This November marks ten years since Secure Digital Solutions (SDS) began as a company delivering thought leadership to clients in a way that accomplishes business objectives. In those ten years there has been a lot of change.
In 2005, companies defined information security as policy, procedures, firewalls and vulnerability assessments. A lot has changed in ten years, and still a lot has not. Today, in 2015, we are still focused on policy, procedures and vulnerability assessments, but also on securing mobile devices and personal devices in the workplace. Health information is now online in a big way, credit cards are stolen at an enormous rate, and we are supposed to believe that technology is making our lives easier.
The average employee spends roughly 28% of their workweek reading and responding to email, according to a McKinsey study conducted in 2012. Taking a look at the data for a moment: in 2005, 136 data breaches were made public, impacting 52,815,610 records. Contrast that with 2015, where 155 breaches were reported to the public, impacting a staggering 153,021,381 records. This information is reported by the Privacy Rights Clearinghouse chronology of data breaches. Comparing 2005 to 2015, there are only 19 more data breaches reported today versus ten years ago. However, it is clear the amount of information compromised is a much higher multiple, with over 100M more records compromised in 2015 compared to 2005. This clearly tells us that larger breaches are occurring, but also that businesses in general are storing more sensitive information online than ever before.
As a digital society we still have not solved information security. We continue to bring digital revolutions to consumers and deliver automation for our businesses, with security being a bolt-on feature in many instances. Ten years later our firm is still writing new security policies and emphasizing the importance of procedures, and we are frequently called upon to help clients conduct vulnerability assessments and penetration tests. These activities are important and the intentions are sound; however, it also means we as a digital society still have not “solved” some of the fundamentals of information security. In 2015, CISOs are working out the approach and the information needed to report the state and progress of their information security programs to the Board of Directors. This is a reaction to the Target and Home Depot data breaches. Whenever an executive is called upon to report to Congress the state of security, ladies and gentlemen, we as an information security industry have arrived. But yet, I’m not impressed at the attention information security is receiving. Why have Boards of Directors not demanded reports from the CISO prior to 2014? The industry is still very reactive in nature, but I do see hope as we are learning from our mistakes.
Circling back to our ten-year anniversary for a moment. In 2014 our team embarked on a journey to automate the measurement, analysis and communication of information security programs. Our business rule for doing so was to ensure we were not going to create another audit tool or GRC tool. Indeed we have accomplished this goal. We have solved what CISOs are struggling with in 2015 and beyond: reporting to the Board of Directors and executive stakeholders in a meaningful and consistent manner. We do this by measuring the processes that form your information security program based on maturity levels of six criteria from COBIT 4.1 (Awareness, Policy & Procedure, Accountability, Expertise, Automation and Measurability). Each of these criteria is measured based on its maturity level for each individual process, so you know which aspects of a process actually need improving and how well the other criteria of the process are actually performing.
For the month of November we are offering qualified clients an opportunity to try Accliviti for thirty days with no further obligation. To understand more about how we measure information security programs using Accliviti, refer to the blog titled “Processes are for Managers”. Accliviti is all about elevating the conversation around information security programs.
As CISOs and information security programs in general have dramatically shifted and matured over ten years, so has our practice at Secure Digital Solutions. We plan to continue to develop exciting new features in the Accliviti platform, as it quickly becomes the go-to CISO platform, supporting the CISO to become successful with the business for the business. Cheers to the next ten years!