Major corporations have made serious mistakes with information security recently, resulting in spectacular failures to protect business and customer records. After years of warnings, why do so many businesses still fail to deal properly with this issue? Eugene H. Spafford, a professor of computer science at Purdue University who frequently advises government, law enforcement, and big companies, has some ideas. He spoke with technology journalist Brian Krebs for Technology Review.
TR: You recently testified to Congress about the Sony breach, which appears to have happened after the company ignored warning signs about holes in its PlayStation network. How does an organization as big and as technologically advanced as Sony fail so massively on security?
Spafford: Some business management organizations simply do not have a proper IT security organization, and often that function is still kept under the company’s chief information officer. When that happens, the people who deal with security are way down the line, and they don’t have [access to] the CEO or the company’s board. So the security function of that organization isn’t funded and doesn’t have the authority at a high enough level to really operate the way it should. Many IT organizations have grown up from the level of system administrators who started at the bottom of the organizational hierarchy. These typically are people with computer science and technical training, but they don’t speak business. They don’t always understand risk or cost-benefit analyses. As a result, they are not able to present the business case for security and privacy issues. We learned recently that Sony didn’t have a chief information security officer [CISO] prior to the attacks that exposed personal and financial data of more than 100 million customers.
TR: But is there any evidence that Sony’s lack of a CISO contributed to the breach? In other words, is the answer to these types of breaches really just to spend more money on security and add additional layers of organizational bureaucracy?
Spafford: Well, CISOs aren’t exactly duplicating someone else’s job. For one thing, there is a bit of a conflict by design between the CIO and the CISO. The CIO’s job is to make information available, and the CISO’s job is to make sure that certain information is not available—limiting where information goes, setting rules for those who should have access to it, and then setting rules and consequences for when those rules are violated.
To your second question, there are many things that companies need to do and spend resources on that have no obvious return on the bottom line, including maintenance of their buildings and grounds, or equal-opportunity and antidiscrimination training. It’s the same thing with security policies: if you don’t spend enough on them and keep at them, at some point something bad is going to happen and you’re going to end up paying an awful lot more than you would have if you’d gone about it more proactively. It’s the responsibility of informed parties within an organization to understand the risks and appropriately plan the investment up front to build defenses against the most expensive risks, and to make plans about how to cope with what’s left when they occur. That has to be part of overall business planning, but someone at a high enough level in the organization has to understand that.
TR: Sony’s case doesn’t appear to be an anomaly. It seems almost daily now that we’re hearing about breaches that expose huge caches of consumer information. Why do you think that is?
Spafford: It’s a whole set of things that have come together, and not any one factor. We have more systems and data available on the Net than ever before. There are more people who are on the Internet and who are Internet-savvy, so there is a greater set of targets and a greater set of people who want to exploit those targets. And these crimes are occurring faster than the increase in law enforcement resources and our ability to deal with them. The crimes also are being masked better, and as a result the criminals are able to be bolder and there is less deterrent value. So many of them are going after much bigger targets.