CIOs And Security: Time To Rethink The Processes?
Businesses need to develop new security responses to address gigantic attacks, and the CIO is in the best position to lead the way.
7 Bold Tech Ideas That Will Make You Uncomfortable
(Click image for larger view and slideshow.)
Target, Home Depot, and Sony have demonstrated how vulnerable businesses are to catastrophic data breaches. The ripple effects from massive strikes reverberated through these organizations, causing millions of dollars in damage.
Despite the headlines, most firms are not equipped to respond to such problems. However, a new, nuanced way of dealing with security threats is required, and IT is in a good position to lead this corporate transformation.
Here's how the new security paradigm is shaping up.
First, IT needs to recognize that the traditional methods of dealing with security breaches are not enough to effectively respond to the massive break-ins. "Companies are under attack every day," said Bill Stewart, executive VP at Booz Allen and leader of the firm's commercial cyber-business, which in April issued a report titled "Emerging Trends: Big Changes in Cyber Risk, Detection, Improved Incident Response."
Enterprises have put security solutions and business processes in place to deal with most threats. Systems are constantly probed, and tools like firewalls are sufficient to ward off many attacks.
But recently, the crooks have done a better job of skirting traditional system security, unlocking sensitive information, and stealing millions of records. These high-profile break-ins require more than patching a software flaw and blocking the hacker from the network. They demand a coordinated, multi-tiered, company-wide response -- one emanating from the boardroom and touching upon many departments.
Enterprises must change their security outlook from being an IT-only issue to a corporate concern.
Everyone Working Together
To be successful, a business needs unprecedented levels of cooperation among different departments and a proactive, top-management-involved approach to dealing with security threats. The enterprise needs to form a cyber-crisis management team, a group that deals only with high-level threats.
(Image: texelart/iStockphoto)
"If a company waits until it's in crisis, time is spent trying to figure out who is in charge, rather than actually responding to the breach," said Dan Blum, principal consultant with Security Architects, a security consulting firm.
Because the group touches upon so many departments, the CIO is not the best person to chair the committee. Booz Allen's Stewart recommends that the chief operating officer (COO) run the committee, because far-reaching decisions are made within it.
"Shutting down mission-critical applications is on the table whenever businesses discover a major breach," explained Booz Allen's Stewart. Taking an online store offline on Black Friday is clearly a CEO- and board-level decision.
The CIO is likely to spearhead the group's formation since that role has the keenest insight into the challenges that the new massive threats represent.
"IT needs to clearly articulate the potential impact the new malware has on the business and then help put the processes in place to deal with them," said Blum. The CIO may not chair the committee, but he or she is in prime position to act as its top lieutenant.
Digging Into The Problem
In addition to IT, representatives from legal, public relations, marketing, compliance, and security typically are part of the committee. Once the team is formed, its job is to develop best practices, starting with problem notification. Here IT and data analytics play a key role. The major hacks are sophisticated and difficult to track. Days or often weeks pass before the security team digs into a system aberration and determines that a significant breach has occurred. Additional time is required to access the damage.
Determining how to notify the cyber-crisis management team of possible break-ins represents a balancing act. The company must put filters in place so members are not constantly bombarded by alerts every time an investigation occurs -- a situation all too common in security command centers. But the individuals need to be in the loop in case something major looms on the horizon.
Paul Korzeniowski is a freelance contributor to InformationWeek who has been examining IT issues for more than two decades. During his career, he has had more than 10,000 articles and 1 million words published. His work has appeared in the Boston Herald, Business 2.0, ... View Full BioWe welcome your comments on this topic on our social media channels, or
[contact us directly] with questions about the site.

1 of 2

More Insights