Security professionals are at war, a panel of corporate security executives said at the RSA Conference in San Francisco Thursday.
Granted, the man leading the discussion was Mike McConnell, who, as former U.S. director of national intelligence, can be excused for using war analogies. The discussion was littered with battle references that made it clear military-style thinking is prevalent when discussing how to combat today's increasingly sophisticated and well-resourced cyber intruders.
Patrick Gorman, CSO of investment management firm Bridgewater Associates, discussed his "dynamic defense" approach to security. Dave Baumgartner, vice-president of cybersecurity for Target, talked about the use of "red teaming" (alternately referred to as "war gaming") to constantly — and covertly — attack the retail giant's defenses. Those defenses obviously have been shored up in the wake of the massive December 2013 data breach. And then there was David White, chief knowledge officer at cyber risk consultancy Axio Global, who used a medieval reference to describe security's past, and then proceeded to sound like a general readying his troops for combat.
"We're far past the castle-wall-and-moat era," said White. "We now know as a community that a well-motivated and patient attacker is going to get in, and we have to spend considerable time and attention on how we protect the enterprise from those inevitabilities."
Obviously, there's a huge difference between the risk profiles of war and cyberattacks. One involves death and carnage, and the other does not. But the takeaway for the security professionals listening to the discussion was that security today is a battle, and that they needed to marshal every resource at their disposal just to hold their own.
One of those resources is cyber-insurance. White stressed it was as critical as any other security component. Without it, Target would have taken a much larger hit to its bottom line after the data breach. Instead, the company reported receiving $44 million in insurance proceeds during the first three months following the breach, White said. The insurance payout likely reduced the sting of spending $61 million on the company's incident response activities during the first 90 days..
"The bottom line is whether the organization has enough resources to weather the storm," said White. "If you don't, I don't care if you have the best plans in the world, you're not going to survive the crisis."
Another resource that generated signficant discussion — but much less agreement — was the concept of information sharing. Much has been made of this topic at this year's RSAC, fueled by Congressional debates that culminated with the House of Representatives passing one of two pieces of information sharing legislation Wednesday.
While McConnell said he believed information sharing was going to help the industry tackle the issue of reducing the risks breaches present, Gorman questioned the view that information sharing represented some kind of security panacea.
"I think it's just a down payment on a larger discussion between the public and private sectors," he said.
David Lashway, a partner who leads the cybersecurity practice at global law firm Baker McKenzie, said one of the most promising aspects of information sharing is the liability it will establish. Lashway expects whatever law ultimately emerges to establish as negligent any company that fails to use the information it receives to prevent or minimize the impact of breaches.
"No longer will it suffice in the future to say 'I'm the victim of a crime,'" he said.
That said, Lashway said the legislation in its current form "doesn't go far enough" in spelling out that responsibility.
There will clearly be a lot to share when the time comes—from details of breaches that have occurred to best practices that have been acquired over time.
"Every time we have an event, every time we have an exercise, we learn several things," said Gorman. "It's not one big thing you learn, it's a lot of little things."