Recently, Doug Lhotka, executive cybersecurity architect for IBM Security, sat down for a meal with a dozen CISOs, and picked their brains about what the biggest threat to their organizations was.
And he was surprised with the reactions he got.
“I was expecting cybercrime, nation-state hacking,” he said, speaking May 17 during a presentation at the HITS Spring: The Hollywood Innovation & Technology Summit. “But the consensus was finding and retaining qualified talent. Even when they do find them because of the demand, they’re out the door 12 months down the road for $30,000 more a year.
“And when that happens, they lose all of the knowledge of the security infrastructure and corporate infrastructure.”
Right now, IBM Security estimates there are 150,000 unfilled cybersecurity jobs in the U.S., and that number is expected to rise to 1.5 million by 2020, “and I actually think those numbers are low,” Lhotka said.
And that’s just the start of the cybersecurity challenges facing organizations today. Cyberthreats continue to be treated as special cases, when they should be treated as the norm, Lhotka added, with companies continuing to simply react to a crisis and move on. Security infrastructures are in the dark ages, Lhotka said. He looked a decade back and more, back before mobile and IT and cloud advancements, and pointed out that most security considerations were about defending the perimeter, and that’s what most organizations continue to do.
“The truth is, we don’t have a perimeter anymore in our organizations,” he said. “Like the old joke goes: There are two types of companies. Those who’ve been breached, and those who know they’ve been breached. The bad guys are already inside.”
The average time the bad guys are in the network before being discovered is 250 days, Lhotka pointed out. “They’re extremely patient when attacking organizations,” he said. “We’re truly in an era of industrialized threats, and those threats fall in three categories.” Those are confidentiality attacks, where records and data are stolen; availability attacks, or ransomware; and denial of service attacks.
There are emerging attacks as well, including integrity attacks, which attempt to change stock prices or the expiration of your Netflix account.
“If you’re going to protect your brand, you have to take a step back, and truly assess where you’re at in this environment today, and look at the risks that you face,” Lhotka said.
Part of assessing your risk, is prioritizing what’s important … not everything can be protected all the time, Lhotka said. There’s just not enough time, money or manpower. Audits and a compliance are a start, staffing is another step, and updating your security infrastructure is yet another.
Security infrastructures have been built piecemeal as reactions to attacks, and that doesn’t prepare companies for emerging attacks. The approach requires, instead, an alignment of your security preparedness with prioritization of what’s important within your organization.
“Awareness and insight is key to security,” “It’s about having good instrumentation throughout your environment. Having that information collected and moved up to a central repository … a real analytics platform that finds the anomalies. And then you have to actually be able to take action on that information.”
“Information is the fuel that our security operation center runs on.”
HITS Spring was produced by the Media & Entertainment Services Alliance (MESA) and the Hollywood IT Society (HITS), in association with Women in Technology: Hollywood (WiTH); the Content Delivery & Security Association (CDSA) and the Smart Content Council. The event was presented by Entertainment Partners, with sponsorship by Expert System, LiveTiles, Microsoft Azure, Ooyala, Veritone, Amazon Web Services, Avanade, Avid, IBM Security, MarkLogic, Aspera, Light Point Security, MicroStrategy, SAS, Scaeva Technologies, Western Digital, Brainstorm, Zaszou IT Consulting and Bob Gold & Associates.
To access the IBM Security presentation, click here.