Security concerns at firms continue to increase. It’s estimated that the cost of a single data breach is $4 million. Analysts estimate that cyber security attacks have caused the value of shares of publicly traded companies to drop by over $52 billion. The losses incurred by firms are only going to grow. Increasingly, bad actors are focusing on nefarious activities. Ransomware has taken numerous hospital systems and businesses offline for weeks at a time. Most notably, the WannaCry computer worm shut down 45 percent of Great Britain’s National Health Service for about three days.
“Alarmingly, the economics favor the bad actors. A team of three or four hackers can extort $30,000 to $40,000 a day via ransomware.” –Anup Ghosh, Founder of Invincea
Not all security breaches are the result of hacking. Consider the recent release of 198 million voter records by a company providing services to the Republican National Committee. Hackers weren't responsible for the release of the voter records – sloppy handling of the information was the cause. Making matters worse, the technical security environment is getting more complex, not simpler – there are more companies providing more security solutions. The critical factor in mitigating these security matters is a comprehensive corporate security program. The key to such a program is a Chief Information Security Officer (CISO). Unfortunately, CISOs with the appropriate mix of skills are in short supply. The breadth of skills required of the CISO includes:
- Management presence and the executive skills to effectively lead, develop, communicate, and sell the security program;
- A deep technical awareness of the security ecosystem;
- The ability to effectively lead the technical experts.
This mix of skills is not easily found. From discussions we’ve had with executive recruiters and others, these positions are extremely difficult to fill. As a side note, successful CISOs receive multiple solicitations from recruiters each week. It’s no surprise that CISOs are in short supply. Sadly, in our experience in working with companies, many security leaders do not have the complete set of skills. At one company, the CISO has excellent technical skills and implemented an impressive security program. The problem is that, despite her desire to be a CISO, she does not have the necessary executive skills. With another customer, we're seeing the exact reverse. Adding to the challenge is the likely requirement for corporate boards to attest to the thoroughness of the security program.
What can you do?
First, you need to hire the right CISO. It's likely that the executive suite will need help to vet the right candidate. Hire an expert to help you. A misstep in hiring will result in a substandard security program. A CFO recently told us that they wished they had retained someone to help with the interviews. As the CFO put it, the fees would have paled in comparison to them making the wrong hiring decision, paying the salary and benefits, and correcting the technical direction once they realized their mistake. Second, implement a comprehensive security program that follows one of the several industry standard frameworks. Third, make sure you don't ignore the human element. Insider threats, due to negligence or intent, account for almost one-third of all security breaches and exposures. Lastly, you need to treat the CISO’s mission as a C-level role. Involve the corporate leadership in oversight and decision-making with the CISO. Embrace the security program and make sure everyone else does, too. Get the right CISO and provide the right support, and you will be on your way to an effective security program.
About the Author: Mr. Dennis Conley is a managing partner with Transition Partners, a management consultancy headquartered in Reston, Virginia. He is a senior business and information technology executive and transformation leader with over 20 years of broad corporate and consulting experience. His extensive background and experience cover such areas as mergers and acquisitions, outsourcing, business development, technology management, organization development, security, business and strategic planning, and leadership training. Throughout his career, Mr. Conley has been providing strategic advice for merger and acquisition activities. He has directed dozens of business process and information technology sourcing transactions valued at from $1 million to over $250 million per year.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.