A few years ago, previous to my current position, I was recruited for a leadership position in IT Security and Compliance at a large private company. The position was newly created and included PCI and data compliance. As I was going through the interview process, I found that the company was in a post-breach PCI settlement negotiation. They, like many others in their industry, were an ongoing target for bad actors stealing both credit card data and Personal Identifiable Information (PII); and they, like many others, had suffered a significant breach with costly results both in fines and also in time spent remediating.
I later found out that the opportunity I interviewed for and accepted was a direct result of that breach event. The Board of Directors had instructed management to go on a nationwide search for someone who could not only continue to remediate the breach and run the department but also help ensure a breach event was not repeated.
I had arrived well after the breach was cleaned up by third parties hired by the cyber insurance firm, but before substantial and needed technology changes were implemented. Like most IT Security professionals, I found it easy to identify the missing layers and weaknesses within the technology stack. Even without reading the post-breach report, which was inconclusive even after the discovery and forensics process, it was obvious that for many years the investment had not been made to ensure proper visibility and control against the present threats and risks.
In the past, all security efforts had been focused on the PCI environment, since as a private company, in their opinion, they didn’t need to protect anything beyond the PCI scope. In fact, that approach created easily exploited weak areas outside that scope that allowed lateral movement, escalation of privileges, and access to data. It actually made the bad actor’s job easier. Compliance is not security.
In the first 3-4 months, we replaced every piece of security technology with new technology and added tools where needed to create defense in depth.
We concentrated on making the solutions highly integrated, creating wide-ranging visibility and alerting, and took advantage of automation. We consciously balanced preventive tools with detective capabilities instead of choosing one or the other.
Just four months into the job I asked to present a 3-year plan to our Board of Directors that included both a plan for technology and most importantly, a more mature IT governance and controls environment to support those tools.
In my opening statements to the Board I said that “this will happen again despite my plan and the improvements.” We could conduct data classification, improve access control, do user education, encrypt data, and buy new technology; however, it was still extremely likely that an event would occur in the future. Maybe not a PCI breach, but some other kind of breach involving PII or other sensitive information. The key was how soon we knew something had happened, how quickly we could react and stop it, and how resilient our technology was in recovering from a catastrophic event. In the end, preventing a future breach actually had less to do with technology than you might think.
Having gone through and seen many events over the years including breaches, attacks, criminal activities, insider attacks and negligent behavior, the one common denominator was, and still is, people.
In my experience, you can buy all the shiny new technology, but it’s useless without solid processes and controls in both IT and the business. Breaches and attacks, regardless of whether they come from the inside or the outside, hinge on the behavior of people. No technology can stop a motivated person with enough time and resources. It can stop the majority of attacks, but not all of them.
Specifically, it matters whether the people in your organization embrace the idea that security is everyone’s responsibility. How well trained and aware IT, IT Security, and their internal business partners are, and how knowledgeable they are in identifying an event (“See something, say something”), all contribute to a low success rate for cyber attacks and breaches. The time from detection to stopping an event is directly related to the cost of that event.
The behavior of your adversaries (also people) and their motivations and their habits are key. Due to time zones, activities that take place in the middle of the night in Washington DC when people are fast asleep are actually happening in the middle of the day in some of the places of the world where concentrations of bad actors and organized crime reside.
Having highly skilled and dedicated security and compliance professionals (people) is essential. My team at that company was dedicated and over time well trained. I was lucky enough to be able to build on that and those people were the frontline defense.
Most importantly, the biggest takeaway is a company’s responsibility to its customers (people) and its employees (people). The breach I described above caused a lot of sleepless nights and hard work for the employees, but for the people whose card data was stolen, it was personal.
IT Security and data compliance continue to evolve and, it seems, become more complex. But the most successful security approaches are focused on the most complex element: the people.