In Cyber Crisis

We are a country in crisis in regards to adopting adequate Information Security practices.   I am not an alarmist but when I review the Cyber Security update that my team compiles and sends out a couple of times per week and see multiple breaches in every update and when I see reports like the one conducted by Adam Dodge or the Verizon Report that show steady amounts of information security breaches every year I have come to believe that we are a country in Cyber crisis.

Puzzling to me is that for some reason we, as a society have decided that the safeguarding of personal information should be a soft skill that is done by committee instead of by the certified and trained professionals we hire into Information Security roles.  Interesting enough the members who are sitting on the committees making Information Security and data protection decisions are often times not Information Security professionals.   To use an analogy – it seems that instead of deferring to our qualified “pilots” we are allowing the passengers to fly the airplane without providing them flight instructions first.  If we really want to protect our corporate data then we cannot  keep making Information Security decisions, such as should Personally Identifiable Information (PII) be encrypted, by consensus.  We also need to see the cost benefit with hiring Information Security professionals and then listening to their advice. Due to a large data breach the State of South Carolina recently ended up paying $12 million that could have been put to better use; they could have asked any of us Information Security professionals if the data they lost should have been encrypted at rest and in transit to save $12 million.  Instead (and this is pure conjecture on my part) they probably made the decision not to do so by a consensus of the CIO and other IT professionals, none of whom were trained Information Security professionals.

In my personal life I refrain from telling my accountant how to complete my taxes or from telling my surgeon where and how to make her surgical cuts.  It is time, if we truly want to protect our data or the data we are entrusted to safeguard, for our communities to start adapting the course of action that Information Security Professionals and Information Security Standards advise. If we don’t start allowing our certified and trained professionals to specifically mandate how organizational PII, Intellectual Property, e-PHI, collectively referred to as restricted data, should be protected we will continue to allow this data to be lost or stolen.

While there is no silver bullet that will prevent 100% of this type of data loss most experienced and certified information security professionals know that there are many controls and safeguards we can put in place, if allowed to do so,  that will minimize the loss of restricted data.

Note – my use of the words Information Security is synonymous with Information Assurance.

© Kevin L. McLaughlin, probably cited re-use is acceptable

About mclaukl

Professional Certifications - Certified CISO, CISM, CISSP, PMP, ITIL Master Certified, GIAC Security Leadership Certificate (GSLC), CRISC. Kevin also holds Certificates in the Advanced Principles of Information Security and in Advanced Information Security Research Methods from Jones International University. Kevin L. McLaughlin began his career as a Special Agent for the Department of Army. He was responsible for investigating Felony crimes around the globe. He has had many careers over the years, including being a Police Officer in Kissimmee Florida, an Investigator for Mastercard/Visa, a Middle School teacher, a Director at Kennedy Space Center (where he worked with Fred Hayes, James Lovell, Armstrong, Sheppard, etc.), the President of his own company, an IT Manager and Senior Information Security manager with the Procter & Gamble (P&G) company (fortune 35), a CISO at the University of Cincinnati and a Senior Information System Security Manager for the Whirlpool Corporation (fortune 125). Kevin has also been an adjunct since 1992. While at P&G Kevin created one of P&G’s augmentation outsourcing teams in India. Kevin designed and implemented this India team and it won a global Gold Service award from Atos-Origin and has acted as a model for countless corporate relationships since. Over the years Kevin has: created an Information Security program conducted Information Security Strategic planning designed Information Security solutions, investigated over 700 Cyber cases and operated a Global Security Operations Center. • Education - MS in Computer Science Education, BS in Management of Information Systems * PhD in Cyber Security, University of Fairfax
This entry was posted in Uncategorized and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s