerts.
Back to the topic at hand, the CIO Network event invited two security vendors to speak, who seem to be advocating an approach to information security based on triage, rather than prevention. Of course, this should come as no surprise, considering the products that they sell are unable to completely prevent attacks.
The suggestion that organizations need to be in the position to “detect when something bad happens” is predicated on a broken model of information security. A recent Ponemon report determined that only four percent of security alerts are investigated.
This represents a huge security gap. What is the value of a security alert if information security professionals are not taking the time to investigate and respond to it? Just ask Target (ironically “protected” by one of the vendors speaking at this event). There is no value!
In many cases, detection-based solutions are trivial to evade, and in the other cases, information security professionals will be unable to respond to the alerts.
It is unconscionable that the security industry continues to push a broken model of detection and response. Of course, it is by selling these broken security solutions that these vendors can return to sell their forensic consulting services after a breach.
If President Obama is building an “Internet Cathedral,” then many of these information security vendors are guilty of selling nothing more than cybersecurity “indulgences.” If, as one vendor described it, the Sony hack was truly unlike anything seen in 17 years, then why did they also describe the attack as not particularly sophisticated? Does incident response now include paying these vendors to make excuses for your organization, even though their products wouldn’t protect against the attack?
Early adopters of information security have already realized that detection and response are failing. Yes, they remain part of the information security model, but a paradigm shift is occurring to implement proactive protection. Protection can be achieved by rethinking some fundamental assumptions about information security. Instead of trying to detect everything that is bad, security should protect everything that is good. Bromium achieves this through micro-virtualization, which isolates all Internet content in secure containers to prevent compromise.