Dr. Fad, a well-known American inventor whose real name is Ken Hakuta, once said that lack of ideas, not money, is the main obstacle to progress. And while that may have been true for the creator of such children's toys as the popular 1980s Wacky Wall Walker, the thought doesn't seem to resonate with corporate leaders doling out money to information security endeavors.
For most CEOs, the main impediment to having stronger organizational security programs is insufficient funding in overall corporate budgets. But, part of the reason information security planning could be given short shrift is due to the general opinion that it may just be a discretionary investment. Although 68 percent of 100 CEOs recently surveyed believe that information security is an absolute necessity to protect a company's data, 17 percent say it is a desirable, but optional investment. Another 15 percent who responded to the SC Magazine/CompTIA survey, which was conducted by Millward Brown and SC Magazine, say information security isn't important at all.
Most corporations' IT security professionals battling it out each year with other divisional managers for financial support have a different take, however. To them, information security is far from a luxury in today's technology-dependent organization, rather it's an essential part of the total corporate plan.
“Security professionals definitely face a challenge when information security is stacked up against all other budget requirements that keep the lights on, as well as a difficult economy where budget dollars as a whole are shrinking,” says Shannon Culp, a long-standing information security leader who currently works for a large U.S.-based organization. “[But] as a security professional, it is my wish that every business executive recognize that information security is a key component of good business today.”
And that sometimes happens, she adds, with funding coming after corporate leaders find their companies falling victim to a data breach, become concerned about getting on newspapers' front pages after an incident, or realize the need to meet any number of regulatory mandates to which their organizations are obligated. Indeed, almost every company has some sort of compliance mandate to which it must adhere.
“Each regulation seems to continue to expand and further define security requirements because of the huge liabilities associated with doing business,” she says. “Companies are getting security implemented sooner than they would have without regulations like HIPAA (the Health Insurance Portability and Accountability Act), privacy laws, PCI (Payment Card Industry Standard), GLBA (the Gramm-Leach Bliley Act), Red Flag [and others].
And while information security is still frequently seen as having no real return on investment and is, therefore, viewed as an overhead expense, business leaders' opinions about it may be improving, says Gary Dobbins, director of information security with Notre Dame University. Based on the overall data gathered from the SC Magazine/CompTIA survey, most corporate leaders are making conscious efforts to expand on information security planning and increase budgets within the next five years. Dobbins says that this is probably a normalization of the industry at large.
“Car insurance was probably an unusual expense when vehicles were new. Computing is still relatively young, and such costs are slowly becoming recognized as necessary and appropriate,” explains Dobbins. “Anyone who thinks [information security] is optional is most likely in error. Did they lock their house and car when they came to work?”
Beyond budgetary struggles
Although 34 percent of CEOs responding to the survey say that tightening budgets in the last year are affecting resource, product/service and staffing needs, others say they're struggling with a few additional problems. Some 14 percent say effectively protecting customer and other critical data is an issue. And about 10 percent, respectively, note lack of security awareness among staff, contractors, partners and other stakeholders as a problem, as well as preventing employees from introducing applications and other tools that are outside the company's management to the environment. Another eight percent say a further worry is making certain that partners, contractors and others who have access or are using corporate and customer data are adhering to their corporate standards.
There were still more difficulties of note, but these were a bit further down on the list. Establishing and maintaining a plan that addresses information security risks, addressing ineffectual information security products, being in compliance with various regulatory mandates, and dealing with a lack of support for security undertakings from boards of directors or parent organizations for security initiatives all made the cut.
Encouraged that the protection of intellectual property and customer data ranks higher than compliance in the minds of the CEOs surveyed, George Dolicker, chief information security officer with Lenovo, has his own views on why regulatory mandates might be lower on corporate leaders' radars compared to the average security practitioner's.
“You know, compliance is a club. Why are you doing this? Not because it's important, not because you see the value, not because of any of that,” says Dolicker. “It's because otherwise ‘I'll go to jail,' and while that's been an effective way to get money, it's not a good way to educate the executive leadership. It's not a good way for them to understand and appreciate the importance of the function. It's just a pain-avoidance type of thing.”
Plus, many of the regulations in question, while some may still be evolving, have been around for a relatively long time, he says. This means that compliance generally doesn't hold the same top-of-mind position as it may have had in the past for the typical CEO.
“So mostly if they've been driven by compliance – if that was their focus, if that was their budget driver – they've been there, done that, paid the money and are on their way. They may be paying money on an annual basis to do it, but it's not something new that's on the top of their lists,” he says. “They are understanding that it's the information that is important, the private data that's important, and the appropriate threats from other people who are accessing the network that are important. So, actually, in the greater scheme of things, that's a pleasant result.”
Such a spotlight on the safeguarding of customer data also may be part of attempts to retain and even draw customers, adds Howard Schmidt, president and chief executive office of R&H Consulting and chief security strategist of the US-CERT, who also was once the cyber security advisor to the U.S. White House.
“Protecting customer data is something that's basically just core to the business – they can't be successful if they're not doing it – they'll lose [customers'] confidence and the company may wind up having problems,” he says.
But more than that, many companies are seeing that average end-users are concerned about their personal data and how companies with which they conduct business transactions are protecting their information, especially as they read about more and more compromises of personally identifiable information. In particular vertical markets, companies tout their information security prowess in hopes of gaining a competitive lead, says Schmidt.
One memorable example was when Citibank began advertising their identity theft protection methods with TV commercials that showed the victims of theft, elderly women or body-building business professionals, taking on the voices of the criminals enjoying their stolen credit.
“It's really been portrayed as ‘we're the ones you can trust because we really do security well,' and even to the point where you see a lot of the financial services companies providing secure ID tokens or [other devices] to consumers,” he says. “It used to be, not too many years ago, that it wasn't the enterprise's problem to make the customers secure. Now you see that they're offering free anti-virus software, free spyware software. They're using [information security] very much as a competitive advantage to say, ‘Yeah, I'm the one you want to go to because not only do I care about our data here, but how you interact with your data on your end.'”
Still, compliance demands seem to be moving information security products and services, says Mike Montecillo, information security analyst with Enterprise Management Associates, an independent industry analyst and consulting firm.
“I'm not saying that's necessarily a bad thing. I think that compliance does not equal security, but you can certainly leverage some of the initiatives that you're using to be compliant to better form a security strategy.”
Information security drivers
The challenges that are prompting corporate leaders and their staffs to invest in information security change from company to company, says Schmidt. It simply depends on the culture of the business.
“I've seen so many different reasons and rationale for doing security. One clearly is: ‘We have a customer base. If we lose their confidence [after] we lose their data, we're going to suffer as a business,'” he notes. “Others say, ‘Well gee, I've seen others lose [critical data] and I don't want to be in that position, so consequently I'm going to beef up my resources so I don't fall into that category.' Others are in the mindset of saying, ‘Well, yeah, this is just part of doing business these days. We have to look at the threat models across the spectrum of the business, look at the business risks, and make decisions based on that.'”
Though compliance was a little further down on the list of challenges for CEOs responding to the SC Magazine/CompTIA survey, it was one of the main drivers to make security a priority for 34 percent of the respondents. Also making the list of drivers was protection of critical assets, creating a competitive advantage, brand protection and customer confidence. For 21 percent of respondents, customer confidence alone was the incentive for information security in their companies, and 16 percent note protection of critical assets as the sole motivation. For 16 percent of CEOs surveyed, security is not a priority.
Luckily for him, the University of Notre Dame's Dobbins has the support he needs from his organization's leading stakeholders, but he observes that he may be among only a fortunate few who do.
“Regulations compelling compliance is what happens when too few self-protect against the risk associated with information,” he says of the list of priorities in the survey. “Perhaps too few recognize information as an asset.”
Whether or not one believes compliance demands have helped information security initiatives to flourish in organizations, regulations are requiring much more in the way of information security planning and implementation, says Culp, but getting funding for IT security plans remains a lingering problem.
“I have found in most organizations that unless it is required for regulations or … [needed] to remediate a situation, budget dollars are difficult to get for ‘nice to have security,'” she says. “Usually the ‘nice to have security' items are items that the security professional is passionate about needing and yet have a little more difficulty selling to management.”
The problem is that most corporate executives are simply not information security-centric, says Lenova's Dolicker. They're focused on maintaining a strong overall business and generating the profits necessary to do that, he explains further. They simply don't seek information about IT security of their own volition.
This is why André Gold, most recently the former head of security and risk management at ING U.S. Financial Services, believes the onus falls to information security pros to do a better job of educating their corporate stakeholders about governance, risk and compliance planning.
“We as a community have educated our CEOs about risk management as it relates to [its specific] IT components – a.k.a. firewalls, intrusion prevention, desktop encryption,” he says. “We've educated them to think that if we have these components we'll be OK. The fact is that [information security] is not just a technology game.”
Because most organizations rely on technology and the internet to conduct business, rather than focus on specific tools, security professionals must teach corporate and divisional leaders about the problems associated with their business processes and the threats that could jeopardize them, he further explains.
Doing this will make for a much more resilient environment that is robust and cohesive when it comes to information security measures being tied to the goals of the overall business, says Enterprise Management Associates' Montecillo. But, information security pros and their corporate leaders still have to do their homework.
“The secret sauce in security is being able to get non-security-focused stakeholders to implement the security initiatives and strategies without them knowing it,” he says. “I think they need to be aware of technologies and capabilities that help them evolve their strategies with the threat environment. I think the biggest thing with keeping up with threats and really enhancing your security posture in today's environment is being able to implement a technology, or rather technologies, that allow you to use your existing infrastructure and your existing security countermeasures in a manner that is going to evolve with that environment.”
And as we continue to see cybercriminals educate themselves about new technologies to develop updated ways to attack companies and steal information that can bring them a profit, those defending their organizations' critical data must strive to do the same.
“We're seeing major innovations and major evolutions within the threat landscape, and we're not necessarily seeing that in the defense posture and the security posture,” he says.
Preparing for the future
There are a few up and coming or existing threats that CEOs note as a bit concerning. For example, 62 percent say they have worries about the vulnerabilities associated with the increased use of wireless and mobile devices to access data.
Some 37 percent feel that the possibility of a breach by an employee is a potential threat in the future. And even though a great majority of respondents (84 percent) say they've not suffered a breach spearheaded by an employee, and another 80 percent say their companies haven't fallen victim to a breach launched by an external cybercriminal, there are those who admit they have (five percent), or that they simply don't know (15 percent).
Dobbins says that these corporate leaders must understand that threats come from all sides, whether internal or external. So any CEO who thinks that an internal breach, for instance, can't happen to their company is conducting business “with an incomplete security program.” Even employee error, not an intended malicious action, can lead to a breach, he adds. CEOs must be aware of all the possible ways of attack, and ensure their companies are taking appropriate steps to protect their businesses.
“Everything connected to the internet has been attacked or scanned as a potential target,” Dobbins says. “Chances are high that if no preventive and detective measures are in place, the lower 20 percent have been successfully attacked and just don't know it.”
Yet, 62 percent of CEOs participating in the SC Magazine/CompTIA survey say they feel they have taken adequate steps to prevent their company from becoming the next victim of either an internal or external data breach or compromise. Some 16 percent don't know if they have taken the steps necessary, and 22 percent admit they have not.
To be sure, attack methods have become even more sophisticated, says Culp. This means that CEOs can't afford to think they have it all covered or, worse, not know for sure whether they have or haven't done what it takes to build strong defenses against today's persistent cybercriminal.
“Recently, Patrick Gray of Cisco stated at a conference in Kentucky that one in 1,000 web pages are infected with malware, and that there are approximately 50 new instances of malware everyday,” says Culp. “I'm of the opinion that many CEOs don't know yet that their companies have been breached.”
To avoid this state, she advises that companies must get to a point where they have proactive procedures in place to deal with various security threats and attack methods. Defense-in-depth is key, also, in that, if done correctly, it can help organizations protect against all known attacks, as well as the newer, evolving kinds. Companies facing such issues as data mobility – related to the use of smart phones, PDAs, PC-based phones and laptops – or those that have an internet presence for company websites, applications and employee access, must find ways to mitigate and protect against all threats.
“We can never know how the bad guys are going to try to attack our data next, but we better be able to detect, respond and remediate,” advises Culp. “Security threats can never be mitigated and guaranteed 100 percent to be prevented. Hackers, malware writers or [other] bad guys on the internet have way more time to come up with ways to get to our data than we as security professionals have to come up with ways to protect against them. Companies must get to a point where they have proactive procedures in place to respond to any potential security threat or attack, as well as have defense-in-depth to protect against all known attacks and potential attacks.”
