ISACA Now Blog


Lessons from the Sony breach: Four things that need to happen now

Posted at 3:24 PM by ISACA News | Category: Security

When the finger pointing about attribution stops, the recent Sony breach will endure as one of the three most significant cybersecurity events of 2014 because it once again highlighted a number of critical gaps in the ability of individual organizations to defend themselves against targeted attacks. A breach of this magnitude can make us all wonder: how are organizations supposed to defend themselves when attacked by a nation state, or by a highly organized criminal group with deep pockets and a high level of know-how?

Think about it this way. If an organization’s headquarters or a branch office were under physical attack by armed assailants, it would normally call the police, who would dispatch the SWAT teams and other resources needed to physically protect the organization from further harm. But in today’s world of advanced cyberthreats, when an organization is under siege, there generally is no such protection offered to it.

Organizations must defend their own information assets in today’s threat landscape. Here are four steps they should take immediately.

  1. First of all, organizations must develop a stark sense of reality about what they can and cannot do well in cybersecurity. CIOs, CISOs and security leaders must revisit the organizational structure and skills of their security teams and of any IT staff with responsibility for securing information assets. This analysis involves a deep review of what currently are, or can become, core competencies for the organization, and where it might need help from outsiders. Important questions to ask include:
    • What is the right structure for the security team?
    • What skills are required, and where are the gaps?
    • If we need to have these skills in-house, do we need training and certifications?
    • Which additional skills should we hire for, and which should we outsource to service providers who are more experienced in these areas?
  2. Foster deeper collaboration within your industry and across industries. We all know that the bad guys share information freely and across borders and do not have to play by the rule of law. So it is critical for the good guys to have more opportunities, at all levels, to collaborate both electronically and in person to share information and intelligence about current attack techniques and emerging threats. We need more effective collaboration forums than we have today. Better collaboration will help alert companies to the latest threats and help them identify the right solutions and service providers. There is some great collaboration happening in certain industry sectors today—financial services is the most successful example—but we need a significant increase in information sharing and collaboration, and this change requires more trust among practitioners and changes to regulatory and legal frameworks. One of the missions of ISACA’s Cybersecurity Nexus (CSX) is to create additional collaborative environments going forward for practitioners at all levels to share information.
  3. Take a back-to-basics approach by focusing on protecting what matters most to the organization with solid security controls. More organizations should implement effective governance and controls frameworks, such as the U.S. NIST Cybersecurity Framework and ISACA’s COBIT framework. When an organization fully commits to implementing a model framework, it has a much higher likelihood of success in protecting its crown jewels, with the added benefit of not having to reinvent the wheel. If a company focuses on good controls based on accepted standards and frameworks, some of the cyber risks it faces would be greatly reduced.
  4. Do not just create good contingency plans and incident response plans—practice them. It is critical to involve a wide variety of players across the organization, not just IT and security. Communications, legal and senior management all must be involved, and so must the outside service providers who augment an organization’s key cyber skills. For incident response plans to be effective, the internal and external ecosystem must be well understood, and all parties must be ready to act. Given what we all observed in 2014, practice may not make perfect, but it sure will help a lot.

Last, but certainly not least, it is critical that security practitioners understand the relationship between their organization, its people, its IT assets and the kinds of adversaries and threat actors they are facing. It is only through this analysis that the right cybersecurity program can be designed and implemented, with budget, skills, intensity and performance all balanced at the appropriate levels.

Eddie Schwartz, CISA, CISM
President, White Ops, Inc.
Chair, ISACA’s Cybersecurity Task Force


99.9% Contract SLAs prevent most of this from ever happening

Great Post - thanks!
I have found that in most organizations, IT risk management is never more than an interesting academic exercise that never percolates "down" to IT operations, which is driven by SLAs and corresponding KCOs that specify the requirement to patch and maintain "99.9%" of all assets, regardless of relative risk.
I don't stay up at night worrying about 99.9%, I worry about the 10% "crown jewels", but my contract SLAs make me spend my limited resources on the other 89.9%.
In my opinion, the Sony and Target class of breaches will never be resolved until we start changing the language of SLAs to allow focus on the 10%, but I haven't seen any examples of this (yet).
Andrew589 at 1/8/2015 9:05 AM


Eddie, great post! I especially like the point about developing a clearer sense of reality. However, I would suggest that this should be done first and foremost at the executive level. There is a significant and growing gap between executives’ perception of risk and the real level of exposure facing their organization. Cybersecurity, and enterprise resiliency for that matter, must become a standing boardroom agenda item, not just a backroom set of activities delegated down the chain. In addition to developing a clearer sense of reality, executives need to set the tone and define what matters most for the organization – what is their value chain. This tone at the top will help align everyone’s focus and efforts, and improve the return on risk management investment.
Alberto Jimenez at 1/12/2015 4:05 PM

Even more important steps than the suggested four...

There's no dearth of Standards, Policies, Procedures and Best Practices. It's the laid-back approach towards securing systems effectively that opens doors to breaches. Time and again audit findings are not taken seriously and are put on the back burner by IT Management.

1. Management should not get complacent over the lack of security breaches until now.

2. Management should view Audit as a "value added" service and implement all meaningful findings seriously.

3. Companies should set up Ethical Hacking teams and empower them to be proactive.

4. Companies should not pinch money by cutting out on Cyber security training.
Sohaha at 1/13/2015 10:24 PM

ISO27001 framework

Just to add to the NIST and COBIT frameworks. I feel ISO27001 is a better fit. It covers point 4 of testing BCP, and point 3 of keeping an inventory of assets in order to protect them.
lancePENG at 2/10/2015 4:26 AM