From: Government Security News

By: Torsten George

In October, the Securities and Exchange Commission (SEC) Division of Corporation Finance released a guidance document that outlines disclosure practices for public companies, in light of the most recent spike in cyber security attacks and associated data breaches.

The guidance document hints that companies have to pay more attention to assessing the impact of cyber security attacks and their outcomes; especially as it relates to weaknesses in the security posture and preventive measures of their organization.

While it will be interesting to see how this new guidance will influence the interaction between chief information security officers (CISOs) and their business peers as it relates to securing bigger budgets to address the risk associated with Advanced Persistent Threats (APT), here’s the overarching question: “Is the SEC guidance a sufficient measure to overcome the chasm between compliance and security?”

Thus far in 2011, we’ve seen record numbers of cyber security attacks and associated breaches, among them some very public disclosures from Citigroup, the International Monetary Fund, RSA (The Security Division of EMC), Lockheed Martin, Google, Sony, ADP, and NASDAQ. These attacks are just the tip of the iceberg. Government networks, critical infrastructure operators and the private sector are facing cyber attacks and breaches of information security with more frequency and greater sophistication — often with discovery coming after the fact.

The 2012 Global State of Information Security Survey, which was conducted by PricewaterhouseCoopers US in conjunction with CIO and CSO magazines among more than 9,600 security executives from 138 countries, reveals that only 16 percent of respondents believe their organizations are prepared for, and have security policies able to confront, an APT.

Even General Keith Alexander, head of the U.S. Cyber Command, acknowledges that the Pentagon and intelligence agencies must do more to protect their computer systems and coordinate with private companies to safeguard public networks.

Taking these statistics and statements from leading government and commercial sector security officials into account, the question arises whether the SEC guidance fell short of its objectives and stricter regulations are required to implement a risk-driven and security-driven approach throughout public and private industry.

It is well known that the majority of organizations put compliance first, not security. Unfortunately, being compliant does not equate to being secure: compliance is not correlated with the actual risk to the business, and it is assessed periodically rather than continuously. Thus, only regulations that mandate prioritizing security in the overall picture will really move the needle.

Shawn Henry, the Federal Bureau of Investigation’s executive assistant director, recently went beyond talking about regulations when he said that “we can’t tech our way out of the cyber threat” and called for a secure, alternate Internet. Henry’s comments reinforce the importance of protecting the cyber networks that are so much a part of our daily lives, given their interconnectivity, economic impact and importance to our national security. His call for the creation of an alternate Internet and non-anonymous networks would take years to put in place, and would require a major consensus in the U.S. and worldwide.

Instead, a determined and collaborative effort driven by the White House, security vendors, industry leaders and politicians is required to protect our nation’s critical infrastructure against disruptions and attacks. So, while the SEC guidance is an honorable step from a government agency, regulations should be considered that put security in the spotlight, as organizations have to overcome the “tick-box” mentality of traditional compliance mandates.

As a result, any consideration of stricter regulations to tackle cyber security threats should mandate the implementation of a proactive Information Security Risk Management system and related best practices.

The degradation of core security capabilities described in the 2012 Global State of Information Security Survey is illustrated by the fact that organizations’ defensive measures, such as perimeter intrusion detection and signature-based malware and anti-virus solutions, are unable to keep up with evolving exploits. Often, these security tools operate in silos and are not integrated and interconnected to achieve a closed-loop process and continuous monitoring. Another shortcoming is that the majority of vulnerability programs lack a risk-based approach, in which vulnerabilities and the associated remediation actions are prioritized according to the risk they pose to the business.

Fortunately, the public, lawmakers and regulators in Washington, DC, are becoming better informed as it relates to threats and vulnerabilities of the nation’s critical infrastructure, so that further actions are expected in the near future. Until then, private and public organizations should consider the SEC guidance as a wake-up call and overhaul their approach to Information Security Risk Management to counter cyber attacks and prevent data loss, unauthorized disclosure, and data destruction.

At the same time, they should pursue close collaboration with the U.S. Department of Homeland Security, which has set up a trial program to share cyber threat data with industry players in order to prevent intrusions. By implementing an Information Security Risk Management program, an organization can not only improve its security posture, but also become better prepared for the stricter cyber security regulations that are looming in the future.

Torsten George is vice president of worldwide marketing at Agiliance.