[BreachExchange] Should we change our thinking around data breaches?

Destry Winant destry at riskbasedsecurity.com
Tue Mar 5 10:30:14 EST 2019


Cybersecurity expert Steve Tout says that a more proactive approach is
crucial to guard against data breaches.

Data breaches are a growing risk and can have devastating effects on
the organisations that experience them as well as the people whose
information is stolen.

As founder of Forte Advisory and previous CEO of VeriClouds, Steve
Tout has seen trends develop over his 18 years in the security
industry with firms such as PwC and VMware.

Tout is a seasoned expert in identity and access management, and he
told Siliconrepublic.com that the way many security professionals
approach breaches needs to change to truly tackle the issues in a
proactive manner.

What should be done to change the narrative around data breaches?

In 2019 we are already seeing data breach incidents that are largely
preventable. The patterns I am seeing are: overprivileged access, lack
of visibility in multicloud environments, little to no access
governance in place and poor password hygiene. None of these problems
are related to technology – they are leadership and management

Historically we’ve seen business leaders look at investment in their
cybersecurity portfolio as a cost centre, as a cost of doing business.
Their rationale has been: ‘We haven’t had a breach yet and if we did
the recovery costs would amount to less than doubling or tripling our
budget on protection.’

The CFO will look at breach avoidance as an operating expense on an
Excel spreadsheet, and there is no compelling return on investment
(ROI) when looking at cyber in this way.

I’ve always talked about there being two ROIs in the investment in
cyber: the risk of ignoring and the ROI. The main point I would make
about changing the narrative around data breaches is that most of them
are totally avoidable. Customers and citizens are beginning to hold
companies and governments to higher standards of ethical behaviour and
due care.

Can you talk about the issue of credential compromise and how this
relates to dealing with breaches?

The game strategy is so simple that my 11-year-old daughter
understands it: use the same compromised credentials that hackers do,
albeit in a secure manner, but as a protection mechanism, not a hacker
scheme. Problem solved.

The reality today is that many leading organisations think they are
protected from these types of attacks by enabling 2FA or by calling on
the popular service Have I Been Pwned (HIBP) in a programmatic way,
and that is just a false sense of security.

2FA is not and cannot be deployed everywhere, and HIBP is not a
security solution. Having the ability to prevent logins using breached
credentials is a transformation for most organisations, and fills a
huge gap left by low adoption rates of 2FA solutions. 2FA and HIBP are
not enough.

How can organisations streamline their cybersecurity responses?

The best way for an organisation to streamline its incident response
is to not have an incident to begin with. That comes from being
proactive with regards to investment in its cybersecurity technology
portfolio, embracing adaptive, intelligence-driven security solutions,
and investing in maturing the disciplines and capabilities of the
programmes themselves.

First off, we looked at how investing in a cybersecurity programme can
have ROI measured in top-line growth. Not only can an organisation
achieve a better security posture overall, delivering safer online
experiences, it can touch the customer in important ways that enhance
the lifetime value of that customer.

Secondly, there are some excellent new technologies available today –
PETs such as identity proofing, identity threat protection and
authentication protocols like FIDO U2F security keys – that enhance
security posture while providing enhanced user experiences across
desktop, mobile devices and things.

Thirdly, technology alone doesn’t cut it. Every security programme has
risks. Not acknowledging them or planning for them puts the programme
at risk of failure (best case) or leaves the business vulnerable to a
data breach, and none of us want that to happen.

What poor habits lead to breaches in terms of both individuals and

A major shortcoming in business today is the fixed mindset of security
leaders – ‘This is my security strategy for 2019, so I’m set’ – and a
false sense of security that comes from the idea that ‘I have MFA
enabled, so I’m protected’.

I posit that weak and compromised credentials have never been the
leading cause of data breaches. That just so happens to be how
cybercriminals get into a network, which is right through the front

It’s the fixed mindsets of business and security leaders that leave
organisations vulnerable to cyberattacks and consequently to
devastating data breaches. The fixed mindsets and false confidence are
dangerous, yet I encounter them a lot more than I’d like to.

Do you think a change in outlook is on the way for how we deal with
breaches? If not, what will it take for it to happen?

The silver lining in all that I’ve said so far, which might sound
gloom-and-doom, is that I do see a change in outlook for how we, as an
industry, are beginning to think more proactively about breaches.

There are some companies who are finally going far beyond asking Have
I Been Pwned to assuming a state of breach, that we are all victims
now and U Have Been Pwned already.

In 2018, we saw a renewed interest in zero-trust security, which
acknowledges that controlling access through legacy perimeter-centric
models is no longer effective. A lot of companies are already on board
with this movement. Like any model or framework, zero trust has its
own set of challenges, but it’s promising. I just hope that it doesn’t
come and go like the Macarena dance did.

I’m also encouraged by the amount of interest in privacy by design and
the potential to persuade businesses to proactively invest in better
security controls that differentiate their offerings, if not to simply
do the right thing.

In October 2018 the Oasis group announced support of dozens of
companies and 12 countries (including the UK, China, Canada and Korea)
to define a new international standard for consumer privacy by design.
This is the ISO Project Committee 317 aiming to prevent data breaches
and give consumers more control. With companies such as American
Express, Amazon, Equifax and many others behind this initiative, I am
optimistic about the future of privacy.

Ryerson University and Deloitte have partnered to offer privacy
certification that shows promise of ushering in a new era of privacy
protection for the consumer.

My hope here is that more vendors will join the movement and help
organisations become more proactive and less remedial with less

More information about the BreachExchange mailing list