Lawmaker says assume the bad guys are going to get in and focus on detection, mitigation and damage control

Representative Will Hurd (R-TX), is the head of the House  Information Technology Subcommittee and a former CIA Agent who spent 9 years in Afghanistan, Pakistan and India, working on counter terrorism and cyber security before working for the cyber security firm FusionX.

He has a somewhat depressing but very accurate view of cyber security.

In an interview with Baseline (see here), Rep. Hurd said that it is almost impossible to keep people out.  It is possible to protect systems and data but it requires a higher level of vigilance.

Hurd says you should start with the presumption of a breach and focus on three things:

  • How quickly can you detect a breach
  • How effectively can you box in the attacker (to mitigate the damage)
  • How quickly can you figure out what the hackers got access to.

If you think that keeping the bad guys out is hard, handling the three bullets above is a whole bunch harder.

He makes several recommendations for companies –

  • Conduct an enterprise risk assessment.  Figure out what is most valuable and most vulnerable. (Note: this should be done at least annually – things change – a lot!)
  • For BYOD and computers outside your control – you need to make sure that you have the right controls in place.
  • The C-Suite needs to be more engaged in cyber security
  • Your network needs to be examined on a frequent basis by a qualified third party.  They bring a different perspective.
  • Finally, if you are using cloud services (email, web services, file storage, etc.) you really need to understand where the data goes, where it is being stored and how it is being managed.

None of his suggestions are simple, but they are all valid and worthy of consideration.