
Is it the Best of Times or the Worst of Times for Information Security?

By Mark Connelly, Chief Information Security Officer, Thomson Reuters


Cyber attacks are in the news every day. The frequent headlines and intense media scrutiny have brought the topic to the forefront of public attention. Could this be the worst of times for information security?

Given the reports, it may seem that way. The likes of Sony, Home Depot, JPMorgan Chase, the U.S. State Department, and the White House (among many others) have lost millions of records and/or billions of dollars in market capital as a result of these attacks.

Not only are cyber attacks becoming more frequent, but hackers also seem to be one step ahead in the ‘arms race.’ And the financial impact and reputational damage seem to be growing at an ever-increasing rate.

As a result of heightened awareness, most corporations have elevated the issue from a technology problem to a board-level matter, recognizing the potential legal, financial, and reputational implications. Those of us who are in the know understand that this is not a single battle but an ongoing war, fought daily across multiple channels against threats from outside and inside our organizations.

For example, consider these sobering statistics from the 2015 Verizon breach report:

• 90 percent of all incidents in the report show patterns of compromise that originate with people.

• Ten phishing emails yield greater than a 90 percent chance that someone will fall prey to the phishing attempt, providing access for the attackers.

• Employees in communications, legal and customer support are all more likely to click on links in phishing emails.

• 99 percent of exploited vulnerabilities were compromised more than a year AFTER the CVE (Common Vulnerabilities and Exposures) was published.

In addition, the regulatory environment isn’t getting any easier, as data and cyber security laws are changing rapidly.

The worst of times? One could easily come to that conclusion. It’s clear that cyber security professionals need to do more than stay ahead of the conversation; they need to drive the conversation and prompt action and policy change.

The Best of Times

The good news is CISO/CSOs and our peers can help lead the evolution to a better time. The growing scrutiny and heightened awareness of the issues at stake means companies are devoting more resources to information security, and people are becoming more aware of these impacts every day.

In addition, with Board of Director-level focus, companies are now seeking digital and cyber security experts to join board discussions to help understand, support and mitigate risks. Organizations that effectively manage this threat and who help clients do the same will stand out from the pack and remain successful.

Striking Back

CISO/CSOs need to lead the charge. We must work in tandem with business leaders, technology partners, peers, law enforcement officials, attorneys, and the government. Organizations that succeed will be rewarded for their efforts because effective information security programs will be a market differentiator, and that has value.

We need to work across industry verticals and geographies to better understand threats and engage with experts across a wide spectrum of markets.

This can be a turning point to better times if everyone gets on board to fight the threat. The conversation needs to pivot from a “sky is falling” mentality to an effective and directive position. We need to help move the industry and our customers with a more coordinated and impactful unified voice.

How to fight back and win

Cyber attacks are global and impact all markets and levels throughout the supply chain. No one is immune. CISO/CSOs need to own the message and drive greater impact. For example, you can lead the transformation charge by meeting with chief technology officers, chief procurement officers, chief financial officers and legal professionals to develop a comprehensive approach. Within the security organization of your firm, a few suggestions include:

• Establish an effective program supported by executive management. The plan should address not just technology, but potential compliance, operational and reputational risks. A cultural transformation is needed that makes cyber security a top priority for every organization.

• Execute on the basics. Work in tandem with compliance, enact effective control maturity, and continuously monitor threats. Measurement and demonstrating ROI are critical to driving continued support from senior levels.

• Leverage external vendor relationships and engage with internal partners in IT. While cost-management is important, finding best-in-class partners will limit negative impacts in the long run. We should push vendors to test their products routinely and provide security attestations to those tests as well.

• Help push the Information Security agenda forward. Help enact policies to facilitate greater cooperation and protect our corporate assets. Push the technology community to develop better tools and services to mitigate attacks and limit damage. Join professional networks that push to make a difference like the Information Security Forum, FS-ISAC, or other DHS subgroups, and Security Innovation Network. These groups provide forums for enhanced partnerships and will help pivot us from the worst of times to the best of times.

Driving the Conversation Forward

CISO/CSOs need to unite and push a common agenda. Building momentum within spheres of influence will drive the conversation forward and lead to constructive change. Companies, shareholders, employees, customers and countries will respond positively, and in doing so, all boats will rise and we will have a stronger risk posture to protect our assets from those who seek to do harm.

At the end of the day, it’s all about creating value for the business and executing a cultural transformation that embeds security into the fabric of what we do, who we are, and what we represent.
