Target’s data breach has sent the message “we need to talk” to C-level executives and IT managers throughout the business world. To get things moving, Syed Ali, Vishy Padmanabhan, and Jim Dixon of the management consultancy Bain and Company co-authored the report Why cyber security is a strategic issue. In the report, the authors start the ball rolling:
“With stakes so high, CEOs and boards must begin to think about security in a new way. IT security—a task that could once be delegated to the IT staff—has become a top-level strategic issue because the consequences of failure can ruin a business. Any organization may be only a few hacks away from disaster.”
The paper’s authors, before discussing the new way of thinking, look at the current security landscape.
Companies are more vulnerable
According to the report, the amount of money spent on shoring up a company’s defenses does not reduce the likelihood of a data breach. The report also highlighted: “An increasing number of organizations are being targeted directly with financial gain as the primary motivation resulting in the loss of sensitive data that can easily be monetized.”
The next finding reflects what recently happened to Target, “Organizations are having a harder time detecting and resolving security breaches, and the average financial impact of each breach on an organization is increasing.”
To be fair, the Bain report was released before the latest news reports proclaiming that Target personnel were warned about certain security anomalies early on and, for whatever reason, chose to ignore them. In any case, the bad guys are not sitting still. They continue to perfect their craft.
New cyber security challenges
The bad guys are going where they get the best return for their effort. So in the quest to run companies more efficiently to save money, companies could be making it easier for the bad
- More digital assets: Due to increased capabilities, companies are now harvesting more data from customers, including personal, financial, and transaction information. Then consider all the internal data every company needs to function. The report mentions the authors’ concern that company officials do not understand the value bad guys place on both types of data.
- Shift to hybrid cloud architecture: The move to cloud services, whether private or third party, relocates digital assets from the company’s data center to remote locations. Because cloud services are relatively new and untested, their security ramifications are not fully understood.
- Pervasive use of mobile devices: Whether mobile devices are company-owned or BYOD, they introduce new security challenges that will require a new methodology to manage the devices and how they access and store company data.
- Compliance should be the starting point: This point is of special interest. The Bain researchers depart from what most organizations consider adequate security—that of complying with all required agency regulations:
“Compliance should define the lower bound for security capabilities while the upper bound should aspire to meet the organization’s strategic priorities, including IP protection, continuous operations, and a secure corporate reputation.”
C-level execs need to rethink IT security
The coauthors do not pull any punches, bluntly saying that CEOs and boards must look at security in a new way:
“IT security—a task that could once be delegated to the IT staff—has become a top-level strategic issue because the consequences of failure can ruin a business. Any organization may be only a few hacks away from disaster.”
The Bain report coauthors stress the importance of making IT security a strategic concern because a large percentage of the organizations that recently suffered data breaches had formidable security measures in place. Yet those measures were not enough to keep the bad guys out of the company network.
The report then offers a reason why this is the case, “Too many organizations fail to align their IT-security capabilities with the company’s larger goals and appetite for risk.”
Recommendations from Bain
The Bain Report came up with several recommendations to help ensure C-level executives and IT departments are on the same page. If one looks closely at the recommendations, a common thread appears—business and IT leaders need to communicate with each other in an understandable manner:
- Understand the organization’s key assets and appetite for risk: Business leaders and IT departments must understand and agree on “value versus risk” assigned to key assets, in particular customer data.
- Identify the security risks and gaps: C-level executives and IT departments must be on the same page when discussing the company’s current security capabilities versus perceived security risks.
- Define the cybersecurity strategy: The IT department does what it is good at: develop a plan to meet the strategic needs agreed upon by both business and IT management.
- Emphasize gaps, priorities, and strategy to the CEO and board: This recommendation places the onus on IT departments to explain the risks, potential and existing, in a manner the company’s top executives understand.
- Engage recognized security specialists: The complexity of the Target breach should help everyone understand that it is impossible for any one IT department to know everything, and using outside experts is the cost of doing business.