The steady drumbeat of security breaches makes me wonder: are people and organizations becoming complacent? Has the mentality become that breaches are inevitable, so “let's make sure we are compliant and be really good at incident response and PR when we get hit”?
After all, if our credit cards are compromised, the merchants and banks carry the liability and we get new cards. The worst that can happen is that we are inconvenienced.
It makes for sensational news when it happens: “today X million credit cards were breached in an attack at a large retailer where we all shop.” Then later, after an investigation that takes months and millions of dollars, we learn a bit about how it happened and eventually (if we are still interested) hear how some network of lowlifes worked in the shadows to execute the breach.
The news of these attacks is becoming repetitive, and I think it is making us complacent.
Why is this relevant to us as security professionals? Because if it is true, it means we will see this complacent attitude in the executive team we report to. Complacency isn’t new, but it is getting worse. We have all seen the CFO who wants to cover the risk with insurance, meet the minimum compliance bar, and do only what's required. It’s a typical CYA approach, and it’s the norm. And you and I know that it just isn’t enough.
It might seem like the only way the CYA crowd will get it is through a major breach, but there is another option: show them what is actually being done to them on their watch.
We recently launched the beta of Pwn Pulse, and it is revealing things that are making management's heads spin. While we cannot reveal the details of what we are seeing, let's just say it is well worth your consideration. Let me tell you why:
It’s easy for a security professional to say that certain things need to be done, but it takes solid proof to convince most execs of it. In “Project Eavesdrop”, Dave Porcello of Pwnie Express worked with NPR to show how you can be spied on. That series alone opened the eyes of many execs. Pwn Pulse, a service that goes fully live this Q4, can show you rogue actors at work in your organization today. Show that to the CFO who is responsible for risk. I guarantee that he will lose the complacent attitude and you will get the attention you need.
We might need to shake things up.