Guest blog by Vistage member Kevin Dowd, Chairman and Director of Security Assessment, CNS Limited
As a founder and active consultant in an Information Security consultancy, I spend most of my time helping companies understand the current condition of their Information Security Management, and the ways in which to improve their defences. The field of information security is changing rapidly, and incidents affecting companies big and small are reported in the press on an almost daily basis, so it is not surprising that we are currently very busy, and that companies across all sectors are considering issues surrounding the security of their information. What is surprising is that, in the main, businesses are only addressing Information Security (and cybersecurity) as a result of outside pressure. While these pressures vary according to company size and sector, there are three main reasons we are called in:
1. Incident - the worst has already happened: an incident has occurred and our customer needs help with initial forensic response (finding out what happened, gathering evidence, mitigating impact) and with the rapid improvement of their defences.
2. Stakeholder pressure - can come from a number of different directions, but it is often institutional shareholders (particularly venture capital) or a particular customer or partner that insists upon a certain level of information assurance.
3. Regulatory or legislative requirements - businesses are often required to attain a certain level of information security management and sometimes apply particular controls as a result of legislation or regulation. Examples include PCI DSS, FSA regulations, the Data Protection Act and so on. Proposed EU regulations mandate notification of data breaches within 24 hours (in the UK, to the Information Commissioner's Office, which is already actively fining organisations for data breaches) and fines of up to 2% of annual global turnover.
While all of the above are laudable reasons to address information security in an organisation, they all have within them the same critical flaw - that, in effect, the organisation is allowing someone else to set its information security priorities and objectives. In scenario 1, the instigator of the incident is setting the agenda - the organisation is constrained to respond to the mess at hand, setting aside other priorities (and paying a distinct premium for improving defences fast). In scenario 2, the stakeholder(s) set the objectives and the timescales, and in scenario 3, the relevant legislative or regulatory regime will require specific levels of compliance and reporting. Often, the organisation will in effect be paying to secure other people's data (customer data, payment card data and so on).
Consider this alongside the changing landscape within which all this takes place: an increasingly tech-savvy younger workforce posing a potential inside threat; cyber attacks increasingly dominated by organised crime (with a consequent order of magnitude increase in the level of threat); nation states appearing as actors in cyber attacks, often for economic reasons; increased systems complexity and difficulty of management increasing the probability of accidental damage. The picture is not a pretty one, especially when taking into account that the average cost of a data breach is variously estimated to be £1.5m and up.
No-one is saying that organisations should not respond to outside pressure regarding information security - there is nothing wrong with third parties setting the agenda, especially when it is their data at risk (e.g. PCI DSS). However, the clear winning strategy here is to take control of information security internally before external pressure takes away the initiative and the opportunity to set the agenda. Third-party preoccupations will rarely be more than a limited subset of the risks that an organisation should consider - for example, it is unlikely that any third party other than an investor will care if your intellectual property is stolen.
Why then are more organisations not taking control of their information security risk? Well, many are, just not enough and not quickly enough, and the reasons seem to fall into one or more of the following categories:
1. Lack of executive commitment - the executive is not aware or not interested. From experience, without strong executive backing, information security projects invariably fail.
2. Perceived cost - information security is expensive, so let's not start.
3. The "it won't happen here" syndrome - we are too small, or not a big enough brand, or otherwise invisible to the various parties instigating cyber-attacks. In fact, there is evidence to show that attackers will target smaller firms as they present an easy target, and the reasons for doing so may be as simple as using their resources to launch further attacks.
4. It's an IT problem - companies see Information Security as an IT issue, and therefore the diagnosis and responses are technology focused. Information security is not an IT problem, it is a business problem.
It is therefore incumbent on the CEO to take a lead in driving effective information security practices and ensuring that the organisation is protected from cyber attack. The question is how? How do you frame information security questions in a business context, and in a way that the business can respond to? The following steps should help:
1. Instigate some effective Information Security Governance - without an effective governance structure, little else can be achieved. It need not be large, costly or unnecessarily bureaucratic, but certain roles should be included. There should be a Chief Information Security Officer, either full or part time, who is tasked with working with the executive to ensure effective Information Security Management in the organisation. There should also be a nominated Executive with responsibility for Information security, sometimes referred to as the Senior Information Risk Owner. There should also be some consideration of operational roles, and integration of Infosec with change management.
2. Classify Data - start with the really critical stuff, and iterate. Ensure that everyone is clear on what your critical data actually is, and where it resides. In stage 4, below, you will define what people are actually allowed to do with it. Don't try to boil the ocean, start small and make this an ongoing task.
3. Undertake a Risk Assessment. Again, this need not be a massive undertaking - start with the most critical areas of the business and iterate. Ideally, it should be done to some recognised methodology, but anything that allows a shared view of risk will work.
4. Create a Risk Treatment Plan that involves enacting controls to manage the identified risks. Note that this stage - applying controls - is where most people start, when actually it should only be done with an understanding of the risks as identified by the business. Controls will be people, process and technology based, not solely technology focused.
The key thing is that the business must lead this process, and it must be led from the top. If you don't decide what you are going to do in this area, somebody else will. And you may find yourself making key investment decisions at 4am on a Sunday morning, when the worst has already happened.