By Ondrej Krehel,

You can’t opt out of real life. Yet often that’s what a lot of cyber security advice sounds like. It’s true that social networks are a hotbed for malware, hackers and spam. But staying off Facebook — for some people in certain industries — could have real-world repercussions.

Signing up for an online service, participating in an Internet auction, enrolling in a rewards program: it’s almost like playing in a casino. Which is going to lose your data tomorrow? Picking online companies we do business with is almost like placing a bet.

And just like in a casino, there is little a consumer can do to hedge his bets. The house controls the table. That is, the security manager controls the risk.

A recent pointed out that of 381 breaches investigated, only five were due to un-patched vulnerabilities. Keeping up with patches, as pointed out, is the “fundamental component” of most IT security programs. This is the finger in the hole of a leaking dam. When IT teams discover how hackers break into a system, the teams race to “patch” the digital entry point.

I’ve worked closely with dozens of topflight IT security professionals, and this is the bulk of their work. It’s the proverbial camera system in the casino ceiling. One hundred percent of the focus is on vulnerabilities and the means to patch them. So I agree wholeheartedly with the Verizon report, which emphasizes “balanced priorities.” But that begs the question, What are the priorities?

Good security posture, as I see it, is divided into three equal parts: fortifying vulnerabilities, identifying threats and implementing good data practices.

  • Fortifying vulnerabilities is what IT departments already do well, as I mentioned above.
  • Identifying threats is an offensive tactic. It’s a close monitoring of the system at hand and the cyber news media. It’s easier to be protective when you understand what kinds of hackers, criminals, or nation states are after your system’s data. Know how to handle toxic data.
  • Implementing good data practices is how employees engage system data, from credential management to software logs. For developers, this includes incorporating a privacy-by-design philosophy. Adjusting to and establishing this new holistic approach takes a team of professionals: data privacy experts, risk managers, cyber security technicians, legal counsel and a data breach response team — all under the umbrella and governance of executive management.

As a consumer, you have to trust that the house is moving in a more comprehensive direction with its security practices. As the house, you owe it to your consumers to keep them safe. In the end, it’s the best way to keep them at the table.

To shun this approach is to meddle with the primary forces of the Internet, Mr. Beale. The hackers won’t have it. They’ll take millions out of your business and put nothing back in. It is ebb and flow, tidal gravity. It is the new cyber ecological balance.

Ondrej Krehel, Chief Information Security Officer,
Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.
