
Recurring meeting invite to the CEO and leadership team. Topic: cybersecurity breach

Invite your CEO, board and senior leadership to block seven days a year to handle potential cybersecurity breaches.

Will the recent security breaches and the President’s State of the Union address move the needle on cybersecurity spending?

There is a lot of conversation about a cybersecurity spending boom and the need for enterprises to loosen their purse strings for digital security, but is there a real ROI that can be measured?

A brief analysis of three recent breaches and their business impact.

Target was the poster child the credit card companies used to push tighter deadlines for EMV (chip card) migration ahead of the fraud liability shift, after tens of millions of card numbers were stolen.

In terms of financial impact, Target’s earnings are approximately $2B, and its net loss from the breach after insurance payments was $148M. It may face additional liability from lawsuits, but from its quarterly reports there was no major shift in customer spending patterns, and deeper product discounts brought shoppers back. The CIO may have been a casualty, but the CEO’s departure was mostly attributed to the company’s Canadian strategy.

So the bottom-line financial impact was a loss of $200M plus an additional investment of $150M in EMV and related measures. For a major retailer, though, the cybersecurity loss was much smaller than the Canadian write-off, and the brand was not damaged badly enough to produce a big drop in customer spending.

Home Depot, on the other hand, which earns $5B, had a net loss of less than $40M from its breach. No executives were fired, and the brand was not significantly affected.

Sony is a whole other story. In Q3 2014, Sony lost $10M on $1.7B in revenue and now stands to add tens of millions of dollars from the cyber attack to that loss. The leaked emails and the loss of trust from its partners have had a major impact. The company has not been able to report quarterly earnings and is cutting paychecks manually. The loss of trust from the leaked emails fuels speculation about whether Sony Pictures will remain a viable business.

In a recent conversation with a senior executive at a $4B company about increasing its cybersecurity investment, his response to me by email was: “we are not a Sony, we do not handle large consumer transactions like Target, and the chances of us getting breached are minimal with our current investment; if we do get breached, our lawyers and insurance will take care of our liability”.

Insurance and lawyers to reduce liability: words I like to hear. I responded that Target, Home Depot, Sony and hundreds of other cybersecurity events have one impact in common: distraction. Senior executives are responsible for growing the business and increasing shareholder wealth. Their job is to foster growth, not to get distracted. When a company has a scandal or an investigation, the performance of the CEO, the board and senior management suffers.

After the breach, Target’s CEO retired, its CFO testified before Congress, its CIO was fired, and I am sure the senior leadership team spent hours reassuring customers and partners and working with investigators. That time cannot be quantified, but it certainly did not increase shareholder wealth. Is that not an impact of inadequate cybersecurity controls?

“Home Depot ex-CEO Mr. Blake took charge of the breach response. He backed up his chief information officer, Matt Carey, and spent time in the ‘incident response’ room set up on the 20th floor of Home Depot headquarters.”

Sony Pictures CEO Michael Lynton: “It took me 24 or 36 hours to fully understand this was not something we were going to be able to recover from in the next week or two,” Mr. Lynton recalled in an interview.

So were their CEOs not distracted? Did they not spend countless hours trying to mitigate damage that could have been contained in the first place by smart investment? I am not saying that these companies do not invest enough in cybersecurity today, or that more technology or resources would be a silver bullet, but continued serious investment will certainly reduce both the risk of a breach and the cost of responding to one.

So what moves the needle? Senior leadership’s time, stakeholder trust and, of course, legal fees and tangible financial loss. No company, small or large, can argue that its CEO has time for cybersecurity breaches.

Thoughts?


107,000 jobs on LinkedIn require one skill

President Obama in his State of the Union address said: “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. So we’re making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism.

And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children’s information. That should be a bipartisan effort. (Applause.)

If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”

The World Economic Forum, ahead of Davos, has issued a report warning that failing to improve cyber security could cost the global economy $3tn, and is urging companies to sign up to a new “framework” for assessing the risk of an attack.

It is very encouraging to see the protection of digital assets and digital presence mentioned at the highest levels. While there is much talk about technologies, intelligence sharing and the threat of cyber warfare, one key piece is the shortage of skills. A recent ISACA survey of 3,400 members found that 68% of them have a shortage of the cybersecurity skills needed to fend off an attack.

VCs invested nearly $2B in cybersecurity startups delivering the next generation of digital protection, but the shortage of people who know how to implement these complex technologies with relevance to the business remains unresolved. Yes, some industry groups and educational institutions are beginning to offer basic training courses to grow the workforce.

Having been in the information security world for over a decade, I know this profession requires both hard and soft skills. Security attack patterns are like an amoeba: they can change with a click of a mouse, and the damage inflicted can end up in a President’s speech. I saw a posting from Sony for an IT security manager a few days after the hack. Does this mean they did not realize the importance of that position, or that they simply could not fill it?

Many job postings for information security professionals simply cannot be filled. The reason: they want Sheldon from The Big Bang Theory or the Stephen Hawking of cybersecurity. Security operations, compliance, risk and threat management each need different training and approaches; it is not like moving from C++ to Java. A fundamental understanding of information security is key for all positions, and a person’s role within information security will depend on their personality, people skills, analytical thinking, investigative instincts and communication skills.

This crisis is going to hit midsize firms that need a level of cybersecurity protection but cannot afford to hire expensive consultants or retain experienced employees. The growth of cloud and mobile is adding more weak spots for attackers. A white hat hacker who wants to help the community is also courted by bounty programs with deep pockets. A recent increase in cybersecurity freelancers is helping the industry a little, but costs remain high. Many firms need skills on demand or for a fixed period, and consulting companies are not able to meet the growing demand.

In December 2014, one of the bills passed by the Senate authorized the federal government to support research, raise public awareness of cyber risks and improve the nation’s cybersecurity workforce. This may be a start, or just political dialogue, but a tax incentive or a subsidy for enterprises, educational institutions and startups that provide training and education would not hurt.

Lessons from Sony Hack

What can we learn from Sony’s hack?

According to Sony Pictures CEO Michael Lynton, Sony Pictures did not have a playbook.

Sony’s incident response to the recent cyber attack relied on (as the original image’s abbreviated alt text lists them) BlackBerry phones, Gmail, checks and a phone bank.

The lack of a response plan during the breach added significantly to Sony’s business impact. It took the 9/11 attacks for major financial institutions to start running secondary operations centers outside Wall Street for business continuity.

The Sony hack was no different from any other disruption of business operations, but Sony’s lack of preparedness shows the weakness in cyber threat response and how long it can take an enterprise to recover from a cyber attack. Having been in the cybersecurity business for decades, we have learned that attacks cannot always be prevented, but the business impact can be minimized by a proportionate, prepared response.

I appreciate that working on an incident response plan is not interesting, and that cyber insurance looks like a shortcut, but impact needs to be measured in more than financial loss. So, when it comes to lessons learned from the Sony hack:

  1. Sony’s CEO says there was no playbook. Having a playbook is not enough on its own, but an annual tabletop exercise keeps the tasks fresh and exposes the gaps before an attacker does.
  2. Sony’s business was down for eight weeks, with manual paychecks and BlackBerrys. The impact of an attack needs to be measured in the playbook to help plan an appropriate response. Not all attacks are the same, and business continuity needs to be a top priority.
  3. The FBI and consultants are not remediation resources. The industry is seeing a shortage of skills, and some incident response roles, like forensics, are needed on demand. There are many freelancers with broad skillsets available, and it may be easier to retain such experts to assist as needed.
  4. Sony had 45 firewalls. There is a lot of noise about technology to identify and protect against the next big threat. The noise needs to be filtered by bringing relevance to the business. Not every threat has the same impact for every business, and again, technology alone is not the answer.
  5. Sony hired a crisis specialist. PR specialists cannot contain reputation damage. Sony’s reputation and brand have been hurt over the weeks in ways that no multimillion-dollar crisis specialist can fix. This is a wake-up call for every enterprise without an adequate response plan.
  6. Sony was attacked on Nov. 24 and brought in the FBI and hired Mandiant on Dec. 1. This seven-day delay shows the lack of communication, executive decision-making and an adequate plan to respond. If there were a water leak in the office, the plumber would be there in two hours.
  7. 100TB of data was stolen. Protecting what is relevant to the business, in this case movies, employee, customer and other corporate information, should have been a priority. If an attacker gets free rein in the network to steal not 1 but 100TB of data, protecting the digital crown jewels was not a priority; outbound volume on that scale is exactly what egress monitoring should flag.

The press coverage of the Sony hack and the White House response should not be news but a true wake-up call. While lessons will keep being learned for a long time, the wake-up call is to have an effective and tested incident response plan in place NOW.

NSA Director on Sony Hack: ‘The Entire World is Watching’

Originally posted on TIME:

National Security Agency Director Admiral Michael Rogers expressed support Thursday for the United States’ economic sanctions against North Korea in response to the hack on Sony Pictures Entertainment, and called the attack against the movie studio a “game changer” for cybersecurity.

“Sony is important to me because the entire world is watching how we as a nation are going to respond to this,” Rogers said Thursday at the International Conference on Cyber Security in New York. “If we don’t name names here, it will only encourage others to decide, ‘Well this must not be a red line for the United States.’”

After naming North Korea responsible for the attack against Sony, the U.S. announced sanctions last week against 10 individuals and three organizations in North Korea, including the state’s main intelligence agency and its primary arms exporter. The sanctions effectively denied them access to U.S. financial systems.

In his address…


Sony Hack: A Timeline

Raj Raghavan:

This could be the 9/11 of cyberattacks.

Originally posted on Deadline:

Refresh for latest… The cyber attack on Sony Pictures Entertainment continues to cripple the company, embarrassing its top executives and those who do business with them, as e-mails and confidential information are sifted and selectively published by anyone with access to the hackers’ dump. Here is how the story broke, day-by-day. We’ll continue to update as it unfolds.

Day 1: Monday, November 24

At Sony Pictures Entertainment’s headquarters in Culver City, a typical week begins. The first sign of a digital break-in comes early that morning, when the image of a stylized skull with long skeletal fingers flashes on every employee’s computer screen at the same time, accompanied by a threatening message warning that “This is just the beginning.” The hackers say “we’ve obtained all your internal data,” and warn that if Sony doesn’t “obey” their demands, they will release the company’s “top secrets.”

At 10:50 A.M., Deadline’s Mike Fleming…


Employee Data Breach The Worst Part Of Sony Hack

Originally posted on TechCrunch:

The Sony hack has taught us so much. It’s taught us to send corporate email as if everyone is reading those emails. It’s taught us that people in Hollywood are just as mean as people in any other industry (and potentially racist). And it’s taught us that Channing Tatum is really enthusiastic about beating “TED” at the box office.

The one lesson that’s the hardest to stomach is that you may be doing everything possible to protect yourself online, but your employer may be laissez faire about the whole thing. This is the position that over 6,500 current (and many former) employees of Sony find themselves in today.

As Gizmodo’s Brian Barnett wrote:

“The most painful stuff in the Sony cache is a doctor shopping for Ritalin. It’s an email about trying to get pregnant. It’s shit-talking coworkers behind their backs, and people’s credit card log-ins…


May I have a seat at the table? – II

In continuation of the first blog, articulating security risk to business leaders needs to be a stepped approach. While many business leaders appreciate the need to secure digital assets, awareness of how information security affects their line of business needs to increase.

A CSO needs to become relevant to the business conversation rather than just justifying an IT security need or seeking additional resources. The data presented to business leadership comes from a variety of sources: security tools, security incidents, geopolitical risk, regulatory compliance, data loss, and the technologies or services business leaders are adopting.

The information presented need not be fear-driven or sugar-coated; it should be a simple view of security risk mapped to business impact. It can be presented periodically to show security trends within the enterprise and to provide information on mitigating the risk. The CSO should be in a position to make recommendations, and the business leaders can then weigh in with their perspective. If a CSO asks a business leader to sign off on a risk presented as high priority, after providing the relevant data with business context, the business leader will likely agree on a recommendation after some negotiation.

I believe security is non-negotiable, but a CSO needs to negotiate priorities while pushing the impact of security risk on the business. I recently read a blog at Tripwire.com about CSOs’ views of their position; interesting quotes included “never again”, “find an easier job”, “be scared”, “BYOD focus” and, of course, Princess Leia, who wanted to “fight the dark side”. I did not see anyone mention business risk or the ability to talk information security to the business. The majority of CSOs probably do not want to leave the technical part of information security, but that is changing rapidly. If protecting the brand, complying with privacy laws, embracing cloud and adopting business-driven security products are to take a leap, CSOs need to start thinking from a business risk perspective.

There are a number of tools in the CSO’s arsenal today that can provide relevant and accurate data on the security posture of an enterprise. Tools like SIEM (log management), IT GRC (compliance and risk), IAM (identity management) and DLP (data loss prevention) hold the data; what is missing is a single dashboard that aggregates the technical data into simpler views. If the dashboard can bring business context to the security data, the visualization makes it easy for a CSO to articulate security. Depending on the audience, the CSO may talk about the assets associated with a business line and the security risks associated with them, such as access control, data leakage or data integrity; show a compliance view of which business units must comply with which regulations and where the enterprise stands; or show technical vulnerabilities to a CIO to ask for resources to remediate.

In short, CSOs need a dashboard that aggregates security and compliance data into a view of the security posture, with different screens that give the relevant context to each business leader. Currently, IT GRC tools focus on technical risk, and that is just one small part of the equation.
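The aggregation described above, as an added example that is not part of the original post and not code from any SIEM, GRC, IAM or DLP product: a handful of constructed findings from different tools are joined to a constructed asset inventory (business unit, applicable regulations, crown-jewel flag) and rolled up into the three screens the post describes, a business-unit view by risk area, a compliance view by regulation, and a technical view per asset for the CIO. The severity weights, the crown-jewel multiplier and the mapping from finding category to risk area are assumptions made for the illustration; in practice they come from the enterprise’s own risk register.

```python
"""Roll technical findings from several tools up into per-audience views of security risk.

Added illustration for this post; it is not code from the original page or from any
named product. The tool names, asset inventory and findings are constructed sample data,
and the weights and category-to-risk-area mapping are assumptions made for the example.
"""
from dataclasses import dataclass

# Assumed mapping from a tool's finding category to the business risk area the CSO talks about.
RISK_AREA = {
    "siem_brute_force": "access control",
    "iam_orphan_account": "access control",
    "dlp_exfil": "data leakage",
    "grc_control_gap": "compliance",
    "vuln_unpatched": "data integrity",
}

# Assumed severity weights; crown-jewel assets double the weight (see score()).
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}

# Constructed asset inventory: host -> (business unit, applicable regulations, crown jewel?)
ASSETS = {
    "pos-gw-01": ("Retail", ["PCI DSS"], True),
    "hr-db-02": ("Human Resources", ["SOX"], True),
    "mkt-web-03": ("Marketing", [], False),
    "fin-erp-04": ("Finance", ["SOX"], True),
}


@dataclass(frozen=True)
class Finding:
    tool: str      # which tool raised it: siem, iam, dlp, grc, scanner
    category: str  # key into RISK_AREA
    asset: str     # key into ASSETS
    severity: str  # key into SEVERITY_WEIGHT


# Constructed sample findings of the kind a SIEM/IAM/DLP/GRC/scanner stack would emit.
SAMPLE_FINDINGS = [
    Finding("siem", "siem_brute_force", "pos-gw-01", "high"),
    Finding("dlp", "dlp_exfil", "hr-db-02", "critical"),
    Finding("iam", "iam_orphan_account", "fin-erp-04", "medium"),
    Finding("grc", "grc_control_gap", "fin-erp-04", "medium"),
    Finding("scanner", "vuln_unpatched", "mkt-web-03", "high"),
    Finding("scanner", "vuln_unpatched", "pos-gw-01", "low"),
]


def score(finding):
    """Severity weight, doubled when the asset is one of the crown jewels."""
    _, _, crown_jewel = ASSETS[finding.asset]
    return SEVERITY_WEIGHT[finding.severity] * (2 if crown_jewel else 1)


def business_view(findings):
    """Business-leader screen: per unit, total score, score by risk area, regulations touched."""
    view = {}
    for f in findings:
        unit, regs, _ = ASSETS[f.asset]
        entry = view.setdefault(unit, {"score": 0, "by_area": {}, "regulations": set()})
        area = RISK_AREA[f.category]
        s = score(f)
        entry["score"] += s
        entry["by_area"][area] = entry["by_area"].get(area, 0) + s
        entry["regulations"].update(regs)
    return view


def ranked_units(findings):
    """Business units ordered by aggregate risk, highest first (ties broken by name)."""
    view = business_view(findings)
    return sorted(view, key=lambda unit: (-view[unit]["score"], unit))


def compliance_view(findings):
    """Compliance screen: per regulation, the exposed business units and their summed score."""
    view = {}
    for f in findings:
        unit, regs, _ = ASSETS[f.asset]
        for reg in regs:
            entry = view.setdefault(reg, {"units": set(), "score": 0})
            entry["units"].add(unit)
            entry["score"] += score(f)
    return view


def technical_view(findings):
    """CIO screen: per asset, how many open findings each tool reports."""
    view = {}
    for f in findings:
        per_tool = view.setdefault(f.asset, {})
        per_tool[f.tool] = per_tool.get(f.tool, 0) + 1
    return view


if __name__ == "__main__":
    biz = business_view(SAMPLE_FINDINGS)
    for unit in ranked_units(SAMPLE_FINDINGS):
        e = biz[unit]
        print(f"{unit:16} score={e['score']:3} areas={e['by_area']} regs={sorted(e['regulations'])}")
    print("compliance:", compliance_view(SAMPLE_FINDINGS))
    print("technical:", technical_view(SAMPLE_FINDINGS))
```

The same findings drive all three screens; only the join key changes (business unit, regulation or asset), which is the point of keeping one aggregated data set behind the dashboard rather than one report per tool. The crown-jewel multiplier is what lifts a single DLP alert on the HR database above two findings on a marketing web server, the “relevance to the business” the post asks for.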

Context-based risk is being adopted rapidly in the security industry, so let us put an extra chair for CSOs at the table!