BreachExchange mailing list archives

C-level execs need to rethink IT security
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 27 Mar 2014 18:47:51 -0600

http://www.techrepublic.com/article/c-level-execs-need-to-rethink-it-security/

Target's data breach has sent the message "we need to talk" to C-level
executives and IT managers throughout the business world. To get things
moving, Syed Ali, Vishy Padmanabhan, and Jim Dixon of the management
consultancy Bain and Company co-authored the report Why cyber security is a
strategic issue. In the report, the authors start the ball rolling:

"With stakes so high, CEOs and boards must begin to think about security in
a new way. IT security--a task that could once be delegated to the IT
staff--has become a top-level strategic issue because the consequences of
failure can ruin a business. Any organization may be only a few hacks away
from disaster."

The paper's authors, before discussing the new way of thinking, look at the
current security landscape.

Companies are more vulnerable
According to the report, the amount of money spent on shoring up a
company's defenses does not reduce the likelihood of a data breach.
The report also highlighted something else: "An increasing number of
organizations are being targeted directly with financial gain as the
primary motivation resulting in the loss of sensitive data that can easily
be monetized."

The next finding reflects what recently happened to Target: "Organizations
are having a harder time detecting and resolving security breaches, and the
average financial impact of each breach on an organization is increasing."

To be fair, the Bain report was released before the latest news reports
proclaiming that Target personnel were warned about certain security
anomalies early on and, for whatever reason, chose to ignore them. In any
case, the bad guys are not sitting still. They continue to perfect their
craft.

New cyber security challenges

The bad guys are going where they get the best return for their effort. So
in the quest to run companies more efficiently to save money, companies
could be making it easier for the bad guys.

For example:

More digital assets: Due to increased capabilities, companies are now
harvesting more data from customers including personal, financial, and
transaction information. Then consider all the internal data every company
needs to function. The report mentions the authors' concern that company
officials do not understand the value bad guys place on both types of data.
Shift to hybrid cloud architecture: The move to cloud services, whether
private or third party, locates the digital assets out from the company's
data center to remote locations. Being relatively new and untested, the
security ramifications of using cloud services are not fully understood.

Pervasive use of mobile devices: Whether mobile devices are company-owned
or BYOD, they introduce new security challenges that will require a new
methodology to manage the devices and how they access and store company
data.

Compliance should be the starting point: This point is of special interest.
The Bain researchers depart from what most organizations consider adequate
security--that of complying with all required agency regulations:

"Compliance should define the lower bound for security capabilities while
the upper bound should aspire to meet the organization's strategic
priorities, including IP protection, continuous operations, and a secure
corporate reputation."

C-level execs need to rethink IT security

The coauthors do not pull any punches, bluntly saying that CEOs and boards
must look at security in a new way:

"IT security--a task that could once be delegated to the IT staff--has become
a top-level strategic issue because the consequences of failure can ruin a
business. Any organization may be only a few hacks away from disaster."

The Bain report coauthors stress the importance of making IT security a
strategic concern because a large percentage of organizations that recently
suffered data breaches had formidable security measures in place. Yet those
measures were not enough to keep the bad guys out of the company network.

The report then offers a reason why this is the case: "Too many
organizations fail to align their IT-security capabilities with the
company's larger goals and appetite for risk."

Recommendations from Bain

The Bain Report came up with several recommendations to help ensure C-level
executives and IT departments are on the same page. If one looks closely at
the recommendations, a common thread appears--business and IT leaders need
to communicate with each other in an understandable manner:
- Understand the organization's key assets and appetite for risk: Business
leaders and IT departments must understand and agree on "value versus risk"
assigned to key assets, in particular customer data.
- Identify the security risks and gaps: C-level executives and IT
departments must be on the same page when discussing the company's current
security capabilities versus perceived security risks.
- Define the cybersecurity strategy: The IT department does what it is good
at: developing a plan to meet the strategic needs agreed upon by both
business and IT management.
- Emphasize gaps, priorities, and strategy to the CEO and board: This
recommendation places the onus on IT departments to explain the risks,
potential and existing, in a manner the company's top executives understand.
- Engage recognized security specialists: The complexity of the Target
breach should help everyone understand that it is impossible for any one IT
department to know everything, and using outside experts is the cost of
doing business.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 