Knowing Reality of Threats Doesn't Assure Action

Need Exists to Tie IT Security to Organization's Well-Being
That's a takeaway of a new survey of IT security executives in the energy sector conducted by the Center for Strategic and International Studies (the public policy think tank that sponsored the Commission on Cybersecurity for the 44th Presidency) for security vendor McAfee.
The authors of the report - In the Dark: Crucial Industries Confront Cyberattacks - make that point with a quote from former CIA Director Jim Woolsey: "Ninety to 95 percent of the people working on the smart grid are not concerned about security and only see it as a last box they have to check."
Though the report focuses on energy, the lessons from the study are applicable to all sectors, be it government, banking, healthcare or some other industry. And that lesson is the strategic importance of IT security. A generation ago, government and business leaders began to accept the strategic importance of information technology to their enterprises, as evidenced by the growing number of chief information officers who began to report to either the chief executive officer or the chief operating officer. Today, IT security is approaching that same level of importance.
No doubt, more non-IT leaders understand the cyberthreats in the abstract, but as this survey suggests, they don't feel the threat in their gut.
"Perhaps one of the most frightening findings in the report is the fact that, although the security threat and awareness of the threat have increased exponentially, the energy sector increased its adoption of security technologies by only 1 percent," Phyllis Schneck, McAfee chief technology officer/public sector, writes in her blog. She says these energy companies don't have the incentives to invest in cybersecurity in economically hard times when little tangible evidence exists that IT threats have caused them harm.
In this economic environment, IT security investment decisions aren't made by those on the top rung of the corporate ladder. "Cybersecurity investment is made often at the CIO/CISO level as a technology conversation for the technology budget vs. where it really needs to be - at the CEO/CFO level - where business risk is assessed," Schneck writes. "Cybersecurity is a business risk; if the lights go out, everyone loses money."
I spoke last fall with Schneck about this type of situation, and she said it's more important than ever to get those responsible for IT security together with the people who run the businesses the information systems support, as well as the finance team that funnels money for business functions and security (see Linking Machines, Humans to Secure IT).
"Typically, you want your security budget to be strong enough to support your investment that will enable you and sustain you to build a resilient infrastructure forward," Schneck said. "And sometimes those budgets are just low enough that they can't afford to buy what they really need, and just high enough that they have to go buy something. What you find is, if companies are investing in what I'll call mediocre security infrastructure, they have to keep spending that money over and over every year."
To avoid that situation, CEOs, CFOs, CIOs, CISOs and operational executives must team up to determine how best to approach IT security. "Communications is very important because security has to be a business enabler at the same time as we fight this giant adversary," she said.
The lessons of this narrowly focused survey have implications for a wider audience of cybersecurity pros.