Cybercrime is big business. We spend money to solve the problem, but perhaps our approach is all wrong. Maybe we need a top-down approach. For that to work, IT leaders must communicate effectively with the board of directors and C-level executives. Here are some tips to help you along.
Maybe you have heard these words: “Cybercrime is big business.” Big business indeed. For the hackers that is. The 2016 Trustwave Global Security Report shows how hackers launching a malware infection campaign could expect to earn a breathtaking $84,100 in profit from an initial investment of just $5,900. This represents a return on investment of 1,425% – in just 30 days!
The Trustwave report also states that we’ve heard about cybercrime being big business so often that perhaps the idea is losing its impact. Is this true? Do companies still care? It seems that they do. A recent Computerworld article noted that the U.S. government is hiring 3,500 new IT cybersecurity professionals. And a recent CIO.com article stated that Omni Hotels and Resorts is looking to improve its security posture in response to a cyberattack that impacted 48 of its 50 U.S. locations.
Nevertheless, it seems to me that the problem is never going to go away. And in some cases, it does seem we are fighting a losing battle. Where do we start?
I asked Richard Spires, CEO of Learning Tree International, his thoughts on why that is. “Cybersecurity has become the No. 1 risk factor for most companies and government organizations,” he says. “Moving to more automation and interconnection via IT has become a competitive differentiator in almost every industry today. Yet any organization that holds sensitive information on people — employees and/or customers — has to deal with the specter of potential exposure of that data, and potential reputation and financial harm to the organization.”
Richard should know. He served as the CIO for the U.S. Department of Homeland Security and as deputy commissioner for the Internal Revenue Service.
The natural response seems to be to spend more and more money on technology to solve the problem. “When cybersecurity is discussed with management, it will result in visions of large expenditures making ongoing resource discussions difficult,” says Arnold Felberbaum, past chief IT security and compliance officer at Reed Elsevier.
In order to be effective, we need to start at the top – with board members and C-suite executives. Aiman Khalil, past vice president and global information security officer at AIG, says, “While the C-suite understands and agrees that achieving adequate levels of security requires a holistic, long-term strategy, many organizations are still chasing the latest and greatest security tools that overpromise and underdeliver.”
It seems that many organizations take the approach of blindly throwing technology at the problem in hopes of solving it. And it might help for a little while, until more sophisticated attacks emerge. Then you are back in defensive mode. Many times you are not even sure whether the technology will work. It is like throwing something at the wall and hoping it sticks. As Aiman says, “It is no longer sufficient to deploy the best firewalls and roll out the top antivirus and hope for the best. Technology is only a piece of the puzzle that must be coupled with a comprehensive risk-management strategy, strong processes and well-trained staff and workforce to achieve an acceptable security posture.”
Perhaps the solution lies in starting from the top. A recent U.K. House of Commons report titled “Cyber Security: Protection of Personal Data Online” makes the following recommendation: “To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the board.”
It is noted, however, that in many cases the board does not have a clue about cybersecurity issues. In its 2014 “Boardroom Cyber Security Watch Survey,” IT Governance offers the following insights:
A large proportion of boards are still in the dark about the current state of their companies’ cyberdefenses: 32.5% of respondents said that their boards receive no regular reports on this topic.
The quality of those reports is also a concern: 21% of respondents said they believe their company’s board reports fail to provide the information necessary for them to make decisions, and more than 28% are unsure if this information is provided at all.
Many boards still lack the necessary knowledge to oversee cybersecurity effectively: 30% of respondents said that their boards lack the knowledge and qualifications to exercise effective governance in this area, and 19% said they don’t know.
Felberbaum believes security professionals need to improve their ability to communicate the issues, concerns, risks and mitigation measures necessary for their particular situations. Specifically, they need to communicate to the board and C-level executives. In order for these groups to understand the pressing issues facing the organization, security professionals need to stop delivering complex technical information with metrics that have no relationship to business. Felberbaum adds: “It’s not about how well your technical controls are doing; it’s how you have enabled business.”
Management needs to better understand the impact of security breaches. To this end, Spires believes organizations need to put in place appropriate risk-management processes to address cybersecurity risks. IT Governance’s Boardroom Cyber Watch Survey further recommends that, given the importance of security, board members should receive regular and frequent reports from their CIOs and CISOs on the state of their organizations’ cybersecurity.
Cybersecurity is not just a technical and operational issue. Cyber issues can’t simply be delegated to the security department. These are issues with serious potential business consequences. To overcome this barrier between the cyber world and the business, enterprises need to incorporate a cyber risk governance framework that is adapted to their specific needs. Such a framework should include:
1. Laying out the responsibilities and management of the myriad of cyber risks that may impact an organization.
2. Understanding what cyber trends are occurring in the industry.
3. Comparing cyber trends to the current allocation of resources and budget spent on cybersecurity.
4. Educating employees, partners and clients on an ongoing basis to instill a culture of cybersecurity.
5. Conducting proactive tests and other exercises and drills to assess for potential cybersecurity weaknesses or gaps in the cyber response plan.
It seems that we are heading in the right direction. In order to move forward, organizations need to eliminate internal disconnects and get everyone on the same page in terms of priorities. Not only do companies need to focus on addressing their most pressing needs, they also must have clear guideposts for measuring their performance and progress. Based on the findings of the reports discussed in this article, the majority of IT pros and executives are confident improvements can be made. The next step is learning to work together to achieve the desired results.
Mark Edmead is an IT transformation consultant and trainer. Over the past 28 years, he has provided IT transformation and business improvement services that align information technology with business goals to drive bottom-line performance and growth.
Mark’s focus is on change management, process improvement, enterprise architecture, technology road mapping, strategic IT planning, IT organization analysis, IT portfolio management and IT governance. Mark is TOGAF 9.1 certified and he is a Lean IT accredited trainer, a DevOps trainer, a certified COBIT 5 assessor, a certified Baldrige internal assessor, a Business Relationship Management Professional (BRMP) accredited trainer, a Certified Information Systems Security Professional (CISSP), a Certified Information Systems Auditor (CISA), and a member of the Malcolm Baldrige National Quality Award Board of Examiners.
Mark has developed and delivered courses for the SANS Institute, the MIS Institute, the University of California, San Diego, the Institute of Internal Auditors (IIA), Technology Training Corporation and Learning Tree International. He is also an adjunct professor at Keller Graduate School of Management. Mark has delivered numerous international workshops in countries such as the United Arab Emirates, Kuwait, Japan, Hong Kong, Taiwan, Singapore, Malaysia, Switzerland, Germany, Chile, Mexico and Scotland. His past clients include BMW, Catholic Health Services, AARP, the United Nations, Kaiser Permanente, Saudi Aramco and the U.S. Department of Defense. Mark is a master trainer, facilitator and storyteller, and he has an energetic and entertaining style that holds audiences' attention from start to finish.
The opinions expressed in this blog are those of Mark Edmead and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.