There are big fines waiting out there for organizations that do not take information security seriously. In 2019, Capital One paid an $80 million civil penalty for its role in a security breach that exposed the personal data of more than 100 million people. The fine was issued due to “the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner.”
The first misstep is that the bank failed to establish an effective assessment process. No organization can be protected completely, so the focus in information security needs to be on following best practices and executing proven tactics like security assessments. Capital One did not create the technology that caused the issue, but it neglected a critical security tactic in using that technology.
Capital One knew of the skipped assessment process and failed to take prompt action; the report stated that the board of directors “failed to take effective actions to hold management accountable.”
Leaders must stop at nothing to ensure proper actions are taken to protect their organization.
In Identity & Access Management (IAM), the same principle applies; the team lead or the architect must have absolute ownership of the project’s success. It takes years of experience and mastery of the technologies to be in an IAM leadership position, but the most successful leaders rely heavily on following best practices.
In the case of Capital One, skipping a best-practice step cost them over $80 million in cash and caused an enormous hit to their reputation.
Use their mistake to prompt self-reflection in your organization. Ensure leaders understand how disciplined you and your team are at following best practices and owning that responsibility. As we progress through the 2020s, the IT security threat landscape will only grow, and the best defenses will be found in following the best practices of the given field.