By Bill Hancock

No one really wants to spend money on cybersecurity. Not only is it technically impossible to completely secure cyberspace, but the technology is complicated, the vocabulary arcane, and the expertise to make it happen hard to find -- and even harder to apply. Worse yet, most managers never learned how to calculate the value of -- and communicate the business case for -- cybersecurity.
Yes, I realize that overall spending on cybersecurity continues to increase every year. Yet every executive I know is kicking and screaming about its cost along the entire way.
45,000 OPEN DOORS. The sad reality is that every computer network has cybersecurity exposures. This is due in large part to the fact that most software and computer systems focus on function, not security. Security is bolted on afterward, using things like firewalls and intrusion-detection systems. Additionally, the communications methods used to deliver data are over 30 years old, coming from a time when security was less of an issue.
Compounding the problem, as software has become more sophisticated, the amount of code used to write it has grown significantly. Conventional wisdom says you can expect to find about one bug for every 1,000 lines of software code -- and every bug is a potential opening for hackers. By that rough rule, the 45 million-line operating system that runs your computer may have some 45,000 ways to be breached. These hackers are smart, and most have much more time to spend attacking you than a typical system administrator can spend defending against them.
Attacks are also becoming increasingly automated, which compounds the problem. Computer worms and other autonomous, malicious programs can attack and infiltrate these complex environments in a relentless, methodical fashion.
EASY AS ABC. Most senior executives are aware of these cybersecurity issues. The problem is that these issues rarely turn into funded information-technology projects when evaluated against other business priorities. Sure, every survey of chief information officers says cybersecurity is one of the very top issues for a company. Yet in most executive suites, cybersecurity is considered necessary to stay in business, but not to make the business bigger. So what if a PC gets hammered by a worm? It won't kill the business, and the expense to clean it up will be minimal.
There's a way to deal with this dilemma. Chief information officers need to translate the IT priority of cybersecurity into a business priority that the CEO can't ignore. I call the basic framework I've used to build the business case for cybersecurity the ABC's of Security Management:
Asset protection: Most businesses recognize that they must protect their physical and intellectual assets. For example, they can't let someone steal their patents. The same kind of rigor that is applied to valuing, protecting, and insuring traditional assets needs to be applied to cyberassets. If someone steals your customer or product-development database, you could be put out of business.
Brand protection: Every CEO is concerned about the outfit's brand. CEOs can increase the perceived value of the company through the equity they build in their brands. What if your company is hit by a hacker and all the credit-card data from the e-commerce Web site is compromised? What happens to the value of the brand -- and to your stock price?
Compliance: Probably the strongest justification for investing in cybersecurity is that you don't have a choice: It's the law. Actually, it's lots of laws. Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLB), the Health Insurance Portability & Accountability Act (HIPAA), and the USA Patriot Act all have provisions that require securing IT applications, data, and infrastructure.
SHINING EXAMPLES. Once you've used the ABC's to make cybersecurity a business priority, what next? While there is no cookbook for cybersecurity, there are some best practices I've seen at leading companies.
Hire outside experts: The best approach is to integrate your internal IT expertise about applications, data, and business processes with outside expertise on how to identify and protect against cyberthreats. In most cases, you can save money by engaging these cybersecurity experts on a short-term basis to do periodic assessments, audits, and updates of your security systems and procedures.
Evaluate your IT suppliers: Ensure that the IT solutions you buy -- corporate networks, applications, servers, and storage alike -- follow the best practices for cybersecurity and can be included in your "chain of trust" to comply with government regulations.
Take one step at a time: You can't solve all your cybersecurity problems at once. Build a list of your cybersecurity vulnerabilities and prioritize the items based on business value. Focus on the high-value items that keep the business running and allow it to grow.
Cybersecurity is a journey, not a destination -- you'll never be completely done. The important thing is to keep moving forward, continuously improve, and focus on the details many think aren't so important.

Bill Hancock is Chief Security Officer of SAVVIS Communications and is chairman of the FCC's Network Reliability & Interoperability Council Homeland Security focus group on cybersecurity.