Hitting the cyber security snooze button
(page 1 of 2)
When it comes to cyber threats, Bob Turner likes to cite his own variation of a now popular warning: “There are two types of business organizations,” he says, “those who have been hacked and those who don’t know they have been hacked.”
With a full-fledged cyber war underway, that’s more of a cautionary tale than the standard line of “those who have been hacked and those who will be,” but after countless technology system breaches and the associated reputational and financial damage, it’s well past time to ratchet up the alarm.
By now, one would think cyber security would have top-of-mind awareness in both the executive suite and business boardrooms, yet for those attending the 2016 Fusion CEO-CIO Symposium produced by WTN Media, it was hard to escape the actual situation: while many wake-up calls have been issued, business organizations are still hitting the snooze button.
There are several reasons for this, but a persuasive case based on managing risk has to be made to get business leaders to invest in the requisite technology tools, according to Turner, chief information security officer for the University of Wisconsin–Madison. “It becomes an awareness issue and that’s when the leaders and certainly anyone in a position of responsibility in an organization needs to understand that it’s not a question of if, it’s a question of have you already been?” Turner notes.
Turner, who has 35 years' experience in information technology management with the likes of Booz Allen Hamilton and others, notes that business boards have a lot of things to worry about: profit and loss, external legislative and litigation risk, and business processes. In the overall scheme of worries, cyber security is relatively small, but it takes on importance beyond the IT department when upper management understands the potential impact. A great deal of the problem, Turner says, is that they are just not well informed, most likely because they haven't been close to IT and don't understand the constant volume of cyber attackers probing the enterprise.
“What really has to happen for boards to understand and invest properly in cyber security is to get an appreciation for that risk,” Turner explains. “If the board is not listening to the chief information officer or other C-level executives, the CISO has to come in and, without spreading fear and uncertainty and doubt, at least make sure they understand the risk.”
Mounting cyber threats
During the Fusion conference, Turner was part of a panel that explored topics covered in a new expert guide for C-level executives titled Navigating the Digital Age, a collaboration of security leaders from the New York Stock Exchange and Palo Alto Networks, a technology security company based in Santa Clara, Calif.
In the face of mounting cyber threats, Turner’s advice to fellow technology executives is to understand their organization’s security baseline and manage risk above that baseline. By security baseline, he means the fundamental configurations that should apply to all systems. Do you have a firewall? Is your antivirus software effective in detecting computer viruses inside individual computers and servers? Is critical data encrypted? In terms of processes, do you have in-depth training for new employee users? Do the users have adequate credentials for what they are doing? Are they changing their passwords on a routine basis? Is there periodic user training in response to new threats?
“All of those become components of a robust baseline from which, for higher security levels for the data, you can add on controls,” he notes, “but it will never drop below, in theory, what the baseline level of security is.”
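The baseline-plus-add-ons model Turner describes can be made concrete: a fixed set of controls every system must meet, with stricter controls layered on as the sensitivity of the data rises, and a report that flags any system falling below the baseline separately from one that merely lacks an add-on. The script below is an added illustration written for this article, not code from Turner, the University of Wisconsin–Madison, or the Navigating the Digital Age guide; the control names, thresholds (7-day antivirus signature age, 90-day password age, administrator counts), data-classification tiers and the sample fleet are all constructed assumptions chosen to mirror the questions in the passage above.

```python
"""Baseline-and-above control check (added example, constructed data).

Models the article's idea of a security baseline that applies to every
system, with additional controls layered on for more sensitive data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class SystemRecord:
    """Constructed snapshot of one system's configuration and user posture."""
    name: str
    data_class: str            # one of TIERS below (assumed classification scheme)
    firewall_on: bool
    av_signature_age_days: int
    disk_encrypted: bool
    local_admins: int
    users_trained: bool
    password_max_age_days: int


Check = Callable[[SystemRecord], bool]

# Baseline: the article's questions, expressed as checks every system must pass.
# Thresholds are assumptions for illustration, not values from the article.
BASELINE: Dict[str, Check] = {
    "host firewall enabled": lambda s: s.firewall_on,
    "antivirus signatures no older than 7 days": lambda s: s.av_signature_age_days <= 7,
    "data at rest encrypted": lambda s: s.disk_encrypted,
    "users completed onboarding training": lambda s: s.users_trained,
    "password maximum age no more than 90 days": lambda s: s.password_max_age_days <= 90,
}

# Add-on controls per data tier; each tier inherits the add-ons of the tiers below it.
TIERS: List[str] = ["public", "internal", "restricted"]
ADD_ON: Dict[str, Dict[str, Check]] = {
    "internal": {
        "no more than 5 local administrators": lambda s: s.local_admins <= 5,
    },
    "restricted": {
        "no more than 2 local administrators": lambda s: s.local_admins <= 2,
        "antivirus signatures no older than 1 day": lambda s: s.av_signature_age_days <= 1,
    },
}


def required_controls(data_class: str) -> Dict[str, Check]:
    """Baseline plus every add-on tier up to and including data_class."""
    if data_class not in TIERS:
        raise ValueError(f"unknown data classification: {data_class}")
    controls = dict(BASELINE)
    for tier in TIERS[1 : TIERS.index(data_class) + 1]:
        controls.update(ADD_ON.get(tier, {}))
    return controls


def evaluate(system: SystemRecord) -> dict:
    """Split failures into baseline gaps (never acceptable) and add-on gaps."""
    failed = [name for name, check in required_controls(system.data_class).items()
              if not check(system)]
    baseline_gaps = [name for name in failed if name in BASELINE]
    addon_gaps = [name for name in failed if name not in BASELINE]
    return {
        "system": system.name,
        "tier": system.data_class,
        "baseline_gaps": baseline_gaps,
        "addon_gaps": addon_gaps,
        "compliant": not failed,
    }


def below_baseline(systems: List[SystemRecord]) -> List[str]:
    """Names of systems with at least one baseline gap, for the board-level summary."""
    return [r["system"] for r in map(evaluate, systems) if r["baseline_gaps"]]


# Constructed sample fleet: one clean public host, one sensitive host missing
# add-ons only, and one internal kiosk that has fallen below the baseline.
SAMPLE_FLEET: List[SystemRecord] = [
    SystemRecord("web-01", "public", True, 3, True, 4, True, 90),
    SystemRecord("hr-db", "restricted", True, 5, True, 3, True, 60),
    SystemRecord("kiosk-07", "internal", False, 40, False, 1, False, 365),
]

if __name__ == "__main__":
    for result in map(evaluate, SAMPLE_FLEET):
        status = "OK" if result["compliant"] else "GAPS"
        print(f"{result['system']:<10} {result['tier']:<11} {status}")
        for gap in result["baseline_gaps"]:
            print(f"    BELOW BASELINE: {gap}")
        for gap in result["addon_gaps"]:
            print(f"    missing add-on: {gap}")
    print("Below baseline:", ", ".join(below_baseline(SAMPLE_FLEET)) or "none")
```

Separating baseline gaps from add-on gaps is the point of the exercise: a restricted-data host missing a stricter add-on is a risk to be managed, while any host below the baseline is, in Turner's terms, something that should never happen. The password-age check is kept because the article lists routine password changes among its baseline questions; current NIST SP 800-63B guidance favors changing passwords on evidence of compromise rather than on a fixed schedule, so an organization adopting this model today would likely swap that check for one on credential-compromise monitoring or multi-factor authentication.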