Either that or the criminals and "events" will cause you to react in ways that you will regret.
There is a good presentation from last year's Arch Con(Saint Louis Arch): http://www.youtube.com/watch?v=7GCC-0a_mVs
The opening keynote by Richard Bejtlich (@Taosecurity) - Applying Strategic Thought to Digital Defense
Is very interesting to contemplate after the Sony and Anthem breaches and the coming year ( the convention was on September 24, 2014)
Of course when discussing with executives a "Cyber Security Strategy" consider the following: CEO and CFO execs do not really understand the computer and Internet they use every day. They want it to work and be secure period.
Now you need to wake them up 🙂 It is 2015 and remember the Y2K scare if you will... The Y2k issue was when computer people realized there may be a problem with some software as it only accounted for the last two digits in various software when describing the year (such as 98 for 1998) So the wise IT people woke up one day in the late 90's and said: what happens in the year 2000? When the year 00 is actually greater than 99? So all of a sudden all software that for whatever reason(programmer laziness etc.) only had 2 digits for the year now needs to be 4 digits.
The switch from 2 to 4 digits was not a fast switch, all programs had to be rewritten to 4 digits. The ones most scary were what is called the BIOS (Basic Input Output System) it is the program that initially connects the operating system to the computer parts (hardware). So if this program quits working nothing will work on the computer. The whole IT industry went into a major overdrive and overtime to fix all the software by 12/31/1999. And then hoped that all the fixes worked on New Years day Y2000. Fortunately all the effort paid off, and the few problems that arose were handled.
It is my belief we need a Y2K effort for cyber security for 2015. There is no time like today - this year this time we will do it.
We must have better security - spend the money this year get to a higher level of security and then it will not be a big deal in the future. Reduce the capabilities of the criminals by upping your security Just as recommended here:
http://www.fixvirus.com/catch-any-malware-including-equationgroup/ (setup an IPS firewall to catch all attacks from inside and out) Also similar http://oversitesentry.com/your-cyberdefense-still-2000s-thinking/
We need a new level of security testing and thinking, otherwise we will have worse and more serious attacks than Sony, which means the attackers will try and delete and disrupt actual commerce. Do you really want to live with http://www.fixvirus.com/what-if-the-hacker-is-in-your-network/ ?
Richard Bejtlich has a good Outline to follow for all of hte people in the company to improve security:
theme Who is in charge? Actions - goals
Program Goals Board And CEO Minimize loss due to intrusions
Strategies CEO/CIO Rapid detection, response, and containment
Operations/campaigns CISO or security director match and hunt for intruders
Tactics Security Staff Collect, analyze, escalate & resolve incidents
Tools Vendors Various software
The Directors and CEOs have an important role and have to be brought up to speed. It is up to us the IT people to talk their language.
Contact Us to get your security up to speed Y2015 and beyond don't go back to Y2000.