CIOs And Security: Time To Rethink The Processes? - InformationWeek

Commentary
6/22/2015
08:03 AM

CIOs And Security: Time To Rethink The Processes?

Businesses need to develop new security responses to address gigantic attacks, and the CIO is in the best position to lead the way.


Target, Home Depot, and Sony have demonstrated how vulnerable businesses are to catastrophic data breaches. The ripple effects from massive strikes reverberated through these organizations, causing millions of dollars in damage.

Despite the headlines, most firms are not equipped to respond to such problems. A new, more nuanced way of dealing with security threats is required, and IT is in a good position to lead this corporate transformation.

Here's how the new security paradigm is shaping up.

First, IT needs to recognize that the traditional methods of dealing with security breaches are not enough to effectively respond to the massive break-ins. "Companies are under attack every day," said Bill Stewart, executive VP at Booz Allen and leader of the firm's commercial cyber-business, which in April issued a report titled "Emerging Trends: Big Changes in Cyber Risk, Detection, Improved Incident Response."

Enterprises have put security solutions and business processes in place to deal with most threats. Systems are constantly probed, and tools like firewalls are sufficient to ward off many attacks.

But recently, the crooks have done a better job of skirting traditional system security, unlocking sensitive information, and stealing millions of records. These high-profile break-ins require more than patching a software flaw and blocking the hacker from the network. They demand a coordinated, multi-tiered, company-wide response -- one emanating from the boardroom and touching upon many departments.

Enterprises must change their security outlook from being an IT-only issue to a corporate concern.

Everyone Working Together

To be successful, a business needs unprecedented levels of cooperation among different departments and a proactive, top-management-involved approach to dealing with security threats. The enterprise needs to form a cyber-crisis management team, a group that deals only with high-level threats.

(Image: texelart/iStockphoto)

"If a company waits until it's in crisis, time is spent trying to figure out who is in charge, rather than actually responding to the breach," said Dan Blum, principal consultant with Security Architects, a security consulting firm.

Because the group touches upon so many departments, the CIO is not the best person to chair the committee. Booz Allen's Stewart recommends that the chief operating officer (COO) run the committee, because far-reaching decisions are made within it.

"Shutting down mission-critical applications is on the table whenever businesses discover a major breach," explained Booz Allen's Stewart. Taking an online store offline on Black Friday is clearly a CEO- and board-level decision.

The CIO is likely to spearhead the group's formation since that role has the keenest insight into the challenges that the new massive threats represent.

"IT needs to clearly articulate the potential impact the new malware has on the business and then help put the processes in place to deal with them," said Blum. The CIO may not chair the committee, but he or she is in prime position to act as its top lieutenant.

Digging Into The Problem

In addition to IT, representatives from legal, public relations, marketing, compliance, and security typically are part of the committee. Once the team is formed, its job is to develop best practices, starting with problem notification. Here IT and data analytics play a key role. The major hacks are sophisticated and difficult to track. Days or often weeks pass before the security team digs into a system aberration and determines that a significant breach has occurred. Additional time is required to assess the damage.

Determining how to notify the cyber-crisis management team of possible break-ins represents a balancing act. The company must put filters in place so members are not constantly bombarded by alerts every time an investigation occurs -- a situation all too common in security command centers. But the individuals need to be in the loop in case something major looms on the horizon.

Paul Korzeniowski is a freelance contributor to InformationWeek who has been examining IT issues for more than two decades. During his career, he has had more than 10,000 articles and 1 million words published. His work has appeared in the Boston Herald, Business 2.0, ...
Comments
SaneIT
User Rank: Ninja
6/22/2015 | 8:37:33 AM
Dealing with attacks
"We are seeing a slow but growing awareness among CIOs that a new approach is needed to dealing with massive breaches," I don't think that this is a new concept but it may be more vocally addressed now. Way back in the 90s I had talks with C level execs about the dangers of opening up systems the way they insisted were necessary to do business. In their eyes security through obscurity was enough and there was always a fight if anyone suggested pulling some things back until we could get them reasonably secured. Once business depends on a service though making changes for any reason is always an issue.
Stratustician
User Rank: Ninja
6/22/2015 | 2:01:50 PM
Re: Dealing with attacks
I agree, but the frustrating thing for me is that we are still seeing a lack of what many would consider to be basic security controls.  Things like encryption and database security are sorely underutilized, either because of the perceived loss of performance on the database, or the sheer complexity of figuring out where all the assets are.
SaneIT
User Rank: Ninja
6/23/2015 | 8:08:36 AM
Re: Dealing with attacks
You bring up a good point, very often things are avoided because either the user can't/won't see, it causes a performance or scalability issue or the time and expense exceed a project's limits. What disappoints me is that we've seen amazing hardware performance gains over the decades but we still complain about encryption slowing down databases.
shakeeb
User Rank: Ninja
6/30/2015 | 9:07:25 PM
Re: Dealing with attacks
IT and security go hand in hand. It is always better to focus on new security features when you are in IT. Further, it is also useful to create clear processes and procedures.
shakeeb
User Rank: Ninja
6/30/2015 | 9:11:42 PM
Re: Dealing with attacks
I agree with the point on working together. For a concept like IT security it is important to work together since there will be obvious resistance. 
shamika
User Rank: Ninja
6/30/2015 | 9:23:42 PM
Re: Dealing with attacks
That is true. It is important to work together when formulating new policies such as IT security. However, it is better to document them and obtain signatures as reference.
batye
User Rank: Ninja
7/2/2015 | 1:18:12 AM
Re: Dealing with attacks
@shakeeb, you are right on the money... but these days... with corporate politics and departmental "games" it's like three - four people trying to sleep on the single bed... with baby size blanket as a cover... how I see it...
batye
User Rank: Ninja
7/2/2015 | 1:15:57 AM
Re: Dealing with attacks
@shakeeb I could not agree more with you... and I hope to see it in my lifetime... :) as these days I see IT security failing far behind... sad reality...
shamika
User Rank: Ninja
6/30/2015 | 9:31:21 PM
Re: Dealing with attacks
I agree with you. It is important to clearly define the security controls. Not only data security, I think it is also important to have access controls and CCTV for physical security.