Posts Tagged ‘C-Level’

Tuesday, 8 November 2011 08:31

Can better security be a selling point for businesses?

I just read a really compelling article written by Pam Baker called, “Moving Security from Cost Center to Brand Differentiator,” and if you haven’t had a chance to read it, you definitely should.

In it, Baker states,

“…given recent, constant and costly security breaches of the past 18 months or so, it is imperative to move security to the forefront of business planning as a matter of survival. For many CIOs, the problem is convincing their companies to look at security in this new light.”

This issue is something we’ve been talking about for a while now. As security professionals, we’ve all known how important it is for people outside of security roles to pay attention to security, but the struggle has been convincing business leaders that security is more than just a costly burden.

According to Baker, that attitude is finally starting to change. While awareness of the risk of breaches is increasing due to coverage of high-profile breaches in the news, recent studies are also helping to make the case for investing in security. These studies show that security breaches do more than just embarrass a company and cost it money in remediation expenses. They also damage brands and, in some cases, may generate lawsuits and cause you to lose customers.

In October, Ponemon and Experian released the results of an executive-level study which showed brands suffered anywhere from 12% to 75% loss of value after a breach. Close to 50% of the respondents also felt their companies could not survive after a breach because their reputation and brand image were so inextricably linked. Last week, Unisys released consumer study results that show people are ready to sue companies who lose their data, and are also ready to take their business elsewhere.

These are signs of change if you ask me, and hopefully business leaders are paying attention! So, what do you think? Is it finally time for security to move into the forefront of all C-level executives’ minds? Can having better security actually be a differentiator for a brand?


Monday, 12 April 2010 14:10

Which “C” Should Be Concerned About Cyber Security?

Clearly, CIOs, CSOs and CISOs are concerned about cyber security, but are there other C-Level executives who should be concerned? According to a new report from Internet Security Alliance (ISI) and American National Standards Institute (ANSI) entitled “The Financial Management of Cyber Risk: An Implementation Framework for CFOs”, CFOs need to play a leading role in defending their company against cyber attacks as well.

Why? One reason is that American businesses lost more than $1 trillion in intellectual property in 2008 and 2009 due to cyber attacks, and the severity and frequency of these attacks is only getting worse – and this number doesn’t include the cost of losing customers and the negative impact on share value. Yet, despite the threat and potential for loss, only 5% of US companies have a CFO directly involved in protecting their organization from cyber attacks.

In most cases, cyber security is handled by the information technology (IT) department, which must then attempt to work across a number of departments in order to secure the organization’s entire network. This creates a significant challenge for IT directors, as their often resource-constrained departments struggle to keep pace with downsizing and reduced budgets while facing an exponentially growing threat. In addition, this leaves organizations needlessly vulnerable, a notion supported by Verizon’s 2008 Data Breach Investigations Report, which shows that 87% of breaches could have been avoided through reasonable security controls. At the same time, PricewaterhouseCoopers’ “The Global Information Security Survey” shows that organizations that follow best practices have zero downtime and zero financial impact from cyber attacks.

The report goes into great detail on how to begin the process of engaging the CFO and implementing an organization-wide approach to cyber security; I’ll leave you to discover that on your own. I do, however, want to touch on one of the key issues regarding changing the dynamics within the organization so that cyber security moves from being the sole responsibility of the IT department to a focus on risk management & business intelligence, organization-wide integration and streamlined automation across the entire organization, or the Intelligent Integrated Automated model.

We know that the IIA (integrated, intelligent and automated) model works because more than 1,000 organizations worldwide have adopted it. We know that it dramatically improves an organization’s security posture because it helps security professionals prevent, defend against, respond to, remediate and analyze policy violations, intrusions & exploits. We also know that IIA both delivers the tools that the IT department needs to protect the organization’s assets and allows stakeholders to gain access to the information that is important to them so that they can make a decision.

The primary barrier to changing the dynamics in the organization and beginning to work toward total security intelligence (operationalizing security management into your business or organization) is that the business case is difficult to make to what technology experts are calling digital immigrants – i.e., those who don’t speak technology as a primary language – and this barrier can be even more difficult in organizations where compliance mandates – i.e., PCI, FISMA, etc. – do not force the issue. IIA makes the business case for you, as it helps non-technology executives understand what to do before an attack, during an attack and after an attack – and then shows them how it gets implemented & scaled and how it can take a complex network that generates over 2 billion logs a day and reduce that down to 25 high-priority offenses that can be remediated.

In order to get the IIA message through to digital immigrants, cyber security professionals need to be able to break down the risks and potential losses that the company could incur due to a cyber attack, and show what proactive measures are currently in place, what steps are in place if an attack does occur and what to do in a post-exploit environment.

Maybe the best message to engage other non-technology C-Level executives in the cyber security conversation is that it is not just about compliance; it’s about protecting the company financially from the growing risk of cyber attacks by putting in place the best people, superior technology and a template to ensure best practices are followed, working toward the zero downtime and zero financial impact from cyber attacks that PricewaterhouseCoopers’ report shows are achievable.