Target, Home Depot, and Sony have demonstrated how vulnerable businesses are to catastrophic data breaches. The ripple effects from massive strikes reverberated through these organizations, causing millions of dollars in damage.
Despite the headlines, most firms are not equipped to respond to such problems. A new, more nuanced way of dealing with security threats is required, and IT is well positioned to lead this corporate transformation.
Here's how the new security paradigm is shaping up.
First, IT needs to recognize that the traditional methods of dealing with security breaches are not enough to effectively respond to the massive break-ins. "Companies are under attack every day," said Bill Stewart, executive VP at Booz Allen and leader of the firm's commercial cyber-business, which in April issued a report titled "Emerging Trends: Big Changes in Cyber Risk, Detection, Improved Incident Response."
Enterprises have put security solutions and business processes in place to deal with most threats. Systems are constantly probed, and tools like firewalls are sufficient to ward off many attacks.
But recently, the crooks have done a better job of skirting traditional system security, unlocking sensitive information, and stealing millions of records. These high-profile break-ins require more than patching a software flaw and blocking the hacker from the network. They demand a coordinated, multi-tiered, company-wide response -- one emanating from the boardroom and touching upon many departments.
Enterprises must change their security outlook from being an IT-only issue to a corporate concern.
To be successful, a business needs unprecedented levels of cooperation among different departments and a proactive, top-management-involved approach to dealing with security threats. The enterprise needs to form a cyber-crisis management team, a group that deals only with high-level threats.
"If a company waits until it's in crisis, time is spent trying to figure out who is in charge, rather than actually responding to the breach," said Dan Blum, principal consultant with Security Architects, a security consulting firm.
Because the group touches upon so many departments, the CIO is not the best person to chair the committee. Booz Allen's Stewart recommends that the chief operating officer (COO) run the committee, because far-reaching decisions are made within it.
"Shutting down mission-critical applications is on the table whenever businesses discover a major breach," explained Booz Allen's Stewart. Taking an online store offline on Black Friday is clearly a CEO- and board-level decision.
The CIO is likely to spearhead the group's formation since that role has the keenest insight into the challenges that the new massive threats represent.
"IT needs to clearly articulate the potential impact the new malware has on the business and then help put the processes in place to deal with them," said Blum. The CIO may not chair the committee, but he or she is in prime position to act as its top lieutenant.
In addition to IT, representatives from legal, public relations, marketing, compliance, and security typically are part of the committee. Once the team is formed, its job is to develop best practices, starting with problem notification. Here IT and data analytics play a key role. The major hacks are sophisticated and difficult to track. Days or often weeks pass before the security team digs into a system aberration and determines that a significant breach has occurred. Additional time is required to assess the damage.
Determining how to notify the cyber-crisis management team of possible break-ins represents a balancing act. The company must put filters in place so members are not constantly bombarded by alerts every time an investigation occurs -- a situation all too common in security command centers. But the individuals need to be in the loop in case something major looms on the horizon.
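The notification filter described above can be written down as explicit routing rules, so the crisis team is paged only for confirmed, high-impact events, receives a heads-up for unconfirmed but potentially major ones, and is left out of routine investigations. The following is an added example, not code from the article or from Booz Allen or Security Architects; the alert fields, the record-count threshold, the tier names, and the sample alerts are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Tier(Enum):
    """Where an alert is routed (constructed tier names)."""
    SUPPRESS = "soc-only"           # routine investigation; stays with the SOC
    HEADS_UP = "crisis-team-fyi"    # unconfirmed, but something major may loom
    ESCALATE = "crisis-team-page"   # confirmed, significant breach: page the team


@dataclass
class Alert:
    """Minimal alert record; the field set is an assumption for this example."""
    alert_id: str
    severity: str          # "low" | "medium" | "high" | "critical"
    confirmed: bool        # an analyst has confirmed malicious activity
    records_at_risk: int   # estimated count of sensitive records exposed
    system_critical: bool  # affected asset is tagged mission-critical


# Policy knob: above this many records a breach is a crisis-team matter.
# The value is a constructed placeholder, not a figure from the article.
RECORD_THRESHOLD = 10_000
MAJOR_SEVERITIES = ("high", "critical")


def is_major_impact(alert: Alert) -> bool:
    """Impact test shared by both crisis-team tiers."""
    return alert.records_at_risk >= RECORD_THRESHOLD or alert.system_critical


def classify(alert: Alert) -> Tier:
    """Apply the escalation policy to a single alert.

    Confirmed + major impact  -> page the crisis team.
    High severity + major impact, not yet confirmed -> heads-up only.
    Everything else stays inside normal SOC incident handling, including
    confirmed incidents that fall below the crisis threshold.
    """
    if alert.confirmed and is_major_impact(alert):
        return Tier.ESCALATE
    if alert.severity in MAJOR_SEVERITIES and is_major_impact(alert):
        return Tier.HEADS_UP
    return Tier.SUPPRESS


def route(alerts: List[Alert]) -> Dict[Tier, List[str]]:
    """Group alert ids by the tier the policy assigns them."""
    routed: Dict[Tier, List[str]] = {tier: [] for tier in Tier}
    for alert in alerts:
        routed[classify(alert)].append(alert.alert_id)
    return routed


# Constructed sample alerts covering each branch of the policy.
SAMPLE_ALERTS = [
    Alert("A1", "medium", False, 0, False),            # routine probe under investigation
    Alert("A2", "high", False, 250_000, False),        # unconfirmed, large record exposure
    Alert("A3", "critical", True, 2_000_000, True),    # confirmed major breach
    Alert("A4", "high", True, 500, False),             # confirmed, but below threshold
    Alert("A5", "critical", False, 0, True),           # unconfirmed hit on a critical system
]


if __name__ == "__main__":
    for tier, ids in route(SAMPLE_ALERTS).items():
        print(f"{tier.value:>16}: {', '.join(ids) or '-'}")
```

The point of separating HEADS_UP from ESCALATE is the balancing act the text describes: the team stays in the loop on alert A2 and A5 without being paged, while A4, although confirmed, remains an ordinary incident. Thresholds and the confirmation rule belong in the crisis-team's documented best practices so the filter can be reviewed and re-tuned rather than living only in a SOC analyst's head.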
Once the reporting process is determined, corporations must develop best practices, which will differ by company.
"The nature of the business, the corporate culture, and industry compliance regulations will determine how each business responds to a massive data breach," noted Stewart.
The plans then have to be tested. IT has to simulate a plausible breach and then have the cyber-crisis management team quickly shift into response mode. "Sometimes, it is obvious to the participants that a drill is a drill, rather than a real breach," said Blum.
The days of keeping news of a security hole tucked inside the corporate walls are over. Nowadays, too many information outlets exist, so the bad news has to be shared. Typically marketing and public relations handle interactions with the public.
Again, being proactive smooths out an often bumpy road.
Corporations must account for the dynamic process of identifying and publicizing the leak. "If you report a breach that has 100,000 records, and two days later you say 2 million records were impacted, your credibility will take a hit," said Stewart.
But the desire to report accurately may be offset by compliance regulations that require companies to make the breach known ASAP. "To truly be prepared, companies need to get everyone around the table (legal, compliance, IT, and marketing), talk through possible scenarios, develop best practices, and test them," Blum explained.
Even so, few corporations have developed cyber-crisis management teams and best practices.
"We are seeing a slow but growing awareness among CIOs that a new approach is needed to dealing with massive breaches," said Stewart. The process starts with the CIO recognizing the need for handling massive breaches in their own way and then putting the response pieces in place.

Paul Korzeniowski is a freelance contributor to InformationWeek who has been examining IT issues for more than two decades. During his career, he has had more than 10,000 articles and 1 million words published.