<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Larry Whiteside Jr., Author at Security Current</title>
	<atom:link href="/author/larry-whiteside-jr/feed/" rel="self" type="application/rss+xml" />
	<link>/author/larry-whiteside-jr/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Wed, 03 Jan 2018 01:59:11 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Larry Whiteside Jr., Author at Security Current</title>
	<link>/author/larry-whiteside-jr/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>What&#8217;s Different About the Sony Hack&#8230; And What&#8217;s Not?</title>
		<link>/whats-different-about-the-sony-hack-and-whats-not/</link>
					<comments>/whats-different-about-the-sony-hack-and-whats-not/#respond</comments>
		
		<dc:creator><![CDATA[Larry Whiteside Jr.]]></dc:creator>
		<pubDate>Tue, 23 Dec 2014 15:23:22 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16667</guid>

					<description><![CDATA[<p>Sony, Sony, Sony. Do you even realize what has just happened to you? Can you even comprehend the ripple effect this event will have not just on your industry, but everywhere?&#8230;</p>
<p>The post <a href="/whats-different-about-the-sony-hack-and-whats-not/">What&#8217;s Different About the Sony Hack&#8230; And What&#8217;s Not?</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Sony, Sony, Sony. Do you even realize what has just happened to you? Can you even comprehend the ripple effect this event will have not just on your industry, but everywhere?</p>
<p>So to begin with, let&#8217;s not dig into what happened or who did it. Primarily because there is still an open investigation happening and unlike others, I refuse to speculate. Who did it is not really important from my perspective.</p>
<p>Do I believe it was North Korea? No! Do I care who it was? No. I AM interested in how it happened and you should be too. Not because we are nosey, but to ensure it wasn’t something that our organizations could be vulnerable to. If you happen to be in the research or Intel fields, then who did it may matter to you so you can identify them, track their other activities, and correlate this hack. I get it.</p>
<p>So rather than focus on things that we don’t know like many sources, let&#8217;s focus on things that we do know. At its most basic we know a couple of things. Sony had not done what they should to protect their critical data. They did not put the level of importance into Information Security and Cyber Security (those are different things) that needed to be there to mitigate the threats they faced.</p>
<p>They obviously had a lack of controls externally and internally that not only allowed the attack to take place, but did not identify data being exfiltrated out of the network. Even if the hackers did have someone internally helping them, that person was only taking advantage of gaps in Sony’s security controls. I truly understand that there is no silver bullet and no way to catch everything, but come on. Some of the things that happened I am sure had BIG RED flags had some simple controls been in place.</p>
<p>This being the case, few things are different about this hack than other hacks. Someone took advantage of Sony’s weaknesses. Sony did not do enough to mitigate risk. Sony did not have appropriate controls to identify threats. And Sony did not have the proper processes in place to respond to incidents when they took place.</p>
<p>If you look at every hack that has taken place over the last few years, the company that was impacted failed in one or more of those areas. This isn’t the end of the world. Most of us expect to be hacked at some point in the future though we all hope it’s either not on our watch or happens a long long long time from now. Either way, we are all in some way preparing to be or not to be the next hack of the day.</p>
<p>The threats associated with the hack that were directed to theaters are a little different. Primarily because very few if any hacks that I am aware of to this point crossed the line into physical security issues associated with public safety. Once this line was crossed they quickly became public enemy number one.</p>
<p>Funny thing is that at the same time, this hacker group has made this movie more popular than ever.  I wanted to see it when I first saw the trailer, but now I REALLY want to see it and so do many other people that were never interested in the movie initially.</p>
<p>Now, with the extent of the extortion and complete embarrassment of Sony Executives, that’s where the similarities end. This is going to drive different conversations.</p>
<p>I do not recall any other time where an executive was exposed due to a data breach except maybe HBGary which was VERY different. There have been many called to the carpet over lack of action. Called to Congress for lack of response to an incident. But rarely ones truly embarrassed publicly due to the release of private documents.</p>
<p>To this point, many of us have speculated that the cost associated with a breach would drive decisions to be made at an entirely different level. In this case, pure embarrassment is going to drive these conversations.</p>
<p>We all know that there are email and other documents flying around some organizations that some executives would never want to see the light of day. In Sony’s case, not only did they see the light and go into it, they ended up on every website, blog, and other media outlet in a very unflattering way.</p>
<p>This is the scariest part to many current executives. That flirtatious email, that derogatory email, that email where they actually said security was not important…lol. I am sure they exist and if they were exposed would not be flattering to the executives that sent them.</p>
<p>This will impact other company executives in a way we have yet to see from the current list of breaches. Though they say the organizations&#8217; bottom line and company brands are important, the lack of action for so many years shows that this is not as important as they “say” it is. However, sheer embarrassment and fear of public revelations of private communications would be even more impactful.</p>
<p>So when you look at this Sony hack, and you review the fallout from it &#8212; the sheer failure of their security program, if you can call it that &#8212; think beyond the traditional things that come to mind.</p>
<p>Think beyond their lack of security controls. Think beyond Sony’s inability to respond to the attack. Think beyond how it will impact Sony’s bottom line. Spend some time thinking about how public embarrassment has become their primary hurdle that they are trying to cross.</p>
<p>What would that mean for your company? What would that mean for your organization? What would that mean for you?</p>
]]></content:encoded>
					
					<wfw:commentRss>/whats-different-about-the-sony-hack-and-whats-not/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Are CISOs Better Off When They Think Like Security Entrepreneurs?</title>
		<link>/are-cisos-better-off-when-they-think-like-security-entrepreneurs/</link>
					<comments>/are-cisos-better-off-when-they-think-like-security-entrepreneurs/#respond</comments>
		
		<dc:creator><![CDATA[Larry Whiteside Jr.]]></dc:creator>
		<pubDate>Thu, 21 Aug 2014 16:57:23 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16714</guid>

					<description><![CDATA[<p>Recently I have begun to think about the strengths that make a good CISO. Some of those include technical understanding, business acumen, strategic vision, collaborative mindset, risk management mindset, and&#8230;</p>
<p>The post <a href="/are-cisos-better-off-when-they-think-like-security-entrepreneurs/">Are CISOs Better Off When They Think Like Security Entrepreneurs?</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Recently I have begun to think about the strengths that make a good CISO. Some of those include technical understanding, business acumen, strategic vision, collaborative mindset, risk management mindset, and probably many others that I missed.</p>
<p>These are traits that are similar to ones found in very successful security entrepreneurs. As I look across the spectrum of CISOs from where they were, to where they are, to where they are ending up late in their careers, I am beginning to think that the CISOs with an entrepreneurial mindset are the ones that tend to be the most successful in meeting the needs of their organization. If you think about it, there are a lot of synergies between entrepreneurial security people and corporate CISOs.</p>
<p>As an entrepreneur in security, you have to think not just about today, but about tomorrow and the years forward. You try and determine what the environment looks like today and how it is going to change tomorrow.</p>
<p>It is impossible for you to go into a bubble and come up with how to provide the best technology or service to your customer. Therefore, you go out and collaborate. You work with them to show how you and your team will provide the best value for them as a customer. You work diligently to understand their business, how it operates, and how you can best integrate to support it. At times, you will make business decisions based on certain risk, whether it be monetary or reputational risk. You market yourself and your capabilities. You constantly relay messages to your customers on how you provide value to them and their bottom line.</p>
<p>So what’s different about being a corporate CISO?</p>
<p>Not much if you ask me. On a daily basis not only do we as CISOs deal with operational items, but we must ask about tomorrow and beyond. How will what we see today change? How will this affect us as an organization tomorrow?  What is your three-year plan to reduce our risk, etc.…?</p>
<p>No effective CISO does these things alone. We do not go into a corner and come up with “Our Plan to Save the World,” we collaborate. We connect with our peers at industry events. We work with industry leaders that get insight from across other mediums. We subscribe to email lists, LinkedIn groups, we follow industry veterans on Twitter, and even listen to podcasts.</p>
<p>This sharpens our skills as it does that same entrepreneur. But wait, that’s not it. We similarly then go to our customers (internal or external business users) and find out what they want and need from us.</p>
<p>We work on how to provide value to their business and reduce their risk posture to meet their risk tolerance. We market to them the capabilities that our groups can provide. We talk to them about how we can be a positive impact on the business initiatives that are important to them. We talk about how we want to grow with them and enable them to be a better business, thus positively impacting their bottom line.</p>
<p>Hmmmm, sound familiar?  It should.</p>
<p>If you are a CISO and you realize that the things you are doing do not sound similar to either of these, then you may not be providing your company the best of what you can or should be providing.</p>
<p>As a CISO we have a creed that no one really talks about much these days. That creed is about ensuring we are providing value to our customer and our organization. That value can vary depending on many variables, but nonetheless providing value is key.</p>
<p>Many of us are so focused on getting the title that we lose sight of our purpose. If we each provide value to our organization, then we inherently provide value to others through our own organization.</p>
<p>It will take all of us collectively to win the battle that we are fighting. It is truly an uphill battle with no end in sight. However, if you take on the mindset of a security entrepreneur, you will begin to show value to leadership, your team, your customers (internal or external), your peers, and the industry as a whole.</p>
]]></content:encoded>
					
					<wfw:commentRss>/are-cisos-better-off-when-they-think-like-security-entrepreneurs/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
