Executives at Booz Allen Hamilton learned the importance of information security the hard way back in 2011 when the hacker group Anonymous claimed that it had penetrated one of Booz Allen’s servers and had deleted 4GB of source code and released a list of more than 90,000 military email addresses and encrypted passwords.
The breached server turned out to be a development environment containing test data, “but that didn’t really matter; it was a wakeup call,” says Michael Waters, director of information security at the consulting firm and government contractor. “It was a pretty unpleasant experience, but it did galvanize substantial investment — both capital and HR — in getting things done. The firm looked around and said, ‘We have been working on this, but we need to put more toward it.’”
Over the next year, Waters’ information security staff grew from 12 to 70 employees, budgets increased, and processes and governance improved significantly. But a security plan is never “finished,” and in 2013 Booz Allen received a second jolt — this time in the form of an insider threat — when recent hire Edward Snowden, working under contract to the NSA, leaked highly classified documents describing government surveillance programs.
Booz Allen promptly fired Snowden and further honed its infosec program — a practice that continues to this day, says Waters. “We constantly update our information security procedures, no matter what the circumstances, and we also are continuing to strengthen our ethics and compliance program every year,” he says.
Today, Waters would put his infosec program on par with those of the world’s biggest enterprises, but he would have preferred to get there without those pivotal events.
Many companies today hope to avoid similar high-profile wakeup calls. After years of news about disastrous breaches, information security has finally gotten the attention of upper management. Two-thirds of 287 U.S. respondents to a survey conducted by CSO, CIO and Computerworld said that senior business executives at their organizations are focusing more attention on infosec than they were in the past. And most of the respondents said they expect that focus to continue. Yet IT leaders still face challenges when it comes to aligning security goals with the needs of business, including justifying costs, defining risks, and clarifying roles and responsibilities.
Half of the survey respondents said security-related efforts account for less than 10 percent of their IT budgets, and nearly three-quarters said security efforts account for less than 25 percent of IT’s time. And while half of those polled said they’d grade their organization’s security practices as an A or B, an equal portion would choose C, D or F.
So how can enterprises get from where they are today to having a cohesive, funded and fully implemented information security program? IT leaders and analysts share tips for navigating these muddy waters and protecting the organization from threats.
About a year ago, customers of sales and marketing advisory firm SiriusDecisions started asking questions about the security of the information they share with the Wilton, Conn.-based company. With all the news about data breaches, they were concerned that a weak link might jeopardize the competitive intelligence they shared.
Vice president of IT Jonathan Block knew the firm’s infosec policies and procedures were sound. SiriusDecisions operates entirely in the cloud, relying on big-name vendors whose security practices far exceed what the firm could do on its own. But he says the growing number of client inquiries, along with a slew of highly publicized security breaches at other companies, “lit a fire under us,” underscoring the importance of information security both internally and for the firm’s clients.
Today, SiriusDecisions shares detailed information with customers about its service providers’ security certifications and audits, trains every employee on information security awareness, especially social engineering — its biggest threat today — and earmarks 10 percent of its IT budget specifically for infosec initiatives.
Asked to grade the firm’s efforts, Block says, “I’d give us a solid B. Our goal is to try to get ahead of a lot of these things. The frequency and severity of attacks are always going to increase, but we’ve identified the type of attacks that do the most damage, and we focus our efforts on those.”
Create a communication channel
At Wells Fargo, executives are much more knowledgeable about information security than they were four years ago, says chief information security officer Rich Baich, who became the bank’s first CISO in 2012.
Much of the improvement centers around better collaboration and communication between technical and nontechnical staff, business units and executives, he says. To help get there, Wells Fargo realigned its security hierarchy. In January 2015, Baich began reporting to the chief risk officer instead of the CIO to emphasize security’s risk-based focus and to improve transparency with the board of directors.
“I’m not in technology,” Baich says. “[The new hierarchy] allowed us to effectively create a communication channel that helped people understand the language of security, the importance of security, how it fits into the larger, overall risk management construct — and ultimately helped drive and make this part of our culture, [in which] every individual team member is a risk manager.”
Baich would not assign a letter grade to Wells Fargo’s information security program, saying that even a good grade might invite scrutiny from prospective hackers. But Elvis Moreland, who worked at the bank as an independent cybersecurity contractor from November 2015 to May 2016, applauds the steps Wells Fargo has taken to boost security, including its move to adopt federal NIST cybersecurity standards, which he helped plan as part of the bank’s hybrid security framework. “They’ll work their way up to a B easily” if those efforts continue, he says.
Moreland recommends the NIST cybersecurity framework because it applies to both the private sector and the federal government, and because it offers three decades of documented lessons learned that can be applied to any organization. “It’s hundreds of millions of dollars in free research,” says Moreland, who is now a senior cyber-security and risk management consultant at Atos BDS North America. “Companies would cover 80 percent of the security vulnerabilities and weaknesses we see today” just by realigning the security hierarchy and adopting the NIST framework, he adds.
Give it a spin
Even before the 2011 attack, Waters had been working on Booz Allen’s information security framework. However, “it was challenging to get the attention and budget I needed,” he recalls.
He soon learned that the tone and perspective he used to communicate infosec needs to the IT department, executives and business units were critical to getting things done.
Today, Waters says that when he and his team discuss security needs with their business colleagues, they might say, “It’s not that I want you to do something, but it’s this new regulation we need to comply with, and I can help you figure out how to do it.” Or, “Outside attackers are trying to steal our data or wreck our systems; I’m here to help implement the protections and controls because of these outside forces.”
Gary Vause, founder and president of cybersecurity consultancy VSC, says many companies keep tight caps on their infosec budgets because they expect to need resources to put out the next security fire. “They know it’s coming, but rather than be preventive, they choose to be reactive,” he says.
On the other hand, he cautions, throwing money at the problem isn’t the answer either. Developing an understanding of a company’s security maturity level — a view that includes people, processes and technology — can help organizations prioritize budgets based on the most critical vulnerabilities, he says.
Emily Mossburg, principal of Deloitte’s Resilient Services practice, agrees that it’s not about spending more money. The question, she says, is this: “Are you prioritizing the things that could actually hurt your business the most?” And are you remediating the areas where your business is the most vulnerable? She advises focusing on the areas where “the threat actors are really after your business and, ultimately, where the impact would be the greatest.”
Make it real
Companies often look at the easy-to-identify, tangible losses in a data breach, such as the number of records with personally identifiable information. Those should certainly be protected, Mossburg says, but less obvious losses could actually prove costlier.
In June, Deloitte released a report that uncovers 14 business impacts of a cybersecurity incident, half of which are hidden costs, including loss of intellectual property, devaluation of your trade name and lost contract revenue. Those hidden costs can be far more expensive than the initial triage and damage control expenses, and they can go on for years.
In one hypothetical model that Deloitte created based on its experiences with customers, the cost to a healthcare company that lost a significant number of medical records was more than $1.6 billion. Of that figure, only 3.5 percent of the costs were considered “above the surface” tangibles that are generally expected in the wake of a cyberattack, such as post-breach customer protection services and cybersecurity improvements.
The remaining 96.5 percent of the costs were for less tangible hits, such as lost customer relationships and increases in insurance premiums. Such “beneath the surface” costs often come as a shock for companies in the post-breach remediation process.
“We need to make this real for people,” Mossburg says. “It’s very important to understand the industry, the nuances to the types of systems they use, their interconnectedness to third parties, the types of data they have, how they’re using it and what that might be.” All those contributing factors, along with the type of incident, make scenarios unique for every company. “We’ve had a lot of conversations [with clients] on what are the scenarios that they should be modeling for themselves,” she says.
Articulating risks is an important first step, says Michael Eisenberg, vice president in the office of the CISO at cybersecurity solutions provider Optiv. “When you can articulate a risk that the business and board of directors agree with, then you can come up with a plan to mitigate and manage that risk” — a plan that includes additional funding and resources, he says.
Writing on the wall
Five years after the Anonymous breach at Booz Allen, Waters still displays a framed copy of the Washington Post article about the attack on his office wall. “For me and my leadership team,” he says, “it’s a reminder that this is never allowed to happen again.”