The role of the chief information security officer must adapt as businesses rethink IT security.
Over the past decade, the security landscape has changed, from one where everything was locked down to the nth degree, to a more open approach that encourages collaboration across company boundaries. As the smartphone phenomenon has taken off, chief information security officers (CISOs) have needed to rethink what personal computing security really means.
So the CISO's role is having to change: to establish a policy for security risk and the protection of corporate data that is not restrictive, yet still protects the firm's crown jewels. Corporate governance is a major driver, with changes to EU data protection regulations and requirements for businesses to disclose data loss.
At the same time, the threat landscape has evolved, with sophisticated targeted attacks and a range of devices that require legitimate access to the corporate network. A raft of surveys published in recent weeks illustrate how well business is coping and point to the weaknesses. The studies are generally positive. In fact, criminals are increasingly having to resort to exploiting niche IT loopholes and targeting emerging technologies such as mobile devices, according to IBM's X-Force 2011 Trend and Risk Report.
Strong and weak sectors
In Verizon's 2012 Data Breach Investigations Report, the company notes that the most-afflicted industry, once again, is accommodation and food services, comprising restaurants (around 95%) and hotels (about 5%). The financial and insurance industry dropped from 22% in 2010 to approximately 10% last year. According to Verizon, the trend towards the industrialisation of cyber crime is still in full swing, with the emergence of a supply chain of hacking tools, some with support and some even with service level agreements.
Verizon warns that such attacks can be carried out against large numbers in a surprisingly short timeframe with little to no resistance. “Smaller businesses are the ideal target for such raids, and money-driven, risk-averse cyber criminals understand this very well. Thus, the number of victims in this category continues to swell,” warns Verizon.
In the PwC Fighting Economic Crime in Financial Services report, respondents reported cyber crime as the second most common type of economic crime experienced by their organisations in the last 12 months, after asset misappropriation. Cyber crime accounted for 38% of economic crime incidents for financial services organisations, compared to 16% for other industries. PwC states that this is not wholly surprising, as the financial services sector holds large volumes of the type of data cyber criminals are interested in, and there is an established underground economy servicing the market for stolen and compromised data.
Cost of data breaches
The Cost of Data Breach Report from the Ponemon Institute looked at security breaches in 356 UK companies across 11 industry sectors. The study, sponsored by Symantec, covered breaches ranging from approximately 3,500 records to more than 78,000 records per incident. The average per-capita cost of a data breach has increased from £71 to £79.
If the organisation has a CISO with overall responsibility for enterprise data protection, the average cost of a data breach can be reduced by as much as £18 per compromised record. Outside consultants assisting with the breach response can save as much as £11 per record, according to the Ponemon Institute. Given the average number of records lost or stolen, these factors can provide significant financial benefits. Specific attributes of the data breach can also increase the overall cost: breaches caused by third parties or by a lost or stolen device increased the cost by £9 and £6 per record, respectively.
The study reported that 36% of data breaches involved negligent employees or contractors. However, malicious or criminal attacks have increased slightly from 29% to 31% of data breaches experienced by organisations. The researchers found criminal activity was the most costly.
Accordingly, organisations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker.
So CISOs should take a lead. Analyst firm Forrester says the CISO needs to become a trusted business advisor. However, given the strong focus on the technical skills required of a CISO, along with close links to IT, Forrester warned that security professionals may lack strong business understanding and connections.
In Forrester’s paper setting out a role description for the chief security officer, analyst Andrew Rose noted: “It’s important that CISOs reach beyond the aspects of the role for which they are directly accountable and take an interest in a wider portfolio of topics. Emotional intelligence skills such as creativity, intuition, empathy, leadership, flexibility, resilience, stress management, integrity and interpersonal skills will decide whether the CISO succeeds in making security discussions a regular boardroom topic or not.”
After years of battling with security, CISOs are managing to get a handle on it. But risks are ever-present, and many computer-literate end-user staff still have little understanding of data ownership, of their responsibility to keep records safe, and of why customer databases must not be copied or e-mailed out of the organisation.