There is a phrase that has become quite popular in information security circles, and it goes along the lines of "there are two types of organizations, those that have been breached and those that don't know they've been breached." I hear it quite regularly from industry commentators and speakers at conferences. The key message is that every organization has been breached, and that only those with good information security have been able to detect and respond to the breaches.
The other implication, of course, is that the CSOs in the companies that "don't know they've been breached" are incompetent.
One of the main problems with this phrase is that, whenever I hear it, the speakers never qualify what they mean by a breach. Does it mean that someone has penetrated the network and taken the organization's prize data? Or does it mean that a computer virus infected a laptop of little or no value to the organization? My point is that, without clarification of the context of the statement, how are we to know how bad the problem really is?
I say this because I regularly talk to business people and senior management in companies who have read statements like the above, and they ask me, "is it really true that our company has been breached but our CISO does not know about it?" Some have even asked, "if every company is breached, why should I spend money on security at all?"
We cannot blame them for holding that viewpoint when "industry experts" regularly claim the battle against our adversaries has been lost, and when that viewpoint is then reinforced every time they read about a security breach that resulted from basic security measures not being properly used, or not even implemented in the first place.
While some will argue that this is simply the reality we are facing, I say that if that is the case, what are we going to do about it? Are we going to surrender our networks, our systems and our data to whoever wishes to access them, or are we going to work together as a community to improve the situation for us all? I will certainly be aiming for the latter, and I urge those of you reading this to do the same.
I believe we need to take several steps to improve the overall image of our profession and community. Some of these will take time and hard work, but if we work together we can make our networks safer and more secure for everyone.
Here are my suggestions: