Friday, January 2, 2015

What Corporate Boards Need to Know About Information Security for 2015

Below are some recurring security themes that will benefit directors. Providing leadership in security is hard, but boards can improve their governance by grokking these important aspects of security for 2015.

Security is a competitive advantage. Security is hard, and that's a good thing. Many companies won't get it right. And as liabilities continue to increase along with customer, investor and employee expectations, the value of a robust security culture will continue to grow. Because creating a security-aware environment from the board and executives on down is challenging, this is an opportunity for forward-thinking companies to differentiate, minimize risk, and avoid the brand damage that comes with getting it wrong publicly. Proactive companies will view security as a component of long-term shareholder value rather than as a short-term expense that hits the quarterly financials.

Security is mostly basic and mundane (albeit requiring considerable operational commitment). "Well, anyone can get hacked if an attacker tries hard enough." This is NOT an excuse to write off securing your organization. While there is some truth in it, the overriding reality is that most security breaches could have been avoided by adhering to the most basic security principles and policies. This is more about security 101 and less about advanced technical topics.

Employees are the biggest risk. This is a corollary to the previous item. Most security incidents are due to an employee not following security policy rather than to a technically sophisticated hack. And this is more of a training, culture and awareness issue than one of malicious intent. Whether an employee falls for a phishing scam, inadvertently downloads malware or loses an unencrypted storage device, the damage is often the same. Even more sophisticated attacks often start with an email, when a user downloads malicious code onto their workstation. Because every step of an attack typically needs to succeed for a breach to occur, even complex multi-stage attacks can be thwarted by the most un-technical of approaches: educate your users about security and ensure your security policies are followed.

Be aware of CIO and CISO conflict of interest. The board should be aware of the risk of having the security role report directly into IT. Directors need to understand the conflicting roles of the CISO and the CIO. The CIO is the yes role: yes we can improve access, yes we can add that feature, yes we can reduce cost, yes IT is doing a great job, yes our network is secure. The CISO is the no role: no we should think twice before allowing this kind of access, no we can't reduce costs that much, no we need more time, no we need to think more about that, no our network is not secure. If your CISO reports directly to your CIO, you should be aware of this potential conflict and filter the data you get about security risk accordingly. This conflict is not so much a legal issue as one inherent in the objectives of the two roles, but an Enron comparison is still valid: a key component of the Enron downfall was that Arthur Andersen was both consulting on financial strategy and auditing the books. I call that having the fox audit the hen house.

Advanced Persistent Threat (APT) is code for "oops, we violated security 101." Executives at breached companies often use this term to justify a breach at their organization. However, as more information about a breach is released, these incidents are often revealed to be the result of violations of the most basic security principles. RSA's SecurID breach is a good example. RSA consistently labeled the cause of the incident an APT, yet the intrusion began with a phishing email whose malicious attachment an employee opened. Perhaps it was advanced, and perhaps it was persistent, but the fact remains: had employees followed policy and been more security-aware, this incident would have been thwarted.

Compliance is not the same as security. Compliance addresses a regulatory requirement to meet specific standards. Unfortunately, compliance with security standards can often be gamed or applied subjectively. That might be an effective strategy for compliance, but not for security. Non-compliance in and of itself is a risk, and achieving compliance is a business requirement. However, it is important for directors to understand that being compliant with a specific regulation or standard such as SOX, PCI DSS or HIPAA does not imply security.

Your network is decentralized and so is your responsibility. There is no easy answer for this one, but directors need to be aware of the extent to which their security depends on others and extends beyond their physical boundary. Vendors and partners have access to corporate data and network assets. Mobile and remote employees, global office locations and cloud services make the network edge fuzzy, along with the demarcation of your responsibility. More and more computing power and data is distributed beyond the traditional core network. Remember, if a partner company gets compromised and that leads to a disclosure of your customers' data, the breach notification letter to your customers will be on your letterhead. The partner company's fault, perhaps, but you own the brand damage.

Technology: don't believe the hype. Security products often claim unrealistic capabilities. If it sounds too good to be true, or just too easy, be wary. The biggest risk here is that directors get blindsided by a breach, having thought they were covered because of blanket statements promoted by the technology they invested in. Unfortunately, you can't buy your way out of the problem: security technology is only as good as the care taken in its configuration and the ongoing process that supports it. Buying the technology is just a small part of the investment involved. In the end, it has to be part of a bigger technology strategy and process.

There are no easy answers in security. It is challenging and requires ongoing commitment. The upside is that while the liability and expectations around security continue to grow, it provides an area of competitive advantage for those who can build security into their company culture in 2015.
