First came the data breaches. Then came the string of high profile resignations. Now reports are beginning to piece together the financial impact of the cyber attacks on Sony, Target, JPMorgan and others.
The Japanese electronics giant has already spent $15 million on remediation and is facing multiple employee law suits, while Target recently revealed a $162 million hit and security experts believe losses could increase to as much as $1 billion after legal costs.
If nothing else, these doom-laden headlines should help impress upon enterprise leaders the importance of information security. But without business-literate CISOs to report into the board and co-ordinate a risk-based approach to securing sensitive data, there’ll be no shortage of corporate cautionary tales to read about in the future.
The Target breach, like countless before it and many more after, was a classic targeted attack. The modus operandi varies slightly from breach to breach but usually involves the covert theft of valuable corporate information – in this case customer card and personal data – in order to sell on to the highest bidder or monetise some other way.
Target’s first failure was not to have a dedicated CISO in charge. It was a mistake that ultimately cost the CEO and CIO their jobs. Now rectified, it’s come at a heavy cost to public and investor confidence in the company. We’ve also heard that JPMorgan had only just appointed a dedicated CSO at the time it was breached in a major cyber attack. Home Depot – another US retailer hit last year – is also reported to have struggled with a high turnover of staff in its information security division.
Board vs. IT
Having a CISO in place doesn’t preclude an organisation from being breached – but the absence of one is the most obvious indicator that the board doesn’t take security seriously enough. That’s ‘information security’ – the protection of key business data – not ‘IT security’, which could be interpreted as the more technical discipline of locking down IT systems against attack.
If a CISO is in place but is marginalised or can’t speak the language of the business then there’s still a high probability that the organisation in question will suffer some form of successful cyber attack or data loss incident.
These occur because the tech side sees security as an IT issue and not a business risk that needs articulating to the board. Countless IT leaders complain that security budgets are shrinking. But that’s happening because they’re not explaining well enough the importance of their function to the business.
So what happens is mutual ignorance – the board doesn’t appreciate the value of info-security and IT doesn’t get what the business is doing.
The problem historically has been that business leaders operate according to risk – they take risks to gain a competitive advantage. On the other side the IT team is risk averse, which is why it’s so often seen as a block on productivity, business agility and growth.
It’s why, for example, we’ve seen shadow IT spring up in so many organisations all over the globe, as normal users look for ways to circumvent what they see as over-rigorous, productivity-sapping IT controls.
Say it with metrics
Metrics dashboards are commonly used by executives to understand the spend, risk exposure and operational efficiency of projects as they progress. Done well, they can help the CISO present to the board a de facto balance sheet for the security function – outlining where spending is lagging and where investments need to be focused.
The key is to take a risk-based approach. The sheer volume and sophistication of today’s threats means you can’t protect the organisation from everything. So it’s up to the CISO to evaluate where the key assets lie, attach a value to them and calculate how much it would cost the business if they were compromised. That’s the kind of language that the business can understand. It’s the people and process side of information security rather than the technology we’re often so fixated on.
This isn’t to say that the technology itself should be ignored. A great way to test how fit defences are for purpose is to implement a ‘red team’ testing initiative. Work with HR to define suitable parameters and then authorise a trusted team of white hat hackers to stress test your entire environment. The bolder the better – think targeted attacks and attempts to gain physical entry to the building. Data from this kind of exercise can feed back into that all-important metrics dashboard.
The bottom line is that data breach costs are growing – by over 30% globally from 2013 to 2014, according to PwC. Even in Europe, where the costs associated with follow-up litigation have historically been less pronounced than in the States, things are changing with new breach laws coming which could fine transgressors up to 5% of global turnover.
If you haven’t got one already, it’s time to appoint a CISO that understands the business. The next challenge, of course, will be finding one.
Sourced from Bharat Mistry, Trend Micro