Target’s data breach has sent the message “we need to talk”
to C-level executives and IT managers throughout the business world. To get
things moving, Syed Ali, Vishy Padmanabhan, and Jim Dixon of the management
consultancy Bain and Company co-authored the report Why cyber security is a strategic issue. In the report, the authors start the
ball rolling:

“With stakes so high, CEOs and boards
must begin to think about security in a new way. IT security—a task that could
once be delegated to the IT staff—has become a top-level strategic issue
because the consequences of failure can ruin a business. Any organization may be
only a few hacks away from disaster.”

The paper’s authors, before discussing the new way of
thinking, look at the current security landscape.

Companies
are more vulnerable

According to the report, the amount of money spent on
shoring up a company’s defenses does not reduce the likelihood of a data
breach. Something else the report highlighted, “An increasing number of
organizations are being targeted directly with financial gain as the primary
motivation resulting in the loss of sensitive data that can easily be
monetized.”

 

 

The next finding reflects what recently happened to Target,
“Organizations are having a harder time detecting and resolving security
breaches, and the average financial impact of each breach on an organization is
increasing.”

 

 

To be fair the Bain report was released before the latest
news reports proclaiming that Target personnel were warned about certain
security anomalies early on, and for whatever reason, chose to ignore them. In
any case, the bad guys are not sitting still. They continue to perfect their
craft.

New
cyber security challenges

The bad guys are going where
they get the best return for their effort. So in the quest to run companies
more efficiently to save money, companies could be making it easier for the bad
guys.

For example:

More
digital assets: Due to increased capabilities, companies are now
harvesting more data from customers including personal, financial, and transaction
information. Then consider all the internal data every company needs to
function. The report mentions the authors’ concern that company officials do
not understand the value bad guys place on both types of data.  

Shift
to hybrid cloud architecture: The move to cloud services, whether
private or third party, locates the digital assets out from the company’s data
center to remote locations. Being relatively new and untested, the security
ramifications of using cloud services are not fully understood.

Pervasive
use of mobile devices: Whether mobile devices are company-owned or BYOD, they
introduce new security challenges that will require a new methodology to manage
the devices and how they access and store company data.

Compliance
should be the starting point: This point is of special interest.
The Bain researchers depart from what most organizations consider adequate
security—that of complying with all required agency regulations:

“Compliance should define the lower
bound for security capabilities while the upper bound should aspire to meet the
organization’s strategic priorities, including IP protection, continuous
operations, and a secure corporate reputation.”

C-level
execs need to rethink IT security

The coauthors do not pull any punches, bluntly saying that
CEOs and boards must look at security in a new way:

“IT security—a task that could once be
delegated to the IT staff—has become a top-level strategic issue because the
consequences of failure can ruin a business. Any organization may be only a few
hacks away from disaster.”

The Bain report coauthors stress the importance making IT
security a strategic concern because a large percentage of organizations
suffering through data breaches recently have had formidable security measures
in place. Yet, they were not enough to keep the bad guys out of the company
network.

The report then offers a reason why this is the case, “Too
many organizations fail to align their IT-security capabilities with the
company’s larger goals and appetite for risk.”

Recommendations
from Bain

The Bain Report came up with several recommendations to help
ensure C-level executives and IT departments are on the same page. If one looks
closely at the recommendations, a common thread appears—business and IT leaders
need to communicate with each other in an understandable manner:

  • Understand the organization’s key assets and appetite
    for risk: Business
    leaders and IT departments must understand and agree on “value versus risk”
    assigned to key assets, in particular customer data.
  • Identify the
    security risks and gaps: C-level executives and IT departments must be on the same page when
    discussing the company’s current security capabilities versus perceived
    security risks.
  • Define the
    cybersecurity strategy: The IT department does what it is good at: develop a plan to meet the
    strategic needs agreed upon by both business and IT management.
  • Emphasize gaps, priorities, and strategy to the CEO
    and board: This
    recommendation places the onus on IT departments to explain the risks,
    potential and existing, in a manner the top-company executives understand.
  • Engage recognized security specialists: The complexity of the Target
    breach should help everyone understand that it is impossible for any one IT
    department to know everything, and using outside experts is the cost of doing
    business.