I’m a CISO of a large company and today I woke up from a 30-year nap. My nightmares were nothing compared to this.
When I went to sleep, my company had a mainframe and dumb terminals. There was an internet, but my company wasn’t connected to it. Very few people had computers at home, and I had just paid $1000 for a 2400 baud modem.
Our customer lists and intellectual capital were only accessible by a select group of people who could only access them from inside our building. Most of our prized information wasn’t even stored on a computer – blueprints and diagrams were locked in file cabinets in locked rooms on locked floors in secure buildings.
I guess a few things changed while I was asleep.
Almost everyone got a computer. A lot of people have more than one. Companies have thousands of them.
All the computers got connected. Everywhere. We don’t even need wires anymore.
We take computers everywhere and they’re connected everywhere. The computers that fit in our pockets are orders of magnitude more powerful than anything I had access to in 1985. They’re even on our wrists.
The information I’m supposed to protect safely in our building? Ha! – I don’t even know what country it’s in. And there is a lot more of it now, so much of it important. We thought of RAM in kilobytes back then, and massive storage in megabytes. These numbers both got multiplied by about 1000. Twice. Our customer lists and much of our intellectual property are stored in Salesforce and in Office365, which are amazing applications stored on someone else’s computers in someone else’s data centers. “The cloud” — that’s cute.
So there is no perimeter around the information I’m supposed to protect – it’s everywhere. I don’t control all of the infrastructure it’s stored on. I don’t control all the devices employees use or the networks they connect with. I can’t even be sure about the people – they’re easily duped into giving away their credentials or clicking on links in their email (what the heck is email?) that install backdoors or other malicious programs. Others are out to steal data. Some of the people are contractors or business partners, and I’m even less sure about their intentions.
It’s not about the perimeter. It’s not about the systems. It’s not about the network. It’s not about the devices. I can’t blindly trust the people. We’re being attacked every second from all over the world. Where do I begin?
Can’t I just go back to sleep?
Ok, then what?
- First, we need to understand the assets I need to protect. Where they’re stored – physically if we can, logically if we can’t.
- We need to be able to see and control who has access to these assets.
- We need to watch – as much as I can. I need to know the people who use data, understand how they use data, when they use data, how much they use it, who they share it with and how, from which locations and which devices.
- We need to learn what normal activity looks like so we can have a chance of seeing something abnormal before it causes harm.
- We need to know when we don’t need these assets anymore so we can lock them down or maybe even get rid of them.
So where are we with these five things?
Unfortunately, based on my review with the team, we scored 1 out of 5. Here’s how my conversation went:
What do we know about where our sensitive information is stored?
We store millions of files with the private information of our customers, partners and employees and they’re all over the place. Some are in file shares. Some in the cloud. Some are in SharePoint. I hope you had a nice nap, sir. Feeling refreshed and all.
Can we go find our critical data?
We started a classification initiative to find our critical data – the good news is we found a lot of it.
What’s the bad news?
Well, we’re not really sure how to lock it down without losing our jobs. You see, we don’t know if anyone is using it, or who, and we don’t really know who to talk to about it.
So you’re not tracking who is using it, you don’t know who it belongs to, and so you haven’t been able to lock it down – is that correct?
That’s about right, sir. We’ve made some great advances in mouthwash, by the way…
How would we know if someone with access to it started stealing it or deleting it?
Probably like last time, when the story ran on CNN. Have you tried a cinnamon bun yet sir? They’re really quite delicious.
How long do we keep this information that we don’t lock down or monitor?
We have no plans to delete anything. Even if our lawyers and compliance officers agreed to what we could delete – like things that haven’t been accessed in 3 years — we’d have no good way of finding all of that information.
What have you been doing for the past 30 years???