A CEO’s Guide to Risk Management

Approaching risk from the proper business perspective is key

With the combined efforts of hackers, hacktivists, cybercriminals and nation-states, it is easy to believe that the world of information security is becoming riskier. Quantifying that risk is not always easy, but there is some data to support the idea of an increase in information security threats.

A survey carried out last year by Deloitte, the accounting and consulting firm, found that 79% of US-based chief information officers believe their companies have changed their approach to managing risk over the last three years.

The report also found that boards are paying more attention to risk, and are increasingly asking IT departments to help manage those risks. A key area for IT is the risk posed by data security itself.

The latest study by the Ponemon Institute suggests that data loss is becoming more expensive. The most recent ‘Cost of Data Breach’ study, covering breaches that took place in 2012, found that the cost, per person, of a lost record has risen from £79/$125 to £86/$135. The cost to organizations increased from £1.75m/$2.7m to £2.04m/$3.16m. Customers, too, are becoming more likely to “churn” and take their business elsewhere, if their personal data is compromised, the researchers found.

On the CEO’s Agenda

If nothing else, the sheer potential cost of data loss is ensuring that IT and information security risks demand, and are attracting, board-level attention. But information security professionals have to tread a fine line between raising awareness of threats and risks at the board level, and over-burdening senior executives.

Business leaders, for their part, need to avoid the temptation to micro-manage information security, and direct CISOs and CIOs to chase after the latest threat to make the headlines, rather than address the real risks to the business. Information security needs to move away from ‘saying no’ to the business, due to real, or even perceived, risks.

“Boards can’t help but be aware that risks are increasing, but whether they realize that they have a significant role to play in reducing an organization’s risk is another question”, says Stephen Bailey, head of operational risk at PA Consulting Group, the management consultants.

“Many [board members] believe that security is about IT, and so is an issue for the CIO or the head of IT security.” If boards do consider information security risks, Bailey says, they are likely to focus on the perimeter, rather than, for example, insider threats.

Another factor, especially in the US, is the guidance given by the Securities and Exchange Commission (SEC) to listed companies when it comes to data breaches. In particular, companies need to disclose if they have lost intellectual property that might affect the prospects for their business. “That has changed the way companies report financials, and the way they report information security risk at a board level”, says Jim Hietala, head of security for The Open Group.

This, in turn, should be prompting the information security community to report those risks in terms that CEOs and boards can understand. This, Hietala concedes, can be a challenge for some CISOs. “It is not helpful to show red, yellow and green charts of threats to senior executives, as that doesn’t map to how they look at the business”, he says.

Often this means having a more concrete discussion about the reputational, regulatory and financial impact of a data breach, even if it remains hard to say for sure what the financial impact would be of a lost laptop containing customers’ personal data, for example.

“In any number of surveys, cyber risk is at the top, or near the top, of the risks senior executives are grappling with”, agrees John Wheeler, a research director covering compliance, risk and leadership at analysts Gartner. “But we also see the need for IT security to adopt a more risk-focused mindset. In the past, IT security has been very compliance focused.”

As Wheeler points out, focusing on compliance is often the easiest way to attract the CEO’s attention and to safeguard, or even bolster, the IT security budget. With regulators mandating certain security measures on firms – especially around standards such as PCI-DSS, or in the US, HIPAA – some compliance-driven information security work may be inevitable.

Compliance by no means guarantees security, however, and while it is possible to comply with regulations at a technical level, safeguarding an organization’s information assets and ability to operate almost always needs a wider, risk-driven approach.

Data First

This can be made all the more difficult because regulators levy fines or other penalties directly for compliance failures, whereas failures in risk management are more likely to come to the fore later, through their impact on the company’s operations or its reputation. If compliance is seen as a cost of doing business, risk management is often viewed as a form of insurance.

Organizations taking the longer-term view can balance some of the tension between compliance and risk management, by adopting a data-centric approach.

According to PA Consulting’s Bailey, this means viewing data as assets, carrying out a threat or risk assessment, and then putting in place the appropriate levels of protection. The value of a data asset can change over time, as can the threats facing an organization, even if compliance regimes tend to be more static. “What you do may be driven by compliance, but boards need to be sure that risk is being managed, and managed well”, he says.

Another part of the challenge facing companies, though, is that the trend toward e-commerce, electronic information sharing, and greater mobility is creating more areas where data can be at risk, either of accidental loss, or deliberate theft. Companies’ approaches to risk management have not always kept pace with the developments in technology.

“A riskier world is the natural outcome of ubiquitous communications and mobility”, says Dave Dalva, at Stroz Friedberg, a firm specializing in digital forensic investigation. “That fact creates its own set of issues, around travel security, or sharing information securely. That needs to be managed.”

A weakness for a compliance-driven approach to security is that compliance rules are usually written after the fact – in reaction to a data breach or a perceived failing in security – and it is hard for lawmakers to stay ahead of rapidly developing technology.

“A true risk-based approach can be at odds with what a compliance regime tells you that you should be doing”, says The Open Group’s Hietala. “The risk to an organization is specific to that organization.” Compliance rules, by necessity, are more generic. “But done correctly, risk management focuses security spending on the areas that achieve the greatest risk reduction.”

“Security measures need to be commensurate with the business”, says David Robinson, UK and Ireland chief security officer at Fujitsu. “It is not ‘fit and forget’ but ‘fit and evolve’. And that requires proper risk analysis.”

An organization with the right approach to risk management, however, should find compliance easier, and there is evidence that lawmakers and regulators are moving toward this point of view: objections raised by information security experts to the proposed EU data protection regulation, which would have forced organizations to focus on specific compliance measures rather than on security or privacy outcomes, support this view.

But, says Mark Corley, UK and Ireland CTO at IT integrators Avanade, this should also lead companies to assume that there is always a level of risk, just as it is impossible to create complete security. A risk-based approach to data protection means having the right level of protection for a particular data asset or business process, but also an understanding that breaches will take place.

It Did For the Dinosaurs…

Dealing with this means defense in depth, and a certain degree of resilience in the way an organization operates; building security into business processes is critical to managing real-world risk.

“You can have levels of silos between systems, so if someone does get in, they do not necessarily have access to the whole business”, Corley says. “There is also a business continuity and disaster element there for the really unpredictable events.”

Risk management and risk mitigation also depend on people, so training employees to understand how their actions affect risk – and affect the organization’s ability to respond if there is a breach or cyber-attack – is critical.

Once again, this process depends on the correct classification of data, or an understanding of the importance of the business process and its resilience. In addition, risk reduction measures need to match this view.

“You need to ask what assets you own, and what the impact is if something negative happens to them”, says Tom Salkield, head of professional services at Integralis, the security arm of NTT. “Then the business needs to decide whether to accept the risk. They need controls, to ensure they have the right level of risk for their comfort levels.” A meteor strike might be devastating, but in business terms at least, it is highly unlikely. But there are many smaller risks a business faces that could cause it losses, if left unchecked.

“Any organization of any complexity has to assume it will be breached”, says Stroz Friedberg’s Dave Dalva. “The question is whether they have an appropriate incident management plan in place, and the right investigative and forensic tools. There are threats out there we can’t do anything about: they are the Air Force’s job to tackle. As companies, we have to reduce the impact of vulnerabilities, and their likelihood.”
