Wednesday, February 18, 2009

Surviving a Depressed Economic Situation...in security

The signs are everywhere; Wall Street has fallen into deep recession, consumers aren't buying, houses aren't being built or sold, and criminals are breaching companies at an alarming rate. The economic conditions of today's reality, combined with the need to continue to survive financially, have thrown gasoline on the hacking fire in recent weeks.

Whether you're looking at the intrusions and catastrophes at Heartland Payment Systems (HPS), SRA International, or the Wyndham Hotels - the writing is on the wall. Actually, it's no longer writing on the wall, it's a flashing neon sign over the freeway - "Criminals Are After You". It's only a matter of time before your web sites, applications and precious databases are infiltrated and bled dry for every drop of information.

The problems that are going on outside your corporate walls aren't any better internally. Insider fraud continues to mount in this type of depressed economy; just wait until someone in one of your call centers starts to skim credit cards and cardholder information... there is nothing you can do about it. The scary thing is that you, as the security leader, couldn't prevent this problem even if you had any money left in your budget. Criminal organizations (read: the mob) have figured out that sometimes, rather than employing expensive hackers, they can simply find an internal employee who's willing to be pushed over the edge for a payout and commit that next big insider crime. Let's face it, you have to trust at least *some* of your employees... right?

At least security companies are here to help you. At least anti-virus companies are there as your rock in hard times - oh, wait... they're not. BitDefender, Kaspersky, and Trend Micro join the expanding list of security companies that have been infiltrated lately. When will it all stop?

Now the Washington Post is reporting that GovTrip.com (the travel site for Federal employees) has been hacked as well to redirect visitors to a site that served up malware, how cute. There is no stopping the attackers, the criminals who are organizing at alarming rates. The FBI can't even track them let alone catch them anymore - there are simply too many, they're too organized, and they're too smart.

If you're the CISO, Security Manager, or whatever your security-related role in your business, you have to be looking at the news with your head in your hands. I know I am. Is it time to raise the white flag? There seems to be a perfect storm of sorts that has come to our doorstep looking for attention. The economic crisis has created a situation which reads like something out of a horror novel, for us security folks.

The contracting economy is breeding more criminal activity, while at the same time shrinking budgets. Combine those two together with the fact that there are more disgruntled employees than we've seen in a long, long time - and you get a situation that's nearly impossible to survive unscathed. Data breaches, hacks, and break-ins are being reported daily... but I'm going to offer you hope after tearing down your morale. Here it is...

First off, remember that now is not the time for pet projects - now is the time to get real. If you're lucky enough to work within an organization that actually understands the value of security, you have a leg up on everyone else; if you don't work in one of those organizations... wait a few weeks until you're hacked and then approach the subject again. The bottom line is this - there are risks inside your company that will simply go unmitigated, so you'll have to pick your battles. This is one of those rare times when security leaders with great intelligence, vision, and understanding of business shine and excel. Everyone else looks for a new job to fail at.

Part of being real is understanding that there are some immediate needs that require a security dollar, and there are some that simply don't fit on the to-do list until things calm down. I've started a list here, for your reference... please feel free to contact me or comment to add to this list.

These are some of the ways you can survive, as the security leader of your business...
  1. Forget pet projects... you won't have money, manpower, or time
  2. Focus on your business's core money-making activities, secure those as well as you can
  3. Use the shelfware you bought but haven't opened the shrink-wrap on yet
  4. Employ automation (yes, this means tools too) to make your small team as efficient and far-reaching as possible
  5. Pick your battles - understand that sometimes the answer is "We'll simply accept this risk"
  6. Review your employees; make sure you have someone that covers every necessary [read: relevant] aspect of security
  7. Look for outside help - services organizations are your friend because it means you get to spend operating budget (OpEx) and not capital budget (CapEx) - huge difference
  8. Rely on your peers for advice; there is no need to fail in their footsteps
  9. Trusted consultants are like gold - they're rare but can provide you with information across industries, business practices, and historical context... they may be your salvation
  10. Document mitigated risks; you'll need to make sure you document in great detail what you're doing, why, and how much it's costing... in case you ever have to explain to your board why you got hacked.
Good luck, and get yourself a life vest and a helmet... it's going to be a rough ride.
