The Chasm between IT and Cybersecurity
Perception is reality in the eye of the beholder
According to a recent article in the Wall Street Journal, “Half of all IT executives do not tell their Board the truth about breaches… Companies often don’t realize they have been hacked for weeks or months after the fact and in some cases only learn they have been breached after being notified by law enforcement. Even then, it’s often difficult for CIOs and their security teams to determine the extent of a cybersecurity breach, let alone figure out how to fix the problem. But that’s not the kind of news that chief executives and boards of directors want to hear, especially after they’ve given IT large budgets to deal with the issue, which goes a long way towards explaining why IT executives obfuscate the truth.”
Seemingly overnight, cybersecurity has evolved from an important enterprise function into a mission-critical issue that touches almost every aspect of business and information technology. The biggest challenge in cybersecurity is that the risks themselves change quickly and constantly: the controls that were adequate last year are not necessarily adequate today.
Getting a handle on the current environment – including cyber-attacks, employee access, and choosing the right technology tools – is heaping additional pressure on already overwhelmed IT departments. A data breach is not a matter of if, but when. Given all the ramifications of a data breach, cybersecurity is much more than an IT issue – it is a Board issue.
IT does not naturally embrace cybersecurity, because cybersecurity runs counter to what drives IT. What I mean by this is that IT is measured and motivated to deliver availability, up-time, performance and controlled costs. Cybersecurity has other goals: protecting digital assets, keeping the network serviceable under attack, and protecting clients, employees and stakeholders. Security controls are frequently in tension with availability and performance; every check added to a transaction or a login costs time and, often, convenience. The trade-off is illustrated by credit card chip & PIN technology (slower, but the card is far harder to clone) versus the magnetic stripe (fast, but its static data is easily skimmed and copied).
The C-suite views security the way it views quality: senior executives talk the talk but do not walk the talk, because both are expensive in time, money and resources, and both impact performance. Only when a fire breaks out do quality and security get attention, e.g. Michael’s. If everyone does a good job, executives ask why they should put money into quality and security when they could get a much better return by investing those dollars in additional functionality that makes more money.
It’s the same with developers of software and hardware; they develop to deliver availability, up-time, performance and controlled costs. Although security is considered, it’s not a priority.
Many CIOs don’t want any outside assistance because they believe they have total control of security and need no help, and they use the lack of budget for an outside firm as an excuse. Avivah Litan, an analyst with Gartner Inc. who specializes in cybersecurity, says “CIOs are scared to death of losing their jobs. People are defending what they have done and all the money they have spent on cybersecurity tools.” They feel threatened if an outside firm finds something in their security approach that they were unaware of.
Some CIOs don’t place importance on security because they think they are immune to outside threats; in other cases inexperienced CIOs are putting their company at risk without realizing it. Compounding the problem is that many business leaders simply do not understand the cybersecurity risk.
Oftentimes politics get in the way. How to identify, quantify and mitigate cyber risk are questions often left to the “techies” in the company. Executives believe they have hired the right management team, and that the team in turn has hired the right people to manage cybersecurity risk.
It is a fact that cybersecurity will never be “solved”; it can only be “managed.” To deal with the current environment, organizations such as the National Institute of Standards and Technology (NIST) and the Gartner Group are promoting a proactive approach to protecting digital assets. Both recommend an “eyes on” approach of continuous monitoring as the only way to stay one step ahead of attackers, along with using outside experts to augment internal skills.
CIOs don’t accept that a breach means their defenses have gaps, and don’t think they need another set of eyes on their security strategy and how they deploy it. Target is a good example: its threat prevention platform was generating alerts, but the company did not have the in-house skills to interpret and act on them.
I have not found the magic approach that gets all C-level folks in a company to sit up and take notice, except fear, e.g. Target, Neiman Marcus, Michael’s and Sally Beauty.
In conclusion, cybersecurity is a business issue, far beyond a technical issue. The cost of using an outside resource to validate your security strategy and operating environment is minimal compared to the cost of remediation and the consequences of stolen personal information, fraudulent financial transactions, theft of pre-patent technology and, last but not least, the reputational damage to the company. Cybersecurity overlaps with IT, but it is a distinct function and should be owned by the CEO.
About the Blogger @TomHulsey
Tom’s passion is leveraging technology to make the world a safer place. Focusing on the intersection of public safety, technology and information, Tom uses his insights and ability to dig into where actual customer benefits lie to approach the rapidly changing technology landscape. In an evolving marketplace, his focus is always on what any technology actually provides the business. His strengths include his ability to relate with senior management and serve as a critical resource. His commitment to excellence and zeal for security and safety technology have earned Tom a reputation as a sophisticated and ethical client advocate and effective sales executive. His passion is further illustrated by his involvement with the North Texas Crime Commission (Cybercrime Committee secretary), ASIS (technology chairman), FBI InfraGard and the ASIS Information Technology Security Council. Tom is a graduate of the FBI, Plano Police, DPS, and District Attorney Prosecutor Citizen Academies.