December 10

Planning for Failure

This week in my Information Security Management class we discussed planning for security.  Of course the discussion in the course was about planning for success.  Unfortunately, a lot of the real world discussions I’ve had and articles I have read this week have shown more clearly how people and corporations are failing because of their planning.  I am sure they are not planning to fail, but their actions and poor planning skills have been leading to their demise.

My interest in this issue was piqued while reading about the recent problems that Sony Pictures Entertainment (SPE) is facing.  Their difficulties stem from corporate planning, but planning of the wrong kind.  Many articles claim that, in an effort to reallocate company resources, SPE was on a mission to save money by cutting staff, and that this cost cutting extended to its IT compliance and security department.  They did everything they could to save money and cut corners, including a policy of “just enough compliance.”  The result was a breach exposing the personally identifiable information (PII) of upwards of 47,000 employees.

In addition to budget cuts to their IT security programs, they laid off a number of employees in the last year.  Sony is not alone in this practice.  There is an epidemic in the corporate world of layoffs, benefit cuts, and even employee demotions.  This, on top of the cutting of IT security budgets, has created a perfect storm, and I think SPE is just the first of many victims.  Due to the nature of this breach it is fairly evident that there was help from a trusted insider.  Some estimates say this breach will cost SPE over $100 million, and that is not counting the personal cost to the employees whose information was captured.  Had SPE focused on maintaining a functioning IT security department, this breach could have been avoided entirely, saving the company far more than the money it will lose because of this attack.  Proper planning could have saved them their reputation.

It is time to stop planning for the right now and start planning strategically for the future.  It is time to focus less on the bottom line and more on preemptive planning to maintain a secure front and protect the information that is the lifeblood of any company.

December 2

Embrace the Oxymorons

Let’s talk about oxymorons, those annoying little things they keep trying to teach in network security and computer security and, well … cybersecurity.  I have a Bachelor’s in cybersecurity, am working toward my Master’s, and I have been officially (as in professionally) working in the field for just under 8 years.  Before that I had been into the dark arts (computer hacking) since I was 11 or 12, right about when the internet appeared, so that is about 23 years, give or take, that I have been in some form or fashion involved in cybersecurity.

That paragraph was not to toot my own horn; I have plenty to learn.  Cybersecurity is such a large and constantly changing field that, for example, in all that time I did not REALLY understand false positives, true negatives, and the rest until the last few years.  Learning the concepts is relatively easy, and logically they all make sense.  A false positive is an alarm that goes off for the wrong reason: the activity was actually benign.  A true positive is an alarm that went off for the right reason: the defenses actually caught the bad guy.  A false negative is the bad guy getting through because the alarms think he is perfectly acceptable.  And finally, a true negative is the alarm staying silent for activity that really was acceptable.

Regardless of how annoying and, well, kind of ridiculous these things sound, someday (if you really go into security) they will be something you care about.  They are important to me in my current job as an offensive security professional because I want to get past the alarms.  They were important to me as a defensive security professional because I wanted the alarm to catch the bad actors.  And someday, maybe right now, they will matter to you too.  So, embrace the oxymorons.
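As an added example, not code from the original post, the following Python script runs a hypothetical brute-force rule ("alert when a source reaches N failed logins in the window") over a constructed set of login events with ground truth attached, and tallies each verdict as a true positive, false positive, false negative, or true negative.  The field names, the sample log and the threshold values are all assumptions made for the illustration.

```python
# Added example (not from the original post): score a simple detection rule
# against constructed login events and tally TP / FP / FN / TN.
from collections import Counter
from dataclasses import dataclass

# Constructed sample (not real data): failed-login count per source in a
# five-minute window, with ground truth attached so verdicts can be scored.
SAMPLE_LOG = """\
src=10.0.0.5 user=alice failures=1 truth=benign
src=10.0.0.7 user=bob failures=4 truth=benign
src=198.51.100.9 user=admin failures=12 truth=attack
src=198.51.100.10 user=admin failures=2 truth=attack
src=10.0.0.12 user=carol failures=0 truth=benign
src=203.0.113.4 user=root failures=6 truth=attack
"""


@dataclass
class Event:
    src: str
    user: str
    failures: int
    truth: str  # "benign" or "attack" (ground truth, hypothetical)


def parse_log(text):
    """Parse key=value lines into Event records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        events.append(Event(fields["src"], fields["user"],
                            int(fields["failures"]), fields["truth"]))
    return events


def detector_fires(event, threshold):
    """Hypothetical rule: alert when failures in the window reach threshold."""
    return event.failures >= threshold


def outcome(alert, truth):
    """Map a detector verdict plus ground truth onto one of the four cells."""
    if alert and truth == "attack":
        return "TP"  # alarm for the right reason
    if alert and truth == "benign":
        return "FP"  # alarm for the wrong reason
    if not alert and truth == "attack":
        return "FN"  # the bad guy got past the alarm
    return "TN"      # silence for activity that really was acceptable


def score(events, threshold):
    """Return the confusion-matrix counts for the rule at this threshold."""
    counts = Counter(outcome(detector_fires(e, threshold), e.truth)
                     for e in events)
    return {k: counts.get(k, 0) for k in ("TP", "FP", "FN", "TN")}


def precision_recall(counts):
    """Precision = TP/(TP+FP); recall = TP/(TP+FN); 0.0 when undefined."""
    tp, fp, fn = counts["TP"], counts["FP"], counts["FN"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for threshold in (2, 3, 5):
        counts = score(events, threshold)
        print(f"threshold={threshold} {counts} "
              f"precision/recall={precision_recall(counts)}")
```

With the sample as constructed, a threshold of 3 flags bob's four typos (a false positive) and misses the attacker who only tried twice (a false negative).  Raising the threshold to 5 removes the false positive but the slow attacker still walks through, while lowering it to 2 catches every attacker at the cost of alarming on bob.  That is exactly the tension between the offensive side, which wants to stay under the threshold, and the defensive side, which wants the threshold low enough to catch them without drowning in false alarms.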

Thank you for reading, check back next week for more.


John Nye