Lessons from the Sony Breach: Four Things That Need to Happen Now

When the finger pointing about attribution stops, the recent Sony breach will endure as one of the three most significant cybersecurity events of 2014 because it once again highlighted a number of critical gaps in the ability of individual organizations to defend themselves against targeted attacks. A breach of this magnitude can make us all wonder, how are organizations supposed to defend themselves when attacked by a nation state, or a highly organized criminal group with deep pockets and high levels of know how?

Think about it this way. If an organization’s headquarters or a branch office were under physical attack by armed assailants, they normally would call the police, who would dispatch the SWAT teams and other resources needed to physically protect the organization from further harm. But in today’s world of advanced cyberthreats, when an organization is under siege, there generally is no such protection offered to them.

Organizations must defend their information assets in today’s threat landscape. And here are four steps they should take immediately.

1. First of all, organizations must develop a stark sense of reality about what they can do well and what they cannot in cybersecurity. CIOs, CISOs, and security leaders must revisit the organizational structure and skills of their security teams and IT staffs that have any responsibility for securing information assets. This analysis involves a deep review of what currently are or can be core competencies for the organization, and where they might need help from outsiders. Important questions to ask include:
   • What is the right structure for the security team?
   • What skills are required and where are the gaps?
   • If we need to have these skills in-house, do we need training and certifications?
   • Which additional skills should we hire, and which should we outsource to service providers who are more experienced in these areas?
2. Foster deeper collaboration within your industry and across industries. We all know that the bad guys share information freely and across borders and do not have to play by the rule of law. So, it is critical for the good guys to have more opportunities at all levels to collaborate both electronically and in person to share information and intelligence about current attack techniques and emerging threats. We need more effective collaboration forums than we have today. Better collaboration will help alert companies to the latest threats and help them identify the right solutions and service providers. There is some great collaboration happening in certain industry sectors today—the financial services is the most successful example—but we need a significant increase in information sharing and collaboration—and this change requires more trust among practitioners and changes to regulatory and legal frameworks. One of the missions of ISACA’s Cybersecurity Nexus(CSX) is to create additional collaborative environments going forward for practitioners at all levels to share information.
3. Take a back-to-basics approach by focusing on protecting that which matters most to the organization with solid security controls. More organizations should implement effective governance and controls frameworks, such as the U.S. NIST Cybersecurity Framework and ISACA’s COBIT framework. When an organization fully commits to implement a model framework, it has a much higher likelihood of success in protecting its crown jewels—with the added benefit of not having to reinvent the wheel. If a company focuses on good controls based on accepted standards and frameworks, some of the cyber risks they are facing would be greatly reduced.
4. Do not just create good contingency plans and incident response plans—practice them. It is critical to involve a wide variety of players across the organization—not just IT and security. Communications, legal and senior management all must be involved—and so must the necessary outside service providers who augment an organization’s key cyber skills. For incident response plans to be effective, the internal and external ecosystem must be well understood, and all parties must be ready to act. Given what we all observed in 2014, practice may not make perfect, but it sure will help a lot.

Last, but certainly not least, it is critical that security practitioners understand the relationship between their organization, its people, its IT assets and the kinds of adversaries and threat actors they are facing. It is only through this analysis can the right cybersecurity program be designed and implemented where budget, skills, intensity, and performance all are balanced at the appropriate levels.

Eddie Schwartz, CISA, CISM
President, White Ops, Inc.
Chair, ISACA’s Cybersecurity Task Force

[ISACA]