CAMBRIDGE, MASS. -- A digital world is a world infested with cybercriminals who eat enterprise security for lunch. That was the message from Roland Cloutier, chief security officer (CSO) at human capital management solutions provider ADP, at this year's MIT CIO Sloan Symposium.
"Whether it's organized crime or state-sponsored entities -- or whatever it may be for the week that's trying to attack you -- they have, in many effects, better technology capabilities than you do sometimes, and often better communications within their ecosystem," he said at the conference's session on cybersecurity.
Not only are criminals using these new tools to their advantage, but they also don't have the standards, policies and financial issues that companies are saddled with. Add to these advantages a highly organized subterranean economy, and the result is that criminals are able to use technology to create malware at an alarming rate, Cloutier said. "So how do you defend against that?"
As the panelists revealed, the question is complex and multilayered with no easy answers.
A major challenge for many companies today is that they're limited by a traditional security infrastructure, said some of Cloutier's fellow panelists. Traditional not just in the sense that their security programs are built on older technologies, but also founded on outdated assumptions and established in a relatively lax security culture, they said.
"This sophistication is really something that traditional security never contemplated," said panelist Shuman Ghosemajumder, head of product management at Google-backed security startup Shape Security. For instance, he pointed out, traditional security works from the assumption that IP addresses are difficult to obtain. So to traditional IP-based analysis or IP-based throttling tools, an attacker who has access to botnets looks just like any other new user.
Moreover, IT security leaders who think they're doing everything right from a security perspective often forget to pair those measures with systems management, said Nick Milne-Home, COO and president of software firm 1E in North America. This myopic view of security is a crucial mistake, he said, citing a recent SANS Institute survey that found that 90% of all cyberattacks are preventable by implementing four basic systems management controls, including OS and application patching. (Milne-Home added that 12% of companies have no patching policies, period.)
One of the biggest dilemmas many companies today face is finding the balance between innovation and risk. No IT leader wants to stand in the way of innovation or customer satisfaction, Cloutier said. Plus, security tools cost money.
"Innovation is such a positive thing, and defensive operations and prevention capabilities [can] be problematic," he said, particularly when it's often the board that controls the purse strings when it comes to data security.
The CIO's role in cybersecurity
How can CIOs address these various challenges as the threat landscape continues to evolve? The panelists offered the following advice.
- CSOs should report to a non-technology executive: Having the CSO report to the CIO is a conflict of interest because, in reality, IT and security priorities often don't jibe, said George Wrenn, CSO and VP of security for Schneider Electric. IT departments are under tremendous pressure to deliver, and security can slow things down.
- Security belongs with the department that does risk management best, whether it's finance, operations or IT, said Cloutier. The question for companies is: Who has the keenest understanding of how cyberattacks undermine overall business goals and can articulate those risks to the rest of the business?
- A successful cybersecurity program depends as much on a culture of security awareness as anything else, said Ghosemajumder. Organizations in high-risk sectors, such as banking, understand that cybersecurity is a risk management issue more quickly than other businesses (e.g., a restaurant chain), but every industry has to adopt a culture of security awareness in a digital era or face the consequences, he said.
- Measure security risks at a financial level, regardless of whether the company is facing a criminal liability, brand impact or contract liability, Cloutier advised. "At the end of the day, that's cost. … That's how the board interprets it; that's how the business makes decisions on it," he said.
CIO news roundup for week of May 18
Here is more technology news from the week:
- The rumors are false: German software company SAP dismissed claims that it was interested in acquiring rival Salesforce.com. SAP's CEO went on to say that he doesn't see anyone else in the industry buying Salesforce. Famous last words?
- Five major global banks -- Barclays, Citigroup, JPMorgan Chase, RBS and UBS -- confessed to deliberately manipulating foreign exchange rates for years, with traders at four of the banks using online chat rooms to collude. (They called themselves "the cartel" and "the mafia.")
- One way to make sure that your hundreds of classmates are represented in your law school commencement speech? Crowdsource it.
- President Obama has a Twitter account, which was six years in the making, according to his first tweet. The handle: @POTUS; as of Friday morning, 2.3 million followers had shown up, including the haters. Such is the price of free speech.
- Public shaming like you've never seen it before: The Hong Kong Cleanup Initiative collected DNA from discarded cigarette butts, gum and other trash to create visualizations of the faces of the people who threw them away. Hong Kong produces over 6.5 million tons of trash annually.
Check out our previous Searchlight roundups on Samsung's leap into IoT and Chuck Robbins' move to Cisco CEO.
Columnist and CIO expert Harvey Koeppel offers tips on next-generation security in today's mobile era. And features writer Dina Gerdeman lays out new security strategies in the wake of the 2014 data breaches.