The item rocketing to the top of today’s enterprise threat list is cyber-risk. It’s not surprising. With the increasingly central role that information plays in creating value, any threats to data that’s stored or shared online can represent a direct and potentially crippling hit to a company’s corporate reputation, customer satisfaction levels or ability to innovate.
The security landscape is getting more complex by the day, making the notion of being secure a moving target CIOs or Chief Information Security Officers (CISOs) are endlessly pursuing. It’s ironic that the same technologies transforming the workplace and unleashing whole new ways of innovating and collaborating—such as cloud computing, mobile technology and social business—are simultaneously an executive’s biggest security nightmare. Compounding this challenge is the old-school thinking that this is solely a technology problem and it can be solved by bigger, better technology. Realistically, security solutions need to be built on a three-legged stool: people, processes and technology. Within those areas, it’s critical to account for culture, structure and strategy.
With these two principles in mind—preventing security breaches completely is impossible and technology is only one part of the problem/solution—here are five key trends all CIOs should keep on their radar as they continue to fight the good fight against cyber-risk:
1. Trust erosion. Trust is the secret sauce of any successful organization. This applies not just to the trust that customers have in the company, but internally, too; each department represents a brand that makes implicit promises to employees. Unfortunately, trust in organizations has been steadily eroding, fueled by such factors as the Eurozone economic crisis, trading troubles on Wall Street and data breaches among everything from retailers and insurance companies to utilities and even a state department of revenue. It’s worth noting that many citizens are also employees; and some of them are CEOs or board members. Security precautions such as risk management, data governance and compliance are all based on a degree of trust between the IT department and others in the organization. In this era of eroding trust, IT leaders need to work actively to counteract growing skepticism about corporations and build renewed trust in the reliability of corporate information and technology.
How is this achieved? CIOs can earn the support of internal line of business clients by effectively leading business transformation projects, providing technology and services that meet internal needs and backing that with education for the user community. Delivering on these fulfills the implicit promise represented by the IT department “brand.” But building trust requires IT leaders to go one step further—they also need to be accessible to the businesses, responsive to user feedback and consistent and transparent in their communications. Only a robust and sound security management program, a well-communicated plan and a reliable framework to build on will establish the degree of trust needed by both the IT leader and his or her organization.
2. BYOx. Although the acronym BYOD (Bring Your Own Device) has gained much traction, the truth is that most employees aren’t bringing just a smartphone or an iPad into the workplace. They’re bringing their very selves: their beliefs, norms, intellectual property and network of friends. This has been true as long as people have been coming to work, but never before have employees been this empowered to act on their beliefs, express their ideas or share information so quickly and broadly, without even getting out of their office chairs. The younger generation, which has never known a world without the Internet, is about to join the workforce, making it more important than ever for IT leaders to treat “Bring Your Own Everything” as a quiet rebellion, not an invitation.
Deployment of mobile devices can present a significant amount of risk to the enterprise security posture. The wireless networks on which mobile devices run outside of work can leave information at risk of interception. Additionally, many of these devices have storage capability and unencrypted data at rest; thus, information gathered from either the interception of data in transit or theft or loss of a device can result in loss of sensitive or proprietary corporate information. Mobile devices also carry the risk of introducing malware. These risks illustrate the potential pitfalls that occur when employees cross freely in and out of the workplace with personally owned mobile devices. Extend this blurring of the work/non-work boundary to other actions and beliefs of employees in a world of the increasingly empowered individual and it isn’t difficult to see how the risk to corporate assets is amplified.
3. The third platform. For years, the IT industry talked about technologies such as cloud computing, mobile computing and especially social networking as emerging technologies. Today, they’ve arrived; they make up the so-called “third platform”—cloud plus mobile plus social. Analyst firm IDC predicts that from 2013 through 2020, these technologies, along with Big Data, will drive around 90 percent of growth in the IT market, as companies seek to meet customer demand for consuming information and executing transactions when and where they want. With this increased openness and storage of data far outside the four walls of the organization come increased threats to information security, however.
Each of these platforms poses its own security risks. Cloud computing offers enormous benefits, but the IT community must also protect businesses from “dark clouds.” The risks of lock-in, lack of interoperability, lack of transparency and the legal aspects of cloud should be on the C-level agenda today. We also live in an increasingly social world where companies are becoming social enterprises and information is the new currency. What’s at stake? In a word, privacy. Misuse of Personally Identifiable Information (PII), including how it’s correlated with other data, will present challenges in protecting both organizations and individuals. With mobility comes pervasiveness. This third element of the third platform ties the platform together, making everything happen now, no matter where someone is located. It’s an incredibly powerful feature, but it also brings a velocity that we aren’t used to, impacting areas such as legislation, adaptability and privacy. Taken together, cloud, social and mobility are subject to a multiplier effect; in other words, by the time employees are using mobile devices that store data in the cloud and share information via social networks, the security risks faced by their employers grow exponentially.
4. The fifth battlefield. The Pentagon calls it the fifth domain, along with land, air, sea and space, because it’s crucial to battlefield success. Companies, too, should treat cyber security with the same seriousness. As Ernst & Young authors pointed out in a recent book by the international professional association focused on IT governance, ISACA, the threat landscape has progressed over the last two decades from hackers and novice script kiddies to today’s state-sponsored attacks (see Figure 1).
Enterprises are being attacked because of who they are, what they do and the value of their intellectual property. An ISACA survey found that one in five enterprises has already experienced an attack from the Advanced Persistent Threat (APT), and an additional 63 percent of respondents believe it’s only a matter of time. In the U.S. alone, the Commission on the Theft of American Intellectual Property estimates that theft of U.S.-developed products costs the economy more than $300 billion each year. Information security professionals need to understand that if sophisticated and well-funded attackers pursue a specific environment, they will get in. The new mindset should be that our networks are already compromised, or soon will be.
5. The talent deficit. What all these trends add up to is a major transformation of the IT function. But like most transformations, the change is outpacing the industry’s ability to master the new skills required. The challenge is that the current talent mix in the IT industry hasn’t kept pace. Information security professionals who are accustomed to concentrating on technology need to switch gears and focus on business processes and data. With the risks posed by the third platform, BYOx and cyber threats, one of the most important new skills that security professionals need to master to add value is information risk management. This requires not only a new set of skills but a change from command-and-control thinking to a more strategic and holistic view of managing all the risks associated with information. Another key shift is the one to the role of advisor. To help create trust among internal business clients, those responsible for information security need to evolve from watchdog to trusted advisor. They also need to master governance and compliance, privacy, metrics and data analytics and business consulting skills.
Mount an Ongoing Defense
Managing and mitigating threats to enterprise information is never a task that can be checked off the to-do list. Nor is it static; as the threats continue to change, so must our approaches. In light of the current set of realities, here are recommended approaches to keep pace with the current security landscape:
• Work actively to build trust in IT within the enterprise. Actions may speak louder than words, but the value of open and consistent communications can’t be overemphasized.
• If your enterprise doesn’t have a BYOD policy, make that a priority. There are business frameworks such as COBIT 5 that provide detailed guidance on this from a governance perspective.
• Think about your third platform; revisit your security policies to close any gaps in how they address cloud, mobile and social working together.
• To deal with the advanced persistent threat, move beyond focusing on prevention strategies and instead emphasize these five steps: complicate, detect, respond, educate and govern.
• Consider talent acquisition and management. Equip your information security professionals to evolve into the role of enterprise risk management specialists and trusted advisors to the business.
The combination of the forces of mobile, cloud and social is changing the way we work, live and play. CIOs need to be in front of this changing security landscape so that emerging technologies facilitate innovation and transform the business, rather than disrupt it.