2014 taught us that massive security breaches are the new normal for U.S. companies, government
agencies, and universities. Some of the most prominent were Target, Home Depot, Neiman
Marcus, Apple's iCloud, Michaels, the U.S. Postal Service, the IRS, Community Health
Services, UPS, Staples, the State Department, Sands Casinos, USIS, eBay, PF Chang’s, JP
Morgan Chase, and, to sum up the year, Sony Pictures. The sobering reality is that it is
no longer a matter of if but of when and how often we are going to be breached. In
2014, we witnessed CEOs being fired, CIOs let go, boards of directors personally sued,
and company data stolen or sabotaged on a grand scale. What will the extent of the damage
be to our company, shareholders, and customers? What are the bad actors really after?

Innovation is the primary engine that has driven the U.S. economy over the past 100 years.
Our innovation has evolved over decades of extensive and compounded investment in trade
secrets, technology, and processes, including personally identifiable information (PII). Today,
companies have untold trillions of dollars invested in U.S. innovation. It is precisely our
innovation that is of superior value to data thieves. An estimated $500 billion is stolen
from U.S. companies and the U.S. economy each year. It is much faster, cheaper, and more
effective for bad actors to steal our innovations than to make their own investments in dollars,
people, and time. Nearly all of our innovation is converted and stored electronically as data.

A more frightening fact is that most of the breaches reported in 2014 were from retailers, which
account for only 20 percent of breaches. Publicly held companies are required to report all
breaches and that is especially true for retailers when it involves consumer PII. Conversely,
80 percent of (non-retailer) companies either choose not to report the breach due to a
potential stock hit or, worse, don’t know that they have been breached. Innovation and
trade secrets are more nebulous than PII and therefore more difficult to protect and notice
when breached or stolen. This fact is sobering.

The data protection strategy on which most companies focus today is defending the
“perimeter” or “castle walls.” This strategy has evolved over the past two decades with a
collage of products to address an array of security issues. By definition, individual products
have inherent limitations and quickly become obsolete. When mapping numerous vendors’
products together into a security solution, gaps in coverage appear. These gaps are further
widened by the assault on access points by smartphones, apps, and pervasive free Wi-Fi. In
2014, we became painfully aware that the perimeter strategy is no longer effective.

In 2015, It’s All about the Data

T. Casey Fleming, CEO, BLACKOPS Partners Corporation
Eric Qualkenbush, Board of Directors, BLACKOPS Partners Corporation

Section headings: A New World; Holy Grail; 80/20 Rule; Perimeter

United States Cybersecurity Magazine | www.uscybersecurity.net

Today, security strategies must quickly evolve into a hybrid model that critically focuses
on the data itself. Data must be classified as to its importance, with emphasis placed on
carefully controlling and vetting access all the way through the supply chain. A hybrid
model must also address all aspects of the human element, including insider threats,
external spies, disgruntled, separated, or careless employees, contractors, and suppliers.

A vacuum exists in nearly every company between the tactical and strategic views of information
security. Those career-focused employees who take the initiative to take personal ownership
of the 360-degree view will become indispensable to their company executives and fellow
employees. Employees who become experts in both perimeter and hybrid data-centric
models of defense and the current intelligence that drives them can expect to advance
rapidly as they fill important gaps in their companies. There are also opportunities
for C-level executives to engage their boards of directors in providing relevant
intelligence and solutions.

Data and information security is the responsibility of every employee, executive, board
member, contractor, and supplier. Each individual must be trained and certified each year
with the latest intelligence-driven and research-based tools. Training raises the awareness
level among all employees to maintain a higher level of data security for the protection
of everyone’s jobs. Awareness creates and maintains vigilance. Data security is everyone’s
responsibility, because stolen data may mean lost jobs.

Section headings: Hybrid; Get Engaged; All Hands

About the Authors

T. Casey Fleming serves as Chairman and
Chief Executive Officer of BLACKOPS Partners
Corporation, the leading management advisors
of America’s elite executive thought leaders from
intelligence, technology, federal law enforcement,
information security, and management consulting.
Mr. Fleming is a leading expert in the advanced
protection of innovation, trade secrets, and competitive
advantage for Fortune 500 companies, U.S. government agencies,
universities, and research facilities. Mr. Fleming is a former
innovative information security and management consulting
executive who created organizations for Good Technology,
Deloitte Consulting, and IBM Global Services.

Eric L. Qualkenbush is a member of the Board of Directors of
BLACKOPS Partners Corporation. Eric is a former intelligence
community senior executive with extensive experience leading large
multicultural organizations through transformational change. He is an
innovator who has created organizations and programs that deal with
the worldwide proliferation of weapons of mass destruction, insider
threat, and competitive intelligence. During his CIA career, Eric led
the CIA’s principal training organization and the office that created
and managed cover arrangements for all CIA personnel and others in
the US government. Eric also managed undercover CIA operations in
five overseas offices. Eric has done pioneering work on mitigating the
threats from insiders in private and public organizations.