Before cybersecurity became a standard part of our lexicon, the practice of keeping information and data safe was simply known as information security. Although the two terms are still used interchangeably, there is a definite distinction between them, and that distinction explains how the discipline has evolved over the past two decades. Understanding that evolution provides perspective and practical guidance when your organization sets out to build and implement a cybersecurity program today.
Flashback to twenty years ago: the development of information security
About twenty years ago, new compliance requirements were passed for financial institutions. The Gramm-Leach-Bliley Act (GLBA) of 1999 held the financial services sector accountable for how it handled customer information, whether in electronic or hardcopy form. Because so many transactions were now electronic, GLBA included new rules that financial institutions had to follow to protect their customers' sensitive and personal information.
The legislation required financial institutions to have a written information security plan (WISP). They had to conduct a comprehensive risk analysis covering how they handled nonpublic information such as account balances, account names, dates of birth, and Social Security numbers. Institutions also had to measure effectiveness by testing the program's controls to confirm that the safeguards over how information was stored, processed, and transmitted were functioning correctly.
Realizing there was a problem
When GLBA was put into place, financial institutions were tasked with one major item: protect the data that they held and were accountable for. Sounds simple, right? Not exactly.
Since their focus was to protect customers' data and personally identifiable information (PII), financial institutions started implementing a variety of security controls: firewalls, intrusion prevention and detection systems (IPS and IDS), antivirus software, and so on.
While these controls were better than anything institutions had deployed up to that point, they soon proved insufficient. Breaches kept happening, and data continued to be compromised. Attackers were becoming more sophisticated, finding indirect paths to the data through less obvious, more easily exploitable assets elsewhere in the network environment.
Because of this, the focus shifted away from the data alone. A more holistic approach was needed to safeguard every part of the network, not just the obvious assets that held the data. Once organizations realized they needed to protect their whole environment from attack rather than only the information itself, the discipline of cybersecurity took hold across organizations worldwide.
Ten years later: the emergence of cybersecurity
Flash forward a decade, and organizations were seeing far more sophisticated attacks across multiple vectors. DDoS attacks, remote-access compromises (as in the Target and Home Depot breaches), and zero-day vulnerabilities (flaws exploited before a patch exists) were being leveraged all the time. Attackers moved quickly to weaponize newly disclosed vulnerabilities against exposed networks. Organizations also started getting breached through their third-party vendors. For example, an attack on Target's HVAC vendor provided the entry point for Target's 2013 breach, which affected some 41 million consumers.
The emerging threat landscape reinforced the lesson that an organization's security is only as strong as its weakest link. We could no longer focus only on our critical assets.
Where we are today
Cybersecurity events of some kind will inevitably happen to every organization, whether small, large, private, or public; no one is immune. With proper controls in place, incidents can be identified as early as possible so that the organization's assets and network can be protected. The range of available exploits is vast, and an unprotected network can be compromised within seconds of exposure.
Cybersecurity is a holistic, all-encompassing approach in which an organization embeds security practices across its people, processes, and technology. The hallmark of a mature cybersecurity program is that it is an integrated part of the organization's mission and culture. In other words, people know their roles and responsibilities, and they understand what security actions need to be taken both internally and externally. Ultimately, an organization that takes a programmatic approach to identifying, protecting, detecting, responding to, and recovering from security events of any kind (the five core functions of the NIST Cybersecurity Framework) will be resilient in today's ever-changing threat environment.