The “Ice Bucket Challenge” and Cyber Security

  • Saying "me too" isn't enough; some of the biggest security breaches and data losses in history occurred in companies that were PCI compliant.
  • Expertise and proper methodologies are key to establishing a security model that is secure, cost-effective, and compliant.

This summer’s Ice Bucket Challenge took the world by storm, with celebrities, executives, captains of industry, politicians, and everyday folks drenching themselves and calling out friends and colleagues to do the same to support ALS research. While this particular challenge targets a worthy cause and has raised over $100 million for ALS research, “me-too-isms” in the field of security and risk management can be dangerous.

Take compliance, for example. We in the security field often point out that compliance is not the same thing as security. Some of the largest data breaches in history have occurred in compliant environments. Me-too compliance with popular security frameworks and catchy acronyms such as SSAE-16 (Statement on Standards for Attestation Engagements), PCI-DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), and NIST standards (National Institute of Standards and Technology) may make for good advertising, and may even make for better security, but only with a deeper understanding and analysis of what each one does and does not cover.

A good security and risk management plan depends on knowing:

  • Your environment and your business
  • What has value, be it personnel records, customer data, intellectual property, national security information, Sensitive Personal Information (SPI), or Personally Identifiable Information (PII)
  • The impact of loss or exposure of such information
  • The likelihood that an event will occur that causes loss or exposure
  • The time-value of your business, that is, how much damage a loss of data availability causes as downtime accumulates

From this knowledge, a security and risk management plan can be derived that lays out a prioritized cost model for information protection: what to protect first, and how much protecting it is worth. From this plan, security and risk-management requirements can be derived, and a sound security architecture and design can then be implemented against those requirements.
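As an added illustration (not part of the original post), the following Python turns the five inputs above into a prioritized cost model using the common annualized-loss-expectancy method, which the post itself does not name: each asset's expected yearly loss is its breach impact plus its availability loss, scaled by likelihood, and candidate controls are ranked by loss avoided per dollar, with any control that costs more than it saves dropped. All asset and control figures are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float                   # what the data is worth if fully lost
    exposure_fraction: float       # share of value lost in a typical breach (impact)
    annual_likelihood: float       # probability of a loss event per year
    downtime_cost_per_hour: float  # time-value: cost of each hour offline
    outage_hours: float            # expected outage per event

    def annual_loss_expectancy(self) -> float:
        # ALE = (breach loss + availability loss) * likelihood
        single_loss = self.value * self.exposure_fraction \
            + self.downtime_cost_per_hour * self.outage_hours
        return single_loss * self.annual_likelihood


@dataclass
class Control:
    name: str
    asset: str
    annual_cost: float
    likelihood_reduction: float = 0.0  # fraction by which it cuts event likelihood
    outage_reduction: float = 0.0      # fraction by which it shortens outages


def prioritize(assets, controls):
    """Rank controls by loss avoided per dollar; drop any that cost more than they save."""
    by_name = {a.name: a for a in assets}
    ranked = []
    for c in controls:
        a = by_name[c.asset]
        mitigated = Asset(a.name, a.value, a.exposure_fraction,
                          a.annual_likelihood * (1 - c.likelihood_reduction),
                          a.downtime_cost_per_hour,
                          a.outage_hours * (1 - c.outage_reduction))
        avoided = a.annual_loss_expectancy() - mitigated.annual_loss_expectancy()
        if avoided > c.annual_cost:
            ranked.append((c.name, avoided / c.annual_cost, avoided - c.annual_cost))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def sample_assets():  # constructed figures, not from the post
    return [Asset("PII database", 2_000_000, 0.5, 0.10, 5_000, 24),
            Asset("public web site", 100_000, 0.1, 0.50, 2_000, 12)]


def sample_controls():  # constructed figures, not from the post
    return [Control("encrypt and monitor PII database", "PII database", 50_000, likelihood_reduction=0.6),
            Control("DDoS defense for web site", "public web site", 30_000, outage_reduction=0.8)]
```

With these figures, `prioritize(sample_assets(), sample_controls())` keeps only the database control (about $67,200 avoided for $50,000 spent); the DDoS service would avoid only about $9,600 a year against a $30,000 price, so buying it "because everyone has one" would be exactly the me-too-ism the post warns about.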

The resulting architecture can then include PCI certification, SSAE audits and reports, and security services such as DDoS defense, intrusion detection/prevention, cloud-based solutions, and other common security mechanisms. This time, though, the services are not included as me-too-isms, but as well-planned, risk-mitigating designs that trace back to a specific requirement.


Jeff Huegel, Cyber Security Chief Architect, AT&T