Information security professionals face mounting threats, hoping some mix of technology, education, and hard work will keep their companies and organizations safe. But lately, the specter of failure is looming larger.
“Pay no attention to the exploit behind the curtain” is the message from product vendors as they roll out the next iteration of their all-powerful, dynamically updating, self-defending, threat-intelligent, risk-mitigating, compliance-ensuring, nth-generation security technologies. Just pony up the money and the manpower and you’ll be safe from what goes bump in the night.
Thing is, the pitch is less believable these days, and the atmosphere is becoming downright hostile.
We face more and larger breaches, increased costs, more advanced adversaries, and a growing number of public control failures.
U.S. businesses continue to hemorrhage credit card numbers and personally identifiable information. The tab for the Heartland Payment Systems breach, which compromised 130 million card numbers, is reportedly at $144 million and counting. The Stuxnet worm, a cunning and highly targeted piece of cyberweaponry, just left a trail of tens of thousands of infected PCs. Earlier this month, the FBI announced the arrest of individuals who used the Zeus Trojan to pilfer $70 million from U.S. banks. Zeus is in year three of its reign of terror, impervious to law enforcement, government agencies, and the sophisticated information security teams of the largest financial services firms on the planet.
While the White House’s Office of Management and Budget has set a deadline of November 15 for federal agencies to begin submitting their cybersecurity compliance reports via a new application called CyberScope, rather than with voluminous stacks of paper, 85% of federal cybersecurity managers have yet to use the new software, according to a recent survey.
In all, only 15% of the high-ranking government IT officials who were surveyed as part of the study in July said they had used CyberScope. While those who had used the tool rated it with an “A” or “B” grade, the rest largely said they don’t understand CyberScope’s goals and submission requirements.
These findings come despite the fact that CyberScope was introduced in October 2009, that the Department of Homeland Security has been offering CyberScope training, and that top officials like federal CIO Vivek Kundra have repeatedly discussed CyberScope’s value in addressing concerns about FISMA.
“November is right around the corner and Feds should realize the value in embracing this new FISMA reporting tool,” Tom Conway, director of federal business development at McAfee, said in a statement. “We are working diligently with our federal customers to help leverage their current large investments in security solutions to meet this new compliance mandate.”