
Breaches should be on the decline by now, says infosec veteran John Walker

A focus on the board, governance and compliance is distracting many infosec leaders from the real objective of securing data, says John Walker

Data breaches should now be declining, not still increasing, according to security veteran John Walker.

He said the recently disclosed security breach at Yahoo affecting 500 million user accounts showed that many companies, even large ones, were not taking the necessary steps to keep data safe.

“I would have expected them to have adequate resilience in place and capabilities to know that they had been breached,” he told Computer Weekly.

“When I see the likes of Yahoo being breached and the number of breaches continuing to climb, I have to ask at what point organisations will finally get it and we see the numbers go down.”

Walker, who has worked in information security for 35 years, said that in view of the cost of breaches to individual companies and the economy as a whole, the tide should have turned by now.

“The problem is that we have embraced and connected so much technology that we have these giant IT environments that nobody really understands, but we are well past the point where something should have been done about it,” he said.

However, Walker recognises the huge challenge of being able to call a halt, take a step back and address the problem. “The point is, we have got to start somewhere,” he said.

Walker has been nominated in the “security leader” and “spidey sense” categories in the inaugural Security Serious Unsung Heroes Awards, which take place on 4 October.

He defines a good information security leader as someone who is willing to speak out and say things no one else is willing to say, which he admits can be painful at times.

Cyber espionage

Walker is recognised as the first person in the information security community to openly denounce China for what it was doing in cyber espionage a year before it hit the news headlines.

“That caused me a lot of pain and grief, as did discovering things to do with powerful nations where they have insecurities, highlighting that these existed and helping to get them fixed,” he said.

Security leadership also requires courage to identify risks and be controversial, such as when, in 2008, Walker said the internet could be brought down and that people would start planning to do so.

“According to news reports, there is a nation state looking to do this, and I can see it being possible through many well-documented flaws,” he said.

“The internet is not as resilient as we think it is, but that is an example of saying something that many people do not want to hear.”

Business continuity planning

It is also something few companies are likely to be preparing for in terms of business continuity planning, despite the fact that many would go out of business if the internet did go down.

“Anyone who could take down the internet or sections of the internet and bring them back up again at will, would be in an extremely powerful position,” said Walker.

“Just taking out a single domain such as for a day would have a significant economic impact and attract a great deal of media attention and coverage.”

In the business context, Walker said many chief information security officers (CISOs) needed to change their current model to become true leaders. “Most tend to be very board-centric,” he said. “They are mainly concerned with keeping the people at the top happy.”

As a result, Walker believes many CISOs are not in touch with the people tasked with the company’s day-to-day security operations.

Negative impact

There is also a tendency not to disclose breaches if there is any way they can get around it, he said, because that could have a negative impact on the brand and share price, which would not sit well with the board.

“Many CISOs are not looking after security in the right sense,” he said. “Instead, they are managing security in the executive sense. They have become too far removed from the actual objective.”

Walker also thinks there is too much emphasis on compliance rather than real security. “Governance and compliance seem to lead the way and, typically, 80% of information security budgets is dedicated to satisfying governance and compliance requirements,” he said.

Separate verticals

Part of the problem is that various compliance people are sitting in separate verticals, such as PCI DSS compliance, he said.

“What we need to see is more common ground where nuts-and-bolts security sits down with the governance and compliance people, and the auditors – who don’t always necessarily understand security at the right level – and have a debate around what real security looks like,” said Walker.

Another area where security leadership is lacking is in understanding and defining acceptable risk, he said. “The appetite for risk appears to be growing because business risk tends to become ‘acceptable’ simply if it has not happened before,” he added.

“But if it were to actually happen, it would not be ‘acceptable’, so should not be defined as such, because growing risk appetite results in a lot of things being done that are not always correct and people getting away with doing things simply because they have been signed off as ‘acceptable’ risk. This is an area that needs much more attention and investigation.”
