What the Sony breach means for security in 2015

Ben Rothke

sony pictures sign
Credit: REUTERS/Mario Anzuoni via CSO Online

The recent (and perhaps ongoing) Sony breach was certainly one of the worst corporate data breaches we have seen to date. As 2014 draws to a close, no one knows the details with certainty of who the perpetrator was. Even so, it's undeniable that it's a breach that will forever change the way Sony does business.

As the year of information security ends in 2014, what does the Sony breach tell us about what will happen in 2015? Here are a few things I think can be said with certainty:

This was yet another wake-up call -- but many will still sleep through it. Home Depot, Target, JPMorgan Chase were but a few of the most major breaches of 2014. Many firms are simply shell-shocked and hope that nothing will happen to them. Information security has had myriad events that promise to bring sea change, quantum change and countless other transformations that many information security professionals are still waiting for. The reality is that too many firms will try to spend the least on security and hope for the best.

More breaches will occur - be it state-actors, hacktivists, disgruntled employees and the like. There's no reason to think things will get better in the short-term. The information security infrastructure is porous and decades of poor design can't be fixed by patching alone. This means more mega-breaches are an inevitability.

Fixing security and doing it right takes time, money and staff - And if there is anything management dislikes, it's putting time, money and staff into something perceived as a cash cow. Management often needs things done last quarter to make the financial analysts happy this quarter. Fixing a faulty information security program will take many quarters. Let me reiterate this, there's no overnight fix here. The only way to possibly accelerate this would be to hire external resources to apply a surge strategy. But that may be unpalatable or unsupportable to many organizations. The alternative is simply getting IT responsibilities out of house, such as to cloud providers. But that also is not a quick fix.

Buying security hardware and software ` having a secure infrastructure - Fixing security and doing it right does not equate with buying lots of hardware and software. Many security hardware and software vendors will see increased sales in 2015, some of it significant. But these may be reactionary purchases, similar to when a new Pixar movie comes out. After a few months, the Toy Story memorabilia gathered dust in dollar stores. So too many of these security purchases may end up as shelfware.

1  2  Next Page