IT specialists, managers, and leaders must stop talking and start shouting at top management about IT security. Put another way, they must manage the managers to make IT security a top goal.
Back in 2003, famed American investor Warren Buffett warned that complex financial instruments were "financial weapons of mass destruction." He asserted that they overstate values, can create debt and other spirals that lead to corporate meltdown, and can even undermine the economy. Governments and banks largely ignored the implied advice of regulation, resulting in a recession that may have fundamentally altered the economies of North America and Europe.
The same thing is now happening with IT and its security. Third-platform technologies have introduced multiple entry points for malware, viruses, and ransomware that simply did not exist two, five, or ten years ago. The risk of data loss and leakage has soared. Botnets are bigger, stronger, and smarter. Denial-of-service and hacking attacks are growing in frequency. Advanced persistent threats are getting more sophisticated. And it is now largely driven by cyber black markets, where malicious products can be created by extreme specialists and thus be highly customized.
But unlike an investor, who does not have to purchase complex financial instruments, most organizations must embrace the cloud, social media, analytics, and mobility, both to appease staff and customers and to develop tools that enhance competitiveness.
A recent IDC IT security conference in Prague made this point with stunning clarity. The 300 or so IT professionals in attendance were decidedly aware of key threats. In a real-time poll during the event, 94% of poll participants said they believe a malware attack at their company is imminent. Moreover, among the 134 attendees who took part in the event survey, around 79% ranked disclosure of client data as one of the most serious threats facing organizations today. Given that malware is a primary method for obtaining this information, and has proven to be extremely successful when applied to point-of-sale locations, it is surprising that only one in four firms have just basic malware detection and prevention and data loss prevention solutions in place, even if they are not retailers. It is also surprising that only half rank mobility as a serious or very serious threat, even if they do not allow BYOD.
Of course, we could take a "glass half full" approach. Two-thirds of the survey participants at the Prague IT security conference reported that they already have advanced malware protection in place, with another ten percent planning to in the next 12 months. Just over half of the attendees say they are planning to improve security for mobile devices. But this look-at-the-positive approach is a mistake. Given similar numbers, we would never do this with regards to health insurance or liability insurance; and we should not with cyber security, where the health of companies and possibly the economy are at stake. The accelerating pace of technology innovation also applies to the criminal sphere. The types and frequency of threats are increasing. Markets for stolen data are thriving as demand soars. The subtlety of using stolen data or hijacked devices and the careful selection of targets can also mean it takes longer to realize that an attack has occurred or that an account has been compromised. The impact is not just lost data or stolen funds, but also business disruption and a damaged reputation, which can have lasting repercussions.
Yet another real-time poll at the Prague event revealed that 37% of the attendees do not yet have the support of top-level management. This needs to change. IT security is often ranked as one of the top priorities in IDC and other surveys of IT users; it needs to be a top priority among business leaders as well. That a firm "has no information of value to steal" or is "too small to be a target" are straw-man excuses at best. With IT integrated into nearly every aspect of most organizations, hitting small firms or firms with data of limited value is much easier, and even allows cyber criminals to keep a lower profile.
Getting directors and non-IT C-level leaders to embrace IT security - and make it a top priority - requires overcoming normalcy bias before being subjected to a ransomware attack or some other form of breach. The fact that it is difficult to quantify not just technical investments into IT security but also intangibles (see Thomas et al, for example) must not stop IT decision makers from making noise. Even for those firms that have top management support, IDC believes the following steps are crucial to getting non-IT decision makers on board to help develop and maintain a secure environment:
- Be relentless: CIOs, IT directors, and IT specialists should sound alarm bells in every conversation, IT project meeting, and business meeting. Groans, eye rolls, and even chastisements need to be treated as psychological firewalls to the earworm mantra "What about security?", which should be the first or second question introduced into any discussion about new and continuing initiatives, IT or otherwise.
- Be organized and consistent: Insist on regular reviews on the state of internal IT security and security policy - both with staff and leaders. The meetings do not have to be long, but they need to be frequent. Once a quarter at the very least. Some firms may need to do it monthly. Some weekly. And some may even need to do it daily, if only for a couple minutes.
- Tell a good story: Rather than just saying an event happened, IT security leaders should use specific examples to make their cases. To do this, take time to learn the story and develop it in your own words and slides, cite the numbers, report on the lasting ramifications, and point out what went wrong that allowed a breach to occur. Once the anecdote has been clearly represented and lodged in people's minds, supplement it with larger trend and survey numbers from research houses.
- Insist on the budget for quality: To paraphrase the old expression, be too poor to buy cheap. At the Prague IT security event, seven in ten attendees listed cost as a primary factor when considering an IT security solution. References were a distant second, with just over half listing them as a top factor. This needs to change. Low-cost (or sometimes no-cost) packages generally provide only the basics, often omitting key elements such as network security. Before settling on a solution, organizations should seriously consider a third-party analysis of potential providers and how their solutions map to specific organizational needs.
When persistently and consistently making a case, it is always a good idea to be able to speak to newer solutions as well. For instance, analytics has emerged as a powerful weapon in combating cybercrime. The decades-old discussion about whitelisting has picked up again. Both are viable avenues to improved security, particularly now that processing power and larger bandwidths have made them far more tenable.
In the age of NSA and other government hacks and retail breaches that compromise tens of millions of credit cards, the bottom line is that non-IT business and public sector leaders need to be IT security champions. With the complexity of the threats rivaling those of the derivatives markets, it must be the IT team that makes this happen - before businesses are forced to do it because they have been attacked.
Between February and September, the IDC IT Security Roadshow is scheduled to stop in 30 cities in Central and Eastern Europe and the Middle East and Africa. For more information, visit: http://goo.gl/VqG3ki
- Mark Yates, IDC CEMA