IT security, the cloak that costs 8% of your IT budget. Is it a necessary evil? CIOs who think of IT security as an expensive suit of software are missing the point -- it's good for the business.
"Security can be a valued business component. It can help the business grow and it can become a competitive edge," said Roland Cloutier, chief security officer of EMC Corp.'s global security organization. Rather than defining IT security management in terms of defending software systems, think of it as protecting the business.
That won't happen, however, until CIOs, chief technology officers, chief information security officers (CISO) and all their C-buddies on the business side come to terms with what IT security management for the business means, said Cloutier, a speaker recently featured at the Center for Information Management Studies at Babson College in Wellesley, Mass.
Cloutier, who began his career in law enforcement, said protection is not a one-size-fits-all deal. "No one should have the same answer." Protection depends on what kind of business you're in, the regulatory climate and the "downstream impact" of a security breach. In a field like the IT-enabled health care industry, the downstream impact of failing to protect the organization is a matter of life or death.
One reason all companies need to think about security differently is that the nature of the threat has changed, Cloutier said. The days are gone when hackers cracked a company's security code for the thrill of getting their names in the news, or to piggyback on your storage systems.
Organized crime, which Cloutier claims sends recruits to college to learn how to break into your business, has moved beyond blackmail ("Pay me this because I found this.") to selling your company secrets to the highest bidder. Companies are also not immune to terrorist attacks, Cloutier said, citing statistics that 65% of all terrorist attacks are targeted at businesses, not governments. At EMC, a big focus of his job these days is workplace violence -- protecting against it and finding technological solutions for making dangerous places of the globe safe for EMC employees.
A less dramatic, but equally game-changing development is that business no longer happens within the four corporate walls but with a widely distributed network of employees and business partners. Companies can no longer rely on security systems that are "crunchy on the outside and soft and gooey on the inside," Cloutier said. "The edge is disappearing."
In addition, your next security breach is likely to be internal. "If you think you are not losing data out of your company, you're wrong; 75% of leakage comes from internal threats," Cloutier said.
Many information security systems attempt to impose moats or walls, said Scott Matsumoto, principal consultant at Cigital Inc., a consulting firm in Dulles, Va., that specializes in software security. But perimeter security does not protect software. Nor does software testing, because success depends on knowing the threat you're looking for, said Matsumoto, who spoke about the need to build software that's resilient to attack. "Software security is not security software," he said.
Security in CEO terms
CIOs will never be able to sell security as a company asset to the CEO until they think like a CEO, Cloutier said. "What does the CEO care about? The CEO cares about protecting company assets." That means protecting intellectual property and the supply chain, making sure people are not walking out the door with valuable information, and complying with regulations. "CEOs don't look good in orange jumpers," he quipped.
Viruses and malware continue to pose a major threat to businesses. Protecting the business against these threats will affect the bottom line. This may seem obvious to security professionals, but it's not always apparent to top business brass, Cloutier claimed. When a large EMC facility went offline for 16 hours because of an IT virus, that was "measured in the millions of dollars." Now considerable resources are dedicated to making sure that doesn't happen again, Cloutier said. "That's backing up the business."
Cloutier is a big fan of convergence, or having a single security strategy for the enterprise. Yes, there will be bruised egos and "hard conversations," but a single strategy keeps resources focused on protecting the business rather than tending to individual security strategies. Having a single system also gives you better metrics, Cloutier said, because you can begin to see trends. These trends can help guide spending, pointing to areas where you'll want to invest more heavily or change tactics.
In any case, the level of security protection is not the CIO's decision to make, but the company's, Cloutier said. He advises that security be sold as a service, with the business or business units taking responsibility for the level of risk they're willing to tolerate.
Cloutier's talk resonated with David Saul, CISO of Boston-based State Street Corp. "We view security as a business asset. That view comes from the board of directors, the audit committee, the CEO, the CIO, CTO on down," he said. "Our customers expect it of us; we are responsible for protecting their information." Protecting the "perimeter" is required but not sufficient, he agreed, and State Street has for many years protected at the database and application levels.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.