Get this: 90 percent of computer security professionals have detected security breaches at their organizations, according to a recent survey by the Computer Security Institute. But only 26 percent of attendees at the recent CIO-100 conference (CIOs and other top executives) said their company had ever been hacked. “These people are being hacked; they just don’t know it,” says David Cooper, CIO at Lawrence Livermore National Laboratory, featured in Tom Field’s “Protection Money,” beginning on Page 172. Clearly there’s a disconnect between CIOs and their security staffs.
Such ignorance might explain the perplexing lack of interest in a last-minute addition to the CIO-100 agenda on security: a presentation by John Tritak, director of the Critical Infrastructure Assurance Office at the U.S. Department of Commerce, followed by a panel of security experts and security-minded CIOs.
Tritak represents the federal government’s concern for protecting our information infrastructure. But as 90 percent of this infrastructure is in private hands, he says, the government needs to build partnerships with the private sector. So far, it seems, private industry hasn’t been all that receptive, and Tritak issued a warning should that persist. “If companies are not viewed as proactive and something catastrophic should take place, it could have a negative impact on private industry,” he said in an understated but clear threat of government intervention.
If you don’t think security threats are widespread, consider this: An executive from an online business who attended the security session told panelists that 30 minutes after they brought their site up, it was being hit by hackers. “I’m surprised it took them that long,” said one of the panelists, Mudge, vice president of research and development at @stake. (To hear him talk, the electronic world is like the Amazon river during a drought, filled with ravenous piranha just waiting for the next dumb cow to venture into the water.)
Here are some take-aways from the security sessions:
The Internet and increasingly integrated value chains are driving us to constantly extend our trust boundaries.
You can’t protect everything, so figure out what your crown jewels are–the critical assets you’re trying to protect–then build your moats around those.
It’s the interaction of all your systems that defines the security of your business, not some piece of software or a firewall.
Don’t try to make a case for security measures in a vacuum; rather, build the business case for what needs to be protected and tie the need for security measures to that.
And my own tip: Bridge the gap between you and the techies manning the corporate battlements now–or be willing to pay Tritak’s price in the future.