

Let’s Focus on the Basics of Information Security

27 October 2015

Academia, Financial Services, Healthcare, Non-Profit, Risk Management

Congress is getting ready to vote as early as this week on the controversial Cybersecurity Information Sharing Act (CISA). The bill defines a framework for information sharing between the federal government and private industry, and it shields private-sector companies from liability when they voluntarily share cyber threat indicators with the federal government.

Proponents of the bill say it will encourage private organizations to share information about cyber threats, and that the organizations that receive this data will be able to strengthen their security posture as a result. Opponents are primarily concerned with the lack of protection for private citizens’ data that would be passed to the U.S. government along with those indicators.

There is a lot of talk today in the media and across government and private industry about how information sharing will significantly reduce security incidents and resulting data breaches. In fact, Comprehensive Applied Security Solutions (COMPASS) recently co-sponsored an executive-focused conference with Johns Hopkins University’s Information Security Institute about this very subject, Information Sharing and Consumer Data Privacy.

After listening to experts with strong opinions for and against this piece of legislation, I think the bill is premature and misses a key point about the state of IT security hygiene in most organizations today. Although information sharing is potentially a piece of the puzzle and may reduce security incidents, I find it comical to think that organizations are ready for this as one of their next steps in securing data.

In fact, most businesses are not even doing basic information security hygiene.

The reality is that most organizations are barely doing the basics when it comes to securing their data, and many are not doing them at all. It is naive to think that they would even know they had been breached unless an external entity, such as a cyber security firm or a law enforcement agency, told them. When organizations are not performing basic patch management, segmenting their network infrastructure, or teaching their employees how to create strong passwords, they can hardly be expected to act on shared threat indicators.

Information sharing can be an important component of enhancing an organization’s data security, but if the organization does not have the processes, tools, and trained people in place to act on what it receives, the information is not very useful.

Organizations should focus on developing a security roadmap that addresses the three pillars of cyber security: technology, people, and policy. Once they have addressed the basics of information security, it may be beneficial for them to have access to current threat intelligence derived from information sharing. In the meantime, they should resist looking for a single “magic bullet” and focus on the basics.

COMPASS has developed a methodology that combines the discipline of project management with current cyber security technology and data-protection best practices to perform comprehensive and cost-effective assessments, which can include information classification. This methodology enables our clients to address their cyber security needs cost effectively.

In today’s hyper-connected world, every organization is just one data breach away from being a leading story on the news and social media, which can severely damage its reputation and brand. Find out how to protect your institution. Contact COMPASS to learn more about our methodology and service offerings and how they can help your organization develop a robust cyber security ecosystem.
