The C-suite is feeling the security heat

Cohesive Networks
Cybersecurity War Stories
Nov 12, 2015

By: Dwight Koop, COO at Cohesive Networks

70% of security professionals believe the CEO should hold the ultimate responsibility in the case of a data breach, according to a 2015 survey from Websense. The C-suite is beginning to feel the security heat as reports of data breaches and cyberattacks have filled the news in the last few months.

Massive breaches, such as those at Target, Home Depot, Sony and Anthem, are highlighting how information security is no longer an IT department issue, but a huge risk for the entire company. Plus, upcoming security compliance regulations (like NIST, PCI, and the EU banking standards) are beginning to write in more security requirements rather than suggestions.

Don’t let it happen to you

After the credit card data breach in Winter 2013, Target dismissed CEO Gregg Steinhafel as well as their CIO. The Sony hack at the end of 2014 cost the studio nearly $15M in security and incident response alone. The additional loss of intellectual property, damaged reputation, and future business losses could total up to $172M.

According to a June 2013 PwC report, organizational leaders do not know or appreciate what their IT teams are up against in terms of industry threats, vulnerabilities and the costs required to deal with an attack. A report from KPMG argues that even the corporate board must understand that cybersecurity is a business risk issue, not just a problem for IT.

Frequently, C-suite leaders discover that their organizations have been using cloud-based CRM, email, and accounting tools without fully realizing their organizations’ data is therefore cloud-based. In 2014, IDC reported that 69% of enterprises worldwide have at least one application or a portion of their computing infrastructure in the cloud.

Focus on data security, not data center security

Cisco reports that by 2018, 76% of all data center traffic will come from the cloud. As vital enterprise data moves outside of the protected data center and the IT silo, leadership should focus on new ways to secure critical data in any location.

Modern enterprises have teams and employees on the move all the time, visiting customers and checking in from devices of all types. Yet why do organizations still treat critical data as if it always stays in the same place?

In traditional data center security, the focus has been on keeping data physically isolated via the perimeter or “demilitarized zone” (DMZ). But this model focuses too much on protecting the outside, with little to no security features inside the network.

Prevention starts with a secure network

Today’s more complex and distributed networks can create a more porous data center perimeter. Once hackers (or disgruntled employees) breach the perimeter, they can easily expose potential weaknesses inside the network. Nearly 85% of insider attacks or “privilege misuse” used the corporate local area network (LAN), according to a 2014 Verizon security report. Hackers are now using corporations’ networks against them.

Perimeter-based security needs to evolve to better secure our critical data as it goes on the road with our employees, to the cloud, and around the network. The weaknesses of the perimeter-based approach were on display when hackers accessed critical data inside the networks at Sony, Target and Home Depot.

A modern data-focused enterprise must add encryption and security within the network to strengthen existing hardware and virtualization security. With security focused on each enterprise application inside the network, organizations can secure critical data if it is traveling across the network to branch offices, accessed via hotel wifi, or residing in the public cloud.
