It's Time For The Security Industry To Step Up And Play Offense
Written by Arthur W. Coviello, Jr., Executive Vice President, EMC Corporation and Executive Chairman, RSA, The Security Division of EMC.
You don’t have to be a government agent or an experienced security researcher to understand that the security industry is being challenged as never before. Within the last few months alone, three companies, LinkedIn, eHarmony and Last.fm, have warned their users that their passwords are floating around the Internet, including on one Russian forum where hackers bragged about cracking them. These breaches left millions of users scrambling to change their passwords, and only time will tell whether attackers have used the compromised credentials to access the affected accounts, or any other account a user protected with the same password.
Findings from this year’s global Governance of Enterprise Security: CyLab Report, released by Carnegie Mellon’s CyLab and sponsored by RSA, The Security Division of EMC, underscore the same reality: a new generation of cyber criminals, hacktivists and rogue nation-states is operating with increased speed, ability and cunning. Encouragingly, the research found that more companies than ever before are forming Risk Committees. On the other hand, the numbers indicate that, across the board and in multiple industries, many corporate boards remain largely uninformed about cybersecurity best practices.
Security Must Adapt to Today’s Interconnected World
We’re well past the tipping point where our physical worlds and digital lives could be separated, or our personal and professional lives isolated from one another. Never before have high-profile attacks been so frequent, never have they been so targeted, and never have so many security firms been attacked directly. In addition to the breaches mentioned above, Stuxnet and, more recently, Flame (deemed “Stuxnet on steroids”) are just two more examples of today’s threat landscape.
IT departments are learning to manage resources they don’t directly control, security organizations are attempting to secure resources and information they can’t directly control, and both groups are left asking how they can significantly and permanently close the security gaps in critical areas of our hyper-connected, highly mobile digital environments. The answer lies in a collective acknowledgement that past security models are inadequate in the face of rapidly evolving digital technologies and user behaviors. In today’s environment, it’s not a question of if your network will be penetrated, but when, and confronting that fact requires a 180-degree mindset shift from defense to offense.
Playing Offense in The Age of Big Data
Boards and senior management, working hand-in-hand with IT, need to put in place effective strategies, people, processes and technologies, including the following:
- Establish a board Risk Committee (separate from the Audit Committee) and assign it responsibility for enterprise risk (including IT risks).
- Review existing top-level policies to create an organizational culture of strong IT security and respect for privacy.
- Extend this culture to vendors as well: set explicit privacy and security requirements for all vendors, especially cloud providers.
- Evaluate and reset goals and expectations regularly. At a minimum, this means an annual audit of the enterprise security program; an annual review of that program and of the effectiveness of its controls; an annual board review of the budgets for privacy and security risk management; annual privacy compliance audits; and annual reviews of the incident response, breach notification, disaster recovery and crisis communication plans.
- Ensure that information privacy and security roles within the organization are separated and responsibilities are assigned to the right executive; the CISO/CSO and CPO should report independently to senior management.
Just as important is how security is done. IT departments must stop bolting new controls onto outdated security models. Yesterday’s models are inadequate, and the digital equivalent of locks on doors is no longer enough protection. We must accept that harnessing the power of Big Data for greater situational awareness and faster reaction to threats is the foundation of an offensive approach, one that enables businesses to manage risk to acceptable levels and ultimately puts the balance of control back firmly in the hands of security practitioners.
The notion of “Big Data” has already become a powerful strategic concept in other industries such as finance and healthcare, and I believe that, with combined advances in data storage systems, computing power and analytical tools, the age of Big Data has now arrived in security. By adopting a Big Data model, security teams can turn the analysis of massive data sets into actionable information, eliminate the blind spots where threats lurk undetected and, ultimately, shrink our windows of vulnerability.
Knowledge from One = Increased Power for All
Shifting our collective mindset is just one part of this complex equation. It is also unacceptable for “information sharing” to remain a cliché for failure, or a process inherently surrounded by distrust, technology gaps and legal restraints. We all must demand more from the security industry, because we risk failing if we don’t turn the tide today. We need more than just a few good men and women to step up and join our ranks if we are going to fight back, as we historically have, with creativity and innovation.
I envision our next generation of cybersecurity professionals as motivated to partner and cooperate with other industry leaders and government bodies to share intelligence. In addition to these collaborative skills, they’ll possess the right analytical skills and big-picture thinking, as well as an unerring commitment to the principle that, when shared effectively, knowledge from one organization can equal increased power for all. But, above all else, they’ll come ready to fight a battle that they can win.