• SEC, Equifax, what’s next? Focus on – and fix – the stuff that matters in security.

    27 Sep 2017

    I recently consulted with a client on the SEC and Equifax breaches and had some thoughts that I left with that I wanted to share here:

    1. Your security program is only as good as your day-to-day processes and people. No amount of policies, plans, and technologies is going to prevent you from getting hit.
    2. Reactive security is apparently the new norm, at least according to SEC chairman Jay Clayton. I don’t disagree with this, in spirit. No one is 100% immune from hacking and breaches. However, you still have to make efforts find and fix the silly, stupid stuff that’s creating problems such as these. Just ask Equifax about web security penetration testing and patching and how seriously they should be treated.
    3. Unless and until the information security basics are mastered, you’re a sitting duck.
    4. More government, more regulation, more “cyber” whatever won’t fix these elementary security gaffes. It’ll certainly make it look like something’s getting done and (sadly) that’s often good enough…until the next breach occurs.
    5. Money spent on computer systems and applications does not translate to security. In fact, it can make it worse due to the false sense of security and because of all the system complexities involved. 

    Bottom line, pay attention to what’s happening. You can’t hit a target you can’t see – or aren’t even thinking about. Let these other peoples’ experiences and misfortunes be teachable moments for improving security in your business. Don’t repeat history because, as Stein’s Law says, if something cannot go on forever, it will stop.