Running on Luck

It's time to make serious strides towards protecting employees, assets, access and the corporate brand.

Use of the Internet for core business activities keeps surging - at a time of global unrest, rising computer crime and ever-deeper network interdependence. Everywhere we look, new technologies are emerging to feed our seemingly relentless appetite for the new; yet every new technology brings with it new security vulnerabilities.

Small wonder a growing number of analysts and computer security experts are urging us to consider whether we might not, one day soon, finally run out of luck.

It is not as if the warning signs have not been there. The distributed denial of service (DDoS) attacks that crippled Internet leaders in recent years cost giants like Yahoo!, eBay and E*Trade millions of dollars in lost revenue, and even brought down one of the UK's largest Internet service providers (ISPs). And each year the situation worsens, with business's growing dependence on the Internet seemingly an irresistible temptation for those with malicious intent. Disruptive agents such as viruses, spyware, hacker intrusions and denial-of-service attacks, along with attacks on e-mail and Web systems and on company data and applications, have continued to grow.

Yet business's growing dependence on the Internet means every point on every value chain now demands applications and data at the ready 24x7, as the Internet raises expectations of seamless information availability and up-to-the-minute data accuracy. When customers cannot obtain service or transact sales because information cannot be accessed, systems are down or networks are unavailable, it is not just online sales that suffer. The brand name is diminished, goodwill goes out the window - and if customer data has also been lost, customers will likely never trust that firm again.

So industry observers and pundits like Aberdeen and Gartner are sounding the alarm bell on the tendency for business to remain far too complacent about the very real risks ahead.

Aberdeen Group reveals that Internet-based core business disruptions set off by worms and viruses are costing companies an average of nearly $US2 million in lost revenue per incident, compared with an average cost of just $US74,000 per incident to recover systems and networks and resume normal business operations. Such Internet business disruptions do not just hit e-commerce; they hit retail, wholesale, manufacturing, government, utility, financial, health-care and other industry sectors equally. Aberdeen puts the median annual revenue loss at anywhere from $US6700 for a $US10 million company to $US20.1 million for a Global 5000 company with $US30 billion in revenue.

Customer sales and service functions are just the start of it, with the research showing marked increases in the use of the Internet for other core business functions, including procurement, sourcing, distribution and fulfilment. "Increasing usage of the Internet for these core business functions means that business disruptions from Internet security can seriously impact a company's revenue," Aberdeen analyst Jim Hurley says.

Aberdeen reports most businesses are worried that their operations are exposed to Internet-based threats. For instance, 80 percent of survey respondents indicated that they are worried about network outages, 86 percent are worried about Internet security threats, 84 percent are worried about compromised IT systems, 85 percent are worried about compromises to data integrity, and 71 percent are worried about human errors that may lead to Internet business disruptions.


Gartner defines a security vulnerability as a weakness in process, administration or technology that can be exploited to compromise IT security. Such a weakness can exist in any layer of the application stack and can be introduced by flaws in almost any IT administration, process or design function.

"Increasing Internet activity, along with the use of Web services, wireless connections and other new technologies, will lead to more vulnerable configurations. And these vulnerabilities will cause increased downtime for organizations that don't push security concerns into their processes for software development and procurement," warns John Pescatore, Gartner vice president and research fellow.

"Basic changes to the operating systems and hardware platforms used by servers and PCs will make dramatic leaps forward possible in some areas of software security," says Pescatore. "That said, through 2008, IT leaders will need to implement stopgap approaches to deal with new vulnerabilities associated with unsafe customer, employee and business partner platforms."

However, at least at this stage, such fears do not seem to be translating into effective counteraction.

At a time when the pace of technological change is increasing at a double-exponential rate - according to Raymond Kurzweil's essay on the confluence of exponential trends, known as the Law of Accelerating Returns - Gartner research director Steve Bittinger says businesses are woefully unprepared for the implications of this dramatic development. Kurzweil's analysis of the history of technology argues that technological change is exponential, contrary to the commonsense "intuitive linear" view.

"So we won't experience 100 years of progress in the 21st century - it will be more like 20,000 years of progress (at today's rate)," he writes. "The 'returns', such as chip speed and cost-effectiveness, also increase exponentially. There's even exponential growth in the rate of exponential growth. Within a few decades, machine intelligence will surpass human intelligence, leading to a milestone known as The Singularity: technological change so rapid and profound it represents a rupture in the fabric of human history."

To Bittinger, the rate of technological advance should be setting alarms ringing across every business in the land. He maintains that many companies have underestimated or poorly understood the problems that are associated with security, particularly since every new technology brings with it a new security vulnerability.

"We have a technologically-based society and technology is zooming ahead faster and faster, and you can turn that around and say: 'Well, what does that say about vulnerability?'," Bittinger says. "We're getting all these new technologies . . . and every one of them brings with it new security vulnerabilities.

"Knowing that that's the state of the world, we can't be reactive. We have to get very serious about understanding what the architecture is that is going to provide us with a greater level of security. We have to actually be proactive in terms of consciously building in security from the beginning," Bittinger says.

The evolution of attacks such as malicious code and viruses has seen CIOs reassess and change the way they protect their systems. Because the Internet has been such a critical component of many companies' success, CIOs are starting to realize that to avoid Internet business disruptions, they need to implement a security system that alerts, protects, responds and manages.

As one observer says: "The role of CIOs has changed from: 'I'm just looking after the gates around the house and making sure no one gets in' to: 'I need to know about neighbourhood robberies, what they are taking and how they are getting in'." This intelligence-type role is becoming more important as attacks become more aggressive and "zero day" attacks appear on the horizon. A zero-day attack exploits a vulnerability before the vendor has released a patch for it - often before the vendor even knows the flaw exists - so defenders have had no time to prepare.

But while the CIO is a key player - and, for some organizations, may be at the nexus of security efforts - it would be a mistake to view IT security as the responsibility of the information technology group alone. "Nothing could be further from the truth," writes M Eric Johnson in the CIO (US) article "Information Security in the Age of the Extended Enterprise".

Johnson, who is professor and director, Centre of Digital Strategies at the Tuck School of Business explains: "During the quality revolution, the firms that found quality breakthroughs were the ones that realized that quality could not be delivered by the quality control department. It had to be part of the organization's culture. Security, like quality, is everyone's responsibility.

"Business managers cannot be passive, waiting for protection from the information security police. Rather, information chiefs must articulate the risks, like any risk faced by the business, and as a team, executives must balance the risks. Brad Boston, Cisco's CIO, described how his organization moved from a traffic cop that simply said yes or no to business manager requests to one that helped them make good decisions. 'Our job is to identify the risk. The threat of that risk actually occurring, the probability, and tell what the options are to remediate it. Then a business decision is made about what risks are acceptable and which risks are not.'

"This responsibility resides at every level in the organizations - including the board," Johnson continues. "One CIO complained to me that when he presents updates to his board on new applications their eyes light up. But when he talks about security, he sees them glaze over. Having board members who understand the risks and can help other members see those risks is key to effective information technology governance and to building a culture of security."

