Summary Bullets:

• New research from the IBM X-Force threat intelligence team said the most sweeping developments in cybersecurity are threat actor exploiting exposed systems, gaps in supply chain defenses and fissures in interlinked application and cloud ecosystems to increase the volume and effectiveness of their attacks.

• IBM X-Force saw a dramatic rise in the number of active ransom groups, noting that cybercriminals are employing leaked tools and playbooks while using AI to automate attacks.

It is no secret that the enterprise is under threat from ambitious and aggressive cybercriminals, and that these threats have been escalating. Recently published research from IBM X-Force bears that out, highlighting the fact that adversaries are quick to exploit some major vulnerabilities to breach their targets. Compiling data from incident response, penetration tests, the dark web, and other intelligence, the newly published X-Force Threat Intelligence Index 2026 uncovered that the most common entry point for bad actors is publicly-facing applications. Citing the increasing complexity of applications and the frequency of misconfigurations, these applications are easily breached. There was a 44% increase in the number of publicly facing applications breached this year versus last.

Summary Bullets:                

• A good security defense requires equal measures of investment in not only technology but also people and processes.
• Detecting breaches is not the end game, but the beginning of a process to understand the scope and impact and then respond quickly to minimize the damage.

Thinking about the latest revelations around the Target breach, and how Target’s FireEye deployment had alerted the company to the breach early on, it struck me that the company had invested appropriately in technology, but underinvested in its people and processes.  It’s easy for technologists to fall for the silver bullet trap, investing in technology with the belief that it will make a particular problem or pain go away.  It’s a whole lot harder to muster the resources required to properly exploit the benefits of the technology when budgets are tight and skilled security analysts are in short supply.  It’s time for enterprises to invest more in training to develop the skilled staff necessary to meet the challenges posed by today’s threat landscape.  At the same time, it’s equally important to invest in developing the processes needed to deal with the glut of alerts and follow-on investigations effectively required to scope out the extent of those potential breaches.  When key security employees leave, the appropriate training and processes can help fill the void left to insure such inevitable changes don’t negatively impact the organization’s security defenses. Continue reading “Good Security is a Three-legged Stool: Technology, People and Process” →

Summary Bullets:

• The steady rise of data breaches poses a danger that C-level executives will come to view those as a cost of doing business.
• But with those costs on the rise, organizations can’t afford the price tag, and they have to get better at managing risks in the new reality of mobility, cloud computing and consumerization of IT.

A few years ago at RSA I met an auditor who told me that at the time a lot of organizations that she dealt with considered fines from non-compliance with regulatory mandates to be part of the cost of doing business.  With the frequency in the number of breaches associated with such lapses in compliance increasing at a steady clip, are we approaching a time when organizations will view the cost of breaches as yet another part of the cost of doing business?  Have some organizations reached that conclusion already?  The Identity Theft Resource Center reported that breaches increased by 30% in 2013 over 2012 across a range of industries, with its total number of breaches reported at 619.  The total number of records exposed were 57,868,922, which included the 40 million reported by Target. Continue reading “Is the Cost of a Breach Becoming Yet Another Cost of Doing Business?” →

With 2012 drawing to a close in a year punctuated by a continuous stream of security breach headlines in mainstream business media, it’s an appropriate time to contemplate what New Year’s resolutions might look like for the CISO/CSO and others charged with securing IT infrastructure and the valuable business assets they carry. I’d like to offer up a couple of suggestions for those individuals to consider.  Those follow, in no particular order. Continue reading “My New Year’s Resolution Suggestions for CISO/CSOs” →

Summary Bullets:              

• IT security specialists need to expand their skills range, especially in technology areas that are seeing  the greatest amount of new investment
• Employers looking for good candidates need to put resources into training and mentoring programs in order to cultivate the mix of skills they are seeking

Here’s an interesting conundrum:  There is an acute skills shortage in the IT security job market, but at the same time those with security skills are being turned away when they seek to advance through new job openings.  It appears to be a combination of factors that have created this scenario.  In a recent TechTarget article, George Hulme argues that there are unrealistic expectations on the part of those hiring.  Many organizations appear to be looking for candidates with multiple talents.  Not only do they want specialists, they want candidates to be specialists in multiple areas, and they want those candidates to have some leadership skills or business acumen. Continue reading “The Great Security Skills Shortage” →