Breaches Serve as Wake-Up Call for Risk Mgt.
Common Missing Link: Lack of Senior Infosec Leader
Among the most publicized - and embarrassing - breaches of 2011, a common missing link stood out: the lack of a senior-level, technology-savvy business leader who could explain to top executives the risk the organization faces by not taking the proper precautions to safeguard its information assets. Neither security provider RSA nor entertainment conglomerate Sony had a chief information security officer on duty when the two companies fell victim to separate breaches this past spring. Since then, both have named highly respected information security professionals as their CISOs: Eddie Schwartz at RSA and Phillip Reitinger at Sony.
"You need a CISO today to manage not only the IT risks, but understand and influence the business risks that are imposed on the company by the decisions and strategies it takes," says John South, CISO at Heartland Payment Systems, the payment processor that experienced a highly publicized breach in 2009.
The impact on the business at RSA was far different from that at Sony, but in both cases the breaches struck at their core offerings. The RSA breach exposed secret data underlying its SecurID multifactor authentication tokens, raising questions among customers about whether the product would still function as promised. At Sony, the breach brought down its PlayStation Network and Qriocity online services for weeks and exposed the personally identifiable information of tens of millions of customers. In the wake of the breaches, both companies recognized that not having a CISO had left a gap in their respective approaches to understanding the risks their businesses faced.
Both breaches have been costly. The RSA breach cost parent company EMC at least $66.3 million. Sony pegged its losses from the breach at 14 billion yen, which in October 2011 equaled more than $180 million.
Reputation Risk and Large Dollar Losses
A Ponemon Institute study last year measured the cost of a breach at $214 for each record, an amount that quickly grows when hundreds of thousands and millions of records are exposed. "The commercial challenge is the most pressing concern, thanks to the combination of reputation risk and large dollar losses," says Julie Conroy McNelley, a fraud analyst with Aite, a financial research and consulting firm to banks.
Being breached - especially in a way that highlights an enterprise's vulnerabilities - means companies must confront the reality that inadequately protecting their information technology could have a significant, adverse impact on their finances and the value of their publicly traded shares. In May, Michaels Stores discovered that point-of-sale PIN pads, the devices customers use to key in their personal identification numbers, had been tampered with at 90 of its crafts stores in 20 states, potentially compromising customer debit and credit card information. At least three class-action lawsuits have been filed by consumers and, depending on their outcome, could have a significant impact on Michaels' bottom line.
Michaels does not contend its IT security is inadequate - indeed, it has said it has taken steps to mitigate such breaches in the future. But in what could be described as boilerplate statements in a filing with the Securities and Exchange Commission, the retailer concedes that unforeseen circumstances could result in its failure to adequately maintain security and prevent unauthorized access to electronic and other confidential information, and that data breaches such as the payment card terminal tampering could materially and adversely affect its financial health.
Communicating Risks to Top Management
Communicating risks to top management is becoming a key responsibility of CISOs. "After we did the executive briefing this year, we had a much stronger uptake with agencies who said, 'Please tell me how I can improve our compliance with the policy,'" says New York State Cybersecurity Director Tom Smith. "'Help me get the regular training. Help me move my information classification process forward.' ... There is a clear understanding among the agency commissioners that they want to address those risks before they are the ones who have the breach that's discussed in the news. There is a higher sensitivity to it. I think they are learning the message and the importance of being involved in this process."
Is educating top business and government leaders scaring them to act? Yes. Is that a good thing? Yes.
"If I'm worried about something, I might actually want to do something about it and take some action awareness," says Patricia Titus, global chief information security officer at IT services provider Unisys.
A fundamental reality is that breaches will occur. Recognizing that, businesses must comprehend that information risk management will help mitigate damage from attacks. "I don't know that you can fully prevent breaches," says Malcolm Harkins, chief information security officer at chipmaker Intel. "The fact of the matter is that it is a risk management issue.
"You can manage risk and mitigate risk, but you cannot eliminate risks. That is just one mindset that has to be changed. How do you manage the risk and how do you mitigate the risks such that to some extent you can live with some level of potential compromise? It will occur. There are a number of things people can step back and consider regarding how to approach this when they think about managing those risks."
Intel, a few years back, shifted its information risk management strategy toward a concept that people are the new perimeter because of mobility, interaction among third parties and social computing, factors that affect how business functions. "Even if you had completely secure systems, you could still have an incident because an individual shared too much information and maybe by mistake disclosed some sensitive information that then causes an issue for a company," Harkins says.
'Typical' Awareness Training Doesn't Cut It
Indeed, people - employees and contractors - play a crucial role in information risk management if they know what to do. Too often, though, organizations don't allot the resources to make employees aware of the risks that could expose information assets to a breach. "The typical five minutes of annual training on information security and privacy that most healthcare organizations provide is just not cutting it," says healthcare security consultant Tom Walsh.
The wave of breaches forces organizations to take a more holistic view of risk rather than react with a knee-jerk response. "The first reaction always is to go and put up big, big walls and stop people from getting in every time we see one of these breaches," says Robert Stroud, vice president of service management and governance at enterprise software vendor CA Technologies and international vice president of ISACA, an IT association that encourages the use of best practices.
"For risk managers, it's the very nature of their role," Stroud says. "They need to understand the potential risk of any breach. Some breaches will have minimal impact on the business and some breaches may just be embarrassing and have some major impact. As risk managers, we've got to focus on that key information and data that we need to protect. We need to identify that to the organization. We need to clearly articulate that to the organization. Finally, we need to ensure that we help the organization put appropriate safeguards around that information, because at the end of the day really it's all about the data."
When evaluating threats, organizations must consider all the aspects that make up a business, not just the technology. "Our most critical vulnerabilities are the ones that can potentially bypass our technical enforcements," says Anthony Vitale, vice president of information technology development for Patelco Credit Union. Gartner analyst Avivah Litan says technology is just one leg of a three-pronged solution. "The other two equally important prongs are operations and strategy," she says. "Many breaches were accompanied by alerts that went off during the breach, but no one was paying attention to the alerts and alarms. ... People and processes can be showstoppers, even with the best technology."
But security awareness can go only so far, especially when dealing with customers. Matt Speare, who oversees security for M&T Bancorp, says the Buffalo, N.Y., banking company remains very concerned about its customers' vulnerability to cyberattack. "The odds are stacked against them having adequate controls to protect themselves," he says. "Despite our best efforts for awareness and education, they continue to make rudimentary mistakes, which put them at risk for exploitation."
It Can Happen to You
Customer vulnerability to attacks erodes trust in the business, a valuable asset that must be weighed against other factors when an organization decides which risks it must address to mitigate breaches.
But Unisys' Titus says that for too many organizations the lessons from breaches that occurred to RSA and Sony will not be heeded until such attacks occur to them. "I don't know that it will stop a lot of people until it happens to them. Unfortunately a lot of people read about things happening and don't think it's going to happen to them," says Titus, the onetime CISO at the Transportation Security Administration, the federal agency charged with protecting the nation's airports. "What is the fallout from the Sony breach and are people going to hold their breath and wait and see what happens or are they going to proactively go and take actions? And are the institutions actually going to help people understand what protections they could put in place for themselves?"
It's a concern echoed by Intel's Harkins: "The thing I worry about with all of these breaches is that companies, individuals and users start shying away from technology and the productive use of it. The best way to shape risk is to sometimes run toward the risk of your assets. I believe my mission at Intel, and more broadly information security's mission in any organization, should be protecting to enable.
"If we are not enabling the use of the information, then the organization can't get the value. That's why I think it's a risk management thing. That's why I think there's a lot of balancing of items. As much as organizations look to prevent, detection is a big area that they need to focus on. And certainly response needs to be a prepared critical control for what I think is inevitable in terms of potential breaches or intrusions into people's computer environments."