If you think cybersecurity is someone else's problem, think again. It's on the agenda of every board of directors meeting, and boards most often look to the CIO to explain the ever-increasing risk of security breaches and what their organizations are doing to prevent them.
You need only look at the statistics to understand why the issue is critical. According to a report from the Identity Theft Resource Center, the number of data breaches in 2014 increased 27.5 percent over the previous year. Health records are prime targets. A recent Chicago Tribune article cited a study published in the Journal of the American Medical Association that found that between 2010 and 2013, some 29 million health records were breached.
At a recent CIO event, a Gartner analyst explained the risk and how it is growing exponentially. He shared some insights on how board members elevate this subject on the agenda of every board meeting. However, you do not have to be a board member or CIO to understand the impact: If you've shopped at retail outlets that have experienced data breaches, including Home Depot, Neiman Marcus and Dairy Queen, you may have had to deal with the fallout of having your credit or debit card information stolen. For the retailers' part, their brand images and customer loyalty were tarnished, and each company spent hundreds of millions of dollars trying to repair the damage and implement improved security breach protocols.
In a recent USA Today article, Michael Bruemmer, vice president of consumer protection at credit information company Experian Consumer Services, pointed to a relatively unknown breach in Korea where a worker at the Korea Credit Bureau hacked into a database and stole 27 million records containing personal and credit card information.
Today, every CIO should develop a cybersecurity strategy and try to constantly learn more about the topic. Bryce Austin is CIO of Digineer and a recognized cybersecurity expert. I interviewed Austin for my book, The Strategic CIO: Changing the Dynamics of the Business Enterprise, and recently caught up with him to discuss how he approaches cybersecurity.
Phil Weinzimer: Everyone is talking about security today as the No. 1 issue. Why is it so important?
Bryce Austin: Quite simply, because we are failing. The hacks of the last few years have shown in a dramatic and very public fashion how serious and widespread the problem is. The high-profile breaches that large retailers experienced in 2013 and 2014 made it appear that the retail industry was under attack. However, it isn't just one industry. It's healthcare, with breaches like Anthem; financial services with breaches like JPMorgan Chase; and entertainment, with breaches like Sony.
All of these events have shown us that any company is vulnerable to criminals and nation states seeking their valuable information. Any company can be actively and aggressively targeted by hackers. In order to protect themselves and their clients, they need to be prepared.
How has the security landscape changed in the wake of these recent retail, healthcare and entertainment company hacks?
The stakes have increased dramatically. Hacking organizations have proven to be talented, persistent and adaptable. They are doing billions of dollars of damage to our economy. Now that they have our complete and undivided attention, it's up to us to employ the processes, user training, and technology required to keep our companies and our clients safe from this threat.
We also must acknowledge that the methods that hackers use are constantly changing. This is not the basic task of "building the castle walls high enough and no one will get through." Hackers are looking for new ways to get around security measures, and are continually changing their tactics. As such, we must work hard to better anticipate that and stay a step ahead.
Which areas of security best practices are enabled by end user behavior, and which are enabled by technology?
This is a fantastic question. The end user is often the most important part of security. The analogy I like to use is this: The most advanced and hack-proof car keys in the world are useless if the owner of the car leaves them in the ignition with the doors unlocked.
End-user training is critical. Often it is the most basic things that cause security breaches, such as failing to recognize a phishing scheme and report it to your security team. It can be writing down your user passwords and keeping them on a sticky note under your keyboard. Sharing usernames and passwords. These things are a recipe for disaster, yet people continue to do them, often due to a lack of understanding of the ramifications of their actions. I believe the key is making these best practices part of the mandatory, ongoing training efforts that all team members — from interns to the CEO — need to participate in.
Another area to consider is technology, which plays a huge role in security as well. Encryption, "locked down" firewall rules, anti-malware software, and newer behavioral systems that uncover breaches (and even attempted breaches) are all pieces of the security puzzle. More often than not, it is improper deployment or configuration of these technologies that leads to breaches, which goes back to the people side of the equation. Technology professionals need regular training on these tools and to stay current on ever-changing security best practices. I believe it should be a required part of their personal development plan.
While it may sound like I'm emphasizing the burden that the end users and technology professionals must bear, I'm optimistic that the future is bright for cybersecurity. Multi-factor authentication — a combination of "something you know," "something you have," and in particular, "something you are" authentication — will make it more difficult for criminals to steal a user's credentials. Likewise, new fingerprint, voice recognition, and facial recognition technologies — driven in no small part by the latest generation of smartphones — will enhance the end-user experience while strengthening security.
One of the reasons many people write down their passwords is because password complexity requirements make them hard to remember, and the best practice of using a different password for every system magnifies that issue. Multi-factor authentication can increase overall security while reducing password complexity requirements, such that we mere mortals will be able to remember them. In a perfect world, we will do away with passwords altogether and rely on other means of authentication. Microsoft's upcoming OS, Windows 10, will include built-in "something you have" and "something you are" multi-factor authentication options, which could make for a very secure authentication strategy where no password is needed.
What are some of the most effective paths CIOs can take to reduce technology security risk to their company?
Three areas stand out. The first is accountability. There needs to be a position that is ultimately accountable for the organization's cybersecurity, regardless of the size of the company. The second is education — education of end users and technology professionals. The third is reducing the amount of sensitive data.
A few years ago, a technician in a veterinarian's office handed me a paper form that required my Social Security number. Why in the world would my dog's doctor need my Social Security number? Furthermore, why does a large retailer need my credit card number? That information could be sent directly to the credit card company or issuing bank, and then reconciled with the cash register transaction via a one-time token. In many instances, there isn't a genuine need for sensitive information to exist on most of the systems that currently contain it.
What advice would you give CIOs who realize they need a security strategy? Where do they start?
I recommend a four-stage approach:
- The first stage is to recognize that when a company begins down the road of a security strategy, often they don't know what success looks like. An assessment of your industry, your infrastructure, and your data is critical. Many companies specialize in this type of assessment for a given industry, and Digineer has partners that can help with this step.
- The second stage is to interpret the results, define success criteria, and develop a plan to reduce your cybersecurity risks to an acceptable level. This plan should include both the prevention of breaches and the detection of breaches already in progress.
- The third stage is to execute this plan for the enterprise, which will involve changes in the technology, processes and team member training.
- The fourth stage is continuous improvement. Keeping a company secure cannot be accomplished with a one-time initiative. A process to periodically assess and re-examine security needs to be defined; an owner of security processes and testing must be identified within the company; and the evaluation of any new initiative must include a risk assessment. Digineer has a strong background in making companies successful with their security strategy.
Cybersecurity is a subject every company needs to address, and you, the CIO, are the point person to ensure that this initiative is successful. Be proactive and develop a security culture in your company that can detect and address security breaches. Your board of directors, fellow company executives, and most of all, your customers, will applaud your efforts to keep your company's information secure.
For more information and tips on security issues, check out the website of the United States Emergency Readiness Team. In addition, cybersecurity certifications are offered at the University of Southern Florida, University of Maryland and University Systems of Georgia, among other higher education institutions.
To hear more from Bryce Austin, watch the video of my interview below.
This article is published as part of the IDG Contributor Network.