a href="/myfiles/Images/2014/04/23/sr01_big.jpg" title="According to Richard Stiennon, a "devastating breach" is the best motivation for an organization to devote adequate resources to cybersecurity. " According to Richard Stiennon, a "devastating breach" is the best motivation for an organization to devote adequate resources to cybersecurity.
Molouk Y. Ba-Isa Saudi Gazette
Richard Stiennon, Executive Editor, SecurityCurrent, and Chief Research Analyst, IT-Harvest, was in Riyadh recently at a private event held by Lumension Security. Stiennon is a veteran of the information security industry and made his name internationally by authoring the book, “Surviving Cyberwar.” In his presentation, Steinnon spoke about countering targeted network attacks. Such attacks are escalating globally, affecting both public and private sector organizations. Stiennon stated that he is an “optimist,” and believes that while targeted network attacks cannot be completely thwarted, if there is a good enough network defense in place, it can become very expensive for the attacks to succeed. In fact, in such a scenario the attacker would be forced to switch to physical intrusions, including the bribing or blackmailing of employees to gain access. As the Kingdom is increasingly moving from paper to online systems, local IT staff often struggle to convince higher management within their organizations that more resources must be directed to network security. Stiennon commented that this struggle is taking place the world over and he has seen that there's little incentive for organizations to harden network defenses if the goal is to strive for best practices or be viewed as compliant with international standards. “The best motivation is to have a really devastating breach and then the resources will be devoted to properly secure the network and resources” said Stiennon. “Unfortunately, quite often people are let go because somebody has to be blamed for the lack of security. That's repeated over and over again around the world. For instance, recent breaches at South Korean retailers caused the CEOs of those retailers to resign. I am sure the new CEOs will take extraordinary measures to protect those network systems.” Stiennon advised as well that enterprises have a tendency to “fight the perception rather than fight real battles.” This involves endless meetings and multiple committees, all with the unspoken goal of making it no one's fault if there is a network breach. “My recommendation is always to assign the responsibility (for network security) to someone, just as you would do in any great project,” he said. “You hire somebody to build a house for you. The general contractor is responsible for building the house at the price you agree to, in the agreed timeframe. If the contractor fails to meet the contract, they are liable and they lose money. It's the same thing with establishing a good cyber defense policy for an organization of any size.” According to Stiennon, responsibility for network security entails that there will be direct consequences for failure. If it's a military organization, a network breach is the equivalent of falling asleep at your post - with the associated consequence. If it's an industrial or government organization, failing in your duties should involve embarrassment and termination. With the consequences for failure so grave, few are willing to step up and take responsibility for an organization's cybersecurity. Stiennon believes that no one wants the responsibility because they aren't given adequate resources to mount the best defense. That's why he counsels anyone who is requested to shoulder such a role, to document the conditions for undertaking the assignment, including which technologies must be deployed, the staff to be hired and the training required to get the job done. Those last two points are major issues in Saudi Arabia. To counter them, he supported the position of demanding that vendors who sell information security solutions locally must also offer local, instructor-led training for those tools. He also thought it was reasonable that the government provides some sort of preferential treatment to Saudi companies who sponsor information security education for their staff. Additionally, at all organizations with more than 1000 employees, Stiennon advocates the formation of dedicated cyber defense teams made up of IT professionals with differing and very advance skill sets. Such teams would be tasked with fighting a continuous, evolving battle against network attackers. Why an evolving battle? Because the attacks are constantly changing. He pointed to the Heartbleed bug revealed earlier this month. “The Heartbleed bug is yet another example of unknown vulnerabilities lurking out there,” said Stiennon. “The discovery kicked off a fire drill to find and patch vulnerable systems. According to cybersecurity company Mandiant, they saw a customer's VPN concentrator successfully attacked on April 8, the day after the revelation of the vulnerability.” Some analysts think the struggle against the Heartbleed vulnerability will go on for years. That's why it's essential that Saudi organizations stop wasting time and resources on blame avoidance strategies for cybersecurity breaches and step up the real fight against network attackers.
