Security leaders face identity challenge

Information security today is seriously big business. While cybercriminals make hay on the black market with stolen identities and records, security breaches are also clearly costing the companies that suffer them far more than before.

According to the Ponemon Institute's annual Cost of Data Breach Study, the average cost of a data breach rose 15% to $3.5 million in 2013, and companies lose an average of $145 per compromised record.

Anyone who still dismisses information security as just an IT issue is delusional. The mere mention of the leading US retailer Target should send shivers down the spines of CEOs everywhere.

A total of 70 million records were stolen, including the name, address, email address and phone number of Target shoppers. The cost to credit unions and financial institutions of reissuing the 21.8 million affected cards is estimated at $200 million, plus $100 million for Target to upgrade its systems and payment terminals.

Who's to blame?

Profits fell 46% in Q4 of 2013 compared to the previous year, which ultimately resulted not only in the CIO being axed but in the CEO paying the ultimate price for this security failure.

Security leaders and experts at the annual InfoSecurity Conference, organized by Computerworld Hong Kong and e21 MagicMedia, noted that security is today the responsibility of all business leaders.

Despite the critical nature of information security today, the role of chief security officer or chief information security officer is not as common as one would expect.

According to Amar Singh, former CISO at News International and an information risk and GRC expert based in the UK, there is huge demand today in Europe and the US for CISO roles, but the role is still seeing significant change. "We're seeing the emergence of chief privacy officers and chief risk officers that are assuming much more responsibility for information security," said Singh during a panel discussion with IT leaders on day two of the conference.

He noted that security is now moving out of the IT domain, which is a good sign: in the past, anything that involved information security was immediately pigeonholed in IT.

"It doesn't matter what you call it [the role] today, there is a clear demand for a person who can save the ship from sinking," said Singh.

IT at heart of security

Fellow panel speaker Ted Suen, head of IT at MTRC, believes IT will remain heavily involved in information security, but that the growing involvement of other business leaders is critical to better security in the future.

Information is such a critical asset in business today that protecting it is vital to a company's livelihood: it can be a key differentiator for a bank, and it can yield unique insight into a customer.

"The challenge is how to get the organization to create a more holistic view of data and security," said Suen. At MTRC the structure is in place, with IT heading an information security committee that draws on key stakeholders from across the business to ensure adequate awareness and broad business involvement.

"However the concern is whether smaller businesses have the necessary approach and structure to support information security properly given the information-centric era we live in today," said Suen.

"But in my mind there is no one person that can handle all security issues. A company may have a CSO and he or she may run the security department, but they will need many different experts from different parts of the business to do the job effectively," he added.

Reporting lines

At global environmental services group Veolia, information security is handled by the CIO, while physical security is managed by the director of security. Interestingly, the two departments rarely work together when it comes to information security, but Lenny Baptiste-Conil, risk and business continuity manager at Veolia, predicted these two functions would see increased collaboration in future.

The physical security function covers the safety of assets and buildings, but also of people. Where people are concerned, information becomes a major focus, and that is clearly in the realm of IT.

Baptiste-Conil also pointed out that the director of security has a direct reporting line to the company's CEO, reflecting the critical nature of that area of the business. While the person in charge of information security does not have that same level of CEO access, he raised the possibility of this changing in future.

The nature of the company will also dictate the importance given to data security, noted Baptiste-Conil. "If your business is in technology, or if you're a bank, then it makes sense to give a higher profile to information security and have a direct report to the CEO."

Leadership responsibility

On the issue of whether CEOs should take the fall for major security breaches, the speakers gave similar replies: it depends on the data exposed or impacted. If the breach involves internal information, customer reaction is muted and the business impact is correspondingly smaller.

"Customers will not desert the company if a few patents are lost," said Baptiste-Conil. "But if the breach is around customer data and it's clear that leadership neglected their duties as the leaders of the organization, then it may be fair that the CEO is to go."

Fuller Yu, who effectively heads the security function at AIA Group, noted that it is not always necessary for the CEO to be heavily involved in information security initiatives. But the expectation today is that critical information security issues with business impact are an agenda item at board meetings.

"As a CIO it's important you are feeding critical security information to the business leaders and communicating it in the correct terms around risk and financial impact," said Yu, who is head of Technology Risk Management at the group.

Security tips for marketing

One area of the business that is seeking more information security insight is marketing. There is a clear trend of growing IT spending by marketing departments as they acquire digital marketing tools, analytics and cutting-edge applications in an effort to improve customer engagement.

Singh questioned whether CMOs, who are in some cases becoming the biggest spenders on technology, will be aware of all the risks. "Some of the least security-aware people I have come across have been in marketing, so the challenge is educating marketing on the heightened risks involved as they get more involved in digital commerce and digital engagement," he added.

Singh expects the security role to evolve into a hybrid role involving a combination of risk, privacy, security and compliance. "Whether it all comes under one person or a combination of people, marketing leaders and business leaders will increasingly require strong guidance on security issues," he said.

The challenge here for security and IT leaders is making the message heard. Yu at AIA stressed the need to speak in the language of the business leader, whether they are from marketing or another line of business. "Ask the CMO what is critical to the brand and explain the things they should do to protect that brand," said Yu. "Focus on helping them achieve their goals; that's the way to create a winning partnership."

Stories by Computerworld Hong Kong staff