Thales Blog

CyberSpies, Hacktivists, And Thieves…

April 10, 2012

An interesting statement was posted in a CIO article titled "IT Must Change Security Strategies to Keep Up With CyberCriminals." In the article, Steve Durbin, Global Vice President of the Information Security Forum, says: "Traditional risk management is insufficiently agile to deal with the potential impacts from activity in cyberspace."

Information security risk management is, or should be, based upon the fundamental premise that security controls should be implemented commensurate with the identified risk. It may be accurate that the techniques companies are employing are inconsistent with the basic premise of risk management, but the concept itself is certainly agile enough to support risk management in cyberspace. The larger issue appears to be that most companies are dogmatically following standards, such as PCI DSS, as a process for risk management instead of actually adhering to risk management principles. Recent news should be enough to demonstrate that checkbox security, as represented by industry and even regulatory standards, does little to protect data and even less to protect companies against the consequences of a data compromise.

Even in 2012, the idea of a "hard outer shell, soft chewy center" seems to prevail in data security. Hacktivists, cyberthieves, and state-sponsored espionage all utilize similar tools to penetrate network defenses. The primary difference between the groups lies in their motivation and objectives rather than their method of attack. Irrespective of the motivations, the best way to ensure data protection today is to be found in data-centric risk management: controls applied to the data itself, so that protection does not depend on the perimeter holding.

On February 28th, 2012, RSA's CEO stated to the crowd at the RSA Conference: "Our networks will be penetrated. We should no longer be surprised by this." While this is proving to be an accurate statement, companies should be focused on appending the statement to read: "While our networks will be penetrated, our data will remain secure."