INTELLIGENT BRANDS // Enterprise Security
POWERED BY
Steve Booth, Chief Security Officer at FireEye

On nation-state threat activity:

From the nation-state activity that we see and that we see our customers coming up against, we’ve observed that these actors are not just sticking to traditional espionage. Sure, there is a sizable chunk of APT groups that literally have to fund their country’s government – groups that are looking to steal military technology for example – but that is just part of it. Now you have nation-state adversaries targeting the supply chain and more.

The other part of it that ends up being particularly interesting for me is that there are no norms for this – there are no rules of engagement. If a nation were to take a bunch of soldiers and steal money from the banks of an adversary, that would be an act of war. However, if they do it with computers, it’s not. And then you’re simply left asking, ‘is it not an act of war, or has it simply not been declared an act of war yet?’

On whether any specific industry should be on high alert:

Pretty much every industry needs to be on high alert these days. The better way to ask that question would be, ‘name an industry you think is safe.’ A few years ago, you may have said, ‘well they only generate power – what could anybody ever want from them?’ But now everyone is talking about the energy industry.

Or you may hear from a company that, ‘we only make locomotives.’ The truth is that there are petabytes of data created on that locomotive and someone out there can benefit from access to it.

It’s not even just a matter of destruction or theft – some attackers may want to manipulate the data, some may want to just embarrass the organisation and some may want to affect business. With that thinking, any company can come into the crosshairs of attackers.

On what organisations should be doing to stay ahead of threats:

Shifting gears a little bit to regulation, I get asked all the time about GDPR. How do you see that changing anything? And do you expect any other changes in the security and regulatory nexus?

The answer has always been to get the job done for real. There is the basic upkeep and hygiene and those kinds of things but that alone won’t stop the determined attacker. Unfortunately, we see more organisations submitting to that mentality of ‘why bother? They’re going to get in.’

We can’t have that mindset. To stay ahead of threats and minimise risk, we need to focus on the current wars we’re fighting – not the battles we’ve already lost – and keep innovating at the speed of, or faster than, attackers.

Internally, in my group, we have ended up with this kind of maniacal focus on ‘what are the things we should abandon and put truly zero security time on?’

For instance, I don’t have any conversations with my server group telling them what they should patch this month. That would be a waste of security time. My teams know what they have to patch. They have their jobs and they have to get their jobs done; and they do get them done.

One of the obvious changes is that everybody seems to have their own regulation. They have them not only per country or per region but also per state. There is even a ‘per industry’ inside individual states. GDPR is interesting because it does change the rules quite a bit. Some folks are on board and others not so much.

I think GDPR has the potential to become similar to Sarbanes–Oxley (a 2002 US act that sought to improve the accuracy of corporate disclosures), although perhaps without the freaking out. You go through and you do all the assessments, privacy impact analysis and those kinds of things. I think GDPR is really going to get down to how people become compliant.

As in, do you just sort of have one figurehead data protection officer that covers everything? Or do you have one per business unit, or per product silo, in order to do it for real? Some of this stuff hasn’t been tested in court yet so it will be interesting to see how it all turns out.