1. Don’t Treat Nortel As The Exception – This is a good item itself, but it gets smeared with the stain of having to talk about APT. As item #8 implies, don’t limit yourself to just talking about APT.
2. Keep Proving You’re Not Nortel – This follows the need to have permanent, ongoing security.
3. Create A Robust Information Security Program – A good point, but please at least mention the need for staff in addition to tools.
4. Expect Defenses To Fail – Can’t say this enough, since it never really sinks in at the unwashed managerial levels.
5. Don’t Fail To Investigate Data Breaches – Fair enough, but this is also a really big cultural and political problem, not to mention an empowerment one. One thing to learn from Nortel is that even the CEO levels need to capitulate to the security team. Honestly, the IT team knows a lot about a company (and has great access), but a robust security team probably knows or could potentially know even more. Accept it and embrace it for maximum value from your staff. This is hard, though, since analysts may see lots of little things that make no sense and have to choose which to investigate, or may spend too much time tuning things to create black holes in an effort to be more efficient, or quite simply don’t want to create more work for themselves (unethical, but that’s human nature).
6. Conduct A Thorough Forensic Analysis – The next line is better: “Likewise, don’t expect breach investigations to be cheap. But short-term savings–skimping on conducting a thorough forensic analysis after a breach, for example–can have long-term repercussions, as Nortel discovered.” Tell a CEO you’ll need his laptop for a week to do forensics on a suspected issue. His reaction will tell you everything you need to know about a company’s security culture.
7. Expect Greater Accountability – Not sure if this will create accountability or simply just be more noise that desensitizes people to insecurity. Still, look forward to more economic pressures for accountability…
8. Defend Against More Than China – Good point, but I really wish they had mentioned the US, domestic attackers, or even hackers in your own backyard.