Chief Information Security Officers would do well to consider Benjamin Franklin’s advice to his fellow signers of the Declaration of Independence, “We must, indeed, all hang together, or most assuredly we shall all hang separately.”
Those of us responsible for information security don’t face armed combat or the literal prospect of being hanged, but today’s environment of security risks make it necessary for different and competing players to stand united against an organized, motivated enemy out to disrupt, steal or both. The need to work together to protect company data, customer information and corporate brand has never been greater. Business survival depends upon it.
Information security professionals, no matter how big the enterprise they work for, are currently overwhelmingly outgunned by cybercrime. The threat of these criminal enterprises is large and growing and if left unchecked will have a disastrous impact on our economy in the near term. McKinsey & Company estimates that cyber attacks will slow the pace of technology and business innovation over the next few years and cost the economy as much as $3 trillion annually. Data breaches have already taken a heavy toll and costs are on the rise. An IBM-sponsored survey conducted by the Ponemon Institute found that the average cost to the company of a corporate data breach is now $5.9 million. Of this, the cost of lost business from a breach averages $3.2 million. However, this average can be misleading because some of the more widely publicized breaches in recent years have cost the affected companies billions of dollars in revenue and shareholder value.
Cyber criminals run highly organized and collaborative enterprises that operate with troubling and destructive efficiency. Juniper Networks conducted a study that found that global cybercrime takes in larger profits than the illegal drug trade. “The cyber black market has evolved from a varied landscape of discrete, ad hoc individuals into a network of highly organized groups, often connected with traditional crime groups (e.g., drug cartels, mafias, terrorist cells) and nation-states,” the report said. And even when the goals of the attackers are not monetary gain, the costs can be enormous. Though not a penny of its cash was stolen, the attack on Sony last December cost the entertainment company billions of dollars through the release of data. Types of data stolen can include financial data, personal health information (PHI) and associated insurance information.
What’s more, cyber attackers have adopted the practice of gaining strength in numbers. There is a network of collaboration these criminals easily tap into to help them with their schemes. With these hackers constantly working together to do damage to businesses, it only makes sense for businesses to start working together on a large scale.
For a while, those attacked were somewhat limited in what they could do in response. Anti-trust law prevented the kind of collaboration needed to anticipate and fight these growing threats. Vibrant competition and the need to protect corporate intellectual property worked against information sharing about cyber attacks and data breaches. Corporate culture and internal policies played a role too. Many enterprises would refrain from disclosing the full extent of attacks to avoid inspiring others or exposing too much about their security practices. Companies find themselves isolated as they face the onslaught of attackers accustomed to working together. This has to change.
Despite the increased visibility of the threat with high-profile data breaches and attacks on well-known financial, retail and media companies, many organizations don’t have the needed security staff in place. One large healthcare company in a major metropolitan area managed a network of more than 30,000 healthcare professionals and had only two employees dedicated to information security. Those in tune with the business of IT security know this is outrageously understaffed, but unfortunately this situation is also common.
At last October’s Global CISO Executive Summit in New York, Malcolm Harkins, vice president and former chief security and privacy officer for Intel noted that, “No single person or company has all of the skills and resources needed to address all of these security issues as fast as required. The necessary level of security is only achievable in unison.” He points out that a collaborative approach across sectors and verticals will enable companies to benefit immediately, no matter what their current security situation. And even highly profitable companies with well-structured security systems can frequently find the challenges of attacks overwhelming.
According to Harkins, the greatest systemic weakness facing organizations today is the misperception of risk and defining each attack as isolated and unique. The solution to this misperception is a diversity of perspective to assess and diagnose the threats which, in turn, requires a diversity of input. This can only be achieved by collaboration across industry sectors.
On the tactical side, collaboration is going to have to become a part of daily life for companies. Day in and day out there’s blocking and tackling in motion as new threats arise and are assessed and combated. Security officers need to be able to tap into the experiences, knowledge and skill sets of others who have “been there, stopped that” to help them deal with threats in as close to real time as possible.
Robert Dethlefs is founder and CEO of Evanta, a leadership association of business executives. He is also founder of the CISO Coalition, a membership organization for chief information security officers at U.S. corporations.
