Philip Lieberman President Lieberman Software

The latest repeats of the massive data breaches seen at Target and other major retailers should be proof that existing “detect-and-respond“ perimeter security solutions are utterly ineffective. The lesson learned by these companies is that their expensive next-generation firewalls and threat analytics/SIEM systems are worthless against the current breed of attackers.

The challenge today is that politically expedient, plug-and-play perimeter protection has failed. Senior management must now do what they failed to accomplish over the last decade: take a real leadership role in IT. Often this means forcing corporate IT security to adopt technologies and processes that require a breakdown of existing political power bases within the company. In effect, it's an act of creative destruction that reorganizes the company's operations along military lines of information compartmentalization. The necessary systems are purpose-built to be resilient against attacks.

Until now IT and senior management have been able to ignore security fundamentals by buying into the inadequate detect-and-respond technologies recommended by analyst firms. In addition, they are completing make-work exercises for outside auditors to prove they are secure. The stark reality is that these prevailing best practices and recommended solutions are a modern replay of "the emperor has no clothes." The headlines are proof that neither IT nor senior management can ignore the fact that a lack of internal security makes them sitting targets for exploitation. Even the excuses that they did what the analysts recommended or as they were requested by their auditors hold no weight, nor do they provide a safe harbor for the company. Ask Target how well the solutions recommended by their analysts and auditors worked; then ask Home Depot, Goodwill and all the rest.

The Cat is Out of the Bag

Any security framework that doesn't address the internal vulnerabilities of corporate IT is a failed strategy and a gigantic waste of money. Today we see IT professionals starting to back away from legacy technologies and analyst-recommended solutions, since these are proving toxic to their companies and to their careers. But it will take strong senior leadership to fix the current debacle of weak internal security, and there are no "get out of jail free" cards from auditors or the analyst community. IT knows this as pointed out by our survey and is looking to senior management to take a leadership role in guiding their companies out of the security mess that's been allowed to build during the last couple of decades.

For additional research on this subject matter, see this report by FireEye and Mandiant: A Real-World Assessment of the Defense-in-Depth Model.