Business is losing the war against hackers right now. But corporate boards shouldn’t just blame their tech teams. Rather, they should be looking in the mirror.
“I don’t think we have a huge technology problem,” said Chris Young, general manager of the security group at Intel (“INTC”), in a panel discussion on cybersecurity at Fortune’s Brainstorm Tech in Aspen. “I think we have a debt problem.”
That “debt” is the investment in time and resources that companies haven’t made in cybersecurity—starting at the top. Directors at most corporations haven’t paid a lot of attention to security or allocated sufficient resources until very recently, Young argued.
“I think most boards can’t spell ‘security,’ ” said Young.
But as the list of high-profile breaches—Target (“TGT”), Home Depot (“HD”), Sony (“SNE”), etc.—grows longer, boards may be suddenly getting religion.
“The number of calls I receive from people looking for security-focused board candidates has gone up tenfold in the past few months,” said Young.
That’s a good thing, because hacking appears to be an unavoidable issue.
“The reality is that every major organization is being hacked,” said Dmitri Alperovitch, CTO of cybersecurity services provider CrowdStrike, which earlier this week closed a $100 million round of Series C venture investment led by Google Capital. “If you’re not being hacked you have a major problem on your hands, because no one cares about you.”
When asked how many of her company’s clients have impressive cybersecurity infrastructures, Vanessa Hood, director of government business at security firm Palantir, said that it was a relatively small number, maybe 10% to 20%. The onus is on the boards of the remaining 80%-plus to make improvements.
“The threats are knowable and the state of your network is knowable,” said Hood. “It’s an empirical thing.”
Keeping hackers out altogether, however, is not realistic. The right strategy, several panelists agreed, is to be prepared to respond and to prevent hackers from inflicting damage.
“It’s very easy to find one hole in a network, but hard to close them all—almost impossible,” said Chad Greene, director of security at Facebook (“FB”). “You have to prepare for the inevitable.” He posited that all Fortune 500 companies should have two different types of so-called red teams—one to identify vulnerabilities and one ready to respond to threats.
That won’t happen until corporate directors begin to pay down their “debt” and make cybersecurity a top priority.
“At the board level it could be this simple,” said Intel’s Young. “We have audit committees. Why don’t we have cyber committees?”