In my previous blog, I talked about how I was encouraged that Sony was going to create the CISO position, but disappointed that they’d be reporting to the CIO (a position that I feel is inherently in a conflict of interest with the CISO position). However, I got some great news last week - Philip Reitinger was named the firm’s new senior vice president and CISO, and will report to the company’s executive vice president and general counsel.
This is encouraging because Sony is now aligning security and the CISO position more with risk, liability, legal, and compliance areas. This is the polar opposite of a CIO or CTO who is all about efficiency, uptime, and making things more accessible, faster, etc. Somebody inside of Sony has got the right idea and is being listened to, which is a very good sign.
Hopefully someone in the Obama administration will see the light too. This is analogous to the failings of Obama (and Bush before him) to recruit and maintain an impactful Cybersecurity Czar. Where the Czar reports is inconsistent with enabling them with authority. The NSA still holds responsibility for cyber security and until that changes (or there is a reporting line between NSA and the Czar) it will be mainly a figurehead position. They can write all the policies and make all the speeches they want, but they have no authority to drive meaningful change because the NSA isn't accountable to the Czar's policies.
This is one reason I like Languevin's bill - it changes the reporting structure, makes real accountability measurable for all agencies and contractors, and creates a position reporting to the President that will oversee and influence the work of DHS (the group who is directly accountable for implementing and assuring the new cyber security measures & requirements.) It even calls for punitive measures for failure as well as regular audits and monitoring (not just paper audits) to make measurement more automated and regular.
Encouraging, very encouraging.
A few months ago, Sony announced that it was created a new CISO position, reporting directly to the CIO, in response to the attacks against PlayStation. I’m encouraged by the fact that Sony realizes they need someone focused on data security – but discouraged that they’ll be reporting to the CIO, who almost always has a fundamental conflict of interest and often reduces this role to a figurehead. CIO’s are typically responsible for the information technology and systems that support enterprise operations, and they need them to be high-performing and feature rich (and security often crimps that style).
If I were CEO of a multinational enterprise like Sony, MassMutual, SAP, and others, I would place my CISO reporting to the most senior risk executive in the company and have that person report to me. I would create a nested risk-based approach to data/information protection. For example, Application Security would be part of a larger Information Security group, which would be part of a larger risk group, which is responsible for assessing risk in the context of business continuity and operations.
Security and risk are elements of _every_ person’s job, and the group who’s “responsible” for security has the charter of assuring the dissemination and absorption of those security/risk elements (making it part of the culture vs. doing all the security work themselves in the security group.) This would be my yin to the CIO and IT yang of faster, cheaper, more efficient automation of data management.
Companies like Thomson Financial, Liberty Mutual, and SAP had it right, imo, and changed things – which sent their CSO’s running away and significantly weakened their security posture overall.
In the wake of the Sony Security Breaches (breaches, you say? As in plural? Yes, read on for more information) I decided to update some of our instructor led training slide decks.
The first few slides of our security awareness courses include a number of slides intended to scare people into paying attention to the threat of security issues. We do this by showing the largest, most costly and most impactful data breaches and security vulnerabilities in recent history.
Instead I scared myself. There is no statistic I could find to show that things are getting better or more secure in general.
I should say before I list off all these terrible statistics that largely the companies we work with are, in fact, getting more secure over time. I've seen some of our clients go from unknowingly writing insecure applications to having robust and mature Secure Software Development Lifecycles that drastically reduce the overall number of issues we find in quarterly assessments. These micro-trends, unfortunately, seem to be the exception to the rule.
These companies should also stand as a reference point for other companies who are finding themselves a target for attackers or that fear they are not doing enough to protect themselves and their customers from this type of attack.
Another correlation a colleague of mine, Tom Samstag, found while researching is the negative attention of a large data breach. After public attack hackers seem to swarm in, focusing their attention on other arms of the company. This makes sense from the attacker's perspective, the initial breach acts as a beacon to identify companies that do not have proper security measures in place.
We see exactly this happening to Sony right now.
One month after their infamous Playstation Network breach on April 26th Sony BMG suffered another breach on May 23rd, then Sony Pictures was hacked less than two weeks later on June 2nd. It seems the hackers smelled blood and came running, I wonder what will be next?
Of course it's easy to pick on Sony, but they're not the only company who has lost large amounts of data in recent months, far from it.
PrivacyRights.org tracks all data breaches, they report there have been 533,686,975 records breached in 2,511 Data Breaches since 2005. There are a lot of recognizable names in that list as well, chronologically speaking: Sony, WordPress, The Texas Comptroller's Office, Health Net Inc., Jacobi Medical Center, and American Honda Motor Company. Those companies have all lost more than one million records each in the last 6 months. Let me repeat that:
The companies named above have all lost more than 1,000,000 records each in the last 6 months.
In a recent Ponemon study it was found the average cost per record lost for the offending company was $214 per record, up from $138 per record in 2005. In this way Sony got away for cheap if the most recent numbers are correct in that their PSN breach only cost them $171 Million.
The study went on to conclude indirect breach costs, such as the loss of customers, outweigh direct costs by nearly 2 to 1. That means Sony could lose another $342 Million in customers, market share and customer confidence. In 2010 other companies spent, on average $7.2 Million per data breach. Talk about consequences!
Unfortunately it also seems more vulnerabilities are being found in software. Likely due to insecure coding practices, insufficient security measures and controls, lack of training, and the attacker threat increasing almost daily. According to an IBM study there were 4,938 vulnerabilities found in 2005, 6,543 in 2007, 6,737 in 2009 and 8,562 in 2010. See graph to the below for more data points.
If you've been waiting to see who has lost the most records in recent history, you can check out the PrivacyRights.org website, or Here is my list of shame: the most recent breaches that have lost more than 1,000,000 Records.
- Sony Playstation Network
- 101.6 Million records lost
- Texas Comptroller's Office
- Health Net Inc.
- Jacobi Medical Center
- American Honda Motor Company
- Educational Credit Management Corporation
- U.S. Military Veterans
- Heartland Payment Systems
- Royal Bank of Scotland
- Countrywide Financial Corp
- University of Utah Hospitals and Clinics
- Bank of New York Mellon
- 12.5 Million records lost
- TJX Corporation
- 6.3 Million customer records lost
- Hannaford Bros
- 4.2 Million CC#’s records lost
- Fidelity National
- Georgia Dept. of Community Health
- 2.9 Million medical records lost