In the annals of executive management, it’s safe to say that chief executives and IT security professionals don’t have a close working history. However, in the wake of such massive and highly publicized security attacks on corporate giants like Google, Amazon, Citibank, JPMorgan and Lockheed Martin, today’s CEOs have realized that IT security is an issue that is as much their area of concern as financial performance. In fact, the two are very closely aligned.
The central issue in the fight to secure enterprises is that CIOs are unprecedentedly challenged and effective security requires more than a set of disparate tactics. It’s not that IT leadership hasn’t kept pace; it’s simply that enterprise technology is substantially more complex, more mobile and more outsourced than it was five years ago. Meanwhile, recent research indicates that the average organizational cost of a single data breach has increased to $7.2 million, costing companies an average of $214 per compromised record (Source: The Ponemon Institute and Symantec, 2010 Annual Study: U.S. Cost of a Data Breach).
This should be a warning bell for chief executives everywhere. It’s up to CEOs to set the agenda and priority for how IT security will be addressed across the business. The financial implications of not doing so are only the tip of the iceberg. While a breach in IT security may result immediately in large financial losses, that’s just the beginning. A loss in credibility can also impact business performance and client trust. It’s imperative that today’s CEOs have a clear understanding of their most dangerous security threats and be actively involved in developing and executing a strategy to mitigate these threats.
(Source: U.S. Representative James Langevin, 2011 Cybersecurity Forum, University of Rhode Island)
With the amount of money being poured into IT security, chief executives may think (or, at least, would like to think) that the latest doom-and-gloom Trojan or botnet is the biggest threat facing the protection of critical data. Surprisingly, that’s not the case. Human error is the largest threat to IT security. Most breaches in critical corporate data are not the result of malicious intent. They are the result of mistakes made in the way security is managed and configured across the business – especially at the network level.
Even the most sophisticated IT organizations are not exempt from this threat. In October 2010, Microsoft blamed human error after two computers on its network were hacked and then misused by spammers to promote more than 1000 questionable online pharmaceutical websites. In April 2011, the State of Texas discovered that the personal and confidential data of 3.5 million teachers, state workers, retirees and recipients of unemployment checks had been left unprotected on the Internet nearly one year. According to Gartner, Inc., more than 99 percent of firewall breaches are caused by misconfigurations rather than firewall flaws. The State Department’s 2008 breach of the passport system was a result of under-configured access control and a defendant’s “idle curiosity” peaked by the simple discovery that he “could.”
So, why is security so rife with human error? The answer is that today’s enterprise networks are overwhelmingly complex. Updating a company against a single Trojan or virus may require the manual configuration of dozens (if not hundreds) of separate firewalls and other network devices. Furthermore, it has become increasingly difficult to enforce IT security procedures throughout the enterprise and the volume of logging and event data generated by disparate systems and equipment spread across the enterprise can be daunting.
This complexity has led to an overworked, overburdened IT workforce. Frost & Sullivan’s 2011 (ISC)2 Global Information Security Workforce Study (GISWS) reports that the proliferation of new threats has led to “information security professionals being stretched thin, and like a series of small leaks in a dam, the current overworked workforce may be showing signs of strain.”
To improve IT security effectiveness, it’s critical that chief executives guide IT to find ways to reduce network complexity and minimize the risk of human error across the security process. These answers should point to ways that will de-burden security administrators.
Cloud computing shouldn’t be a new term for any executive interested in cutting IT costs, including CEOs. While volumes could be written on cloud computing and virtualization, the simplest explanation is that cloud computing allows companies to outsource IT infrastructure (from storage to applications) to a virtual environment that can either be shared with other organizations (the public cloud) or not shared (the private cloud). As a chief executive who challenges leaders to reduce technology costs and redundancies, cloud computing represents an effective strategy for doing both.
In January 2011’s “Results of a Survey Conducted for Electric Cloud,” Osterman Research shed light on the rise of cloud computing in the enterprise. Cloud computing – especially the public cloud – has reached critical mass in Corporate America as many companies elect to reduce, simplify and streamline the costs and resources required to run IT. According to Osterman’s report, 55 percent of companies using public cloud computing first adopted cloud computing in 2010. While a higher number of companies elect to use a private cloud, a growing number are turning to the public cloud to maximize the cost benefits of a shared virtualized environment. Osterman reports that 20 percent of the survey’s respondents are currently using a public cloud, with another 34 percent that intend to implement a public cloud in the near future.
So, with abundant cost savings to be had, what’s the problem? You guessed it: security. Gartner Research reports that security is still the top concern for companies looking to migrate to the cloud, with a “lack of confidence in the cloud provider’s security capabilities” being the top reason.
And, worried they should be since the simple fact of the matter is that cloud service providers also face the same security challenges of the average enterprises (e.g. visibility, monitoring, access control, complexity, etc.). In April 2011, Amazon’s web server division, which houses information and applications for thousands of companies worldwide, suffered a disastrous server failure. The breach of service took down the online presence of hundreds of thousands of websites including high-profile clients such as FourSquare and Reddit. We may never know if this outage was the malicious intent of hackers or a technical glitch, but the fact is that when availability is breached, the security of your corporate assets and data are on the line.
Human error – another threat to cloud security – is even possible from the technically savvy. This was demonstrated by the recent “programming error” in popular cloud storage provider Dropbox’s customer account passwords. This error allowed users to access any other customer’s account.
Before chief executives and CIOs migrate or expand service dependency to cloud computing, several issues should be explored. How do you know that another company isn’t incorrectly accessing critical data? What happens to your business if you’re not able to access a certain application in the cloud? How will you be able to assure your customers that their data is protected?
The explosion in mobile device usage may very well be the technological phenomenon that defines the past two decades. Telecom research giant Comscore reports that the number of U.S. smartphone users at the end of 2010 was 60 percent higher than in 2009. As such, the number of mobile devices – both company-owned and personal – accessing corporate data in the enterprise has greatly increased. Mobile device security is further complicated by the dual use nature of many “smart” devices, which effectively builds bridges between the private/corporate enterprise and cloud and social media services.
The problem here is that mobile device security is still in its infancy – both technologically and strategically. Viruses, botnets and other security threats can easily enter the network through mobile devices, yet few companies pay as much attention to securing their mobile devices as they do to securing their desktops and laptops. The rising use of mobile devices in the enterprises has attracted more attention from hackers. McAfee reports the number of cell phone-specific malware increased by 46 percent in 2010 compared to 2009.
This issue is compounded by the fact that the device itself is a liability if left in the wrong hands. According to American Medical News, one-third of health professionals store patient data on laptops, smartphones and USB memory sticks, yet only 39 percent of healthcare organizations encrypt that data. In June 2010, a security breach in a Web service used by Apple’s new iPad 3G exposed personal information of thousands of AT&T customers, including White House Chief of Staff Rahm Emanuel and New York City Mayor Michael R. Bloomberg.
CEOs and other chief executives must drive the prioritization and development of a company-wide mobile security policy that addresses how corporate data can be accessed and stored on mobile devices. This policy should specify guidelines for device usage and liability and cover both personal and company-owned devices.
How do you manage the dual-use nature of smart mobile devices securely? What happens if a product engineer’s iPad is stolen or left behind in a cab or coffee bar? Or how is the network being protected against incoming threats from smartphone emails or malware-as-application?
Chief executives have a responsibility to their employees, customers and shareholders to preserve enterprise integrity, credibility and security. IT security plays a major role in how executives are able to deliver on this responsibility. Actively engaging in the development of a strategy that protects against the aforementioned threats will demonstrate the company’s commitment to security from the top down.
Chief Executive Group exists to improve the performance of U.S. CEOs, senior executives and public-company directors, helping you grow your companies, build your communities and strengthen society. Learn more at chiefexecutivegroup.com.
0
1:00 - 5:00 pm
Over 70% of Executives Surveyed Agree: Many Strategic Planning Efforts Lack Systematic Approach Tips for Enhancing Your Strategic Planning Process
Executives expressed frustration with their current strategic planning process. Issues include:
Steve Rutan and Denise Harrison have put together an afternoon workshop that will provide the tools you need to address these concerns. They have worked with hundreds of executives to develop a systematic approach that will enable your team to make better decisions during strategic planning. Steve and Denise will walk you through exercises for prioritizing your lists and steps that will reset and reinvigorate your process. This will be a hands-on workshop that will enable you to think about your business as you use the tools that are being presented. If you are ready for a Strategic Planning tune-up, select this workshop in your registration form. The additional fee of $695 will be added to your total.
2:00 - 5:00 pm
Female leaders face the same issues all leaders do, but they often face additional challenges too. In this peer session, we will facilitate a discussion of best practices and how to overcome common barriers to help women leaders be more effective within and outside their organizations.
Limited space available.
10:30 - 5:00 pm
General’s Retreat at Hermitage Golf Course
Sponsored by UBS
General’s Retreat, built in 1986 with architect Gary Roger Baird, has been voted the “Best Golf Course in Nashville” and is a “must play” when visiting the Nashville, Tennessee area. With the beautiful setting along the Cumberland River, golfers of all capabilities will thoroughly enjoy the golf, scenery and hospitality.
The golf outing fee includes transportation to and from the hotel, greens/cart fees, use of practice facilities, and boxed lunch. The bus will leave the hotel at 10:30 am for a noon shotgun start and return to the hotel after the cocktail reception following the completion of the round.
