When developing an information security strategy, it helps to start by determining exactly what data the business is responsible for and then implementing the necessary risk management measures. After all, how can you protect what you don't even know you have? Too many companies, however, don't understand the scope of their data assets and so create information security holes, according to Robert Shullich, enterprise security architect at Tower Group Companies in New York City.
In this video from the RSA 2014 Conference in San Francisco, Shullich sits down with SearchCompliance editor Ben Cole to discuss why companies that remain ignorant of their information assets are dramatically increasing their data security risks.
In your position as an enterprise security architect for Tower Group, what are some of your top priorities to ensure information security and reduce risk?
Robert Shullich: It's actually in the privacy area. Tower is a property and casualty insurance company, so we're in the financial industry. We have a lot of regulatory compliance. We're listed on the exchanges, so you have stocks. We have GLBA. We have the breach notification laws. It's basically protecting a lot of the personal information, protection of the PII. It gets down to pretty much privacy. As a matter of fact, I report to the privacy officer. If you keep the data safe, there isn't that much more to do as long as you protect the data. That's what you need to protect.
What are some of the challenges in doing that, especially with all the modern threats that are out there?
Shullich: A lot of the threats that have to be dealt with are more of the insider threats. But an insider threat is when people walk away with PII, or when people do dumb things, like clicking on links that allow them to get infected. It's hacking the human. Humans are a big threat.
What are some of the most dangerous new types of security attacks that companies should be concerned with? Also, what kind of security measures can help them overcome these attacks?
Shullich: Many companies work along a risk space, and the problem that we have, in my personal opinion, in several companies that I've worked for and consulted for, is that it's not like in an insurance company. If you're in life insurance, you do actuaries and you figure out how long the person is going to live. You can figure out those types of numbers. Those types of number crunching for risks, they know.
In information security, we don't know the components of the total risk, such as the probability that it's going to happen and sometimes what the impact is of what's going to happen. A lot of times, the business believes 'oh, it's not going to happen' or 'we'll never see it happen,' or that 'nobody wants our data.' They're not realizing that it's automated attacks and nobody knows who they're attacking anyway.
Most of the attacks are undirected -- script kiddies and everybody else. Within the threats that you know you have to deal with, you may have another threat out there. A lot of organizations don't know what their inventory is. They don't ever do data asset management, or they don't do it properly. Even if they're doing threat intelligence and get information like 'we have a threat against the Linux box,' sometimes people don't know what version of Linux they're running, how it's patched, or whether the threat applies to them. They may assume that they don't have Linux.
I worked for a company before that said, 'oh, we don't have to worry about Solaris,' but they had acquired a company that had Solaris. Mergers and acquisitions can be very, very dangerous. Even after an M&A, you have to have that inventory. You need to know what your data assets are that could be attacked. You need to know who's attacking you. At some organizations, management doesn't know who their enemy is, or they don't know what the probability of an attack is going to be, or they don't know the impact. You need to know those numbers. If those numbers are miscalculated and they're on the low side, then there's a lot more risk there that's not being accounted for.
How can companies determine that information? Is it just a matter of research into what your risks are?
Shullich: I think a lot of the challenge is educating your C-level, even if you're a CISO. This includes educating management, the board. You have to talk in business terms. You have to show that this is the type of risk, this is the type of problem you're going to have. There are a lot of cases where things happen, and you don't realize it until somebody comes out of the woodwork. Take a third-party relationship: You have a third-party relationship, then you end that third-party relationship. Then a couple of years later, something happens. OK, that was our data. They still have it. What do we do?