Information security probably isn’t something that gets a lot of executive attention. It’s the CIO’s job or the responsibility of his lieutenants. Yet every so often when scanning the headlines, news about the latest high-profile cyberattacks elevates your blood pressure as you wonder: Could that happen to us? What would be the impact on our business? How would we respond to customers and shareholders?
But then it’s often back to the more pressing issues of the day, and the state of your company’s information security recedes to the background. You won’t likely give it another thought—until there’s an incident. Then it’s damage-control mode, as the company deals with stolen customer data, disclosure of confidential financial information, a disabled Web storefront, or worse.
This reactive approach is all too common, even though the question is not if a company will suffer an incident but when. In the annual PwC, CIO, and CSO survey of more than 9,600 global executives, 41 percent of US respondents had experienced one or more security incidents during the past year.1 And that number is rising. Respondents reported financial losses, intellectual property theft, reputational damage, fraud, and legal exposure, among other effects. (See Figure 1.) With such high stakes, most would agree that information security deserves full attention at the highest levels of the company.
Figure 1: US business impact of security incidents
Government leaders, at least, are taking notice: Lawmakers, the Securities and Exchange Commission (SEC), and the Administration have been highlighting increased security risks and the need for both the private and public sectors to step up their security game. In October 2011, the SEC issued guidance on the disclosure of cybersecurity risks and incidents.2 While the guidance didn’t propose new requirements, it reminded company leaders—and boards of directors—of their obligations under current rules. That same month, in the aftermath of disclosures by WikiLeaks, President Obama issued an Executive Order calling for measures to enhance national security in order to reduce the risk of a similar breach in the future.3 These developments follow ongoing efforts to move cybersecurity legislation through Congress and into law.
Back in the corporate world, is cybersecurity still considered a purely technical matter? Or do businesses understand that it is the linchpin for safeguarding their most precious assets—intellectual property, customer information, financial data, employee records, and much more?
It depends upon whom you ask. The PwC, CIO, and CSO survey revealed that executives may say and believe one thing, but the data and expert analysis indicate that they do another. First, the survey asked, How confident are you that your organization’s information security activities are effective? Seventy-two percent of respondents answered that they were very confident or somewhat confident.4 However, when executives were asked to characterize their company’s approach to information security, identifying whether they possess an information security strategy and have proactively implemented it, the positive results took a nosedive.
Just 43 percent of respondents self-identified as Front-runners; that is, those who felt they have an effective information security strategy in place and are proactive in executing the plan. Those who saw themselves as Strategists (27 percent) felt they have the big picture right but fall down on execution, while Tacticians (15 percent) said they are better at getting things done than in defining a broader strategy. Finally, the Firefighters (14 percent globally but 22 percent in the US) admitted to lacking a strategy and to being reactive regarding information security.5
But when it came time to let the data do the talking, the companies that were “walking the walk” and not merely “talking the talk” were significantly fewer: just 13 percent of respondents. (See Figure 2.) These leading companies not only have an information security strategy in place, but they demonstrate a number of other leading practices, including having a high-level security chief, measuring and reviewing the effectiveness of their policies and procedures annually, and possessing a deep understanding of the types of security events that have occurred in their organizations.
Figure 2: Differing views of information security effectiveness and leadership
The majority of executives in the survey—72%—reported being very confident or somewhat confident that their organization’s information security activities were effective. Yet just 43% described themselves as Front-runners, meaning they had a strategy in place and proactively executed it. But when we analyzed their information security practices, only 13% of companies could be considered True Leaders.
Primary obstacles to information security, by senior executive
Addressing information security can be especially challenging because executives do not always agree about company issues and goals. In the survey, we asked respondents what the greatest obstacles were to improving their organization’s information security. While the number one response predictably was about resources—insufficient funding for capital expenditures—the answers often changed when we looked more specifically at who was answering.
CEOs agreed that lack of capital funding was the problem, but CFOs indicated a lack of leadership from the CEO was the reason. Meanwhile, CIOs and security executives pointed to a lack of actionable vision or understanding within the organization.
The companies in this top tier—which we refer to as security leaders—understand that they are up against different types of cyberthreats. There are essentially four types of attack, each with a different motive. It is helpful to think of these as storm waves swirling around your business. At any given time, it is impossible to know which wave will hit and what type of damage it will wreak.
The first and oldest wave is nuisance hacking, in which there is little material impact to the company. A classic example is hackers defacing your company’s website. More serious and widespread is the second wave, which is hacking for financial gain.
As business has migrated to the digital world, criminals have, too. What has emerged is a sophisticated criminal ecosystem that has matured to the point that it functions much like any business—management structure, quality control, offshoring, and so on. This type of hacking now goes beyond blindly stealing customer credit card information or employee passwords. For example, hackers might target a company’s financial function in order to obtain its earnings report before it is publicly released. With such advance knowledge, they can profit by acquiring or dumping stock.
Protecting the business from cybercrime is one thing, but companies also must worry about a newer type of risk: the advanced persistent threat. If you think the term sounds like it is out of a spy movie, you are not far off. This type of hacking is predominantly about stealing intellectual property and typically is associated with state-sponsored espionage. The motives go beyond financial gain. Experts may quibble about the specifics of this type of attack and whether it always involves advanced techniques, but it is a serious and growing threat. It is no exaggeration to say that what is at risk is not only your intellectual property but possibly national security.
The high-profile Stuxnet case demonstrates how specialized and sophisticated these attacks can be. The Stuxnet worm, discovered in 2010, was designed to infiltrate industrial control systems, the same class of systems that run water and power plants. The target, however, was not public infrastructure: the worm was built to reach the programmable logic controllers that drive Iran’s uranium enrichment centrifuges and to sabotage them. As the chilling details emerge, what is noteworthy is that the attack was planned (and the worm developed and placed) as many as four years ahead of the incident.
This foresight echoes a trend we have seen in our work with companies such as defense contractors. When they announce plans to acquire another company, perpetrators go after the potential acquisition. Their hope is to embed malicious software on the systems of the acquisition target so that when the companies ultimately are integrated, hackers will have access to the parent company’s systems—even if it means biding time for 18 to 24 months or longer.
And it’s not only specialized industries like defense that are at risk for advanced persistent threats. We have seen considerable activity in the financial services and technology industries. In some cases, the perpetrators infiltrate a bank or service provider in order to get access to the organization’s customers’ systems.
Finally, there’s one more type of threat that is on the rise: hacktivism. WikiLeaks immediately comes to mind, but, for the private sector, think of this as the digital equivalent to Occupy Wall Street. The goal of perpetrators is to change or create a public perception of your brand. For example, hackers might obtain sensitive information and disclose it to the public.
Not only do companies face a myriad of threats, their exposure grows as they invest in technologies like mobile, social, and cloud. In the survey, only a minority of US companies had strategies in place to protect against the risks that these new technologies bring.6 (See Figure 3.)
Figure 3: Companies addressing security risks from new technologies
Mobile, in particular, challenges the business because suddenly corporate data can be widely accessed outside of the enterprise. And employees often don’t realize the risks being introduced when sharing, sending, or receiving corporate information on a smartphone or tablet, especially if it is a personal device.
Likewise, with social media, where the line between personal and professional can become blurry, employees inadvertently may be disclosing sensitive information. Called data leakage, it can happen when employees share seemingly innocuous details, such as the airport they are in or the coffee shop they are frequenting every morning. Others within their social networks can use these clues, along with profile information about their jobs (bankruptcy attorney, M&A specialist), to ferret out potentially sensitive information, such as the identity of a financially troubled company or a potential acquisition target.
Effective security leaders consistently demonstrate the linkages between security and the company’s goals. They remind the rest of the management team that security is a strategic issue. In the survey, the Front-runner group emphasized this approach by citing client requirements as the driving force behind the company’s information security investments. The other respondents pointed to legal and regulatory requirements as the main justification for information security spending in their organizations.
An organization that embraces this mindset, for example, might engage the security leader and the sales leader, together, to consider how better information security can help close or speed sales. They might determine that having well-documented information security controls, processes, or certifications in place enables them to anticipate and address customer concerns immediately when or before the issue first is raised.
Some companies we work with find it effective to have security leaders embedded within each business unit. These individuals report to line-of-business heads and work directly with them to evaluate how security can support each group’s business goals.
Companies that understand the value that security brings to the business also ensure that they have a comprehensive strategy in place—and that they have the processes and procedures to back up their vision. The guiding principles for strategy are driven, in large part, by their data. Companies will want to ask a seemingly simple question: What’s our most sensitive data?
Surprisingly, many companies can’t begin to answer that question. Company leaders will need to identify their most sensitive data. They’ll consider business assets like intellectual property, as well as information that they have a fiduciary responsibility to protect, including customer, business partner, or employee data.
As companies undertake this foundational exercise, they will ask: What data do we have? Where are they located? What laws and regulations apply to them? What controls do we have around them? Are we sending data to third parties? If so, is it being handled securely? There’s much work to be done here: In the survey, only 29 percent of companies have an accurate inventory of data—a decline of 10 percent from just two years ago.
For companies that have grown through mergers and acquisitions, there’s the additional hurdle of getting a handle on disparate data sources—not to mention different policies, processes, and systems that were inherited with each merger or acquisition.
In the process of evaluating what’s currently in place and where the company’s attention needs better focus, some organizations find it helpful to conduct an outside assessment of their current operations. Often, when companies get a glimpse into what really is going on, they are surprised. They discover that the biggest problems may be caused by their employees.
For example, companies may find that workers lack even a basic awareness of the information security risks to which they subject the business when they do not follow policy—for example, they fail to change default passwords or they leave their computers on and logged in when they go home. Some companies bring in outside security experts to conduct an assessment, particularly if an organization wants to test the security of its networks. This penetration testing, sometimes called ethical hacking, attempts to break into a company’s network the way a real attacker would in order to pinpoint exploitable weaknesses before an adversary finds them.
In our work as security specialists, the trend we have observed is that companies have become much better at protecting the organization from the outside. But once a perpetrator gains a foothold on an internal network—whether by walking in the door and plugging into a network jack, or via malware on a USB drive that an employee picks up in the parking lot and plugs into a networked computer—we have always been able to escalate from that foothold to levels of access that were never authorized.
A security assessment also might reveal that the company has not kept up with a changing IT environment, especially one in which business units or employees have independently added their own devices or applications to the mix. All too often, businesses maintain the status quo but don’t adequately address how these latest technologies and new ways of working put them at risk.
Recognizing that organizations are dynamic—and that criminals are always innovating—it is especially important for companies to consistently monitor and test what they have in place. In the survey, all of the companies that we defined as True Leaders measure and review the effectiveness of their security policies and procedures annually (compared with just 54 percent of other respondents). These organizations also know where they are vulnerable and need to shore up their defenses. This is significant because just a few years ago, almost half of the survey’s respondents could not answer the most basic questions about the nature of security-related breaches; now roughly 80 percent of respondents can provide specific information about the frequency, type, and source of the security breaches their organizations faced. And they are seeing results: The leaders reported half as many information security incidents per year as the rest of the survey respondents.
Companies that are proactive about information security also consider the impact of breaches—especially given that these events are on the rise. Among those impacts, risks associated with customers, partners, or suppliers are a major concern, having nearly doubled in the past two years. This situation is compounded by the fact that, given recent economic uncertainty, security has not been a priority: levels of investment, awareness, and training have all declined.
In thinking about potential breaches, organizations will determine to whom they need to disclose an event. This issue is gaining more attention in light of the SEC’s recent guidance on the matter, reminding public companies that the following impacts must be included: remediation costs to customers or partners, increased information security investments required to remedy the situation, lost revenues due to breach, litigation resulting from breach, and reputational damage affecting customer or investor confidence. Company management and boards will want to consider the balancing act required to fulfill these responsibilities to investors and customers while ensuring that leadership does not disclose information that would make the company further vulnerable to hackers.
Leading companies today are rethinking the role of information security in their organizations. They realize that in a digital world, cybersecurity is the key to safeguarding their most precious assets—intellectual property, customer information, financial data, and employee records, among others. But far more than a defensive measure, companies also know that cybersecurity can better position their organization with business partners, customers, investors, and other stakeholders.
Additionally, a sustained approach to security enables companies to better take advantage of newer technologies—mobile, social media, and cloud—that are driving business growth for many organizations. Company executives are leading the charge, working across the business to assess the current environment, define their most sensitive data, assign accountability, devise a strategy, and measure their progress. With strong leadership and a comprehensive approach that continually links information security back to business strategy, top managers will better position their organizations for success.
Like the very nature of business itself, information security challenges are evolving. This topic came up continually as we discussed the survey findings with companies in all fields. What are the security chiefs at leading organizations most worried about? Here are some of the top concerns:
Mobile devices The power of employee and customer mobile devices makes companies increasingly vulnerable. Consider just a few scary possibilities: Hackers mobilizing smartphone users to bring down a company network by organizing a “computational flash mob.” Or banking apps available from popular online stores that are not affiliated with the banks they claim to represent; instead, they are designed to steal data. What is the best thing companies can do? Come to terms with the fact that mobile is here to stay and address it head-on in your strategy and policies. Begin thinking of mobile devices not as phones or adjunct devices but on par with laptop computers that have their own powerful peer-to-peer networks.
Increasing sophistication of the attacks Whatever you call these attacks—and security experts have been known to go round and round about just what constitutes an advanced persistent threat and whether the term is useful—some perpetrators are changing the rules of the game. They are locking on a specific target and formulating long-range plans to accomplish their goals. In the last year, we have seen several industry-leading companies in the technology and financial services industries that have been victimized. If it could happen to them, it could happen to anyone.
Proposed legislation Experts seem to agree that it’s only a matter of time before information security is mandated by law. Over the past few years, various incarnations of bills have been proposed. While security chiefs understand the scrutiny, they have concerns about security becoming a compliance burden. They worry that this will cause businesses to lose sight of what really matters: focusing on their strategy and thinking about next threats.
1 PwC, CIO, and CSO 2012 Global State of Information Security Survey.
4 PwC, CIO, and CSO 2012 Global State of Information Security Survey.
5 Numbers reported do not total up to 100 due to rounding.
6 PwC, CIO, and CSO 2012 Global State of Information Security Survey.