Can a New CISO Improve Sony PlayStation Network Security?
Can a chief information security officer (CISO) help prevent the kind of massive data breach that occurred in the Sony PlayStation network breach last month in which attackers grabbed personal information on an estimated 77 million customers of the PlayStation and Qriocity online games?
Mon, May 02, 2011
Network World — Can a chief information security officer (CISO) help prevent the kind of massive data breach that occurred in the Sony PlayStation network breach last month in which attackers grabbed personal information on an estimated 77 million customers of the PlayStation and Qriocity online games?
The Sony division now cleaning up the huge mess from the data breach incident certainly hopes so, as Sony Network Entertainment International (SNEI) over the weekend announced it is "creating the position of Chief Information Security Officer, directly reporting to Shinji Hasejima, Chief Information Officer of parent company Sony Corp." The hope behind the future CISO appointment is to bring "expertise in and accountability for customer data protection and supplement existing security personnel."
Can one person with the title of CISO -- a role that usually means voicing criticism from a security angle on how information technology staff want to deploy products and services, often stepping on toes -- really make any difference? Some evidence suggests it can. And when a data breach does occur, the costs of response and remediation are often considerably less when a CISO is on board.
Patricia Titus, CISO at Unisys (UIS) since 2002, said she'd advise the future CISO to "start at the architectural review and incident response level" to discern how the breach was possible and what was the response. On the governance level, it will likely mean a change in the management process to make sure people and technology are both in place to detect attacks and respond, she said.
It's known that last month an attacker stole the personal information of some 77 million customers of PlayStation Network and Qriocity. Over the past weekend, Kaz Hirai, head of Sony's gaming division, held a news conference in which he described how Sony took the two services offline on April 20 after an intrusion was detected on network servers housed in an AT&T data center in San Diego.
Sony indicated it's working with the U.S. Federal Bureau of Investigation and is still investigating the scope of the attack, which involved stealing customer account information involving names, passwords, birthdates, email addresses and other personal information.
The commencement of the attack may have come somehow disguised as a purchase. While 10 million accounts have credit-card numbers associated with them, which Sony says were stored in an encrypted database, it remains unclear whether credit cards can be considered untouched by the attacker or not.