Degrees of Defensibility
The Equifax hack is well known by anyone who has picked up a newspaper or had internet access over the past week or so. Since the (latest) breach was announced, both the CIO and CISO have “retired”, the stock has cratered and millions of people are downright pissed (and rightfully so). The fallout of this hack will be felt by Equifax and anyone who happens to have credit in the USA and some other countries such as Canada (where the number of impacted went from 0 to 100K in a single press release) for years to come. This article discusses how you can use security certification to improve your corporate defensibility when you suffer a breach.
Nobody outside of Equifax really knows what happened. Was it a zero-day vulnerability that was used to gain a foothold in the systems? Why on earth wasn’t a username/password combination of admin/admin ever discovered? Did the CFO block funding to implement what the CISO knew was needed? Was it poor governance? Does Equifax corporate policy dictate that critical application vulnerabilities can be patched within a two month period? Too many questions remain unanswered for anyone to pass judgement. Aside from the executives who I’m assuming will soon be charged with insider trading for selling stock prior to the announcement, the biggest PR problem with this hack appears to be the credentials the CISO had. Ms. Susan Mauldin has been put through the wringer because of her degrees in music. I have no idea when Ms. Mauldin obtained this degree. It doesn’t really matter either, because quite frankly, it’s irrelevant. In fact, I’m going out on a limb here and saying any degree in any discipline that is older than a few years (5 at most) is useless to address real-world IT security challenges today.
This IT security field is ever changing. What was best practice just 5 years ago is no longer applicable. We have moved from strong defenses at the perimeter to having a lot of data in the hands of 3rd parties, alongside many other customers, in a multi-tenant cloud model. We have cyber supply chains that we didn’t have just a couple of years ago. Encryption has moved well beyond being something limited to a VPN to models where data is encrypted even during use. What IT security will be in 5 years won’t be what it is today. Does a Computer Science degree obtained from MIT in 1995 address today’s security challenges? It doesn’t. It is, however, defensible. This is Equifax’s problem. A CISO with a music degree makes for easy bad press and negative social media.
How could Ms. Mauldin (and Equifax) have had defensibility? Certification in IT security. There are many choices out there she could have followed. She could have obtained her CISSP, CISM, CISA or any other appropriate security certification and easily had defensibility. She didn’t and now look what has happened to her career. Unjustly I’m sure, her CISO career is over and that’s a shame.
I think we have finally hit the tipping point that companies are going to be forced to get IT security workers at all levels certified. Is certification a silver bullet that guarantees your company will never be hacked? Nope. That said, had Equifax been able to point to Ms. Mauldin’s certifications and 100 security certified IT employees as a sign of their commitment to IT security they wouldn’t be in the PR disaster they are in today. I’m not saying having a deep roster of CISSP holders would have stopped the attack, but I do believe a deep security culture would likely have ensured a critical patch was addressed in less than 2 months and that systems wouldn’t have admin/admin as administrative credentials.
Using the CISSP as an example, our retail pricing on classroom CISSP training (5 days) is $2700. Taking the exam is another $600. Adding an average of $1250 per employee in wages to cover “downtime”, this comes to $4550 per employee, or a grand total of $455K to train and certify 100 employees. Equifax posted a net income of $488 million last year. This proposed training plan doesn’t even represent 1/10th of 1 percent of Equifax’s profit from 2016. It’s easily manageable; the question is leadership commitment to IT security.
Like it or not, security and PR are more closely related than we security people may want to admit. Cloud Service Providers have been using security as marketing collateral for quite some time. Perhaps it’s time that all companies do the same by allocating some marketing budgets to assist in building up a deep employee roster of security certification holders. That way, when it does hit the fan, they’ll at least have a defensible position.
What are your thoughts? Should companies focus on certifications for employees to increase security and bolster defensibility?