
The case for articulating security risk in a down economy

Recently, the hacker group known as LulzSec announced that it was closing up shop, yet the news did not provide any comfort to security professionals. 

And true to form, other hacking groups are taking center stage with claims that they have even hacked the hackers. Whatever these groups morph into, the simple fact is that we all remain at risk.

The hackers will likely continue to grow in number as the underworld of cybercrime becomes more powerful and profitable. Organized crime's “Cyber Dons” will continue to set their sights on high-value targets, such as financial institutions and organizations holding assets that can be stolen and monetized.

We've already seen hacking groups joining forces to share tools such as the Zeus trojan. We'll certainly see an increase in terrorist-sponsored cybercrime, as these organizations graduate from just using the internet to spread propaganda to launching full-scale cyberwarfare against critical infrastructure. 

Furthermore, opportunities for hackers will continue to increase as we become more reliant on technology to perform our daily jobs.

In order to protect ourselves, we have to strike a balance with technology and innovation within the security field.

If there's a silver lining to be found following the recent hacks, it is that security professionals now have the most extensive arsenal of proof that the cost of doing business in cyberspace could go as far as to cost an organization its reputation. Security professionals need to get in front of the CXO levels of their organizations and explain the threats and vulnerabilities in order to put a security plan in place.

Hacking and attacks have been plaguing the security scene for the past couple of decades, but the targets are clearly changing and prompting many executives to question the safety of their enterprises. At the same time, convincing executives to open their checkbooks during tough economic times isn't a winning situation – regardless of the threat level.

Interestingly enough, some security professionals see this as a time of opportunity and want to use the “fear, uncertainty and doubt (FUD)” factor to attempt to increase staff and budgets.

Once you are the victim of the first hack or attack, you can expect to be back in front of the same executives to explain how this happened after they gave you more resources. It's important to articulate that increased spending only strengthens the insurance policy, and to remind them that nothing in IT security is 100 percent hack-proof, short of disconnecting from the internet.

Part of the historical dilemma has been that security professionals by nature are risk averse, while IT professionals are willing to step closer to the edge to meet the demands of the customers. 

Recently we've seen another C-level position beginning to unfold – a new position at the executive level to manage risk for the organization, including IT and security risk.

Do we really need yet another C-level executive?

One reason this might work for some organizations is that many CIOs and CISOs do not sit at the executive table and end up managing risk from the operational trenches. Providing the executives with information around threats and vulnerabilities can help weigh the value of security controls against business enablement, all while potential challenges are looming on the horizon. 

If your CIO isn't taking part in business decisions, this might be a useful position for your organization. To help give you some objectivity around this, the National Institute of Standards and Technology recently published a risk management framework.

We are still in dire need of security protocols and controls for new technology deployments, such as the smart grid, cloud computing and IPv6 – all of which have well-documented security vulnerabilities and concerns. 

As a nation, we have to get to the point where security is one of our first considerations as we increase our reliance on cyberspace. And we can't stop there. The recent push in the federal government for continuous monitoring gives many security professionals hope that, through better reporting and education, threats will become more transparent to executives, helping to bridge the gap between the business and IT.

So as the world of cybersecurity becomes more perilous, we should resist the urge to blindly run to our leaders requesting more resources. Instead, CIOs and CISOs need to get into the boardrooms and to the C-suites to clearly articulate the risk to the business. 

The knowledge we can gain from recent hacking events can give the CIO and CISO the ability to see into the ecosystem of the adversaries. With that knowledge, we can determine the best balance between addressing those risks and ensuring optimal customer service and responsiveness to business needs.
