A traditional information security model aimed at securing the back-office no longer addresses the realities of business today.
By now companies should recognize that cyber threats are just another part of doing business in the 21st century. However, some companies may not realize that their biggest cyber threat may not be external. Even the most well-meaning, technologically savvy employee can be duped into giving hackers access to company networks and systems. The issue goes beyond Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs). As the February 2016 Security Intelligence article, The View From the Top: C-Suite Insights on Cybersecurity, points out, “… the C-suite and its functional teams need more education, understanding and engagement in order to have an appropriate, risk-aware posture that helps protect company assets, reputation and the broader business ecosystem (customers, partners, vendors).”
At the recent joint meeting of FEI’s Committee on Finance & IT (CFIT) and Committee on Governance, Risk and Compliance (CGRC) hosted by American Traditions Insurance Company in St. Petersburg, Florida, CFIT members Pervez Bamji, Vice President & General Auditor, Pitney Bowes, Inc. and Kristin White, Senior Director, IT Finance, Cisco Systems, Inc. shared their perspectives on their organizations’ cybersecurity preparedness.
As part of its ongoing business transformation efforts, Pitney Bowes’ base-level cybersecurity preparedness and responsibility rests with the Information Technology function, with very active participation from the Data Privacy & Protection function. In addition, the Engineering Technology & Innovation (R&D; Product Development) group includes individuals responsible for ensuring that a high level of data and access security features is incorporated as product development takes place. This group closely follows the policies and procedures of, and seeks active guidance from, the Corporate Information Technology function. Audit & Advisory Services conducts various information technology and data privacy reviews that encompass aspects of cybersecurity. All four of these functions (PB Information Technology, Data Privacy, Engineering (Security) and Audit & Advisory Services) present the Company’s cybersecurity posture, planning, and current and future investments in that space.
Management constantly communicates with the employee base on the importance of every individual being aware of what to do about cybersecurity. The frequent cybersecurity-related news headlines have increased pressure on organizations to respond. “Breach fatigue” is creating reluctance among clients to share confidential and sensitive information. “There is greater scrutiny from our clients (e.g., the financial sector), including requests for audits, assessments and third party security testing,” Pitney Bowes’ Bamji said.
With developments such as the Cybersecurity Information Sharing legislation and the NIST Cybersecurity Framework, there is increased overlap and partnership between public- and private-sector security.
Bamji noted several privacy and information security trends he has seen more recently. Cyber-attacks are happening more frequently and are much more sophisticated. While continuing to invest in measures to prevent cyber-attacks, companies are re-allocating resources and investment from prevention to detection. This shift is driving faster response in order to improve threat update capabilities. Increasingly, outside experts are being engaged to ensure cybersecurity compliance and drive cyber strategy, and this could include third-party verification and certification.
The way business operates has forever changed – the new global, digital economy has come of age and is bringing rapid change and complexity. Businesses now operate in an interconnected ecosystem and, as a result, securing critical data, transactions and operations means working beyond the walls of the organization. There is increased reliance on technology, transactions and operations span multiple parties, and information and data are ubiquitous throughout the business ecosystem. New and advanced threats seek to take advantage of this new business reality. In short, successful businesses in the digital age will have to come to grips with cybersecurity.
Cisco’s White noted that just as the digital economy is providing opportunities for business, it is also providing opportunities for cybercriminals. Cybercrime has become its own industrial economy. Cybercrime today is organized and well-funded, and cybercriminals are targeted rather than merely opportunistic. There is value at every stage of the cybercrime food chain, and criminals are using technology just as much as legitimate businesses seek to use technology to their advantage.
A traditional information security model, one that is technology-focused, compliance-based, perimeter-oriented, and aimed at securing the back-office, no longer addresses the realities of business today. White said, “When looking beyond the enterprise boundaries, organizations need to reevaluate security priorities. Cyber risk management today is a complex issue, requiring board and management engagement, sophisticated techniques, and new skills and capabilities.”
Describing Cisco’s efforts to defend itself from cyber threats, White remarked that, from an enterprise perspective, the company has a very large, global and complex network. It has many partners and has to bring them into its network and protect them as well. Cisco has a Security and Trust Organization that is part of Operations and focuses on six foundational pillars:
- Trusted enterprise
- Data protection/privacy
- Transparency & validation
- Trusted cloud
- Trustworthy systems
- Value chain security
They have a pervasive security framework that looks at:
- Threats and risk – understanding the potential threats drives the framework and helps to prioritize the threats
- Regulatory environment – where they are doing business, the associated regulatory requirements that can impact the business, and how these requirements are fed into the network
One of the most important areas that must not be overlooked is people. As the saying goes, our people are our first line of defense. Simply making it known that “security is everyone’s business” will not cut it. Employers need to empower their employees with understanding and knowledge around what they need to do that is specific to their individual role. Make it personalized. Pervasive security requires an army of advocates. The goal is not to penalize but to create a partnership that leads to better, more informed decisions.