Secrets of the Cyberconfident CIO
Read the full Spring 2012 issue.
With new data security threats appearing all the time, it’s easy for CIOs to get rattled. But if they plan to operate securely in the digital world and seize new opportunities, they need to reach for a new goal, something we call “Cyberconfidence™.”
Cyberconfidence is the ability to protect key assets and build the resiliency needed to survive a cyberattack. With priorities clearly identified and risks managed, a cyberconfident organization can move more quickly and build more trust among its customers, suppliers and employees.
The traditional approach to security has changed. We are seeing a new class of cyberattacks — sophisticated attacks that are motivated by financial and political gain rather than mischief. We can no longer count on basic security practices, nor is it possible to guarantee that an organization won’t be attacked, or that the attack won’t inflict damage.
For organizations to achieve Cyberconfidence, CIOs must evaluate their operations, assess and manage risk, and then monitor continuously for threats so when they are attacked, they can weather them, sustain their operations and recover swiftly.
When evaluating operations, organizations need to identify and prioritize their assets and business functions. This is the first step toward achieving Cyberconfidence. For example, not all assets require high-level security, and if they are secured needlessly, that can reduce an organization’s agility and divert the resources necessary to secure the most important assets.
That’s why CIOs should proactively know what data and functions are critical to their organization’s survivability. With this information, an organization can sufficiently secure its most vital intellectual capital and know which systems to take offline in the event of a breach or threat. This first phase is key to ensuring that an organization’s security investments and processes will be effective.
The second step to Cyberconfidence involves identifying risk, particularly to an organization’s most critical business functions and systems. Once an organization has identified its potential for risk, it then needs to manage that risk and continuously evaluate and alter its approach as new risk factors emerge.
In this second phase, CSC uses its Enterprise Security Roadmap to help determine a client’s risk profile — a toy manufacturer has different security needs than a defense contractor, for example — and address its security needs from both a business and a technological perspective.
Organizations have to have a targeted plan for moving forward with their security. They must understand their risk and the effectiveness of the security controls they have in place, and then have mitigation strategies, short-term and long-term, based on their business drivers.
Traditional efforts to address evolving cybersecurity threats and challenges have been narrow, with organizations using bolted-on technologies resulting in numerous point solutions that present information in different formats, are stored in different places and report to different locations. This approach is no longer effective.
CSC created an evolutionary approach, called the “Security Stack,” to facilitate “security by design” and ensure that security is architected as an integrated set of security controls. In turn, this approach enables situational awareness through integrated security controls, continuous monitoring, threat intelligence, and risk, compliance and governance.
Detect and protect
Once an organization has prioritized its operations and can manage its risk potential, the third step toward Cyberconfidence is to monitor what’s happening internally and externally. This awareness gives an organization the ability to detect a potential threat, and potentially the time it needs to protect its assets.
The abilities to detect and to protect are critical components of overall situational awareness. When a targeted attack starts hitting an organization’s environment, more than likely it will be something new, something unknown. This is where the investment in being able to detect malicious activity pays off.
Once an organization has established its security priorities, identified its risks and can monitor for threats, it will have Cyberconfidence, which, in turn, leads to greater agility and trust. When a new market or technology appears, a confident organization can quickly grasp new opportunities, confident that it won’t expose its data and systems to unreasonable risk.
As cybercrime escalates, trust is becoming increasingly important to customers, partners, employees and stockholders. Last year’s theft of Sony’s online gaming consumer data cost the company at least $170 million, and some analysts estimate related costs tied to the company’s brand and consumer confidence push that number much higher.
Regulators and analysts are recognizing that cybersecurity is a component of business and that it needs to be addressed as a risk factor. For example, last year the U.S. Securities and Exchange Commission moved to make private companies not just disclose cybersecurity risks, but mitigate them as well.
Data is an organization’s greatest asset and, if left unprotected and unaddressed, creates a liability. Cyberconfidence, on the other hand, strengthens stakeholder trust in an organization.
GORDON ARCHIBALD, director of Global Security Solutions portfolio advocacy and sales enablement for CSC.