Cybersecurity in 2016: Predictions from Elsewhere

One of the best things about this time of year is the spate of predictions that accompany the season. Herewith, a look at some of the more interesting security-related predictions from various IT and security industry observers.

Forrester Research “is one of the most influential research and advisory firms in the world”—according to the company’s website. Hard to argue. On Nov. 30, 2015, Health Data Management published “5 Cyber Security Predictions for 2016,” a summary of predictions from Forrester. Here’s what Forrester predicts, according to that article.

  • We’ll see ransomware for a medical device or wearable
  • The U.S. Government will experience another significant breach
  • Security and risk pros will increase spending on prevention by five to 10 percent
  • Defense contractors will fail to woo private industry with “military grade” security
  • HR departments will offer identity and credit protection as an employee benefit

On Dec. 15, 2015, Network World published “A Few Cybersecurity Predictions for 2016,” an article by Jon Oltsik, principal analyst at Enterprise Strategy Group (ESG). ESG is a firm with “a 360° perspective” and “remarkably detailed, nuanced views of technologies, industries, and markets”—according to the company’s website. Herewith, a summary of Mr. Oltsik’s predictions from that article.

  • Greater focus on cyber supply chain security
  • The consumerization of authentication
  • Cyber insurance continues to boom
  • A rise in ransomware

A wide range of predictions can be found in “The 2016 Websense Cybersecurity Predictions Report.” The report is produced by Raytheon|Websense Security Labs, part of a joint venture that combines Websense with Raytheon Cyber Products. The venture “brings together researchers, engineers and thought leaders from around the world to discover, investigate, report and – ultimately – protect our customers from sophisticated, evasive and evolving Web- and email-based threats,” its website says. The predictions from its report appear below.

  • The U.S. elections cycle will drive significant themed attacks
  • Mobile wallets and new payment technologies will introduce additional opportunities for credit card theft and fraud
  • The addition of the gTLD [generic top-level domains] system will provide new opportunities for attackers
  • Cybersecurity insurers will create a more definitive actuarial model of risk – changing how security is defined and implemented
  • DTP [data theft protection] adoption will dramatically increase in more mainstream companies
  • Forgotten ongoing maintenance will become a major problem for defenders [of IT security] as maintenance costs rise, manageability falls and manpower is limited
  • The Internet Of Things will help (and hurt) us all
  • Societal views of privacy will evolve, with great impact to defenders

Perhaps some of the most interesting predictions for 2016 and beyond can be found in “McAfee Labs Report 2016 Threats Predictions.” McAfee Labs, now part of Intel Security, “is one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership,” according to the report’s introduction. The report begins with a five-year look into the future, created by 21 of Intel Security’s thought leaders. Here’s a summary of what they predict for the next five years.

  • The cyberattack surface will continue to grow, thanks to continuing explosive growth in users, devices, connections, data and network traffic
  • Attacks and defenses will continue and increase a shift in focus, away from systems and applications and toward firmware and chips themselves
  • Attacks will continue to become more and more difficult to detect
  • Virtualization will present more and different cybersecurity threats and opportunities, especially as network function virtualization (NFV) grows in popularity
  • New device types, including wearables and those connected to the Internet of Things (IoT), will challenge security efforts, and cyber threats will continue to evolve
  • IoT security standards will evolve and improve
  • The growing value of personal data will lead to more sophisticated thieves and markets, and more security and privacy legislation
  • The security industry will fight back, with new and evolving tools including behavioral analytics, shared threat intelligence, cloud-integrated security and more automated detection and correction

The range of these predictions and the common elements that link many of them provide valuable guidance and validation to any of you who are seeking to improve security at your enterprise. And of course, we at Shavlik have our own predictions to add to the mix, as well as a review of how well we did with our end-of-2014 predictions. You can download these here. We hope you’ll find all of these predictions, from Shavlik and elsewhere, helpful and inspirational. Here’s to a happy, productive, profitable and secure 2016 for you and your enterprise.

A look at the top 5 most vulnerable vendors from 2015

I have read a number of speculative articles recently, discussing the number of bulletins and vulnerabilities released/resolved by Microsoft. Was it due to the introduction of Windows 10, Edge and several other product releases this year? I am going to say no. Let’s expand out past looking at just Microsoft and I think you will agree as well.

Taking a look from a vendor perspective, Microsoft finished 2015 with 135 security bulletins released and a total of 571 vulnerabilities resolved. This is the highest bulletin count to date, topping the previous shared 2010/2013 high of 106 bulletins. It also tops last year’s all-time vulnerability high of 376 vulnerabilities resolved across 85 bulletins and is more than double the number of vulnerabilities resolved in 13 of the last 15 years.

Even with 571 vulnerabilities resolved, Microsoft took the No. 2 spot on the Top 50 vendor list on CVE-Details. No. 1 goes to Apple, who finished 2015 with 654 vulnerabilities. Mac OS X contributed 384 of those vulnerabilities, which is more than three times the 2014 count of 130 vulnerabilities resolved. This jumped them from No. 5 in 2014 to No. 1 this year.

Cisco came in third this year with a new all-time high of 480 vulnerabilities resolved. This only tops its previous 2013 high by around 50 vulnerabilities.

Oracle is in the No. 4 spot this year and is the only vendor in the top five that finished the year without topping its vulnerability high. They resolved 479, which is down from their 2013 record of 496 vulnerabilities.

Adobe finished the year in fifth place (up from No. 8) with 440 vulnerabilities resolved. This is a new all-time high and also more than double the previous 2010 record of 207 vulnerabilities. This jump comes from the staggering 295 vulnerabilities resolved in Adobe Flash Player in 2015.

Here is a visual recap of the Top 5:

[Figure: summary of the top 5 vulnerable vendors]

As you can see there is a trend here and there are many contributing factors. Exploits and breaches are on the rise. One of my favorite visual examples of this trend is the POS Breaches Timeline from OpenDNS Security Labs. It starts back in 2002 with a six-year gap until the next major event. As you go forward there is an explosion in 2012 and it keeps increasing rapidly. This timeline focuses just on Point of Sale (POS) breaches, but the visual is on a similar trajectory to the broader security industry trend. Threat actors are better organized, better funded and there are more tools available to them than ever before. Off-the-shelf exploit kits are a competitive product market in today’s dark web hacking services markets and the number of products and increase in features they provide coincide with the drastic increase in breaches we have seen since 2012.

The exploit gap is also shrinking. From the time an update that resolves a vulnerability is released, barring a Zero Day, you have about two weeks before the exploits start to hit. According to the Verizon 2015 Breach Report, 50 percent of vulnerabilities that will be exploited are exploited within two to four weeks of the release of an update from the vendor. One of the contributors to the Verizon Breach Report, Kenna Security, released an additional report that goes further out and shows that 90 percent of vulnerabilities that will be exploited are exploited within 40–60 days of an update being made available from the vendor. They go on to discuss that many enterprises struggle to release updates within 120 days. In fact, 99.9 percent of vulnerabilities exploited in 2014 were exploited more than a year after an update was made available to resolve the vulnerability. In the case of web exploits that time falls to less than 24 hours for major vulnerabilities.

We have a general upward trend of exploits and a shrinking window between updates from a vendor and exploit code being made available to take advantage of the resolved CVEs. Events of the three previous years set the stage for vendors in 2015. Let’s take a look at our top 5 vendors and talk about how this trend may have affected each.

Apple has a combination of OS, Browser, and Media player products all of which are prime targets for attackers. Mac OS X is gaining in popularity, but so is OS X related malware. “There’s been an unprecedented rise in Mac OS X malware this year, according to security researchers at Bit9 + Carbon Black, with the number of samples found in 2015 being five times that seen in the previous five years combined.” With such a prolific increase in negative attention, Apple has had to step up its game on resolving vulnerabilities. The company is digging into and resolving vulnerabilities in components that likely did not receive the same level of attention in years past.

Microsoft has long held the OS market and it has built out browsers, media players and the Office suite of products. Microsoft has been a big target for a long time and there is no question that the trends we are seeing would have directly affected them. The thing I will add here is Windows 10 and Edge were likely much less significant in their contributions. OS bulletins released since Windows 10 have affected earlier versions of the Windows OS similarly and the same vulnerabilities were being addressed across different versions, so there were few net new vulnerabilities introduced by Windows 10. If you look at a filtered view of CVEs affecting Windows 10 you will see in the description a list of many of the currently supported OS versions also affected. Edge did contribute additional security bulletins that would not have been in the mix otherwise, but most of the CVEs affected other components of the OS and IE browser as well. Similar to Apple, the increase of CVEs is in part due to the fact that they are focused on hardening shared components and products that previously were not being targeted.

Cisco did have an influx of CVEs resolved this year and a new all-time high, but the increase was not nearly as large as that of Apple, Microsoft or Adobe. Cisco does have its proprietary OS for its devices and, as far as CVE counts go, it has a count on par with many of the individual Windows OS and Linux distributions. It has other products, such as Cisco Anyconnect VPN, that could be an ideal target for attackers, but it does not have a browser or wildly popular media player products (as we will talk about with our No. 4 and No. 5 vendors). With Cisco, the huge list of products is the other significant contributing factor: over a thousand products, each with small contributions, add up to put the company in the No. 3 spot.

Oracle is down from its record 496 CVEs in 2013. It was the only vendor of the top five that didn’t set new CVE records this year. Probably the most high-profile product with security issues in the Oracle portfolio is Java. Java has been a high-profile target due to its popularity and availability worldwide. More importantly, Java is one of those products that gets neglected too often. Older applications built to run on Java often required a specific version of Java. If you updated Java, you broke the application. This resulted in an easily exploitable scenario that threat actors have taken advantage of for years and still do. It was so easily exploitable that a site was created to track how many days since the last Java Zero Day. Oracle went through some changes in the past few years and its security practice seems to be paying off. It reached 723 days without a Zero Day until CVE-2015-2590 hit earlier this year. It is back up over 150 days since the last Zero Day and its total CVE count (80) is trending down from the 2013 peak of 180 CVEs resolved.

Adobe charged into the top five this year with the most significant increase over the previous year. With over three times the increase in CVEs resolved, Adobe had a busy year and much of the attention was on Adobe Flash Player. Adobe Flash Player has gained the same broad use and popularity that caused Java to become a target. It has, quite possibly, topped Java for its notoriety as a vulnerable product. This year Adobe faced a staggering eight Zero-Day streak. Early in the year three Zero-Days were reported in a two-week span. The Hacking Team breach uncovered a few more midyear and it did not stop there. Security experts have called for the death of Flash Player, from Brian Krebs’ life without Flash Player series to tech giant Google killing Flash in its browser. Flash Player contributed 295 of the 440 total Adobe CVE count for 2015, which more than doubled the 2014 count of 138 on its own. Adobe is trying to move away from Flash and in January 2016 it will restrict distribution of Flash Player by removing it from its public download pages and restricting access to companies with Adobe Enterprise Agreements in place.

So from the pattern we are seeing, OS and commonly used media products are a significant contributor to counts for our top 5 vendors. The browser is another significant contributor. Apple Safari and Microsoft Internet Explorer and Edge contributed 135 and 231 CVEs respectively to their vendors’ total counts this year. Two vendors worth noting that did not quite make the top five are Google and Mozilla. Google Chrome contributed 185 out of Google’s total 321, putting them in the No. 6 spot for vulnerabilities by vendor. Mozilla Firefox contributed 177 out of 187 total, placing them at No. 8 for vendors in 2015. So in the great browser faceoff, you have the following:

  • Microsoft Internet Explorer with 231 CVEs falls in at No. 4 for vulnerable products and No. 1 for browsers.
  • Google Chrome with 185 CVEs falls in at No. 8 for products and No. 2 for browsers.
  • Mozilla Firefox with 177 CVEs falls in at No. 9 for products and No. 3 for browsers.
  • Apple Safari with 135 CVEs falls in at No. 19 for products and No. 4 for browsers.
  • Microsoft Edge with 27 CVEs makes the list, but I would not place them this year as they were a late year entry into the race. We will see where they fall next year.

Overall you can rest assured that if you are running a computer with an operating system, a variety of media player products and a browser, you are as vulnerable as you can possibly be. The window between product release and exposure has shrunk considerably, so you need to be proactive and effective in deciding what you will deploy and how frequently. So what to do? You need to bring your processes and tools up to a new level to deal with these threats.

Challenges:

  • Updates can break critical systems. Yes, but with proper prioritization you can reduce this risk by making sure to deliver updates for the most likely to be exploited vulnerabilities. There are threat indicators out there that will tell you much of what you need to know. You can join our Shavlik Patch Tuesday webinar series where we discuss updates that occur on the infamous Patch Tuesday, as well as other releases and indicators that will help you here. We will be posting 2016 versions of that series shortly and you can catch a playback of the December webinar there as well.
  • I run maintenance once a month and users complain about that event. You want me to update more frequently? Yes, we are absolutely saying any system with an end user must be updated more than once a month if you are going to weather this storm. Features of our Shavlik Protect + Empower products are specifically designed to ensure you can reach users wherever they go and also work around their needs to reboot and finalize installs of updates effectively. The ProtectCloud enabled agents allow you to push policy updates to systems that reside off network without opening security risks to your network or the end user system. We host this service for you and provide it as part of the base feature set of our product so you can reach those systems and ensure you can report on them no matter how long they stay off network. With our SafeReboot technology you can provide the user a variety of reboot options from deferring reboot for up to seven days, reboot at logoff or at next occurrence of a specified time.
  • I am on SCCM and cannot switch to another solution, so how do I cover the frequency of product updates and the number of products that are on my network? We have a plug-in for Microsoft System Center Configuration Manager. It is called Shavlik Patch and provides our catalog of third-party updates, including those we spoke about above, so you can quickly publish those updates in SCCM and not change your infrastructure or processes you have in place.

The Communicator’s Corner: Patching 101

In this article, I’d like to get back to the basics and describe the best process for performing your patch management tasks. If you follow the steps provided here, you will reduce the number of deployments to your machines and make your workflow more effective.

Start with the Big Stuff: Apply all Service Packs

The best approach to maintaining patch levels on a machine is to start with service packs. Service packs are very involved. Vendors typically recommend installing service packs one at a time. Shavlik Protect enforces this recommendation programmatically by not allowing more than one service pack in a deployment. You will almost always want to perform a reboot before applying additional service packs or patches.

Detailed Course of Action

Here is your best course of action when applying service packs and patches.

  1. Start with any operating system service packs.

Be sure to adequately test the service pack before deploying it to your entire organization. After deploying the service pack you should reboot the target machines and then perform a fresh scan. Rescanning will give you the new state of the machine so you can continue applying service packs.

  2. Apply major product service packs such as Office, Visio, and SQL.

Order does not matter here, but we do recommend rebooting between each of these major service packs. Though not as common, these product service packs can also change the state of a machine considerably.

  3. Deploy any remaining service packs and then rescan the target machines.

The remaining service packs must be pushed in separate deployments, but you can perform the deployments with no reboot. Provide an adequate delay between each deployment. When the last service pack is applied, reboot and rescan the target machines.

  4. Deploy any missing patches and perform a reboot.

This will include patches for:

  • Microsoft operating systems
  • Microsoft products such as Office, Internet Explorer, etc.
  • Third-party patches

You may need one or more additional reboots here, depending on the state of the machine.

  5. Rescan and confirm that everything has been applied.
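The ordering in the steps above can be written down as a small planner plus a checker that flags plans breaking it. This is an added example, not part of the original article and not Shavlik Protect code; the `Missing` and `Step` types, the kind labels and the item names are assumptions made for illustration, and the plan is built from a single scan result, so a real rescan may change what remains.

```python
from collections import namedtuple

# kind: "os_sp", "major_sp" (Office, Visio, SQL), "other_sp" or "patch"
Missing = namedtuple("Missing", "name kind")
# action: "deploy", "wait", "reboot" or "rescan"
Step = namedtuple("Step", "action items")

SP_KINDS = ("os_sp", "major_sp", "other_sp")

# Constructed scan result; the names are placeholders, not real updates.
SAMPLE_SCAN = [
    Missing("os-patch-1", "patch"),
    Missing("tool-sp-1", "other_sp"),
    Missing("office-sp", "major_sp"),
    Missing("os-sp", "os_sp"),
    Missing("thirdparty-patch-1", "patch"),
    Missing("sql-sp", "major_sp"),
    Missing("tool-sp-2", "other_sp"),
]


def build_plan(missing):
    """Order the missing items the way the article's steps describe."""
    def of(kind):
        return [m.name for m in missing if m.kind == kind]

    plan = []
    # Step 1: OS service packs, one per deployment, then reboot and rescan.
    for name in of("os_sp"):
        plan += [Step("deploy", (name,)), Step("reboot", ()), Step("rescan", ())]
    # Step 2: major product service packs, any order, a reboot after each.
    for name in of("major_sp"):
        plan += [Step("deploy", (name,)), Step("reboot", ())]
    # Step 3: remaining service packs in separate deployments, a delay
    # (not a reboot) between them, then reboot and rescan after the last.
    others = of("other_sp")
    for i, name in enumerate(others):
        if i:
            plan.append(Step("wait", ()))
        plan.append(Step("deploy", (name,)))
    if others:
        plan += [Step("reboot", ()), Step("rescan", ())]
    # Step 4: all missing patches in one deployment, then reboot.
    patches = tuple(of("patch"))
    if patches:
        plan += [Step("deploy", patches), Step("reboot", ())]
    # Step 5: final rescan to confirm everything has been applied.
    plan.append(Step("rescan", ()))
    return plan


def violations(plan, kinds):
    """Check any plan against the ordering rules; kinds maps name -> kind."""
    problems = []
    sp_steps = [n for n, s in enumerate(plan) if s.action == "deploy"
                and any(kinds[i] in SP_KINDS for i in s.items)]
    last_sp = max(sp_steps, default=-1)
    needs_reboot = None  # OS or major service pack deployed, no reboot yet
    for n, step in enumerate(plan):
        if step.action == "reboot":
            needs_reboot = None
        if step.action != "deploy":
            continue
        sps = [i for i in step.items if kinds[i] in SP_KINDS]
        if len(sps) > 1:
            problems.append(f"step {n}: {len(sps)} service packs in one deployment")
        if n <= last_sp and len(sps) < len(step.items):
            problems.append(f"step {n}: patches deployed before service packs are finished")
        if needs_reboot:
            problems.append(f"step {n}: no reboot after {needs_reboot}")
        heavy = [i for i in sps if kinds[i] in ("os_sp", "major_sp")]
        needs_reboot = heavy[0] if heavy else None
    if not plan or plan[-1].action != "rescan":
        problems.append("plan does not end with a rescan")
    return problems


if __name__ == "__main__":
    for n, step in enumerate(build_plan(SAMPLE_SCAN)):
        print(n, step.action, ", ".join(step.items))
```
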

Notes and Tips

The steps described above may span several maintenance windows. In the case that you cannot perform all of the above in a single maintenance window, each step should be followed by a patch deployment to ensure you are not open to security vulnerabilities between maintenance windows.

Ideally, the steps above should be built into your machine build policy. This will ensure that your machines go into the field in the best shape possible. It is much easier to simply maintain your machines than it is to be in catchup mode and constantly be late applying many months’ worth of service packs and patches.

If you have more tips for patching, leave them in the comments below.

Your “ART-ful” Enterprise: Security and Trustworthiness

As discussed here previously, to become more “ART-ful,” your enterprise must become more agile, resilient, and trustworthy. This post digs a bit more deeply into trustworthiness, why it matters, how to achieve and sustain it and the critical role of security in those efforts.

Let’s cut to the chase. There are likely no circumstances under which you would choose to do business with any person or business you could not trust. It is equally likely that every client (internal and external), partner, and prospect of your enterprise thinks and feels exactly the same way. Trustworthiness is therefore at least as critical to your enterprise’s success as agility or resilience.

Or, to quote perhaps the world’s best-known investor and businessperson, Warren Buffett, “Trust is like the air we breathe. When it’s present, nobody really notices. But when it’s absent, everybody notices.”

This is especially true for companies that sell products or services, which is just about all companies. Hank Barnes is a research director at Gartner, focused on go-to-market strategies for technology providers. In a Feb. 3, 2015 blog post, Barnes wrote, “Trust levels are the underlying current that drives buying. And providers are usually starting from a weak, un-trusted position. Everything you do needs to be about building trust between the buyer and you, your product, and your organization.”

Trust and the Bottom Line

Stephen M.R. Covey is the author of the book “The Speed of Trust: The One Thing That Changes Everything,” from which the above quotes come. He is also the son of Stephen R. Covey, the author of the worldwide bestseller, “The 7 Habits of Highly Effective People,” and was CEO of the Covey Leadership Center. In three years, Stephen M.R. Covey grew that Center from $2.4 million to $160 million in revenues, before orchestrating its merger with Franklin Quest to form Franklin Covey.

A central element of Stephen M.R. Covey’s thesis is that deals get closed faster and are more successful when those involved share high levels of trust. As he says in his book, “Above all, success in business requires two things: a winning competitive strategy, and superb organizational execution. Distrust is the enemy of both. I submit that while high trust won’t necessarily rescue a poor strategy, low trust will almost always derail a good one.” Franklin Covey also operates a Web site that features case studies, task lists, and other resources intended to improve organizational trustworthiness.

The bottom line? Edelman, the world’s largest PR firm, surveyed some 33,000 people worldwide for its 2015 Edelman Trust Barometer. Of those respondents, 63 percent said that they simply refuse to buy anything from those they don’t trust, while 80 percent will only buy from those they trust. Or as Zig Ziglar, one of the best known and widely read sales professionals in the world, once said, “If people like you, they will listen to you. But if they trust you, they’ll do business with you.”

How to Achieve and Sustain Trustworthiness

Know where you are. Bite the bullet, and ask your most important constituent groups (privately, of course) questions that help you assess how much they trust your team or company. At minimum, ask if they’d do business with your team or company again, if they’d recommend your team or company to peers, and why or why not.

Fix what’s broken. Use those questions and answers to identify any unsatisfied constituents, find out why they’re unsatisfied, and fix it. Every unsatisfied constituent is a detriment to trustworthiness, and you should assume that your constituents talk with each other.

Cultivate advocacy. Use those questions and answers to identify your happiest, most trusting clients and partners, then ask them to let you make them stars. That is, ask for their permission and cooperation to showcase them in your outreach efforts. Then, make it as easy for them as possible to be featured in the success stories, presentations, interviews, and other content you produce with their cooperation and support.

Show your work. It’s one thing to claim to be trustworthy. It’s another to be able to demonstrate and document trustworthiness credibly and on demand to any and all stakeholders – from customers, partners, and prospects to auditors and regulators. This is a major, long-term, continuing effort. And everything you do to make and keep your organization’s IT infrastructure comprehensively, demonstrably secure greatly aids these efforts. Comprehensive, proactive, user-centered security is a firm foundation for managing governance, operational transparency, and reporting. All of these, in turn, enhance your organization’s ability to both claim and credibly demonstrate trustworthiness.

Make the goal of trustworthiness a significant part of every plan, strategy, and process that governs your business. Especially those focused on IT security, since the security of your IT infrastructure has direct and profound effects on your organization’s ability to be trusted. And include your internal and external clients and partners in this effort wherever practical. It may be the single most significant thing you can do to minimize time to success and maximize the number and value of constituent relationships, for your constituents, your team, and your enterprise.

Next: tying it all together!

Your “ART-ful” Enterprise: Security and Resilience

As discussed previously (in “Security and the ‘ART-ful’ Enterprise” and “Your ‘ART-ful’ Enterprise: Security and Agility”), to become more “ART-ful,” your enterprise must become more agile, resilient, and trustworthy. This post digs a bit more deeply into what business resilience (or its less common synonym, “resiliency”) is, why it matters, and how to achieve and sustain it.

As is true with business agility, business resilience is a much broader and deeper consideration than many typical discussions of the subject seem to indicate. Those discussions tend to focus on disaster recovery and business continuity (DR/BC) tactics and tools. However, true business resilience is more than disaster recovery and even more than business continuity. True enterprise resilience is a strategic focus on maintaining operational integrity and restoring it as quickly and completely as possible after any disruption – planned or unplanned, minor or catastrophic.

Not all hackers are bad: insights from the Cybersecurity Summit

A few weeks ago I had the opportunity to attend a Cybersecurity Summit in Washington D.C. One of my favorite presentations was titled Understanding the Hacker Community. The speaker for this presentation, Bruce Potter, Chief Technology Officer of KEYW Corporation, provided some very interesting insights into the minds of hackers. As I’m sure many of you are just as interested in this topic as I am, and with hacking once again in the news due to the recent hack of the CIA director’s email account, let me share a bit of what I learned.

Announcing Protect 9.2 and Empower

We are happy to announce the launch of Protect 9.2 and Empower. With Protect 9.2, here are three things to remember: speed, automation, and flexible scheduling. Empower is a new cloud-based product that brings asset management, Protect integration, and Mac patching. Let’s explore details for Protect and Empower.

Protect 9.2

Speed

One of the first things existing customers should notice is the significant improvement in assessment time. Protect 9.2 can now assess patches in as little as half the time compared to previous versions. This improvement should be great for narrow maintenance windows or when quick compliance checks are needed – not to mention regular patch cycles.

Your “ART-ful” Enterprise: Security and Agility

As explained in “Security and the ‘ART-ful’ Enterprise,” to become more “ART-ful,” your enterprise must become more agile, resilient, and trustworthy. This post digs a bit more deeply into what business agility is, why it matters, and the critical role security must play for your enterprise to achieve and sustain it.

Agility is more than simple, reactive adaptability. It’s even more than what’s usually covered by that discipline many of us know as “change management.” (An aside: to succeed with change management, it is often necessary to…change management.)

Security and the “ART-ful” Enterprise

While every enterprise is different, there are three fundamental characteristics that appear common to every successful modern enterprise. The successful modern enterprise is:

Agile – able to navigate nimbly all types of internal and external change, expected and unexpected.

Resilient – able to avoid threats, disasters, and disruptions, and to recover rapidly and seamlessly from those that cannot be avoided.

Trustworthy – able to credibly demonstrate and document operational transparency, in ways that both create and justify high levels of trust among all stakeholders.

One might even describe such an enterprise as “ART-ful.” If one were prone to such constructions. But I digress.

It turns out there is also a single prerequisite for all three of the characteristics that make an enterprise “ART-ful.” That prerequisite is security. Specifically, user-centered security.

What is “user-centered security?” It’s a focus on what users use to do their jobs—applications, information, devices and network connections. Protect those things, and you can protect users from being victims of malware and other threats. Just as important and valuable, you can also protect users from being conduits into the enterprise for malware and other threats. All while keeping critical enterprise resources safe as well.

How to Achieve User-Centered Security

User-centered security is not only desirable, but achievable. Building upon research conducted by elements of the Australian government, the Canadian Cyber Incident Response Center (CCIRC) estimates that up to 85 percent of targeted attacks on IT environments are preventable by four simple steps:

  • Application whitelisting;
  • Timely application patching;
  • Timely operating system patching; and
  • Restricting of administrative privileges to those users who really need them.

Unfortunately, such protections are like smarter eating and exercise habits. More of us know what would be best for us to do, but we don’t always do those things.

Take patching. In an April 2015 alert, the US Computer Emergency Readiness Team (US-CERT) identified the “Top 30 Targeted High Risk Vulnerabilities.” The newest of these dates from 2014; the oldest is from 2006. That means that there are patches designed to remediate all 30 vulnerabilities but that many if not most enterprises have not yet installed those patches, for whatever reasons.

The bottom line here is that agility, resilience and trustworthiness are impossible without pervasive, ubiquitous, invisible, user-centered security and that such security begins with comprehensive, timely patching. Agility, resilience and trustworthiness are the pillars supporting the successful modern enterprise. User-centered security, starting with timely, effective patching, is the foundation that supports those pillars and enables the enterprise to implement the practices, processes and services that make agility, resilience, and trustworthiness possible.

To build that foundation, your enterprise must first automate, integrate, and optimize management of its IT security efforts, starting with patching. As these efforts make IT security more consistent and user-centered, that security can be expanded across all of the IT-empowered services that enable the business. Security and its effective management make up the bedrock that complements the foundation that supports the pillars of agility, resilience, and trustworthiness.

Of course, none of these strengths can be achieved or sustained by any processes or technologies alone. As with almost everything else a successful enterprise does, ART is achieved and sustained by people. Specifically, you and your people. In concert with colleagues from across your enterprise. Evolution into an ART-ful enterprise requires leaders, evangelists, champions and supporters to implement and manage the user-centered security policies, processes, technologies, and services that make ART—agility, resilience and trustworthiness—possible.

During the next few weeks, additional posts will dig a bit more deeply into the market forces driving the rise of the ART-ful enterprise and how your enterprise can achieve and sustain agility, resilience, and trustworthiness. Next up: “Your ‘ART-ful’ Enterprise: Agility.” More to come. Meanwhile, as always, your comments, questions, and stories are welcome.

Cybersecurity: We Are All Vulnerable. We Are All Responsible.

Ashley Madison, the Web site that encourages married people to have affairs, is dealing with the theft and public release by hackers of personal information for thousands of its clients. The Impact Team, the hackers who claimed responsibility, didn’t hack the site for money, and didn’t steal the personal information to sell it. According to a Washington Post report, The Impact Team accused Avid Life Media, the company behind the Ashley Madison site, of “fraud, deceit, and stupidity,” and of faking most of the site’s female user profiles.

Target’s balance sheet and reputation are both still suffering from its widely reported 2013 data breach. That incident involved personal data, including credit and debit card information, of up to 40 million customers. Most recently, Target has reportedly agreed to pay up to $67 million to Visa, on top of the $10 million Target had previously agreed to pay to customers affected by the breach.

Such current events make one thing increasingly clear: hacking can happen to any organization, at any time, for any reason or no obvious reason at all. You and yours can be deeply affected by a hack, whether you work for the hacked organization or not. Truly, we are all vulnerable.

But if it’s true that we’re all vulnerable, it’s equally true that we all have a role to play in making ourselves and our organizations more secure. In fact, it is credibly arguable that cybersecurity is too big to be left up to IT and security teams alone.

A recent article on CSO.com highlights how enterprises such as Automatic Data Processing (ADP), Johnson & Johnson, Akamai Technologies, and others are “crowdsourcing” their cybersecurity efforts. These companies are sharing information about threats, vulnerabilities, and countermeasures with internal teams and external organizations, including peer companies. They are also encouraging users, including customers, to report incidents and suspicious behaviors to IT support, security, or both, as soon as possible. The thinking is that applying more bodies and minds broadens the range of possible effective solutions to security threats.

This is part of a larger trend of extending responsibility for cybersecurity beyond IT. Rather than leaving security to IT alone, organizations are increasingly separating cybersecurity budgets and activities from mainstream IT and spreading security budgets, efforts, and awareness across the entire enterprise. One implication of this is that companies can end up investing more in security-related measures, such as user training, than is reflected by the security or IT security budget.

According to a recent article in The Register, such dispersed spending can improve security when combined with some other key political moves. “In an ideal world, the CISO will have an independent role and a friendly ear on an informed board. They will have a strong interest in ensuring that IT in particular conducts its operations securely and will work with the CIO from a position of influence to help achieve that. To that end, the CISO will demand that each relevant line of business allocate some of their budget for cybersecurity purposes and task them to show results for it,” the article says.

Everybody, at every enterprise, is an actual or potential victim of cybersecurity threats, and everybody, at every enterprise, can make meaningful contributions to the avoidance and remediation of those threats. Those responsible for leading cybersecurity efforts simply need to engage, encourage, and guide the participation and support of every user and decision maker at their respective enterprises, within and beyond IT and security. It’s a daunting task, but the rewards can be considerable.