CIO Leadership, Security

CIOs cannot afford to be less proactive than security adversaries

Proactive risk management vital to addressing board-level security concerns

Blog post by HP Blogger

US boardrooms are waking up to data security, says Antony Savvas in a ComputerworldUK article based on a survey of 11,000 public company directors and 2,000 general counsels who rank data security as their top corporate fear. The research, conducted by advisory firms Corporate Board Member and FTI Consulting, shows that 55 percent of general counsels rate data security as a major concern, and 48 percent of directors feel likewise. However, are enterprises taking proactive steps to address this board-level security concern? Even if they are, how proactive are they? How proactive can they afford to be?

"We had better get security right," says HP Security Strategist Mary Ann Mezzapelle in her keynote at the recently held Open Group Conference in Newport Beach, CA. Asserting that proactive risk management is the most effective approach, Mezzapelle challenges us with a few questions about the presence of shadow IT, data ownership, security tools and standards, and a comprehensive end-to-end approach to security within the enterprise. The responses to these questions can prompt enterprises to proactively take steps internally to secure their business of IT.

On the other hand, in his keynote at the RSA 2013 conference, Art Gilliland, Senior VP & GM, HP Software Enterprise Security Products, asserts that the very frameworks enterprises strive to comply with (such as ISO and PCI) set a low bar for security that adversaries capitalize on. Criminal minds take the "proactive approach" to the next level. Thus, conformance to such standards is essential but not sufficient to address the next attack lurking in the wings.

So, what are other steps that enterprises can take to be proactive in assessing, gauging and penetrating the mind of the hacker?

  • How about the inception of OODA (observe, orient, decide, act) techniques into the security hacker's mind?
  • Andy Ellis discusses managing risk with psychology instead of brute force in his keynote at the RSA Conference.
  • At the same conference, in another keynote, world-renowned game designer and inventor of SuperBetter Jane McGonigal suggests that applying the "collective intelligence" that gaming generates can combat security concerns.
  • Gilliland himself suggests techniques such as benchmarking so that enterprises can share their experience in managing risk.

The results of the HP Ponemon 2012 Cost of Cyber Crime Study reinforce the need for such proactive measures. This study revealed that cyber-attacks have more than doubled and their financial impact has increased by nearly 40 percent over a three-year period. It is no surprise that security concerns have been escalated to the board level.

The real challenge for CIOs is balancing the cost of executing such proactive measures against the cost of cyber-crime: an average annualized cost of $8.9 million per year, with a range of $1.4 million to $46 million across the 56 organizations in the HP Ponemon 2012 study.

How about you? How proactive is your enterprise today? What are some of the other approaches enterprises can take to be more proactive? Have you assessed the cost of cyber-crime for your enterprise? Please let me know.

Connect with Nadhan on Twitter, Facebook, LinkedIn and the Journey Blog.
